
Monday, July 5, 2010

Web Application Security : Solutions

4 Solutions
 
4.1 Some Ideas

There are a number of ideas for fixing these two security problems. The basic approach is to create a library of ASP functions which can be used without much hassle. The advantage is that such a library is very easy to use. But it is not the best way, because you need to think of it every time you read a request: the one place where you forget to use these functions may be the door for an attacker. The other major disadvantage is that it requires a system for code sharing, to ensure that every Web application uses the current version of the functions.

Combined with the ASP functions it is possible to create a checker tool that reads the source files on the server and tries to detect the parameters which are not checked. This could even be automated using command line options and/or a configuration file.

Another idea that floated around in my head was to create an ISAPI filter, so that the applications would not have to be rewritten. This would be a great advantage, but it has some disadvantages. The most serious problem is that an ISAPI filter cannot know whether a given parameter has to be protected against SQL injection or against cross-site scripting. As we have seen, the two need different filtering. It might be possible to solve this with configuration files, but I have decided not to dig into this for the moment, because it would be quite time consuming.

As I find the idea of the checker tool very sexy, I decided to implement the ASP functions and a checker tool.
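A minimal version of the checker tool described above, added here as an example and not the paper's own tool: it reads ASP source, finds every Request.QueryString / Request.Form / Request.Cookies / Request("x") read, and reports the ones that are not directly wrapped in a sanitising helper. The helper names SafeSQLString, SafeInt, SafeLong, SafeDate and HTMLEncodeSafe are assumptions standing in for the paper's ASP functions of section 4.2, and the sample ASP page at the bottom is constructed for the demonstration.

```python
# Added example, not the paper's own checker tool: a minimal static check over
# ASP source that lists every Request.QueryString / Request.Form / Request.Cookies /
# Request("x") read which is not directly wrapped in a sanitising helper.
# The helper names below are assumptions standing in for the paper's ASP
# functions of section 4.2; adjust SAFE_WRAPPERS to the real library.
import re
import sys

SAFE_WRAPPERS = ("SafeSQLString", "SafeInt", "SafeLong", "SafeDate", "HTMLEncodeSafe")

# A client-controlled read: Request("x"), Request.QueryString("x"), Request.Form("x"), ...
REQUEST_READ = re.compile(
    r'Request(?:\.(?:QueryString|Form|Cookies))?\s*\(\s*"(?P<name>[^"]+)"\s*\)',
    re.IGNORECASE)

# The text immediately before the read must end in "<helper>(" to count as checked.
WRAPPED = re.compile(r'(?:' + '|'.join(SAFE_WRAPPERS) + r')\s*\(\s*$', re.IGNORECASE)


def strip_vb_comment(line):
    """Cut a VBScript line at the first apostrophe outside a double-quoted string."""
    in_string = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_string = not in_string      # a doubled "" toggles twice, which is correct
        elif ch == "'" and not in_string:
            return line[:i]
    return line


def find_unchecked_reads(source):
    """Return [(line_no, parameter_name), ...] for every unwrapped Request read.

    Conservative by design: a read wrapped in anything other than a helper,
    e.g. SafeInt(Trim(Request("id"))), is still reported as unchecked."""
    findings = []
    for line_no, raw in enumerate(source.splitlines(), start=1):
        code = strip_vb_comment(raw)
        for match in REQUEST_READ.finditer(code):
            if not WRAPPED.search(code[:match.start()]):
                findings.append((line_no, match.group("name")))
    return findings


# Constructed sample ASP page (not from the paper) exercising the cases above.
SAMPLE_ASP = """<%
Dim term, id, page
term = SafeSQLString(Request.QueryString("term"))   ' wrapped: fine
id = Request.QueryString("id")                      ' raw: SQL injection
' Response.Write Request("old")                     ' whole line is a comment
sql = "SELECT NewsId FROM T_News WHERE NewsId = " & id
Response.Write "<b>" & Request.Form("comment") & "</b>"
page = SafeInt( Request("page") )
%>"""


if __name__ == "__main__":
    # Usage: python checker.py page1.asp page2.asp ...; without arguments SAMPLE_ASP is scanned.
    files = sys.argv[1:]
    sources = [(f, open(f, encoding="latin-1").read()) for f in files] or [("sample.asp", SAMPLE_ASP)]
    for name, text in sources:
        for line_no, param in find_unchecked_reads(text):
            print("%s:%d: unchecked parameter %r" % (name, line_no, param))
```

On the sample page the tool reports line 4 (id, later concatenated into SQL) and line 7 (comment, written straight into the HTML) and stays silent on the two wrapped reads and the commented-out one. It is deliberately a line-level check: a value stored raw in a variable and sanitised later is still flagged, which is the safer direction for a tool whose purpose is to find the one forgotten place.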

Web Application Security : SQL Injection and Attack Demonstration

2. SQL Injection
Now to the more dangerous part: SQL injection. This is a technique which allows
the attacker to execute SQL statements of his own choosing. With the help of xp_cmdshell
it is even possible to execute system commands if the database is accessed as 'sa'.
This bug exists whenever unvalidated data submitted by the client is used to
build a database query. Let's take this SQL statement, where the string TERM
can be submitted by the visitor:

    SELECT NewsId, NewsTitle
    FROM T_News
    WHERE NewsTitle LIKE '%TERM%'

The client could craft the term so that the table T_News is dropped:
 
    SELECT NewsId, NewsTitle
    FROM T_News
    WHERE NewsTitle LIKE '%';
    DROP TABLE T_News --'

Yes, this is possible. Just submit '; DROP TABLE T_News -- as the search term.
The single quote closes the string literal and with it the WHERE clause, and the
semicolon starts the next statement. The two dashes at the end start a comment,
so the closing quote which the developer has placed after the user's input no
longer produces a syntax error. Whether the second statement really runs depends
on the database and driver accepting several statements in one batch; SQL Server does.
It is also possible to select any other data and display it instead of the news
the developer wanted to show on this page. You can use the UNION statement for
that. The only requirement is that both queries return the same number of columns
with compatible data types in each column; if necessary use CONVERT to achieve that.
[1] shows a trick for finding out how many columns the query has, and their names,
using the HAVING clause. One example of a UNION attack:

    SELECT NewsId, NewsTitle
    FROM T_News
    WHERE NewsTitle LIKE '%DOESNOTEXIST'
    UNION SELECT UserId, UserName
    FROM T_User --%'


 2.1 Protection: Approach I

Filter characters
Luckily this attack is easier to protect against than cross-site scripting. Make
sure to remove or escape all single quotes in string parameters; in T-SQL a quote
is escaped by doubling it, so the literal can no longer be closed early. Numeric
parameters are not enclosed in quotes at all, so quote escaping does nothing for
them: additionally enforce that any numeric input really is numeric, using the
IsNumeric function. The ASP functions (see section 4.2) include generic functions
that protect you from SQL injection, provided you use them every time. The numeric
and date functions check that the input is valid and then explicitly convert it
with CInt, CLng, CDate, etc.

2.2 Protection: Approach II

ADODB Command
There is another approach which is very safe but more work to implement [12].
Use an ADODB Command object with parameters (a prepared statement): the statement
text is fixed and the values are passed separately, so they cannot change its
structure. See appendix D for an example.
Please note that in the example I have checked the numeric parameters. This is
not strictly required, but if you leave it out you get some nasty error messages
instead of a clean validation error: "Application uses a value of the wrong type
for the current operation.".
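The attack from section 2 and both protections from 2.1 and 2.2, carried through in one runnable example. This is added code, not the paper's ASP or its appendix D; Python's sqlite3 module stands in for ADO on SQL Server, the table and column names follow the paper, and the rows are constructed. The UNION_PAYLOAD is the paper's UNION term with the leading "DOESNOTEXIST'" and trailing "--".

```python
# Added example (not from the paper): the LIKE query of section 2 built three
# ways. sqlite3 stands in for ADO / SQL Server; the rows are constructed.
import sqlite3

UNION_PAYLOAD = "DOESNOTEXIST' UNION SELECT UserId, UserName FROM T_User --"


def make_db():
    """In-memory database with the two tables the paper's examples use."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE T_News (NewsId INTEGER, NewsTitle TEXT);
        CREATE TABLE T_User (UserId INTEGER, UserName TEXT);
        INSERT INTO T_News VALUES (1, 'Release notes'), (2, 'Security update'),
                                  (3, 'O''Reilly interview');
        INSERT INTO T_User VALUES (7, 'admin'), (8, 'sa');
    """)
    return con


def search_news_concat(con, term):
    """Vulnerable: the visitor's term is pasted into the statement text."""
    sql = "SELECT NewsId, NewsTitle FROM T_News WHERE NewsTitle LIKE '%" + term + "%'"
    return con.execute(sql).fetchall()


def sql_string(value):
    """Approach I: double every single quote so the literal cannot be closed."""
    return value.replace("'", "''")


def search_news_escaped(con, term):
    """Still concatenation, but the term can no longer escape its quotes."""
    sql = ("SELECT NewsId, NewsTitle FROM T_News WHERE NewsTitle LIKE '%"
           + sql_string(term) + "%'")
    return con.execute(sql).fetchall()


def sql_int(value):
    """Approach I for numbers: validate, then convert; reject everything else."""
    if not value.strip().lstrip("-").isdigit():
        raise ValueError("not an integer: %r" % value)
    return int(value)


def news_by_id_concat(con, news_id):
    """Vulnerable numeric parameter: there are no quotes, so escaping alone is useless."""
    sql = "SELECT NewsId, NewsTitle FROM T_News WHERE NewsId = " + news_id
    return con.execute(sql).fetchall()


def search_news_param(con, term):
    """Approach II: the term travels as a bound parameter, never as SQL text."""
    sql = "SELECT NewsId, NewsTitle FROM T_News WHERE NewsTitle LIKE ?"
    return con.execute(sql, ("%" + term + "%",)).fetchall()


def news_by_id_param(con, news_id):
    """Approach II plus the numeric check the paper recommends keeping."""
    sql = "SELECT NewsId, NewsTitle FROM T_News WHERE NewsId = ?"
    return con.execute(sql, (sql_int(news_id),)).fetchall()


def error_of(fn, con, value):
    """Return the database error message a call produces, or None if it succeeds."""
    try:
        fn(con, value)
    except sqlite3.Error as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    con = make_db()
    print("normal search:    ", search_news_concat(con, "update"))
    print("UNION leak:       ", search_news_concat(con, UNION_PAYLOAD))
    print("apostrophe, concat", error_of(search_news_concat, con, "O'Reilly"))
    print("escaped:          ", search_news_escaped(con, UNION_PAYLOAD))
    print("parameterised:    ", search_news_param(con, UNION_PAYLOAD))
    print("numeric, concat:  ", news_by_id_concat(con, "1 OR 1=1"))
    print("numeric, checked: ", news_by_id_param(con, "2"))
```

Three things worth seeing when it runs: the concatenated query hands back the contents of T_User for the UNION term and every news row for the numeric term "1 OR 1=1"; a legitimate search for O'Reilly breaks the concatenated query with a syntax error while both protected versions find the row; and a UNION with the wrong number of columns fails with the database's own complaint, which is the error message [1]'s HAVING trick turns into a column count. The DROP TABLE variant from section 2 is not shown because sqlite3's execute() refuses more than one statement per call; on SQL Server through ADO the batch runs.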