-2

I hope you can help.

I need to update a very old website that is using classic ASP code and inline sql queries. There’s a lot of bad practice going on but I need to quickly protect the site as best I can while we have the resources to update the site and move it over to a more secure environment.

Basically, what I need is a regular expression or function that will blacklist all of the usual suspects (ie words and characters) that are used as SQL injection. I fully appreciate that there is no concrete way to totally protect the site against SQL injection by using a blacklist (or whitelist). However, I just need to buy myself a little time while I figure everything out, and have the time, to update the entire scripting.

Unfortunately, I’m not that great on classic asp coding but what I have found so far are these three functions:

------------FUNCTION 1--------------

function SQLInject(strWords)
dim badChars, newChars, i
' crude keyword/token blacklist: each entry is stripped from the input
badChars = array("select", "drop", ";", "--", "insert", "delete", "xp_")
newChars = strWords
for i = 0 to uBound(badChars)
' vbTextCompare makes the match case-insensitive, otherwise "SELECT" slips through
newChars = replace(newChars, badChars(i), "", 1, -1, vbTextCompare)
next
' strip every space from the value
newChars = replace(newChars, " ", "")
' escape single quotes once for use inside a quoted SQL literal
newChars = replace(newChars, "'", "''")
' a backslash-escaped double quote (\") is turned into an escaped single quote
newChars = replace(newChars, "\""", "''")
SQLInject = newChars
end function

------------FUNCTION 1--------------

------------FUNCTION 2--------------

function SQLInject2(strWords)
dim badChars, newChars, regEx, i
' regular-expression blacklist of SQL statements, commands and comment tokens
badChars = array( _
"select(.*)(from|with|by){1}", "insert(.*)(into|values){1}", "update(.*)set", "delete(.*)(from|with){1}", _
"drop(.*)(from|aggre|role|assem|key|cert|cont|credential|data|endpoint|event|fulltext|function|index|login|type|schema|procedure|que|remote|role|route|sign|stat|syno|table|trigger|user|view|xml){1}", _
"alter(.*)(application|assem|key|author|cert|credential|data|endpoint|fulltext|function|index|login|type|schema|procedure|que|remote|role|route|serv|table|user|view|xml){1}", _
"xp_", "sp_", "restore\s", "grant\s", "revoke\s", _
"dbcc", "dump", "use\s", "set\s", "truncate\s", "backup\s", _
"load\s", "save\s", "shutdown", "cast(.*)\(", "convert(.*)\(", "execute\s", _
"updatetext", "writetext", "reconfigure", _
"/\*", "\*/", ";", "\-\-", "\[", "\]", "char(.*)\(", "nchar(.*)\(")
newChars = strWords
for i = 0 to uBound(badChars)
Set regEx = New RegExp
regEx.Pattern = badChars(i)
regEx.IgnoreCase = True
regEx.Global = True
' remove every match of this pattern from the input
newChars = regEx.Replace(newChars, "")
Set regEx = Nothing
next
' escape single quotes for use inside a quoted SQL literal
newChars = replace(newChars, "'", "''")
SQLInject2 = newChars
end function

------------FUNCTION 2--------------

------------FUNCTION 3--------------

Function isURL(strURL)

Dim Slug, re, re2

'Everything to lower case
Slug = lcase(strURL)

' Replace - with empty space
Slug = Replace(Slug, "-", " ")

' Replace unwanted characters with space
Set re = New RegExp
re.Pattern = "[^a-z0-9\s-]"
re.Global = True
Slug = re.Replace(Slug, " ")

' Replace multiple white spaces with single space
Set re2 = New RegExp
re2.Pattern = "\s+"
re2.Global = True
Slug = re2.Replace(Slug, " ")

Slug = Trim(Slug)

' Replace white space with -
Slug = Replace(Slug," ", "-")

isURL = Slug

End Function

------------FUNCTION 3--------------

Can anyone let me know if the above is any good and if so which one is the best one? If not, can anyone suggest a sample script I can use just to get by for the moment? Any help would be fully appreciated.

Best regards

Rod from the UK

  • The simplest way to prevent SQL Injection in Classic ASP is to use the `ADODB.Command` object to build [parameterised queries](https://blog.codinghorror.com/give-me-parameterized-sql-or-give-me-death/). Here's just one [example](https://stackoverflow.com/a/22037613/692942) but there are many more on SO – user692942 Nov 22 '17 at 23:06
  • Yet another one - https://stackoverflow.com/a/20702205/692942 – user692942 Nov 22 '17 at 23:18
  • Much appreciated! – user3185300 Nov 28 '17 at 17:45

3 Answers

4

Read about parameterised queries https://vikaskanani.wordpress.com/2012/05/07/classic-asp-sql-injection-prevention-by-using-query-parameter/

pee2pee
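What a parameterised query looks like in practice, as an added example (not part of this answer or the linked article): the inline-concatenation pattern the question describes sits next to the `ADODB.Command` version the comments recommend. The connection string, the `Products` table and its `ProductID`/`ProductName` columns are assumptions for illustration; the ADO constant values are the standard ones from `adovbs.inc`.

```vbscript
<%
' ADO constants (normally supplied by adovbs.inc or a METADATA TypeLib
' directive); declared here so the page runs on its own.
Const adCmdText    = 1
Const adInteger    = 3
Const adVarWChar   = 202
Const adParamInput = 1

' VULNERABLE: the value is pasted straight into the SQL text, so the
' database cannot tell user data apart from query structure. No blacklist
' reliably closes this; the fix is to stop building SQL from strings.
Function GetProductUnsafe(conn, productId)
    Dim rs
    GetProductUnsafe = ""
    Set rs = conn.Execute("SELECT ProductName FROM Products WHERE ProductID = " & productId)
    If Not rs.EOF Then GetProductUnsafe = rs("ProductName").Value
    rs.Close
End Function

' SAFE: the SQL text is fixed and the value travels as a typed parameter,
' so it is never parsed as SQL whatever characters it contains.
Function GetProductSafe(conn, productId)
    Dim cmd, rs
    GetProductSafe = ""
    ' reject non-numeric input before it reaches the database at all
    If Not IsNumeric(productId) Then Exit Function
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    cmd.CommandText = "SELECT ProductName FROM Products WHERE ProductID = ?"
    ' CreateParameter(Name, Type, Direction, Size, Value); Size is omitted for integers
    cmd.Parameters.Append cmd.CreateParameter("@ProductID", adInteger, adParamInput, , CLng(productId))
    Set rs = cmd.Execute()
    If Not rs.EOF Then GetProductSafe = rs("ProductName").Value
    rs.Close
End Function

' Text parameters work the same way; quotes, semicolons and keywords in the
' value are just data. Size is the maximum length accepted for the value.
Function FindProductsByName(conn, namePart)
    Dim cmd, rs, html
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    cmd.CommandText = "SELECT ProductName FROM Products WHERE ProductName LIKE ?"
    cmd.Parameters.Append cmd.CreateParameter("@Name", adVarWChar, adParamInput, 100, "%" & namePart & "%")
    Set rs = cmd.Execute()
    html = ""
    Do While Not rs.EOF
        ' encode on output as well: parameters stop SQL injection, not XSS
        html = html & Server.HTMLEncode(CStr(rs("ProductName").Value)) & "<br>"
        rs.MoveNext
    Loop
    rs.Close
    FindProductsByName = html
End Function

Dim conn
Set conn = Server.CreateObject("ADODB.Connection")
' placeholder connection string: replace with the site's own
conn.Open "Provider=SQLOLEDB;Data Source=DB_SERVER_PLACEHOLDER;Initial Catalog=DB_NAME_PLACEHOLDER;Integrated Security=SSPI;"

' Request values are untrusted; only the parameterised functions see them.
Response.Write Server.HTMLEncode(GetProductSafe(conn, Request.QueryString("id")))
Response.Write FindProductsByName(conn, Request.QueryString("q"))

conn.Close
Set conn = Nothing
%>
```

Converting an existing page is mostly mechanical: each `"... WHERE x = '" & value & "'"` becomes a `?` placeholder plus one `CreateParameter` call with the column's ADO type, and the blacklist functions from the question become unnecessary for that query. Because the structure of the statement is decided before any value is attached, the same code handles a product name containing an apostrophe or a stray `--` correctly instead of mangling it.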
0

Above Functions: On the surface, any/all of those should work. (Not having tested them myself.)

I would suggest that you take the time to test them.

Whatever you do, there'll be something that you will have to adjust later on. The bad guys are very creative.

Also, while it may seem like a good idea to run all the functions through a parent function that calls the three above, you may find that you take a performance hit - depending on how many times they're all run.

Alternate: Have you considered replicating something like PHP's AddSlashes() function? That should break some of the SQL insertion attempts. You could customise it to target extra things that don't technically need \'s, but would neuter the SQL injection.

If you don't want to mess about with ASP classic & Regex, you could achieve this with a few simple replace(input,"'","\'") style lines.

Mark
-1

You're basically trying to invent your own Web Application Firewall. This is a huge, complex task, and hard to get right unless you are a security expert.

https://learn.microsoft.com/en-us/azure/application-gateway/application-gateway-web-application-firewall-overview

I would recommend you skip this step. I don't think you will "buy yourself time"—you will just delay fixing your code properly by using SQL query parameters.

Bill Karwin