So I recently inherited some additional sites to manage. Unfortunately some of them were running Classic ASP via IIS5 with a back-end Access (aaargh!) database.
Still, I really wasn’t too concerned about anything other than the age of the server and software. After searching Secunia there’s only one known vulnerability (hack to bypass logging).
But, since this was inherited code I’d better follow up with some due diligence so I fired up Acunetix (there’s a free version too) and ran a scan against all forms on the new sites.
Immediately during my scanning multiple cross-site scripting alerts went up. After a quick stroll through the database I found script tags the security tool had injected into the database.
Holy cow!
Busting out Notepad++ I started going through the code and started discovering stuff like this (and I’m spit-balling here):
Sql = "INSERT INTO tblForms (name, address, phone) VALUES ('" + var1 + "','" + var2 + "','" + var3 + "')";
With Var1, Var2, and Var3 having no sanitation whatsoever!
Not even a Server.HTMLEncode call on the variables (converting the script tags to HTML entities in an attempt to be safer).
The SQL injection potential was obvious by the code as well.
So I dusted off my old ASP reference and (of course) added the proper sanitation.
But that raised the question: “Why is this a recurring theme with web-based forms?”
It was obvious whoever made this had no clue how to clean the data going to the back-end, or that it was even a concern. Couple this with the common theme of “it’s just a form, you can throw it together in 5 min” and it’s a recipe for trouble, as evidenced by all the SQL Injection hacks of late.
So here’s my advice (for what it’s worth):
- Wash your forms. Give them a three-look rule: look at them three times, try to break them, see if you can dump garbage in them.
- Do regular security audits on forms (especially ones you change or inherit)
- Sanitize in the database too (for example: use type-safe parameters instead of a dynamic SQL string).
- Monitor your server. This is actually your best defense against known (or unknown) attacks.
- Last of all don’t let users pressure you into whipping forms out in 5 minutes (unless you’re really sure of what you’re doing).
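To put the two technical points above (the missing Server.HTMLEncode call, and type-safe parameters instead of a dynamic SQL string) into Classic ASP terms, here is an added example of the same INSERT done with ADODB.Command parameters, followed by encoded output. This is example code written for this post, not code from the original sites; it assumes an already-open ADODB.Connection named conn to the Access database and the tblForms table with the name, address and phone columns mentioned above, and the column lengths (100, 255, 30) are assumed for illustration.

```asp
<%
' Added example, not from the original post: the form INSERT done with
' ADODB.Command parameters instead of a concatenated SQL string.
' Assumes "conn" is an open ADODB.Connection to the Access database and the
' tblForms table from the post. ADO constants are declared inline so that
' adovbs.inc does not need to be included.
Const adCmdText = 1
Const adParamInput = 1
Const adVarWChar = 202
Const adExecuteNoRecords = 128

Sub SaveFormEntry(conn, sName, sAddress, sPhone)
    Dim cmd
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    ' "?" placeholders are bound by position by the Jet OLE DB provider, so the
    ' values are never spliced into the SQL text: quotes or script tags in the
    ' input end up stored as plain data and cannot change the statement.
    ' [name] is bracketed because it is a reserved word in Access SQL.
    cmd.CommandText = "INSERT INTO tblForms ([name], [address], [phone]) VALUES (?, ?, ?)"
    ' Sizes are assumed column widths; Left() keeps the value within the
    ' declared parameter size so ADO does not raise an error on long input.
    cmd.Parameters.Append cmd.CreateParameter("pName", adVarWChar, adParamInput, 100, Left(sName, 100))
    cmd.Parameters.Append cmd.CreateParameter("pAddress", adVarWChar, adParamInput, 255, Left(sAddress, 255))
    cmd.Parameters.Append cmd.CreateParameter("pPhone", adVarWChar, adParamInput, 30, Left(sPhone, 30))
    cmd.Execute , , adExecuteNoRecords
    Set cmd = Nothing
End Sub

' Output side: HTML-encode anything read back from the database before it is
' written to the page, so a stored "<script>" renders as text instead of running.
' The "& """ forces a Null field value to an empty string before encoding.
Sub WriteSafe(vValue)
    Response.Write Server.HTMLEncode(vValue & "")
End Sub

' Input side: only accept the form on POST and trim the fields; Trim() also
' turns the Request.Form item into a plain string before it is passed on.
If Request.ServerVariables("REQUEST_METHOD") = "POST" Then
    SaveFormEntry conn, Trim(Request.Form("name")), Trim(Request.Form("address")), Trim(Request.Form("phone"))
    Response.Write "<p>Thanks, "
    WriteSafe Trim(Request.Form("name"))
    Response.Write "</p>"
End If
%>
```

The parameters handle the database side (no quoting tricks reach the SQL text), and WriteSafe handles the browser side (stored data is encoded on the way out), which is why the scanner's injected script tags would show up as literal text rather than as cross-site scripting alerts.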