
I had developed a website (in asp.net), and it has a registration page (not signup, but it receives people's details). It is actually an educational organisation's site, and the registration form is meant for people who want to register for workshops organised by the organisation.

Now coming to the point, I was checking the database's registration table (Database is in MS Access), and found multiple rows having data like:

//In Residential Address field
[url=http://paydayloansonline25.com]payday loans online[/url] pay loans direct student loans [url=http://paydayloansonline25.com]get loan online payday[/url] cash fast without bank account http://paydayloansonline25.com small business loans fast cash

//In Field to store workshop id, for which the person want to register for, the data was
document.getElementById(varIDCtrlName).value;  

I am sure it was a possible SQL injection attack, but not sure what the hacker would have tried to do, and, if he was successful, what he would have collected. Please also mention how I should handle it.


For more information:

I have not added the parameters like

EnableEventValidation="false" ValidateRequest="false" 

in the page directive of the aspx page, which I guess are true by default and, while true, help with this type of possible attack. Another thing worth mentioning is that my OleDbCommand's parameters are written like

cmd.Parameters.AddWithValue("@ResiAddress", strResiAddress);
Cyberpks
  • SQL injection is when users add SQL code in (form) fields to get/manipulate other data in your database that was not intended to be received/edited. This seems like a 'simple' spam entry; however, you should be sure not to parse and execute javascript when displaying this item. – rickvdbosch Jan 09 '13 at 07:04

2 Answers


That is cross-site scripting.

Cross-site scripting (XSS) is a type of computer security vulnerability typically found in Web applications. Due to breaches of browser security, XSS enables attackers to inject client-side script into Web pages viewed by other users.

In your case the attacker is expecting you to display those fields on your web pages somewhere, and since they are HTML/Javascript, they will be displayed in the browser in the manner the attacker wants.

Habib
    Although if the data is used/escaped appropriately - i.e. "HTML encoded" - then that would be thwarted. –  Jan 09 '13 at 07:05
  • @pst: Wouldn't the data be shown as part of the page after html encoding? i.e. how will html encode remove "payday loan" thing. I agree that the link will be escaped. – shahkalpesh Jan 09 '13 at 07:18
  • @shahkalpesh It might be the most pleasant user experience to see the ads, but as long as a script or another XSS vector can't be triggered, then it's still "safe". Of course, if the injected markup could be used as a Social Engineering - e.g. phishing - vector .. then that could be counter-argued as not being safe. Presumably there is a markup processor to turn the `[stuff]` into *valid and "safe"* HTML output. Handling SPAM is another issue .. –  Jan 09 '13 at 07:20
  • Well, in my case the data is nowhere HTMLEncoded or Decoded, and any kind of markup processing like @pst mentioned isn't there. But can you please explain what the attacker tried to do with that XSS thing, as in this case the data is not accessible by anyone other than the admin himself? But still I need to know, so as to avoid the same things in future. – Cyberpks Jan 09 '13 at 07:26
  • @Cyberpks, The attacker probably assumed that the information being entered in the fields will be displayed on your website somewhere. If this information from this table is not shown anywhere on your website, then this script/html will not be used. – Habib Jan 09 '13 at 07:45
  • @Habib, I'd like to ask you if adding the data as parameterised query is enough for solving the issue, in case I'd like to show the data somewhere like you mentioned. And it also means that in the admin screen where the whole data is visible, the thing should work as the attacker assumed. – Cyberpks Jan 09 '13 at 07:50
  • @Cyberpks, parameterized queries will prevent you from possible SQL injection; it will not prevent you from XSS. HTML encoding is one way to deal with the XSS. You may also see: http://stackoverflow.com/questions/205923/best-way-to-handle-security-and-avoid-xss-with-user-entered-urls – Habib Jan 09 '13 at 07:54
  • @Habib, thanks a lot friend. You really helped a lot :) – Cyberpks Jan 09 '13 at 08:03

It's not a SQLi attack - there are no SQL commands in the data.

However, `document.getElementById(varIDCtrlName).value;` is valid JavaScript code, so it looks like some kind of scripting attack. That JavaScript is innocent, but if an attacker can enter data in a field that is later run as a script, it is a severe security threat.

Anders Abel
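The following is an added example, not code from the question or from either answer. It puts the two defences that Habib's comments and Anders Abel's answer keep separate side by side: HTML-encoding at the point of output (which stops stored XSS in the admin screen) and a parameterised OleDb insert (which stops SQL injection but, by design, stores the payload verbatim). The table and column names, the admin-page markup and the third sample value are constructed for illustration; the first two values are copies of what the question reports finding in the database.

```csharp
// Added example (not from the original question or answers). Shows why the stored
// strings are inert as data but dangerous on output, and how to render them safely.
// Table/column names, the admin markup and AttributePayload are assumptions.
using System;
using System.Data.OleDb;
using System.Web;   // HttpUtility lives in System.Web.dll; System.Net.WebUtility.HtmlEncode
                    // (.NET 4+) also escapes quotes if you cannot reference System.Web.

static class RegistrationDisplay
{
    // Constructed copies of the two stored values reported in the question.
    public const string StoredAddress =
        "[url=http://paydayloansonline25.com]payday loans online[/url] pay loans direct";
    public const string StoredWorkshopId = "document.getElementById(varIDCtrlName).value;";

    // Assumed payload that request validation does NOT stop: ASP.NET 2.0+ request
    // validation (ValidateRequest="true") rejects '<' followed by a letter, '!', '/', '?'
    // and the sequence '&#'. This string contains neither, so it is accepted and saved.
    // It becomes live script if the admin page drops the column into an attribute.
    public const string AttributePayload = "\" autofocus onfocus=\"alert(document.cookie)";

    // Vulnerable pattern: raw column text concatenated into the page markup
    // (what a Literal.Text = row["ResiAddress"] or <%= %> binding does).
    public static string RenderRaw(string column)
    {
        return "<input type=\"text\" value=\"" + column + "\">";
    }

    // Fixed pattern: encode at the output boundary, for the context the value lands in.
    // Attribute values need HtmlAttributeEncode; element content would use HtmlEncode.
    public static string RenderEncoded(string column)
    {
        return "<input type=\"text\" value=\"" + HttpUtility.HtmlAttributeEncode(column) + "\">";
    }

    // Parameterised insert into the Access table. This blocks SQL injection and nothing
    // else: the value is stored exactly as submitted, which is the correct behaviour.
    // Caveat: the Jet/ACE OLE DB provider ignores parameter names and binds positionally,
    // so the order of Parameters.Add calls must match the order of the '?' placeholders.
    public static void InsertRegistration(OleDbConnection conn, string address, string workshopId)
    {
        using (OleDbCommand cmd = new OleDbCommand(
            "INSERT INTO Registration (ResiAddress, WorkshopId) VALUES (?, ?)", conn))
        {
            cmd.Parameters.AddWithValue("@ResiAddress", address);
            cmd.Parameters.AddWithValue("@WorkshopId", workshopId);
            cmd.ExecuteNonQuery();
        }
    }

    static void Main()
    {
        // The two values from the question: spam and a stray JS fragment, both inert as
        // text because nothing here evaluates them as script.
        Console.WriteLine(RenderRaw(StoredAddress));
        Console.WriteLine(RenderRaw(StoredWorkshopId));

        // The assumed payload: raw output closes the value="" attribute and adds an event
        // handler that fires in the admin's browser; encoded output stays inside the attribute.
        Console.WriteLine(RenderRaw(AttributePayload));
        Console.WriteLine(RenderEncoded(AttributePayload));
    }
}
```

In a Web Forms page the same rule applies per control: `<%: row["ResiAddress"] %>` HTML-encodes, `<%= ... %>` does not; a GridView BoundField encodes by default (HtmlEncode="true"), while a Literal does not unless Mode="Encode". The `[url=...]` BBCode in the question only matters if some processor later turns it into real `<a href>` markup, in which case the href needs to be restricted to http/https as well.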