WebApp Sec mailing list archives

RE: Web Forms filtered with SQL constraints


From: "Michael Silk" <michaels () phg com au>
Date: Wed, 13 Oct 2004 09:43:55 +1000

Hi Tarun,

        Of course, the user can force his HTTP_REFERER to be any page he likes, so checking it is all but useless.

        And to the original question, it is possible to have your server redirect to a standard error page when an error occurs; it's trivial to find out how, Google can help ... Something like "redirect on error + asp".

-- Michael 

-----Original Message-----
From: yahoouec () iitr ernet in [mailto:yahoouec () iitr ernet in] 
Sent: Saturday, 9 October 2004 2:30 PM
To: Matt Fisher
Cc: webappsec () securityfocus com; Benoni.MARTIN () libertis ga
Subject: Re: Web Forms filtered with SQL constraints

You need to perform validation on the server, otherwise the *wrong* user may

1. Disable JavaScript. This can be avoided by first finding whether the user
   has enabled/disabled JavaScript.

2. Make his own local page without JavaScript (but JavaScript enabled) and then submit the form to your server. This
   can also be disabled by you, by first checking the HTTP_REFERER value.

3. Finally the *wrong* user may just use any HTTP spoofer available or
   do telnet at port 80, which you cannot stop.

Also, viewing the JavaScript source code cannot be disabled (if this had been possible then Internet Explorer won't be
able to display the page ever).

Moreover, the applications you are talking about are JAVASCRIPT based, which executes on the client side and can be disabled
etc.

So it's better to do all validation at the server side.

bye
TARUN BANSAL




Perform good strong validation on the *server*, as everyone else has said,
but also use parameterized queries.  I believe "plain old" ADO (vs ado.net)
supports them, though most of the time they're mentioned as a "new" (?)
feature of ado.net.  You'll get a performance increase as well.



-----------------------------------------
Rage-Quote:heads%20bobbin'%20to%20the%20funk%20outya speaker


----- Original Message -----
From: "Bénoni MARTIN" <Benoni.MARTIN () libertis ga>
To: <webappsec () securityfocus com>
Sent: Tuesday, October 05, 2004 8:25 AM
Subject: Web Forms filtered with SQL constraints


Hi list !

I was wondering how to solve the 2 following problems: I have ASP (not
ASP.NET) forms people have to fill in. To avoid SQL injection
attacks and other tricks, I have set up some JScript filtering on each field (i.e.
for instance a name can just be alphabet's characters and no figures
:) ), and I am planning to do the same on my Database (setting up constraints).


But I have 2 questions:
- How can I hide my JScript filtering from the user? When I want to
see the source, everything is displayed, quite normal :( ... Maybe
it's not so good to tell people what I have done to filter them :) I
saw some sites where it is impossible to see the source, impossible to
"hoover the site", impossible even to print ... But I have not been
able to find on the net how to do this :(

- How can I deal with possible SQL errors within an ASP page? I mean,
if a field has been filled in, bypasses my JScript filtering (no matter
how), and gets to the database but is then "stopped" by an SQL
constraint, how do I raise this error on an ASP page without displaying
an explicit error (giving the user the name of my database for
instance)?

Cheers for any clue, I am lost on this topic :(
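The following classic ASP page is an added example, not code from anyone in this thread; it puts together the three answers above (server-side validation that does not trust the client-side JScript, a parameterized ADO command as Matt suggests, and a redirect to a generic error page when the database rejects the input, as Michael suggests). The `Person` table, the `input_error.asp`/`error.asp` pages and the `Application("ConnString")` setting are assumed placeholders.

```vbscript
<%@ Language="VBScript" %>
<%
Option Explicit
' ADO type/direction codes, as defined in adovbs.inc
Const adCmdText = 1
Const adParamInput = 1
Const adVarChar = 200

' Server-side check of the field, applied no matter what the browser did:
' letters only and a bounded length, mirroring the intended JScript rule.
Function IsValidName(s)
    Dim re
    Set re = New RegExp
    re.Pattern = "^[A-Za-z]{1,50}$"
    IsValidName = re.Test(s)
End Function

' Parameterized INSERT: the value travels as a bound parameter and is never
' concatenated into the SQL text, so quotes in it cannot alter the statement.
Function InsertName(conn, name)
    Dim cmd
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    cmd.CommandText = "INSERT INTO Person (Name) VALUES (?)"   ' assumed table
    cmd.Parameters.Append cmd.CreateParameter("Name", adVarChar, adParamInput, 50, name)
    cmd.Execute
End Function

Dim name, conn
name = Request.Form("name")

' Reject bad input before touching the database; Response.Redirect ends the page.
If Not IsValidName(name) Then
    Response.Redirect "input_error.asp"   ' assumed page with a generic message
End If

On Error Resume Next
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open Application("ConnString")   ' assumed: connection string kept in global.asa
InsertName conn, name
If Err.Number <> 0 Then
    ' A constraint violation or driver error lands here. Record Err.Description
    ' server-side (logging omitted) and send the user only a generic page, so the
    ' database name, table names and driver text never reach the browser.
    Err.Clear
    Response.Redirect "error.asp"   ' assumed generic error page
End If
On Error GoTo 0
conn.Close
%>
```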






