WebApp Sec mailing list archives

[Fwd: Re: Web Forms filtered with SQL constraints]


From: yahoouec () iitr ernet in
Date: Wed, 13 Oct 2004 07:28:59 +0530 (IST)



You need to perform validation on the server; otherwise the *wrong* user may:

1. Disable JavaScript. This can be avoided by first finding out whether the
   user has enabled or disabled JavaScript.

2. Make his own local copy of the page without the JavaScript (but with
   JavaScript enabled in the browser) and then submit the form to your
   server. This can also be prevented by you, by first checking the
   HTTP_REFERER value.

3. Finally, the *wrong* user may just use any HTTP spoofer available, or
   telnet to port 80, which you cannot stop.

Also, viewing the JavaScript source code cannot be disabled (if this had
been possible then Internet Explorer would not be able to display the page
at all).

Moreover, the applications you are talking about are JavaScript based, which
executes on the client side and can be disabled, etc.

So it is better to do all validation on the server side.

bye
TARUN BANSAL




Perform good strong validation on the *server*, as everyone else has said,
but also use parameterized queries. I believe "plain old" ADO (vs ADO.NET)
supports them, though most of the time they're mentioned as a "new" (?)
feature of ADO.NET. You'll get a performance increase as well.



-----------------------------------------
Rage-Quote: heads bobbin' to the funk outya speaker


----- Original Message -----
From: "Bénoni MARTIN" <Benoni.MARTIN () libertis ga>
To: <webappsec () securityfocus com>
Sent: Tuesday, October 05, 2004 8:25 AM
Subject: Web Forms filtered with SQL constraints


Hi list !

I was wondering how to solve the 2 following problems: I have ASP (not
ASP.NET) forms people have to fill in. To avoid SQL injection
attacks and other tricks, I have set up some JScript filtering on each
field (i.e. for instance a name can just be alphabet characters and no
figures :) ), and I am planning to do the same on my database (setting
up constraints).


But I have 2 questions:
- How can I hide my JScript filtering from the user? When I want to see the
source, everything is displayed, quite normal :( ... Maybe it's not so good
to tell people what I have done to filter them :) I saw some sites where it
is impossible to see the source, impossible to "hoover the site", impossible
even to print ... But I have not been able to find on the net how to do this
:(

- How can I deal with possible SQL errors within an ASP page? I mean, if a
field has been filled in, bypasses my JScript filtering (no matter how),
and gets to the database but is then "stopped" by an SQL constraint, how
do I raise this error on an ASP page without displaying an explicit error
(giving the user the name of my database, for instance)?

Cheers for any clue, I am lost on this topic :(
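The three pieces of advice in this thread (validate on the server, use parameterized ADO queries from classic ASP, and never echo raw database errors to the user) fit into one short page. The following is an added example written for this archive, not code from any poster; the connection string, the `Person` table and its `Name` column, the log file path and the letters-only rule are assumptions chosen to match the original question.

```asp
<%@ Language="JScript" %>
<%
// Added example, not from the thread. Classic ASP (JScript) handler for a
// name field: server-side validation, a parameterized ADO INSERT, and error
// handling that logs the detail but shows the user only a generic message.
// Connection string, table/column names and log path are assumptions.

var CONN_STR = "Provider=SQLOLEDB;Data Source=(local);" +
               "Initial Catalog=People;Integrated Security=SSPI;";

// ADO constants (from adovbs.inc), spelled out because JScript has no include.
var adCmdText    = 1;
var adVarChar    = 200;
var adParamInput = 1;

// The same letters-only rule the client-side JScript enforces, re-applied
// here because the browser-side check can be skipped or edited at will.
function isValidName(s) {
    return /^[A-Za-z]{1,50}$/.test(s);
}

// Insert via ADODB.Command with a bound parameter: the value travels as data,
// so quotes or comment sequences in it never become part of the SQL text.
function insertPerson(name) {
    var conn = Server.CreateObject("ADODB.Connection");
    conn.Open(CONN_STR);
    try {
        var cmd = Server.CreateObject("ADODB.Command");
        cmd.ActiveConnection = conn;
        cmd.CommandType = adCmdText;
        cmd.CommandText = "INSERT INTO Person (Name) VALUES (?)";
        cmd.Parameters.Append(
            cmd.CreateParameter("@name", adVarChar, adParamInput, 50, name));
        cmd.Execute();
    } finally {
        conn.Close();
    }
}

// Write the real error (number, description, source) to a server-side file
// so the details are available to the admin but never to the browser.
function logError(e) {
    var fso = Server.CreateObject("Scripting.FileSystemObject");
    var ForAppending = 8;
    var f = fso.OpenTextFile(Server.MapPath("/logs/app.log"), ForAppending, true);
    f.WriteLine(new Date() + " " + e.number + " " + e.description);
    f.Close();
}

var name = String(Request.Form("name"));

if (!isValidName(name)) {
    // Rejected on the server regardless of what the browser-side script did.
    Response.Write("The name may contain letters only.");
} else {
    try {
        insertPerson(name);
        Response.Write("Saved.");
    } catch (e) {
        // A CHECK/UNIQUE constraint violation or any other ADO error lands
        // here; the user sees a fixed sentence, not the database's message.
        logError(e);
        Response.Write("Sorry, your entry could not be saved.");
    }
}
%>
```

Two points worth noting. The `try`/`catch` covers the database call, but IIS will still send its own detailed ASP error page for unhandled failures elsewhere on the page, so on the server also turn off "Send detailed ASP error messages to client" (or set a custom error page) and keep the log directory outside the web root. And the database-side constraint is the last line of defence rather than the first: the regex above rejects bad input before any SQL runs, and the bound parameter guarantees that even input the regex would pass can only ever be a value, never SQL.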



