Hurricane Wilma has pretty much left the area, but the power is still blinking on and off in the area. Luckily I have battery backup, but sadly this means I don't have an excuse not to work ;), except for the fact that the kids are absolutely going bonkers with all the “excitement“ of the bad weather.
As mentioned earlier, ASP.NET 2.0 Security Best Practices has me thinking about ASP.NET web application security. I have written two posts on the subject already:
These are pretty basic security measures you add to all ASP.NET web applications, but nonetheless still worth talking about. Another ASP.NET security problem worth talking about is SQL Injection Attacks.
What are SQL Injection Attacks ?
SQL Injection is a method of hacking a website by entering SQL Commands into input fields, querystrings, etc. to try to manipulate the SQL statements being sent to and from a database. Many times the “hacker“ is entering T-SQL in various input fields of your web forms in an attempt to log into your website without an account, drop tables in your database, change data in your tables, or access information in your tables.
The nightmare happens when you have a form like below and the data used in those fields is not only not checked and constrained in its values, but also used along with string concatenation to create the SQL query that will be sent to the database.
<form name="frmLogin" action="login.aspx" method="post">
Username: <input type="text" name="username">
Password: <input type="text" name="password">
<input type="submit">
form>
string _username = Request.Form["username"];
string _password = Request.Form["password"];
string sql = "select * from users where username='"
+ _username + "' and password='" + _password + "'"
If I entered something as simple as below for username and password, I would be able to gain access to the application unchecked:
Username: ' or 1=1 ---
Password: [Empty]
Preventing SQL Injection Attacks
In general, the ASP.NET web developer should do the following to avoid SQL Injection Attacks:
- Use parameterized queries or stored procedures to access a database as opposed to using string concatenation.
- Limit the amount of characters in input fields (e.g. username and password fields) to a proper amount. (MaxLength = ??)
- Validate text input for improper characters ( like ' ). For ASP.NET you would use RequiredFieldValidator and RegularExpressionValidator.
- Do not display errors to the user that contain all kinds of wonderful hacking information like table names, fields, database drivers, sql statements, etc. Use a custom generic web page in ASP.NET.
I have already talked about validating text input using Regular Expressions to combat Cross-Site Scripting.
Parameterized queries and stored procedures ( assuming you are not using string concatenation in your sproc) would help you avoid SQL Injection Attacks and would look like this:
string sql = "select * from users where
username = @Username and
Password = @Password"
and passing in values for @Username and @Password appropriately.
Rather than going into this in detail, there are 2 excellent older webcasts that talk about SQL Injection and how to avoid it:
Protecting Your System From SQL Injection Attacks (Webcast)
Dave’s Top 10 Ways to Secure Your Web Application (Webcast)
Conclusion
Stay up-to-date on ASP.NET 2.0 Security Best Practices and make sure are properly validating the data entered into your application using Reqular Expressions and the ASP.NET RegularExpressionValidator. This cannot only help you with Cross-Site Scripting, but also SQL Injection Attacks.
When using Dynamic SQL in your ASP.NET web applications, use parameterized queries in your applications so that you can avoid the risk of SQL Injection Attacks. A good O/R Mapper or Code Generator will take care of this for you. The older Data Access Application Block and newer Enterprise Library Application Blocks use parameterized queries, too.
Written By David Hayden ( Website / Blog )