Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Web-App-Sec
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Web Forms filtered with SQL constraints

from [tie] Network Security [Permanent Link]
Subject: Re: Web Forms filtered with SQL constraints
Date: Wed, 06 Oct 2004 12:44:16 +0300 
Hi Bénoni,

Getting the source of your JavaScript code is always possible - no matter what tricks you apply. Denying right-click, hover over or whatever else you can think of will not save your code from prying eyes. After all , the code is transmitted in clear text between you and the server . You can use many applications (apart from browsers) to get the source - see Achilles for example. Hiding your JavaScript sources however, should not be your concern.

JavaScript is a CLIENT-side scripting language. It is getting interpreted on the CLIENT side. And client=attacker. The attacker has full control on any code that is executed on his PC. So, the attacker can easily just skip your JavaScript checks and here you are with unverified input. You don't need to see/analyze the validation checks when you can just skip them :)

You cannot provide security through JavaScript. It is only used to provide convenience to your 'legal' visitors. Your server-side .ASP scripts should NEVER rely on client-side input validation. Big No-No here.

Instead, you should verify the input inside your .ASP scripts, on the server side. Validate them, as there is no client-side checking at all - there is really none, from the attacker's point of view.

Regards,
tie

Bénoni MARTIN wrote:

Hi list !

I was wondering how to solve the 2 following problems: I have ASP (not ASP.NET) 
formulaires people have to fill in. To avoid SQ injection attacks and other 
tricks, I have set up some Jscript filtering on each field (i.e. for instance a 
name can just be alphabet's characters and no figures :) ), and I am planning 
to do the same on my Database (setting up constraints).


But I have 2 questions:
        - How can I hide my Jscript filtering from the user ? When I want to see the 
source, everything is diaplayed, quite normal :( ... Maybe it's not so good to tell 
people what I have done to filter them :) I saw some sites where it is impossible to see 
the source, impossible to "hoover the site", impossible even to print ... But I 
have not been able to find on the net how to do this :(

        - How can I deal with possible SQL errors within an ASP page ? I mean, if a field 
has been filled in, bypass my Jscript filtering (no matter how), and gets to the database 
but is then "stopped" by an SQL onstraint, how do I raise this error on an ASP 
page without diplaying an explicit error (giving the user the name of my database for 
instance) ?

Cheers for any clue, I am lost on this topic :(






[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [Fwd: Re: new opensource security system product launched], arun balaji
Next by Date:  Re: Auditing user session activity, tie
Previous by Thread:  Re: Web Forms filtered with SQL constraints, Saphyr
Next by Thread:  Re: Web Forms filtered with SQL constraints, Steven Boone
Indexes:  [Date] [Thread] [Top] [All Lists]