ASP.NET Security: 8 Ways to Avoid Attack : Page 2

Adding security to Web apps may not be great fun, but it doesn't have to be hard. You can ensure your apps meet today's best practices by applying eight principles for secure Web development.


Tip 2—SQL Injection
SQL Injection is another well-known exploit that attackers love, yet surprisingly many developers still don't take it seriously. An example will illustrate why it matters: suppose I have a simple login form with fields for user name and password.

This is a very common function in Web applications, and most people (especially beginning database programmers) will write it as shown:

Private Sub btnLogin_Click(ByVal sender As System.Object, _
        ByVal e As System.EventArgs) Handles btnLogin.Click
    SqlConnection1.Open()
    ' The query text is built by concatenating raw form input, so whatever
    ' the user types is parsed as part of the SQL statement (injectable).
    Dim str As String = "SELECT * FROM Users WHERE UserID='" _
        & txtName.Text & "' AND Password='" & _
        txtPassword.Text & "'"
    Dim comm As New SqlCommand(str, SqlConnection1)
    Dim reader As SqlDataReader = comm.ExecuteReader()
    If Not reader.HasRows Then _
        Response.Write("Login failed. Please try again")
    While reader.Read()
        Response.Write("Hello " & reader("UserName"))
    End While
    reader.Close()
    SqlConnection1.Close()
End Sub

Figure 6. Not a Password. This form allows manipulation of your database using SQL keywords.
In this code, the developer simply takes whatever the user entered and concatenates it into the SQL string. At a minimum the developer should validate the input; a good first check is the length of the user-entered data, to be sure it is not overly long.



But there's a far worse danger with such sloppy code. Because the input is parsed as SQL, an attacker can type SQL fragments into the password field and run queries of their own choosing. For example, the 'password' shown in Figure 6 displays every user name in the database, which is definitely not something you want to support.

Another exploit the attacker can try is known as the SQL Union attack. The following text, entered as a string in either the user name or password text box, executes as shown in Figure 7 and gives the attacker plenty of information about your server. (A UNION has to return the same number of columns as the original SELECT, so the attacker adjusts the number of selected values to match; here it matches the three columns of the Users table.)

xyz' union select @@servername, @@servicename, @@version --

Figure 7. Secrets Unearthed. The user has used the log in form to successfully uncover information about SQL Server.
A much safer way to formulate your SQL string is to use the Parameters collection of the SqlCommand object. The advantage of this approach is that ADO.NET never splices the values into the query text: the statement, with @userID and @password placeholders, and the values are sent to SQL Server separately, where they are bound as typed data. A quote, a comment marker or a UNION in the input is therefore just characters in a string, never part of the statement.

The following shows the updated login method:

Private Sub btnLogin_Click(ByVal sender As System.Object, _
        ByVal e As System.EventArgs) Handles btnsecureLogin.Click
    SqlConnection1.Open()
    ' The statement is fixed; the user-supplied values go in as parameters.
    Dim str As String = "SELECT * FROM Users WHERE " & _
        "UserID=@userID AND Password=@password"
    Dim comm As New SqlCommand(str, SqlConnection1)
    ' On .NET 2.0 and later, Add(String, Object) is obsolete; use
    ' AddWithValue or Add with an explicit SqlDbType instead.
    comm.Parameters.Add("@userID", txtName.Text)
    comm.Parameters.Add("@password", txtPassword.Text)
    Dim reader As SqlDataReader = comm.ExecuteReader()
    If Not reader.HasRows Then _
        Response.Write("Login failed. Please try again")
    While reader.Read()
        Response.Write("Hello " & reader("UserName"))
    End While
    reader.Close()
    SqlConnection1.Close()
End Sub
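To make the difference between the two handlers concrete, here is an added example (mine, not code from the article) that mirrors both of them in Python against an in-memory SQLite database. The Users table, its three rows and the attacker inputs are all constructed for this example; SQLite has no @@servername or @@version, so sqlite_version() stands in for the server facts the article's payload reads. The vulnerable function concatenates the input like the first handler; the safe one passes it as parameters like the second.

```python
import sqlite3

# Constructed sample data (not from the article).
USERS = [
    ("alice", "s3cret", "Alice Adams"),
    ("bob", "hunter2", "Bob Brown"),
    ("carol", "passw0rd", "Carol Clark"),
]

# Constructed attacker inputs.  The tautology closes the quoted literal and
# turns the WHERE clause into "... OR '1'='1'", which is always true.  The
# UNION payload appends a second SELECT and comments out the rest of the
# original statement (the column count must match: one column here).
TAUTOLOGY = "' OR '1'='1"
UNION_PAYLOAD = "xyz' UNION SELECT sqlite_version() --"


def make_db():
    """Create an in-memory database with a Users table like the article's."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (UserID TEXT, Password TEXT, UserName TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?, ?)", USERS)
    return conn


def login_vulnerable(conn, user_id, password):
    """Like the first btnLogin_Click: the SQL text is built by string
    concatenation, so the user's input is parsed as SQL."""
    sql = ("SELECT UserName FROM Users WHERE UserID='" + user_id +
           "' AND Password='" + password + "'")
    return sorted(row[0] for row in conn.execute(sql))


def login_parameterized(conn, user_id, password):
    """Like the secure version: the statement is fixed and the values travel
    as bound parameters, so quotes, comments and UNION in them are just data."""
    sql = "SELECT UserName FROM Users WHERE UserID=? AND Password=?"
    return sorted(row[0] for row in conn.execute(sql, (user_id, password)))


def demo():
    """Run both versions against the same payloads; returns a dict of results."""
    conn = make_db()
    try:
        return {
            "vuln_tautology": login_vulnerable(conn, "", TAUTOLOGY),
            "vuln_union": login_vulnerable(conn, UNION_PAYLOAD, "anything"),
            "safe_tautology": login_parameterized(conn, "", TAUTOLOGY),
            "safe_union": login_parameterized(conn, UNION_PAYLOAD, "anything"),
            "safe_valid": login_parameterized(conn, "bob", "hunter2"),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

Running it shows the vulnerable query returning all three user names for the tautology and the SQLite version string for the UNION payload, while the parameterized query returns nothing for either payload and exactly one row for real credentials. The same holds for SQL Server: the parameter values never reach the parser as SQL text.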

Tip 3—Validate your User Inputs
Validate your user inputs religiously. The rule of thumb here is to assume the worst about your end users: they are bound to enter input that is totally unexpected. Check for illegal characters and limit the amount of data they can enter. ASP.NET ships with a set of validation controls (RequiredFieldValidator, RegularExpressionValidator, RangeValidator, CompareValidator and CustomValidator): make full use of them, both on the client side and on the server side. Client-side validation only improves the user experience; an attacker can bypass it simply by posting the form without the script, so always check Page.IsValid on the server before doing anything with the data.
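As an added example (mine, not from the article, and plain Python rather than the ASP.NET validation controls), here is the server-side half of that rule: an allowlist for the user ID and a length bound for the password, run before any database work. The character set and limits are assumptions for illustration; pick the ones that fit your application. Note the password check deliberately permits quotes, since rejecting them would weaken users' passwords and the parameterized query from Tip 2 already makes them harmless.

```python
import re

# Allowlist: a user ID is 1-32 characters from a small, known-safe set.
# The bounds are an assumption for this example, not a rule from the article.
USER_ID_RE = re.compile(r"[A-Za-z0-9_.@-]{1,32}")
MAX_PASSWORD_LEN = 128  # assumed bound; large enough for any real passphrase


def validate_user_id(value):
    """True only if the whole value matches the allowlist pattern."""
    return USER_ID_RE.fullmatch(value) is not None


def validate_password(value):
    """Passwords may contain any printable character (quotes included, since
    the query is parameterized), but the length is bounded so nobody can push
    megabytes through the login form."""
    return 0 < len(value) <= MAX_PASSWORD_LEN and value.isprintable()


def check_login_input(user_id, password):
    """Server-side gate; returns a list of error messages (empty when valid)."""
    errors = []
    if not validate_user_id(user_id):
        errors.append("user id: letters, digits, _ . @ - only, at most 32 characters")
    if not validate_password(password):
        errors.append("password: 1-128 printable characters")
    return errors


if __name__ == "__main__":
    # Constructed inputs: a normal login and the article's UNION payload.
    for uid, pw in [("alice", "s3cret"),
                    ("xyz' union select @@servername, @@servicename, @@version --", "x")]:
        print(repr(uid), "->", check_login_input(uid, pw) or "ok")
```

Validation like this is defense in depth, not a substitute for parameters: it stops the UNION payload at the user-ID field and caps request size, but only the parameterized query guarantees that whatever gets through is treated as data.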


