SQL Injection & Cross-Site Scripting (XSS)

23 06 2009

Today I needed to test a web application I’m currently working on for SQL Injection and Cross-Site Scripting (XSS). Although I was aware of both, I’d never had to test for them before, so in order to test for them I first had to learn how they are done. I’m going to keep this post basic, as I found quite a few very useful pages and articles, which I will link to at the end.

SQL Injection:

When creating or updating a database table in my web application, I go through a Data Access Layer (DAL). I always use parameterised queries as a rule, as I was aware that this is important security-wise. To test my web application for SQL injection, I created a new table in my database called TestTable. Then I went to a web form that ultimately runs an UPDATE command against my database. In the ‘Description’ text field, I entered the following text:
'; DROP TABLE TestTable --'
If the value were concatenated straight into the query text instead of being passed as a parameter, this could result in the SQL being:
UPDATE NameTable
SET Name = 'Me', Description = ''; DROP TABLE TestTable --'
WHERE Id='1'

Obviously very dangerous code! Luckily, because my DAL uses parameterised queries, the database treated the text as a literal value rather than as executable SQL and updated the record as expected, but with
'; DROP TABLE TestTable --'
as the description for the name ‘Me’. As I said, this is a basic explanation; there are also tests you should do on a login form. I’m using a customised version of the .NET Membership API on my web application, so in my case it was already accounted for. However, if you have written your own membership authentication, you should definitely test it for SQL injection.

The links I found useful for SQL injection as promised are:
http://msdn.microsoft.com/en-us/library/ms998271.aspx
http://www.sitepoint.com/article/sql-injection-attacks-safe/

Cross-Site Scripting (XSS):

If you are using Response.Write in your ASP.NET pages, you are definitely vulnerable to XSS, and likewise if you are using query strings. Even if you’re not, I would still recommend testing for any vulnerabilities. In order to test, I used some simple JavaScript to pop up an alert box. I then pasted this on to the end of my URL, i.e. “www.mywebsite.co.uk/login.aspx?’insert javascript here'”, and pressed enter. If you get a pop-up box with the text you gave to your JavaScript alert command, then that’s bad! ASP.NET handled my request with an HttpRequestValidationException and didn’t carry out any of the JavaScript, which is good. I tried the same thing when logged into my website, and also entered the JavaScript in a text box on a form and submitted it. Again .NET handled it for me with an HttpRequestValidationException. All is well.

The links I found useful for Cross-site scripting as promised are:
http://en.wikipedia.org/wiki/Cross-site_scripting
http://www.sitepoint.com/article/cross-site-scripting/

Conclusion:

I’m pretty happy with how my tests went. I am however going to add some extra validation checks on my text boxes anyway, make sure all UPDATE, INSERT and DELETE commands are carried out via stored procedures, and also make sure the database user my application connects with can only execute the required stored procedures and parameterised SELECT statements, with no direct table access.

As I mentioned at the beginning of the post, I am new to the ins and outs of SQL Injection and XSS, so my understanding on some points may be a little off! If anyone who reads this thinks I’m wrong about something I’ve said, or can add anything to it, please comment, because I would like to learn more about this subject.

2 responses

2 07 2009
RRaveen

*Note by blog owner*
I received this comment, and I’ve gone and had a look at the site and joined up. It’s a very useful site, still starting out, so go and have a look, join up and give it some support 🙂

*Original comment*
Dear Friends,

I hope you are doing well. I have launched a web site http://www.codegain.com and it is basically aimed at C#, JAVA, VB.NET, ASP.NET, AJAX, Sql Server, Oracle, WPF, WCF etc. resources, programming help, articles, code snippets, video demonstrations and problem-solving support. I would like to invite you as an author and a supporter. Looking forward to hearing from you and hope you will join us soon.

Please forward this email to all of your friends who are related to IT. Send us your feedback about the site too.

Thank you
RRaveen
Founder CodeGain.com

6 07 2010
sql injection

nice info thx
