WebApp Sec mailing list archives
Re: Web Forms filtered with SQL constraints
From: tie <tie () ankh morp org>
Date: Wed, 06 Oct 2004 12:44:16 +0300
Hi Bénoni,

Getting the source of your JavaScript code is always possible - no matter what tricks you apply. Denying right-click, hover over or whatever else you can think of will not save your code from prying eyes. After all, the code is transmitted in clear text between you and the server. You can use many applications (apart from browsers) to get the source - see Achilles for example. Hiding your JavaScript sources, however, should not be your concern.
JavaScript is a CLIENT-side scripting language. It is getting interpreted on the CLIENT side. And client=attacker. The attacker has full control over any code that is executed on his PC. So, the attacker can easily just skip your JavaScript checks and here you are with unverified input. You don't need to see/analyze the validation checks when you can just skip them :)
You cannot provide security through JavaScript. It is only used to provide convenience to your 'legal' visitors. Your server-side .ASP scripts should NEVER rely on client-side input validation. Big No-No here.
Instead, you should verify the input inside your .ASP scripts, on the server side. Validate them, as there is no client-side checking at all - there is really none, from the attacker's point of view.
Regards,
tie

Bénoni MARTIN wrote:
Hi list! I was wondering how to solve the 2 following problems: I have ASP (not ASP.NET) forms people have to fill in. To avoid SQL injection attacks and other tricks, I have set up some Jscript filtering on each field (i.e. for instance a name can just be alphabet's characters and no figures :) ), and I am planning to do the same on my Database (setting up constraints). But I have 2 questions:
- How can I hide my Jscript filtering from the user? When I want to see the source, everything is displayed, quite normal :( ... Maybe it's not so good to tell people what I have done to filter them :) I saw some sites where it is impossible to see the source, impossible to "hover the site", impossible even to print ... But I have not been able to find on the net how to do this :(
- How can I deal with possible SQL errors within an ASP page? I mean, if a field has been filled in, bypasses my Jscript filtering (no matter how), and gets to the database but is then "stopped" by an SQL constraint, how do I raise this error on an ASP page without displaying an explicit error (giving the user the name of my database for instance)?
Cheers for any clue, I am lost on this topic :(
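The server-side approach tie describes, written out as an added example that is not taken from this thread: the submitted values are re-validated on the server with an allow-list (the browser's Jscript checks are treated as if they never ran), the query binds its parameters instead of concatenating them, and a database error such as the constraint violation the second question asks about is logged in full on the server while the user only sees a generic message. The field rules, the `FakeDb` stand-in driver and its error text are constructed for illustration; a classic ASP page would do the same with ADO command parameters and `On Error` handling.

```javascript
// Added example (not from the thread): server-side handling of a form
// submission. Names, helpers and the fake database are assumptions made
// for illustration only.

// Allow-list for a "name" field: letters only, 1-50 characters
// (mirrors the rule in the original question: letters, no digits).
const NAME_RE = /^[A-Za-z]{1,50}$/;

function validateName(value) {
  if (typeof value !== 'string') return { ok: false, reason: 'missing' };
  const trimmed = value.trim();
  if (!NAME_RE.test(trimmed)) {
    return { ok: false, reason: 'invalid characters or length' };
  }
  return { ok: true, value: trimmed };
}

// One rule per expected field; anything not listed is ignored.
const RULES = { firstName: validateName, lastName: validateName };

// Validate every field on the server, independent of any client-side check.
function validateForm(form) {
  const errors = {};
  const clean = {};
  for (const [field, rule] of Object.entries(RULES)) {
    const r = rule(form[field]);
    if (r.ok) clean[field] = r.value;
    else errors[field] = r.reason;
  }
  return { ok: Object.keys(errors).length === 0, clean, errors };
}

// Constructed stand-in for a database driver with parameterised queries.
// It throws an error carrying internal details (table and constraint
// names) when a duplicate first name is inserted, like a real constraint.
class FakeDb {
  constructor() { this.rows = []; this.log = []; }
  query(sql, params) {
    this.log.push({ sql, params });
    if (this.rows.some(r => r.firstName === params[0])) {
      throw new Error(
        "UNIQUE constraint 'uq_people_firstname' failed on table 'dbo.People'");
    }
    this.rows.push({ firstName: params[0], lastName: params[1] });
    return 1;
  }
}

// Handle one submission. Returns what the page shows the user; detailed
// database errors go only to the server-side log.
function handleSubmission(db, form, serverLog) {
  const v = validateForm(form);
  if (!v.ok) {
    return { status: 400, message: 'Please correct the highlighted fields.',
             fields: v.errors };
  }
  try {
    // Values are bound as parameters, never concatenated into the SQL text.
    db.query('INSERT INTO People (FirstName, LastName) VALUES (?, ?)',
             [v.clean.firstName, v.clean.lastName]);
    return { status: 200, message: 'Thank you, your details were saved.' };
  } catch (err) {
    serverLog.push(err.message); // internal detail stays on the server
    return { status: 500, message: 'Sorry, your request could not be processed.' };
  }
}
```

Input that fails the allow-list never reaches the database; input that passes but violates a constraint produces a generic page for the user and a full error line in the server log, which is the split the question was after.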