Security matters for every application. A mistake in even a simple application can give an attacker unauthorized access to databases or other enterprise resources, so it deserves particular attention. A common attack technique is to embed commands in user input; filtering illegal characters out of user input helps prevent such attacks.
Allowing users to enter invalid characters increases the chance of user-caused problems. For example, many applications accept input that is appended to the WHERE clause of a SQL command. A malicious user can execute code on the database server by adding extra commands to the text they enter: instead of entering "Smith" as the search string, they enter "Smith'; Exec master..xp_cmdshell 'dir *.exe".
The following code is designed to process multiple recordsets returned from the server. If the user input contains an additional, unexpected command, the hidden malicious code is executed when the NextRecordset method is called.
This attack can be avoided by filtering illegal characters out of the user input (the block marked by the comment in the code). The user input is still processed after this is done, but all invalid characters have been removed.
Dim rst As ADODB.Recordset
Dim rst2 As ADODB.Recordset
Dim strUserInput As String

' Sample input: a search string with an injected command after the closing quote
strUserInput = "Smith'; Exec master..xp_cmdshell 'dir *.exe"

' Filter input for invalid characters
strUserInput = Replace(strUserInput, "<", vbNullString)
strUserInput = Replace(strUserInput, ">", vbNullString)
strUserInput = Replace(strUserInput, """", vbNullString)
strUserInput = Replace(strUserInput, "'", vbNullString)
strUserInput = Replace(strUserInput, "%", vbNullString)
strUserInput = Replace(strUserInput, ";", vbNullString)
strUserInput = Replace(strUserInput, "(", vbNullString)
strUserInput = Replace(strUserInput, ")", vbNullString)
strUserInput = Replace(strUserInput, "&", vbNullString)
strUserInput = Replace(strUserInput, "+", vbNullString)
strUserInput = Replace(strUserInput, "-", vbNullString)

Set rst = New ADODB.Recordset
rst.ActiveConnection = "Provider=SQLOLEDB;Data Source=sqlserver;" & _
    "Initial Catalog=pubs;Integrated Security=SSPI"
' ActiveConnection is already set, so the second Open argument is left empty
rst.Open "SELECT * FROM authors WHERE au_lname = '" & strUserInput & _
    "'", , adOpenStatic
' Do something with recordset 1
Set rst2 = rst.NextRecordset()
' Do something with recordset 2
Embedding commands in user input is also a common way to attack ASP Web applications, known as cross-site scripting. Filtering the input and using the Server.HTMLEncode and Server.URLEncode methods help prevent such problems in your ASP application.
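The following is an added example, not code from the original article, that reproduces the article's character filter in Python and puts it beside the two mitigations a practitioner would pair it with: a parameterized query (the driver binds the search string as a literal, so a quote or semicolon in it can never close the string or start a second statement) and HTML encoding of output, the equivalent of Server.HTMLEncode. The in-memory SQLite table standing in for pubs.authors, its rows, and the function names are all constructed for this example; the injection string is the one from the article. The test cases also show the filter's cost: a legitimate name such as O'Brien is mangled by the filter but handled correctly by the parameterized query.

```python
import html
import sqlite3

# Characters the article's Replace() chain strips, reproduced here.
INVALID_CHARS = ['<', '>', '"', "'", '%', ';', '(', ')', '&', '+', '-']

# The article's injection string (constructed sample input).
INJECTION_INPUT = "Smith'; Exec master..xp_cmdshell 'dir *.exe"


def filter_invalid_chars(user_input: str) -> str:
    """Remove every character in INVALID_CHARS, as the article's VB6 filter does."""
    for ch in INVALID_CHARS:
        user_input = user_input.replace(ch, "")
    return user_input


def build_demo_db() -> sqlite3.Connection:
    """In-memory stand-in for the pubs.authors table with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE authors (au_id TEXT, au_lname TEXT, au_fname TEXT)")
    conn.executemany(
        "INSERT INTO authors VALUES (?, ?, ?)",
        [
            ("172-32-1176", "White", "Johnson"),
            ("213-46-8915", "Smith", "Ann"),
            ("238-95-7766", "O'Brien", "Cheryl"),
        ],
    )
    conn.commit()
    return conn


def find_authors(conn: sqlite3.Connection, last_name: str) -> list:
    """Parameterized equivalent of the article's rst.Open query.

    The search string is passed as a bound parameter rather than concatenated
    into the SQL text, so it is compared as a literal value and never parsed
    as SQL, whatever characters it contains.
    """
    return conn.execute(
        "SELECT au_lname, au_fname FROM authors WHERE au_lname = ?",
        (last_name,),
    ).fetchall()


def html_encode(text: str) -> str:
    """Equivalent of ASP's Server.HTMLEncode for text written into a page."""
    return html.escape(text, quote=True)


if __name__ == "__main__":
    db = build_demo_db()
    print("filtered:", filter_invalid_chars(INJECTION_INPUT))
    print("parameterized lookup of injection string:", find_authors(db, INJECTION_INPUT))
    print("parameterized lookup of O'Brien:", find_authors(db, "O'Brien"))
    print("encoded output:", html_encode("<b>" + INJECTION_INPUT + "</b>"))
```

The filter is still useful as defense in depth, but on its own it both rejects valid data (apostrophes in names, hyphens in identifiers) and depends on the block list being complete; binding parameters removes the parsing problem at its root, and encoding on output addresses the cross-site scripting case the article closes with.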