Do not rely solely on client-side validation (JavaScript)
An attacker can bypass client-side validation simply by disabling JavaScript in the web browser. Do not depend exclusively on JavaScript to search for and replace potentially dangerous HTML statements or SQL Injection keywords. Always revalidate the user input on the server side. I know it is a lot of work, but for the sake of security we have to do it.
In the add comment section, the page uses JavaScript to check for blank fields. Try disabling JavaScript in your browser and adding the comment again. Click here to learn how to disable and enable JavaScript.
Replacing a single quotation mark (') with two single quotation marks ('')
I have seen some web sites claiming that SQL Injection can be prevented simply by replacing each single quotation mark with two single quotation marks. That is not always the case: attackers are still able to inject malicious script or HTML markup into the SQL table without using a single quotation mark at all, and they can bypass such a filter by using a different character encoding. Please refer to "How To: Prevent Cross-Site Scripting in ASP.NET", table 1.
Inline Code/tags
There are several ways to display information from an ASP.NET page. We can display information using an embedded code block, <% ... %>, or the <%= ... %> construction. Another way is the data-binding syntax <%# ... %>, which binds control property values to data and specifies values for retrieving, updating, deleting, and inserting data. Make sure to apply either the HttpUtility.HtmlEncode or Server.HtmlEncode method to encode form data and any other client request data before displaying it in the page. This helps prevent Cross-Site Scripting attacks. With ASP.NET 4.0, the new <%: ... %> code nugget syntax automatically HTML encodes the output before it is rendered.
Stored procedure
I'm using stored procedures in my web application; are stored procedures immune to SQL Injection attacks? The answer is "it depends". If dynamic SQL statements are built inside the stored procedure, it may still be open to SQL Injection. Shown below is a stored procedure with a dynamic SQL statement in it.
Figure 19
Update the comment field with the value ha ha ha';--. The "Update using inline query" and "Update using SP – Dynamic Query" buttons will update every comment field in the table with the specified value, because the injected quote closes the string literal and the -- comments out the rest of the statement, including the WHERE clause. On the other hand, the "Update using SP" button will only update the current record.
Figure 20
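The contrast above, as an added T-SQL example that is not the article's own Figure 19 code: a constructed Comments table, a stored procedure that concatenates the comment text into a dynamic statement, and the same update written with parameters. The table and procedure names are assumptions.

```sql
-- Added example (not the article's code): constructed Comments table with two rows.
CREATE TABLE Comments (
    CommentID   INT           PRIMARY KEY,
    CommentText NVARCHAR(200) NOT NULL
);
INSERT INTO Comments (CommentID, CommentText)
VALUES (1, N'first comment'), (2, N'second comment');
GO

-- Vulnerable: the comment text is concatenated into the statement, so the
-- value ha ha ha';-- closes the literal and comments out the WHERE clause.
-- The executed statement becomes
--   UPDATE Comments SET CommentText = 'ha ha ha';-- ' WHERE CommentID = 2
-- and every row in the table is updated.
CREATE PROCEDURE dbo.UpdateComment_Dynamic
    @CommentID   INT,
    @CommentText NVARCHAR(200)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX);
    SET @sql = N'UPDATE Comments SET CommentText = ''' + @CommentText
             + N''' WHERE CommentID = ' + CAST(@CommentID AS NVARCHAR(10));
    EXEC (@sql);
END
GO

-- Safe: a static statement with parameters. The input is only ever data,
-- so ha ha ha';-- is stored literally and only the chosen row changes.
-- (If dynamic SQL is genuinely required, pass values through sp_executesql
-- parameters instead of concatenating them.)
CREATE PROCEDURE dbo.UpdateComment_Static
    @CommentID   INT,
    @CommentText NVARCHAR(200)
AS
BEGIN
    UPDATE Comments
    SET CommentText = @CommentText
    WHERE CommentID = @CommentID;
END
GO

-- Demonstration with the article's input value (two single quotes escape one).
EXEC dbo.UpdateComment_Static 1, N'ha ha ha'';--';
SELECT CommentID, CommentText FROM Comments;  -- only row 1 changed

EXEC dbo.UpdateComment_Dynamic 2, N'ha ha ha'';--';
SELECT CommentID, CommentText FROM Comments;  -- both rows now read 'ha ha ha'
```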
Request validation (ASP.NET)
Please note that the ValidateRequest attribute in the @page directive is set to false on purpose, to emulate the Classic ASP environment and to prevent the .NET framework from throwing the error "A potentially dangerous Request.Form value was detected from the client". If you come across this error message in your own application, rethink the business logic or page architecture before disabling request validation.
More reading
Adding Cross-Site Scripting Protection to ASP.NET 1.0
ASP.NET 2.0 Security Best Practices - Must Read Article on MSDN
How To: Prevent Cross-Site Scripting in ASP.NET
Security Practices: ASP.NET Security Practices at a Glance
SQL Injection
SQL Injection General Guidance
Stop SQL Injection Attacks Before They Stop You