Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Best practice to avoid Blind SQL Injection Vulnerability in SQL Server - ASP.Net

Tags:

sql-injection

asp.net

what is the best practice to avoid SQL injections.

I have ran a McAfee Secure Check on my application, it shows a problem Blind SQL Injection Vulnerability in SQL Server

and the suggestion is as below

THE SINGLE BEST WAY TO FIX THIS VULNERABILITY IS TO IDENTIFY THE ACCEPTABLE INPUT FOR EACH FORM PARAMETER AND REJECT INPUT THAT DOES NOT MEET THAT CRITERIA. The following is an acceptable solution however it is not optimal. Implement content parsing on data input fields including URL parameters. Remove the following characters from any user or dynamic database input: (examples in VBScript) ' (escape the single quote) input = replace( input, "'", "''" ) " (double quote) input = replace( input, """", "" ) ) (close parenthesis) input = replace( input, ")", "" ) ( (open parenthesis) input = replace( input, "(", "" ) ; (semi-colon) input = replace( input, ";", "" ) - (dash) input = replace( input, "-", "" ) | (pipe) input = replace( input, "|", "" ) On text input it is recommended to append quotes around the user supplied input.

If i understand the suggestion correctly, i have to find all the forms in my application and validate it for not accepting any special characters like " ' ( ) *

Is there anything more to this?

How can i make sure my application is not Vulnerable for SQL injections

Edit

More Specification: 
    Protocol https Port 443 Read Timeout30000Method POST
Path /Login
Hea
ders
Referer=https%3A%2F%2Fwww.mydomain.org%2FLogin
Content-Type=application%2Fx-www-form-urlencoded
Body
ctl00_ScriptManager1_HiddenField=0
__EVENTTARGET=0
__EVENTARGUMENT=0
__VIEWSTATE=/wEPDwUJNjc2MTk0ODk1D2QWAmYPZBYCAgMPZBYCAgsPZBYCAgUPFgIeBFRleHQ
FNzxhIGhyZWY9Jy9SZWdpc3RyYXRpb24nIGNsYXNzPSdidXR0b24nPlJlZ2lzdGVyIE5vdzwvYT5kZEMqo
HfESjF9a2aAo6EwUZFLyVY43k2Ywc5HOrQBdZqz
__EVENTVALIDATION=/wEWCgLkzYaLDgKV/vKYDgKBuZWrDQKS/tSgCgLJloD/DALrw4jECgKb/IYvAu2
GxZoEAuemgo8LAoyWmLsKGesm2g0zKeoodCDHz6Mm9GhhkuncAqXhHTAcUjL1R1Y=
ctl00$header1$btnDisclaimerHTMLOK=OK
ctl00$header1$btnDisclaimerHTMLCancel=Cancel
ctl00$header1$btnSubmit=Register
ctl00$cc1$txtEmail=x' wAiTfOr dELay '0:0:20'--
ctl00$cc1$txtPassword=0
ctl00$cc1$cmdLogin=Log In
Protocol https Port 443 Read Timeout30000Method POST
Path /login/
Hea
ders
Referer=https%3A%2F%2Fwww.mydomain.org%2Flogin%2F
Content-Type=application%2Fx-www-form-urlencoded
Body
ctl00_ScriptManager1_HiddenField=0
__EVENTTARGET=0
__EVENTARGUMENT=0
__VIEWSTATE=/wEPDwUJNjc2MTk0ODk1D2QWAmYPZBYCAgMPZBYCAgsPZBYCAgUPFgIeBFRleHQ
FNzxhIGhyZWY9Jy9SZWdpc3RyYXRpb24nIGNsYXNzPSdidXR0b24nPlJlZ2lzdGVyIE5vdzwvYT5kZEMqo
HfESjF9a2aAo6EwUZFLyVY43k2Ywc5HOrQBdZqz
__EVENTVALIDATION=/wEWCgLkzYaLDgKV/vKYDgKBuZWrDQKS/tSgCgLJloD/DALrw4jECgKb/IYvAu2
GxZoEAuemgo8LAoyWmLsKGesm2g0zKeoodCDHz6Mm9GhhkuncAqXhHTAcUjL1R1Y=
ctl00$header1$btnDisclaimerHTMLOK=OK
ctl00$header1$btnDisclaimerHTMLCancel=Cancel
ctl00$header1$btnSubmit=Register
ctl00$cc1$txtEmail=x' wAiTfOr dELay '0:0:20'--
ctl00$cc1$txtPassword=0
ctl00$cc1$cmdLogin=Log In

I don't understand what is the issue McAfee found here. because for user login I am using parameterized stored procedure. and user inputs are validate on client side

like image 455
HaBo Avatar asked Feb 02 '12 15:02

HaBo

3 Answers

The best practice is to always parametrise your queries; that is, transform them into something like:

update your_table 
set cola=@param1, 
colb =@param2

The way you do this on C# for example, is:

using ( ...)
{
  comm = new  SqlCommand("update your_table set cola=@param1, colb=@param2",conn);
  comm.Parameters.AddWithValue("@param1",someValue);
  comm.Parameters.AddWithValue("@param2",someOtherValue);
  comm.ExecuteNonQuery();
}
like image 76
Icarus Avatar answered Nov 15 '22 03:11

Icarus

That is bad advice. It is painstaking, error prone, and likely to suffer from regression failure. The best approach is to only allow data access via paremeterized queries.

Then, regardless of the user input, you are not vulnerable to SQL injection.

like image 27
D'Arcy Rittich Avatar answered Nov 15 '22 04:11

D'Arcy Rittich

Actually a much more secure and auditable way to insure that your are not venerable to sql injection attacks via your web application is to insure that your web application does not have permission to execute any dynamic slq.

If you setup stored procedures, and only give your website rights to execute those stored procedures, you are virtually guaranteed to be safe, providing of course that your stored procedures don't do something funky.

like image 40
JonnyBoats Avatar answered Nov 15 '22 05:11

JonnyBoats
Sign in to Comment

Related questions

Save record on page leave
Use CodeOnTime asp.net
Use Roslyn to compile Controllers dynamically
Asp.net button object - runat server issue
Programmatically rendering a web UserControl
DropDownList not posting back, even with AutoPostBack set
T-SQL AES Encryption vs Hashing/Salting for logging in users to website
using delegates in ASP.NET to handle asynchronous operations
Using Inner HTML with an ASP:Button?
How to insert data into an existing xml file in asp.net?
populate ASP.NET dropdownlist using javascript
Which account does asp.net need permissions setting on in .net 4 on Win7?
How to change the background color of AjaxControlToolkit HtmlEditorExtender control?
How To Cast Ilist To ArrayList?
cross domain call with jQuery jsonp to ASP.NET web service
updatepanel only updates first time then wont update again
c# - How do I loop through a time range
Registering .ascx ASP.NET User control in ASP.NET Page or Master Page will load it or not?
Ordering Entity Framework items and child items for MVC view
How to access textbox, label inside update panel from code behind using asp.net web forms

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!