Cross Site Scripting (XSS) Attacks, SQL Injection and ASP.NET

“The biggest challenge to developing secure applications is that most programmers don’t know they’re writing insecure applications. Let’s look at a simple example, a forum-type application. However, any application that displays data entered by a user is a potential target.” –Brad McCabe, XSS Happens


For an introduction to securing ASP.NET sites, check out Dino Esposito’s article “Take Advantage of ASP.NET Built-in Features to Fend Off Web Attacks”.



Dino summarizes the most common types of Web attacks and describes how Web developers can use built-in features of ASP.NET to increase security.


Perhaps one of the most dangerous and overlooked attacks is the SQL Injection attack.  It’s very easy to overlook how an attacker can exploit seemingly harmless SQL code, especially if a developer’s experience and understanding of SQL is less than expert.  There are a number of articles available, including:



Stop SQL Injection Attacks Before They Stop You (MSDN Magazine, Sep 2004)
source: http://msdn.microsoft.com/msdnmag/issues/04/09/SQLInjection/default.aspx
This article discusses:



  • How SQL injection attacks work
  • Testing for vulnerabilities
  • Validating user input
  • Using .NET features to prevent attacks
  • Importance of handling exceptions




Preventing SQL Injection Attacks
source: http://www.wwwcoder.com/main/parentid/258/site/2966/68/default.aspx


Keep your code secure against intruders. In this article we provide examples of SQL injection attacks and how you can write code to prevent them. Stop people from getting information from your database.


Are you still vulnerable to a SQL Injection attack?
source: http://www.spidynamics.com/whitepapers.html


SQL Injection can deliver total control of your server to a hacker, giving them the ability to read, write and manipulate all data stored in your backend systems!
Despite being remarkably simple to protect against, there are an astonishing number of production systems connected to the Internet that “fixed” the problem by hiding error data from the users but were left vulnerable to this type of attack!


Advanced SQL Injection In SQL Server Applications
source: http://www.nextgenss.com/papers/advanced_sql_injection.pdf


This document discusses in detail the common ‘SQL injection’ technique, as it applies to the popular Microsoft Internet Information Server/Active Server Pages/SQL Server platform. It discusses the various ways in which SQL can be ‘injected’ into the application and addresses some of the data validation and database lockdown issues that are related to this class of attack. The paper is intended to be read by both developers of web applications which communicate with databases and by security professionals whose role includes auditing these web applications.


(more) Advanced SQL Injection
source: http://www.nextgenss.com/papers/more_advanced_sql_injection.pdf


This paper addresses the subject of SQL Injection in a Microsoft SQL Server/IIS/Active Server Pages environment, but most of the techniques discussed have equivalents in other database environments. It should be viewed as a “follow up”, or perhaps an appendix, to the previous paper, “Advanced SQL Injection”.


The paper covers in more detail some of the points described in its predecessor, providing examples to clarify areas where the previous paper was perhaps unclear. An effective method for privilege escalation is described that makes use of the openrowset function to scan a network. A novel method for extracting information in the absence of ‘helpful’ error messages is described; the use of time delays as a transmission channel. Finally, a number of miscellaneous observations and useful hints are provided, collated from responses to the original paper, and various conversations around the subject of SQL injection in a SQL Server environment.  


One method to prevent SQL injection attacks is to use parameterized SQL queries. This technique can be used for Access as well as SQL Server, and any other DB system that supports parameterized queries. The example below demonstrates .NET with SQL Server, but the underlying examples should be easily adaptable to whatever system you’re using.
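As an added illustration (not code from this post or from the linked article), the following C# shows a concatenated query beside its parameterized ADO.NET form; the Posts table, its columns, the nvarchar(50) Author column and the connection string are all assumed.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

public static class ForumData
{
    // Assumed placeholder; real code reads this from configuration.
    private const string ConnectionString =
        "Server=(local);Database=Forum;Integrated Security=SSPI;";

    // VULNERABLE: user-controlled text is spliced into the SQL text, so the
    // server cannot tell where the query ends and the data begins.
    public static DataTable FindPostsUnsafe(string author)
    {
        string sql = "SELECT PostId, Title FROM Posts WHERE Author = '" + author + "'";
        using (SqlConnection conn = new SqlConnection(ConnectionString))
        using (SqlDataAdapter adapter = new SqlDataAdapter(sql, conn))
        {
            DataTable table = new DataTable();
            adapter.Fill(table);
            return table;
        }
    }

    // SAFE: the SQL text is fixed at compile time; the value travels to the
    // server as a typed parameter and is never interpreted as SQL.
    public static DataTable FindPostsSafe(string author)
    {
        // Enforce the assumed column length here: SqlClient silently truncates
        // an over-long input parameter, so reject it explicitly instead.
        if (author == null || author.Length > 50)
            throw new ArgumentException("author must be 1-50 characters", "author");

        const string sql = "SELECT PostId, Title FROM Posts WHERE Author = @author";
        using (SqlConnection conn = new SqlConnection(ConnectionString))
        using (SqlCommand cmd = new SqlCommand(sql, conn))
        {
            // Type and size match the assumed nvarchar(50) column definition.
            cmd.Parameters.Add("@author", SqlDbType.NVarChar, 50).Value = author;
            using (SqlDataAdapter adapter = new SqlDataAdapter(cmd))
            {
                DataTable table = new DataTable();
                adapter.Fill(table);
                return table;
            }
        }
    }
}
```

The same @author parameter pattern applies unchanged when CommandType is set to StoredProcedure, which is the route the dynamic SQL articles below build on.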



Using parameterized SQL queries
source: http://www.uberasp.net/getarticle.aspx?id=46


Save yourself from SQL injection attacks and other nasty problems by passing along data in parameters.


The Curse and Blessing of Dynamic SQL
source: http://www.sommarskog.se/dynamic_sql.html


In this article I will discuss the use of dynamic SQL in stored procedures in MS SQL Server, and I will show that this is a powerful feature that you should use with care. I first discuss why we use stored procedures at all, before I explain the feature as such. I then look at the conflicts between the virtues of stored procedures and the effects of dynamic SQL. I also point to the common security issue known as SQL injection. I then move on to suggest some good coding practices. I conclude by reviewing a number of cases where dynamic SQL often is suggested as a solution, both where dynamic SQL is the way to go, and where it is a poor choice. For the latter cases, I suggest alternative strategies.


Dynamic Search Conditions in T-SQL
source: http://www.sommarskog.se/dyn-search.html


This article details the ways to use dynamic SQL in a stored procedure for searching SQL Server databases. Written by a Microsoft MVP, there are a few topics that will be over the head of beginning SQL programmers, but this is still an important read. This is a follow-up to “The Curse and Blessing of Dynamic SQL”.


It is important to have a full understanding of all the risks that your web application faces. For this, Microsoft has released a guide for developers and administrators. You can purchase the guide from Amazon by clicking the links below, or click this link to download it for free from Microsoft.


Improving Web Application Security: Threats And Countermeasures

This guide gives you a solid foundation for designing, building, and configuring secure ASP.NET Web applications. Whether you have existing applications or are building new ones, you can apply the guidance to help you make sure that your Web applications are hack-resilient.


Web Applications (Hacking Exposed)

This work covers all major Web application platforms and focuses on vulnerabilities across different programming languages, including PHP, ASP, Perl, JavaScript and Java. It includes examples of security attacks and countermeasures in Web application software.


Hacking Exposed: Network Security Secrets & Solutions, Fourth Edition (Hacking Exposed)

This text unveils the methods hackers use to break into systems, networks, and software, and suggests steps administrators can take to secure their computers at the different layers. The fourth edition covers the latest hacking methods and adds a chapter on 802.11 wireless networks. The DVD-ROM contains a video presentation with PowerPoint slides.