July 22, 2008

Securing ASP applications from SQL injection and XSS

Posted in: Programming, Security

Recently I was alarmed to find that one of my past projects was under attack. It was one of the first websites I created using ASP + MS SQL.

Looking at the .LOG files and the database, it was clear that the attack was done using SQL injection, which is of course a shame on my work, but it somehow slipped through my fingers at certain lines of code. We all live and learn… There is a saying: he who works, makes mistakes.

Anyhow, I was facing a problem that had to be solved, and finally I made it…

As I looked for more information I noticed that the goal of this attack wasn't the web server itself but the users who were visiting it. It was an XSS (cross-site scripting) attack that infected clients' computers by redirecting them to a website hosting a Trojan.

How was this done? Well, easily, now that I look at it…
Using SQL injection, the attacker updated the "description" field in the database, which is displayed on the products page. At the end of the field the attacker added a "<script src=>blablablah</script>" tag. So when the products page rendered, everything looked fine, but in the background that malicious JavaScript code was running…

What I had to do is:

  • upgrade the web application so it is no longer vulnerable to SQL injection
  • clean the database of the malicious code

As I already said, the application environment was IIS + ASP + MS SQL.
I did some Googling to see what others had to say on this topic and found an interesting article which helped me understand and solve this problem; here is the link.

I updated the application to check its input parameters, and then I added a small piece of code to intercept possible attack attempts. What that code actually does is read the URL the client calls and search it for certain keywords, like "update", "delete", ".js", etc. Here's the example:

  <%
  ' An inverse to Server.URLEncode
  Function URLDecode(str)
      Dim re
      Set re = New RegExp
      str = Replace(str, "+", " ")
      re.Pattern = "%([0-9a-fA-F]{2})"
      re.Global = True
      ' RegExp.Replace calls URLDecodeHex once for every %XX match
      URLDecode = re.Replace(str, GetRef("URLDecodeHex"))
  End Function

  ' Replacement function for the above: turns the two hex digits into a character
  Function URLDecodeHex(match, hex_digits, pos, source)
      URLDecodeHex = Chr(CLng("&H" & hex_digits))
  End Function

  Dim strQuery

  ' Decode the raw query string and strip spaces so keywords split by spaces are still caught
  strQuery = Request.ServerVariables("QUERY_STRING")
  strQuery = Replace(URLDecode(strQuery), " ", "")

  ' Drop the request if the query is suspiciously long or carries a blacklisted keyword
  If InStr(UCase(strQuery), "EXEC") > 0 Or Len(strQuery) > 500 Or InStr(UCase(strQuery), ".JS") > 0 Or InStr(UCase(strQuery), "UPDATE") > 0 Then
      Response.End
  End If
  %>
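The filter above is a keyword blacklist on the query string: it stops the patterns it knows about, but it does not change the lines of code that build SQL from user input, and it does nothing about a script tag that is already stored in the description column. The following is an added example, not code from the original post, showing the two controls that close both halves of the problem on this same stack: a parameterized ADO query, so the client's value can never alter the SQL statement, and Server.HTMLEncode on output, so stored HTML renders as text. It assumes a products table with id, name and description columns (the post names products and description; id and name are assumptions) and a placeholder connection string.

```vbscript
<%
Option Explicit
' Added example (not the original post's code): read one product with a
' parameterized ADO query and HTML-encode it on output.
' Assumed: table products(id, name, description); CONN_STRING is a placeholder.

' ADO constants (normally included from adovbs.inc); defined here so the page stands alone.
Const adCmdText    = 1
Const adInteger    = 3
Const adParamInput = 1

Const CONN_STRING = "Provider=SQLOLEDB;Data Source=YOUR_SERVER;Initial Catalog=YOUR_DB;Integrated Security=SSPI;"

' Whitelist-validate the only input this page needs: a positive integer id.
' Returns 0 for anything that is not one, instead of letting it near the SQL text.
Function GetProductId()
    Dim raw
    raw = Trim(Request.QueryString("id") & "")
    If Len(raw) = 0 Or Len(raw) > 10 Or Not IsNumeric(raw) Then
        GetProductId = 0
    ElseIf InStr(raw, ".") > 0 Or CLng(raw) < 1 Then
        GetProductId = 0
    Else
        GetProductId = CLng(raw)
    End If
End Function

Dim productId
productId = GetProductId()
If productId = 0 Then
    Response.Status = "400 Bad Request"
    Response.Write "Invalid product id."
    Response.End
End If

Dim conn, cmd, rs
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open CONN_STRING

' The id travels as a typed parameter, never as part of the SQL string,
' so no value the client supplies can change the statement's structure.
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
cmd.CommandText = "SELECT name, description FROM products WHERE id = ?"
cmd.Parameters.Append cmd.CreateParameter("id", adInteger, adParamInput, 4, productId)
Set rs = cmd.Execute

If Not rs.EOF Then
    ' Server.HTMLEncode turns < > & " into entities, so a <script> tag that was
    ' written into the column is shown as harmless text instead of executing
    ' in the visitor's browser. The & "" guards against NULL columns.
    Response.Write "<h1>" & Server.HTMLEncode(rs("name") & "") & "</h1>"
    Response.Write "<p>" & Server.HTMLEncode(rs("description") & "") & "</p>"
Else
    Response.Status = "404 Not Found"
    Response.Write "No such product."
End If

rs.Close
conn.Close
Set rs = Nothing
Set cmd = Nothing
Set conn = Nothing
%>
```

Server.HTMLEncode is the right encoding only for text placed between tags; a value written into an attribute or a URL needs encoding for that context instead. The keyword filter from the post still has a place as an early-warning signal (log what it blocks and who sent it), but the parameterized query is the control that actually removes the injection, whatever keywords the request contains.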

Then I ran a cleanup process on the database, using the simple REPLACE() function in MS SQL, manually checking each table and field with syntax like:

  -- third argument is the empty string: the injected tag is removed outright
  UPDATE products SET description = REPLACE(description, '<script type="text/javascript"><!--mce:0--></script>', '');

So with the previous line I'm basically doing a search/replace for a certain malicious string in the Description field that is rendered within the Products page of the webshop…

I did some more Googling and found a nice tool on MSDN called UrlScan, which basically does the same as the ASP script above: it tries to intercept SQL injection before it even gets to the ASP application.
