Lost in .NET Code

Developing software in .NET, Security and other ramblings.

XP Antivirus 2008

Wednesday, August 27, 2008

http://www.theregister.co.uk/2008/08/22/anatomy_of_a_hack/

Having spent a good couple of hours this week cleaning up XP Antivirus 2008, and in one case having to do it twice (sigh), it was very interesting to see this article. Everyone should read it; the quality of the attack that XP Antivirus 2008 uses is quite scary and will probably start to set a benchmark for coming attacks. It will require a lot of education to protect users from this type of threat.




Sql Injection Prevention Articles

Monday, July 21, 2008

SQL Injection prevention in ASP
http://msdn.microsoft.com/en-us/library/cc676512.aspx

SQL Injection prevention in ASP.Net
http://msdn.microsoft.com/en-us/library/ms998271.aspx

Both excellent articles on preventing SQL injection.


Scrawlr announcement - Microsoft / HP Collaborate on SQL Injection tool

Wednesday, June 25, 2008

https://download.spidynamics.com/Products/scrawlr/

Well worth downloading and running: it is free and certainly a great tool to start testing for SQL injection on a website.


Microsoft Anti Scripting Library + Base controls

Wednesday, June 18, 2008

I have been experimenting with finding quick fixes for XSS on an existing site, using the browser file in ASP.NET to get a system-wide anti-XSS implementation without having to go through each bit of code.

By no means is this a perfect solution; you should go through all of the code that you are working on, but sometimes you need to get a defence up and running quickly.

This technique I am experimenting with would also potentially be useful when starting a new site: a set of basic controls that have the Microsoft Anti Scripting Library applied as standard.

Link to the Microsoft Anti Scripting Library:

http://www.microsoft.com/downloads/details.aspx?familyid=EFB9C819-53FF-4F82-BFAF-E11625130C25&displaylang=en

Example:
http://msdn.microsoft.com/en-us/library/aa973813.aspx

This is the code I am tinkering with:

using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Web;
using Microsoft.Security.Application;
using System.Web.UI.WebControls;

namespace UnwindSoftwareLtd.Web.StandardAxss
{
    // Control adapter for Label. It is mapped to Label through a .browser file
    // so that every Label on the site is encoded without touching the page code.
    public class LabelControl : System.Web.UI.WebControls.Adapters.WebControlAdapter
    {
        protected override void Render(System.Web.UI.HtmlTextWriter writer)
        {
            // HTML-encode the label text with AntiXss before the standard
            // rendering writes it out.
            ((Label)base.Control).Text = AntiXss.HtmlEncode(((Label)base.Control).Text);
            base.Render(writer);
        }
    }
}


Ideally, though, I would like the Anti Scripting Library to be applied to all MS controls and switched on by default. I accept that there are applications that need to use, for example, the Label control to output JavaScript, but it would be great if you could use a switch to say "don't use the Anti Scripting Library here" or "I want JavaScript-format output for that".



James


Classic ASP Functions for preventing SQL Injections

Tuesday, June 10, 2008

The big rule of doing any CRUD data jobs in any ASP/ASP.NET app with SQL Server is that you MUST use parameterized queries.

http://msdn.microsoft.com/en-us/library/cc676512.aspx

The article above also outlines using regular expressions to protect your web app by validating data before passing it through.

Below are some example functions for testing whether a string is an int and for removing anything other than digits from a string. Both provide a first basic layer against SQL injection attacks in classic ASP, as a lot of web apps use an int as a key field in the database, so it gets passed through in querystrings. Hopefully these will prove useful to someone else.

Function IsInt(strOriginalString)
    Dim objRegExp : Set objRegExp = New RegExp
    With objRegExp
        .Pattern = "^\d+$"    ' one or more digits and nothing else
        .IgnoreCase = True
        .Global = True
    End With

    IsInt = objRegExp.Test(strOriginalString)
    Set objRegExp = Nothing
End Function

Function OnlyInt(strOriginalString)
    Dim regEx, Match, Matches, returnString         ' Declare variables.
    Set regEx = New RegExp                          ' Create a regular expression.
    regEx.Pattern = "\d+"                           ' Set pattern: runs of digits.
    regEx.IgnoreCase = True                         ' Set case insensitivity.
    regEx.Global = True                             ' Set global applicability.
    Set Matches = regEx.Execute(strOriginalString)  ' Execute search.
    For Each Match In Matches                       ' Iterate Matches collection.
        returnString = returnString & Match.Value
    Next
    OnlyInt = returnString
End Function
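As an added example (not code from the original post) of the parameterized-query rule stated above, here is a classic ASP function that validates a querystring id and then queries SQL Server through an ADODB parameter instead of concatenating the value into the SQL text. The digit check is tightened to at most nine digits so the value also fits a SQL int; the connection string in Application("ConnString") and the Products table are assumptions for the example.

```vbscript
' Added example, not from the original post. Assumes a connection string in
' the application variable "ConnString" and a table
' Products(ProductId int, Name nvarchar(100)).
Const adCmdText = 1
Const adInteger = 3
Const adParamInput = 1

Function GetProductName(strId)
    Dim re, conn, cmd, rs
    GetProductName = ""

    ' Same idea as IsInt above, but bounded to nine digits: "^\d+$" alone
    ' accepts a 12-digit string that would overflow CLng and a SQL int.
    Set re = New RegExp
    re.Pattern = "^\d{1,9}$"
    If Not re.Test(strId) Then Exit Function

    Set conn = Server.CreateObject("ADODB.Connection")
    conn.Open Application("ConnString")

    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    ' The ? placeholder is bound below; the id never becomes part of the SQL text.
    cmd.CommandText = "SELECT Name FROM Products WHERE ProductId = ?"
    cmd.Parameters.Append cmd.CreateParameter("ProductId", adInteger, adParamInput, , CLng(strId))

    Set rs = cmd.Execute
    If Not rs.EOF Then GetProductName = rs("Name").Value

    rs.Close
    conn.Close
    Set rs = Nothing
    Set cmd = Nothing
    Set conn = Nothing
End Function

' Usage in a page: encode on output as well, since the name came from the database.
' Response.Write Server.HTMLEncode(GetProductName(Request.QueryString("id")))
```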
