SQL Injection and Cross-Site Scripting
page 8 of 9
by Bryian Tan
Average Rating: This article has not yet been rated.
Views (Total / Last 10 Days): 45342/ 96

Points of Interest

Do not rely solely on client-side validation (JavaScript)

The attacker can bypass the client-side validation by disabling the JavaScript in web browsers. Do not depend exclusively on JavaScript to search and replace potentially dangerous HTML statement or SQL Injection keywords. Make sure to revalidate the user inputs at the server-side. I know is a lot of work, but for the sake of security we have to do it.

In the add comment section, the page is using the JavaScript to check for blank fields.  Try to disable the JavaScript on your browser and add the comment again. Click here to learn on how to disable and enable the JavaScript.

Replacing single quotation mark (') with two single quotation mark ('')

I saw some web site mentioning that SQL Injection vulnerability can be prevented by simply replacing single quotation mark with double quotation mark. That not always the case, the attackers still able to inject the SQL table with malicious script or HTML markup without the single quotation mark. Malicious users can bypass the filter by using different character encoding, please refer to "How To: Prevent Cross-Site Scripting in ASP.NET", table 1.

Inline Code/tags

There are several ways to display information from an ASP.NET program. We can display information in the page using an embedded code block. <% ... %> or using <%= … %> construction. Another way is to use data-binding syntax <%# … %> to bind control property values to data and specify values for retrieving, updating, deleting, and inserting data. Make sure to apply either the HttpUtility.HtmlEncode or Server.HtmlEncode methods to encode the form data and other client request before displaying it in the web page. This will help prevent possible Cross-Site Scripting injection attacks. With ASP.NET 4.0, the new <%: … %> code nugget-syntax will automatically HTML encode the output before it is rendered.

Stored procedure

I'm using stored procedure in my web application, are stored procedures immune to SQL Injection attacks? The answer is "it depends". If we are using dynamic SQL statements within stored procedure then it might open to SQL Injection attacks. Shown below is the stored procedure with dynamic SQL statement in it.

Figure 19

Update the comment field with the value ha ha ha';--. The "Update using inline query" and "Update using SP – Dynamic Query" button will update every comment field in the table with the specified value. On the other hand, the "Update using SP" button will only update the current record.

 Figure 20

Request validation (ASP.NET)

Please note that the ValidateRequest attribute in the @page directive is set to false on purpose to emulate the Classic ASP environment and prevent the .NET framework from throwing the error ("A potentially dangerous Request.Form value was detected from the client"). If you happen to come across this error message in your application, rethink the business logic or page architecture before disabling the request validation.

More reading

Adding Cross-Site Scripting Protection to ASP.NET 1.0

ASP.NET 2.0 Security Best Practices - Must Read Article on MSDN

How To: Prevent Cross-Site Scripting in ASP.NET

Security Practices: ASP.NET Security Practices at a Glance

SQL Injection

SQL Injection General Guidance

Stop SQL Injection Attacks Before They Stop You

View Entire Article

User Comments

Title: NIKE NFL jerseys   
Name: NIKE NFL jerseys
Date: 2012-07-02 10:09:59 AM
We are professional jerseys manufacturer from china,wholesal.cheap nike nfl jerseys, mlb jerseys, nhl jerseys,nba jerseys and shoes
,heap jerseys,2012 nike nfl Jerseys,nba jersey and shorts,oklahoma city thunder jersey,official jeremy lin new york knicks jersey,NFL Jerseys Wholesale,blake griffin jersey blue,NFL jerseys For Sale online.All Our Jerseys Are Sewn On and Directly From Chinese Jerseys Factory
,Wholesale cheap jerseys,Cheap mlb jerseys,]Nike NFL Jerseys,Cheap China Wholesae,Wholesale jerseys From China,2012 nike nfl Jerseys,Jerseys From China,,2012 nike nfl Jerseys,Revolution 30 nba jerseys,jersey of nba chicago bulls direk rose ,nfl jerseys,green bay packers jerseys wholesale,Buffalo Bills nike nfl jerseys sale,good supplier soccer jerseys,cool base mlb jerseys,Revolution 30 nba jerseys,2012 stanley cup nhl jersey,
We are professional jerseys manufacturer from china,wholesal.cheap nike nfl jerseys, mlb jerseys, nhl jerseys,nba jerseys and shoes. www.yourjerseyhome.com
Title: SQL Injection and Cross-Site Scripting   
Date: 2011-01-18 6:25:25 AM
The best SQL Server Site Scripting
Title: avrail   
Name: Refat Eid
Date: 2010-09-19 3:02:00 AM
where can i found the TestDBSetup.sql ?
Title: Really Good   
Name: Ankit Shivankar
Date: 2010-09-15 1:04:32 AM
its really good.....and easy to understand

dear Bryian ...
M facing some problem in my personal project can u help me..
if u can then plz contact me on mail id that is shiva.ankit@gmail.com
Title: Download Link   
Name: Bryian Tan
Date: 2010-09-14 8:21:24 PM

Sorry, I think I forgot to include the download link. Anyway, please download the sample code from here http://download.ysatech.com/SQL-Injection-and-Cross-Site-Scripting/Sample_SQLInjection_XSS.zip
Title: Gustavo   
Name: Fernandez
Date: 2010-09-14 3:19:45 PM
Where is the link to download the code sample (TestDBSetup.sql)?
Title: Senior programmer/analyst   
Name: Greg Hilsheimer
Date: 2010-09-14 2:16:39 PM
where is link to download code

Community Advice: ASP | SQL | XML | Regular Expressions | Windows

©Copyright 1998-2024 ASPAlliance.com  |  Page Processed at 2024-07-24 9:15:33 AM  AspAlliance Recent Articles RSS Feed
About ASPAlliance | Newsgroups | Advertise | Authors | Email Lists | Feedback | Link To Us | Privacy | Search