Lost in .NET Code

Developing software in .NET, Security and other ramblings.

SQL Injections ASP

Tuesday, November 4, 2008

http://blogs.technet.com/neilcar/archive/2008/10/31/sql-injection-hijinks.aspx

Neil Carpenter shows another example of why ASP and the use of a blacklist are a really bad idea.

This is really interesting because it shows that:
"ASP drops a percent sign from the query string if it isn't followed by two valid hex characters (0-9, A-F) when it actually interprets it via Request.QueryString."

Neil proves this with a test page, and it shows that the earlier attacks are again being updated to get past filters. If companies have merely patched over this type of hole, they will be facing a more complete attack soon.

http://www.iis.net/downloads/default.aspx?tabid=34&g=6&i=1697

The new version of UrlScan specifically checks for this and is worth having in your toolkit.


SQL Injection Prevention Articles

Monday, July 21, 2008

SQL Injection prevention in ASP
http://msdn.microsoft.com/en-us/library/cc676512.aspx

SQL Injection prevention in ASP.Net
http://msdn.microsoft.com/en-us/library/ms998271.aspx

Both excellent articles on preventing SQL injection.


Scrawlr announcement - Microsoft / HP Collaborate on SQL Injection tool

Wednesday, June 25, 2008

https://download.spidynamics.com/Products/scrawlr/

Well worth downloading and running: it is free and certainly a great tool to start testing for SQL injection on a website.


Classic ASP Functions for preventing SQL Injections

Tuesday, June 10, 2008

The big rule of doing any CRUD data jobs in any ASP/ASP.NET app with SQL Server is that you MUST use parameterized queries.

http://msdn.microsoft.com/en-us/library/cc676512.aspx

The article above also outlines using regular expressions to protect your web app by validating data before passing it through.

Below are some example functions for testing whether a string is an int and for removing anything other than digits from a string. Both provide a first basic layer for stopping SQL injection attacks in classic ASP, as a lot of web apps use an int as the key field in a database, so it gets passed through in a query string. Hopefully these will prove useful to someone else.

Function IsInt(strOriginalString)
    ' Returns True only if the whole string is digits (no sign, no spaces).
    Dim objRegExp : Set objRegExp = New RegExp
    With objRegExp
        .Pattern = "^\d+$"
        .IgnoreCase = True
        .Global = True
    End With

    IsInt = objRegExp.Test(strOriginalString)
    Set objRegExp = Nothing
End Function

Function OnlyInt(strOriginalString)
    ' Strips everything except digits, e.g. "12ab3" becomes "123".
    Dim regEx, Match, Matches, returnString ' Create variables.
    returnString = ""
    Set regEx = New RegExp ' Create a regular expression.
    regEx.Pattern = "\d+" ' Set pattern.
    regEx.IgnoreCase = True ' Set case insensitivity.
    regEx.Global = True ' Set global applicability (find all matches).
    Set Matches = regEx.Execute(strOriginalString) ' Execute search.
    For Each Match In Matches ' Iterate Matches collection.
        returnString = returnString & Match.Value
    Next
    OnlyInt = returnString
    Set regEx = Nothing
End Function
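A parameterized lookup to go with the functions above, as an added example that is not part of the original post: once IsInt has accepted the key, the query takes it as a typed ADODB parameter instead of building the SQL text from it. The connection string name, table and column names are assumptions.

```vbscript
' Added example, not from the original post. Assumes the IsInt function above,
' a connection string stored as Application("ConnectionString") in global.asa,
' and a Products table with an integer ProductId column and a text Name column.
Const adCmdText = 1
Const adInteger = 3
Const adParamInput = 1

Function GetProductName(strId)
    GetProductName = ""
    ' First layer: reject anything that is not purely digits.
    ' The length check keeps CLng below its 32-bit limit.
    If Not IsInt(strId) Or Len(strId) > 9 Then Exit Function

    Dim objConn, objCmd, objRS
    Set objConn = Server.CreateObject("ADODB.Connection")
    objConn.Open Application("ConnectionString")

    Set objCmd = Server.CreateObject("ADODB.Command")
    Set objCmd.ActiveConnection = objConn
    objCmd.CommandType = adCmdText
    ' The key is a placeholder in the SQL text; its value is sent separately
    ' as a typed parameter, so it can never change the shape of the statement.
    objCmd.CommandText = "SELECT Name FROM Products WHERE ProductId = ?"
    objCmd.Parameters.Append objCmd.CreateParameter("ProductId", adInteger, adParamInput, 4, CLng(strId))

    Set objRS = objCmd.Execute
    ' Appending "" turns a database NULL into an empty string.
    If Not objRS.EOF Then GetProductName = objRS("Name") & ""

    objRS.Close
    Set objRS = Nothing
    Set objCmd = Nothing
    objConn.Close
    Set objConn = Nothing
End Function

' HTML-encode the result so the page cannot be used for script injection either.
Response.Write Server.HTMLEncode(GetProductName(Request.QueryString("id")))
```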


"Response Buffer Limit Exceeded": an ASP solution for sending a large file

Thursday, April 12, 2007

So lately I have been working in old skool ASP. I hit the problem of sending a large exe file to a client; the file size was 30 Meg. A couple of searches all turned up this page.

http://www.fogcreek.com/FogBugz/KB/errors/ResponseBufferLimitExceed.html

So I phoned my hosting company, who promptly said no to my request to change the AspBufferingLimit. Not surprising, as this is the limit that stops an infinite loop from consuming the server.

So a few more Google pages and a bit of hacking later, I have hopefully put a working solution together.

Hopefully this might be useful for someone in the future.

Response.AddHeader "Content-Disposition", "attachment; filename=mylargedownload.exe"
Response.AddHeader "Content-Transfer-Encoding", "binary"
Response.ContentType = "application/octet-stream"

Const adTypeBinary = 1
Const clChunkSize = 1048576 ' 1 MB per chunk, well under the default AspBufferingLimit
Dim strFilePath, objStream
' This is the path to the file on disk.
strFilePath = Server.MapPath("/download/mylargedownload.exe")

Set objStream = Server.CreateObject("ADODB.Stream")
objStream.Open
objStream.Type = adTypeBinary
objStream.LoadFromFile strFilePath

' Read until the end of the stream rather than counting chunks: a file whose
' size is an exact multiple of clChunkSize would otherwise get one extra Read
' past the end, and BinaryWrite of that empty result fails.
Do While Not objStream.EOS
    Response.BinaryWrite objStream.Read(clChunkSize)
    ' Flushing after each chunk keeps the buffered response under the limit.
    Response.Flush
Loop

objStream.Close
Set objStream = Nothing
' Stop here so no trailing page markup is appended to the binary.
Response.End
