Undoubtedly one of the most common vulnerabilities that I run across during penetration tests or web application security assessments is SQL injection. The fix is very easy for most programming languages, however one seems to be horribly neglected on the world wide web. If you search google for SQL injection prevention along with a specific language, you will run across many forum posts suggesting fixes, many of which are incorrect or simply deterrents that do’t fix the root of the problem. More specifically, there is a lack of examples online for PROPERLY preventing SQL injection on Classic ASP pages.
With that being said, simple filtration of certain characters, keywords, and other attempts to deter SQL injection are many times quite laughable to a security professional such as myself who knows many ways to circumvent such countermeasures. Aside from some of the feeble attempts at prevention I’ve seen, the end goal is to properly secure your resources regardless of past code written. With the lack of Classic ASP examples to properly prevent SQL injection, I am providing an example simple login page below on how to correctly and incorrectly perform database queries using Classic ASP and VBScript. There are other methods than the one shown below that work, but this seems to be the simplest. Enjoy!
<%@ Language ="VBScript"%> <% Option Explicit Dim cnnLogin, rstLogin, strUsername, strPassword, strSQL Const adCmdText =1'Evaluate as a textual definition Const adCmdStoredProc =4'Evaluate as a stored procedure %> <html> <head><title>Login Page</title> </head> <bodybgcolor="gray"> <% If Request.Form("action")<>"validate_login"Then %> <formaction="login.asp"method="post"> <inputtype="hidden"name="action"value="validate_login"/> <tableborder="0"> <tr> <tdalign="right">Login:</td> <td><inputtype="text"name="login"/></td> </tr> <tr> <tdalign="right">Password:</td> <td><inputtype="password"name="password"/></td> </tr> <tr> <tdalign="right"></td> <td><inputtype="submit"VALUE="Login"/></td> </tr> </table> </form> <% Else Set cnnLogin = Server.CreateObject("ADODB.Connection") cnnLogin.open "PROVIDER=SQLOLEDB;DATA SOURCE=localhost;UID=dbuser;PWD=dbpassword;DATABASE=test"
‘BAD WAY WITH CONCATENTATION DO’T DO IT!!!
strSQL =“SELECT * FROM users WHERE username=’“& Request.Form(“login“)&“‘ AND password=’“_