WebApp Sec mailing list archives
RE: Web Forms filtered with SQL constraints
From: RSnake <rsnake () shocking com>
Date: Sat, 9 Oct 2004 13:15:22 -0700 (PDT)
These are two seperate issues. Your original comment was about protecting yourself using JScript. That's what my email was responding to. In regards to writing error conditions to trap user input after the fact, that's different - and good security. The main point is that it cannot be edited or modified by the user. JScript relies on the browser interpreting the script in the first place. I can turn off any rendering simply by telneting to port 80 and downloading the source manually, creating the query by hand, etc... and in effect bypassing any client side filtering you put in place. Writing ASP that protects itself on the server side is much better. I cannot bypass a well written filter because I don't have access to it without another out of band attack against the webserver (but if that's possible then the server probably has bigger problems). If you simply want to obfuscate your source there are some easy techniques, like MD5ing your source in JScript and then outputting the text as it renders. That'll stop 95% of people, but it's just obfuscation. Also, you can employ other tricks like keeping your JScript in a remote location and watching for referrer headers, etc... Also obfuscation. These are additive security measures, and they help, but it's not really security. Honestly, just give up on the idea of hiding your source, start thinking of it as client side input validation - not security, and focus on your server side security instead. You'll get a lot more bang for your buck. On Fri, 8 Oct 2004, [iso-8859-1] B?noni MARTIN wrote: | Date: Fri, 8 Oct 2004 17:09:21 +0100 | From: "[iso-8859-1] B?noni MARTIN" <Benoni.MARTIN () libertis ga> | To: RSnake <rsnake () shocking com>, webappsec () securityfocus com | Subject: RE: Web Forms filtered with SQL constraints | | Hi ! | | Thanks for the reply, it's as I was thinking about ! I went on the web to get some more infos about that, and I found this article: | http://www.developerfusion.com/show/4325/ | | So some tell this is a good idea, others say it's not, so I am lost :( :) | | | -----Message d'origine----- | De : RSnake [mailto:rsnake () shocking com] | Envoy? : vendredi 8 octobre 2004 01:42 | ? : webappsec () securityfocus com | Cc : B?noni MARTIN | Objet : Re: Web Forms filtered with SQL constraints | | | Nothing you do at the client side can be hidden. I can write a | client that downloads the source, or watch it via a proxy, or | look at the cache, etc.... don't even bother trying. You | should consider anything client side as protection from | inadvertant mistakes by users only, and you should always have a | fall back filter in place to catch the errors before they do any | damage. | | On Wed, 6 Oct 2004, Ian wrote: | | | Date: Wed, 06 Oct 2004 09:52:03 +0100 | | From: Ian <webappsec2 () fishnet co uk> | | Reply-To: webappsec () securityfocus com | | To: "[ISO-8859-1] B?noni MARTIN" <Benoni.MARTIN () libertis ga>, | | webappsec () securityfocus com | | Subject: Re: Web Forms filtered with SQL constraints | | | | On 5 Oct 2004 at 13:25, B?noni MARTIN wrote: | | | | > Hi list ! | | > | | > I was wondering how to solve the 2 following problems: I have ASP | | > (not | | > ASP.NET) formulaires people have to fill in. To avoid SQ injection | | > attacks and other tricks, I have set up some Jscript filtering on each field (i.e. | | > for instance a name can just be alphabet's characters and no figures | | > :) ), and I am planning to do the same on my Database (setting up constraints). | | > | | > | | > But I have 2 questions: - How can I hide my Jscript filtering from the | | > user ? When I want to see the source, everything is diaplayed, quite | | > normal :( ... Maybe it's not so good to tell people what I have done | | > to filter them :) I saw some sites where it is impossible to see the | | > source, impossible to "hoover the site", impossible even to print | | > ... But I have not been able to find on the net how to do this :( | | > | | > - How can I deal with possible SQL errors within an ASP page ? I | | > mean, if a field has been filled in, bypass my Jscript filtering (no | | > matter how), and gets to the database but is then "stopped" by an | | > SQL onstraint, how do I raise this error on an ASP page without | | > diplaying an explicit error (giving the user the name of my database for instance) ? | | > | | > Cheers for any clue, I am lost on this topic :( | | | | Hi, | | | | Using classic ASP with vbscript you would add this to the top of the page: | | | | <% on error resume next %> | | | | Then after every SQL query: | | | | <% | | if err then | | Response.write "There was a database error" | | ' Log to error to file | | end if | | %> | | | | I think the equivalent in JScript is the Try, Catch, Finally: | | | | http://msdn.microsoft.com/library/default.asp?url=/library/en- | | us/script56/html/js56jslrfjscripterrorstoc.asp | | | | Hope this helps | | | | Ian | | -- | | | | | | | | | | | | -R | | The information in this email is confidential and may be legally privileged. It is intended solely for the addressee. Access to this email by anyone else is unauthorized. If you are not the intended recipient, any disclosure, copying, distribution or any action taken or omitted to be taken in reliance on it is expressly prohibited and may be unlawful. | | -R The information in this email is confidential and may be legally privileged. It is intended solely for the addressee. Access to this email by anyone else is unauthorized. If you are not the intended recipient, any disclosure, copying, distribution or any action taken or omitted to be taken in reliance on it is expressly prohibited and may be unlawful.
Current thread:
- Re: Web Forms filtered with SQL constraints, (continued)
- Re: Web Forms filtered with SQL constraints Steven Boone (Oct 07)
- RE: Web Forms filtered with SQL constraints V. Poddubnyy (Oct 08)
- RE: Web Forms filtered with SQL constraints focus (Oct 09)
- Re: Web Forms filtered with SQL constraints Matt Fisher (Oct 09)
- Re: Web Forms filtered with SQL constraints yahoouec (Oct 12)
- RE: Web Forms filtered with SQL constraints Mike Allison (Oct 05)
- Netware ichain Taki Waki (Oct 06)
- RE: Netware ichain Eyal Udassin (Oct 07)
- Netware ichain Taki Waki (Oct 06)
- Re: Web Forms filtered with SQL constraints Tom Stowell (Oct 07)
- RE: Web Forms filtered with SQL constraints Bénoni MARTIN (Oct 09)
- RE: Web Forms filtered with SQL constraints RSnake (Oct 12)
- RE: Web Forms filtered with SQL constraints Dr Death (Oct 12)
- Re: Web Forms filtered with SQL constraints Emil Filipov (Oct 14)
- RE: Web Forms filtered with SQL constraints Michael Silk (Oct 12)
- RE: Web Forms filtered with SQL constraints Michael Silk (Oct 12)
- RE: Web Forms filtered with SQL constraints Bénoni MARTIN (Oct 14)
- Re: Web Forms filtered with SQL constraints saphyr (Oct 15)
- Re: Web Forms filtered with SQL constraints RSnake (Oct 16)
- Re: Web Forms filtered with SQL constraints saphyr (Oct 15)