[web] SQL injection

Started by
10 comments, last by Jason Zelos 17 years, 4 months ago
I'm looking for people to test the login page on this site for SQL injection: clicky. Here is a page that shows the records in the database: clicky. And yes, this is my page; check the upper right corner for proof. I appreciate any help.
Right off the bat, your script for checking passwords doesn't look at case sensitivity. It also appears you aren't encrypting passwords at registration.

EDIT: Both of the above are a serious problem. I will do further testing later tonight.

[Edited by - Cygnus_X on November 17, 2006 12:41:00 PM]
The script converts all the letters into lowercase to check for illegal characters.
For the encryption I will work on it later.
My concern now is SQL injection vulnerabilities.


Thanks for your help, waiting for more replies.
Have you had a look at html_entities() and html_entities_decode()?
It would be easier to check for vulnerabilities if you just posted the code.

-me
Use ereg() for checking against characters you want to be illegal. The way you have it now, your password is bypass, but the following would also work with your script:

byPass
byPASS
ByPasS

etc.

Thus, instead of having 1 valid password for your admin account, you'd have 2^6 (64) valid passwords. I know it doesn't have anything to do with SQL injection, I just thought I'd point it out as a security issue.

EDIT: ereg() is a function in php. But, there should be a similar function in other languages.

[Edited by - Cygnus_X on November 17, 2006 3:28:05 PM]
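The two problems raised in this reply, plaintext password storage and a case-insensitive comparison, shown side by side in Python as an added example. This is not code from the thread (the login script is classic ASP); the PBKDF2 iteration count is an assumed work factor, and "bypass" is the constructed sample password the reply uses.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumption: PBKDF2 work factor, tune per deployment


def plaintext_case_insensitive_check(stored, candidate):
    """Python equivalent of StrComp(stored, candidate, vbTextCompare) = 0
    on a plaintext password: any case spelling of the password passes."""
    return stored.lower() == candidate.lower()


def case_variants(password):
    """Number of distinct case spellings a case-insensitive compare accepts
    (2 per letter, 1 per non-letter)."""
    return 2 ** sum(1 for c in password if c.isalpha())


def hash_password(password, salt=None):
    """Return (salt, digest) for storage. A fresh random salt per user means
    equal passwords do not produce equal stored values."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, ITERATIONS)
    return salt, digest


def verify_password(stored_salt, stored_digest, candidate):
    """Recompute the digest with the stored salt and compare the exact bytes
    in constant time; a case difference changes the bytes, so it fails."""
    _, digest = hash_password(candidate, stored_salt)
    return hmac.compare_digest(digest, stored_digest)


if __name__ == "__main__":
    salt, digest = hash_password("bypass")
    print("weak check accepts ByPasS:",
          plaintext_case_insensitive_check("bypass", "ByPasS"))
    print("variants accepted by weak check:", case_variants("bypass"))
    print("hashed check accepts bypass:", verify_password(salt, digest, "bypass"))
    print("hashed check accepts byPass:", verify_password(salt, digest, "byPass"))
```

The registration page stores only the salt and digest; the login page calls verify_password on what the user typed, so the database never holds the password itself and the comparison is exact.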
OK, I will explain it more. Let's say I log in with username Admin: the code takes the username and changes it to lower case "admin" and checks if it has any illegal characters. If it doesn't have any illegal chars, it checks the database, but using the "Admin" that I entered.

Here is the code of the login screen

<%
Dim inUserName, inPassword
inUserName = Trim(Request("username"))
inPassword = Trim(Request("pass"))

Dim sUsername, sPassword
sUsername = LCase(Request.Form("username"))

Function IllegalChars(sInput)
    Dim sBadChars, iCounter
    IllegalChars = False
    sBadChars = array("select", "drop", ";", "--", "insert", "delete", "xp_", _
        "#", "%", "&", "'", "(", ")", "/", "\", ":", ";", "<", ">", "=", "[", "]", "?", "`", "|")
    For iCounter = 0 To UBound(sBadChars)
        If InStr(sInput, sBadChars(iCounter)) > 0 Then
            IllegalChars = True
        End If
    Next
End Function

If IllegalChars(sUsername) = True Then
    Response.Write("Invalid username or password")
Else
    ' I didn't put all the database-related code, only the line that I used to select the record of the username inputted
    "SELECT * FROM Table WHERE userName = '" & inUserName & "'"
    If myRS.EOF Then
        Response.Write("This Account doesn't exist, click <a href=""http://www.ganarplatita.com.ar/emanuel/mail.asp"">here</a> to create one")
    Else
        ' here I compared the password inputted in the login screen with the password saved in the database (of the record that was selected according to the username inputted)
        If (StrComp(myRS("password"), inPassword, vbTextCompare) = 0) Then
            session("user") = inUserName
            Response.Redirect("game.asp")
        Else
            session("user") = ""
            Response.Write("incorrect password")
        End If
    End If
End If
%>
Ugly. The simple and painless way would be to quote your string so it cannot be interpreted as SQL code at all, a functionality which most SQL interfaces provide.

However, since you're using ASP, you might want to take a look at the safer, faster and cleaner Parametrized Queries.
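To make toohrvyk's point concrete, an added Python/SQLite example that is not code from the thread (the login script itself is classic ASP). It ports the IllegalChars blacklist from the posted script and contrasts the concatenated query pattern with a parameterized one; the users table and its two rows are constructed sample data.

```python
import sqlite3

# Token list copied from the thread's IllegalChars() function (input is
# lower-cased, then substring-matched). Kept only to contrast it with a
# parameterized query; it is not a recommended defence on its own.
BAD_CHARS = ["select", "drop", ";", "--", "insert", "delete", "xp_",
             "#", "%", "&", "'", "(", ")", "/", "\\", ":", "<", ">", "=",
             "[", "]", "?", "`", "|"]


def illegal_chars(s):
    """Python port of IllegalChars(LCase(username))."""
    s = s.lower()
    return any(token in s for token in BAD_CHARS)


def make_db():
    """In-memory users table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (userName TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("admin", "secret"), ("O'Brien", "pw2")])
    conn.commit()
    return conn


def lookup_concat(conn, username):
    """The thread's pattern: "... WHERE userName = '" & inUserName & "'"."""
    sql = "SELECT userName FROM users WHERE userName = '" + username + "'"
    return conn.execute(sql).fetchall()


def concat_query_fails(conn, username):
    """True if concatenation yields SQL that SQLite refuses to parse,
    e.g. because an apostrophe in the name unbalances the quotes."""
    try:
        lookup_concat(conn, username)
        return False
    except sqlite3.OperationalError:
        return True


def lookup_param(conn, username):
    """Parameterized form: the value is bound as data, never parsed as SQL."""
    sql = "SELECT userName FROM users WHERE userName = ?"
    return conn.execute(sql, (username,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("blacklist rejects O'Brien:", illegal_chars("O'Brien"))
    print("concatenated query breaks on O'Brien:", concat_query_fails(db, "O'Brien"))
    print("parameterized lookup of O'Brien:", lookup_param(db, "O'Brien"))
    print("parameterized lookup of Admin:", lookup_param(db, "Admin"))
```

Two things the run shows that the thread only states: a legitimate name with an apostrophe is rejected by the blacklist and breaks the concatenated query, yet is handled correctly once it is bound as a parameter, so the blacklist is not what protects the query. And because the original script lower-cases the name only for the check but queries with the name as typed, "Admin" and "admin" are different lookups under a case-sensitive column comparison, which the last line makes visible.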
Thanks toohrvyk, but did the code I provided have any vulnerabilities?
I also want to put that same system of checking for illegal chars/strings on the create account page, so that no one can create an account like admin or admin2.
In sBadChars=array, you may want to include the "update" statement as an exception. Just something to consider.

Other than that, your code looks good to me. Though... I'm not very strong in .asp.
