Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Web-App-Sec
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: Web Forms filtered with SQL constraints

from [Bénoni MARTIN] Network Security [Permanent Link]
Subject: RE: Web Forms filtered with SQL constraints
Date: Wed, 13 Oct 2004 12:11:27 +0100 
Maybe he was talking about obfuscating code souce and not hiding it :) This can 
make it more tough to interpret, but as you said, if your browser understands 
it, you should be able to understand ...

But obfuscating should dishearten some people, this is better than nothing :)
 

-----Message d'origine-----
De : Michael Silk [mailto:michaels@phg.com.au] 
Envoyé : mercredi 13 octobre 2004 01:09
À : Dr Death; webappsec@securityfocus.com
Objet : RE: Web Forms filtered with SQL constraints

No you don't ... Nothing can hide the source of the page, other then not 
printing it in the first place. If the browser displays the user can see it. 
-----Original Message-----
From: Dr Death [mailto:drdeath4ever@hotmail.com]
Sent: Sunday, 10 October 2004 2:55 PM
To: webappsec@securityfocus.com
Subject: RE: Web Forms filtered with SQL constraints

i have some scripts that hid your page source.

Dr.Death


From: Bénoni MARTIN <Benoni.MARTIN@libertis.ga>
To: "RSnake" <rsnake@shocking.com>, <webappsec@securityfocus.com>
Subject: RE: Web Forms filtered with SQL constraints
Date: Fri, 8 Oct 2004 17:09:21 +0100

Hi !

Thanks for the reply, it's as I was thinking about ! I went on the web 
to get some more infos about that, and I found this article:
http://www.developerfusion.com/show/4325/

So some tell this is a good idea, others say it's not, so I am lost :(
:)


-----Message d'origine-----
De : RSnake [mailto:rsnake@shocking.com] Envoyé : vendredi 8 octobre
2004 01:42 À : webappsec@securityfocus.com Cc : Bénoni MARTIN Objet : 

Re: Web Forms filtered with SQL constraints



      Nothing you do at the client side can be hidden.  I can write a
      client that downloads the source, or watch it via a proxy, or
      look at the cache, etc....  don't even bother trying.  You
      should consider anything client side as protection from
      inadvertant mistakes by users only, and you should always have a
      fall back filter in place to catch the errors before they do any
      damage.

On Wed, 6 Oct 2004, Ian wrote:

| Date: Wed, 06 Oct 2004 09:52:03 +0100
| From: Ian <webappsec2@fishnet.co.uk>
| Reply-To: webappsec@securityfocus.com
| To: "[ISO-8859-1] Bénoni MARTIN" <Benoni.MARTIN@libertis.ga>,
|     webappsec@securityfocus.com
| Subject: Re: Web Forms filtered with SQL constraints
|
| On 5 Oct 2004 at 13:25, Bénoni MARTIN wrote:
|
| > Hi list !
| >
| > I was wondering how to solve the 2 following problems: I have ASP 
| > (not
| > ASP.NET) formulaires people have to fill in. To avoid SQ injection 
| > attacks and other tricks, I have set up some Jscript filtering on 
| > each
field (i.e.
| > for instance a name can just be alphabet's characters and no 
| > figures
| > :) ), and I am planning to do the same on my Database (setting up
constraints).
| >
| >
| > But I have 2 questions:    - How can I hide my Jscript filtering from the
| > user ? When I want to see the source, everything is diaplayed, 
| > quite normal :( ... Maybe it's not so good to tell people what I 
| > have done to filter them :) I saw some sites where it is impossible 
| > to see the source, impossible to "hoover the site", impossible even 
| > to print ... But I have not been able to find on the net how to do 
| > this :(
| >
| >    - How can I deal with possible SQL errors within an ASP page ? I 
| > mean, if a field has been filled in, bypass my Jscript filtering 
| > (no matter how), and gets to the database but is then "stopped" by 
| > an SQL onstraint, how do I raise this error on an ASP page without 
| > diplaying an explicit error (giving the user the name of my 
| > database
for instance) ?
| >
| > Cheers for any clue, I am lost on this topic :(
|
| Hi,
|
| Using classic ASP with vbscript you would add this to the top of the
page:
|
| <% on error resume next %>
|
| Then after every SQL query:
|
| <%
| if err then
|      Response.write "There was a database error"
|      ' Log to error to file
| end if
| %>
|
| I think the equivalent in JScript is the Try, Catch, Finally:
|
| http://msdn.microsoft.com/library/default.asp?url=/library/en-
| us/script56/html/js56jslrfjscripterrorstoc.asp
|
| Hope this helps
|
| Ian
| --
|
|
|
|
|

-R

The information in this email is confidential and may be legally 
privileged.  It is intended solely for the addressee.  Access to this 
email by anyone else is unauthorized.  If you are not the intended 
recipient, any disclosure, copying, distribution or any action taken or 
omitted to be taken in reliance on it is expressly prohibited and may be 
unlawful.








This email message and accompanying data may contain information that is 
confidential and/or subject to legal privilege. If you are not the intended 
recipient, you are notified that any use, dissemination, distribution or 
copying of this message or data is prohibited. If you have received this email 
message in error, please notify us immediately and erase all copies of this 
message and attachments.

This email is for your convenience only, you should not rely on any information 
contained herein for contractual or legal purposes. You should only rely on 
information and/or instructions in writing and on company letterhead signed by 
authorised persons.
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Web Forms filtered with SQL constraints, Emil Filipov
Next by Date:  Technical Note: Detecting and Testing HTTP Response Splitting Using a Browser, Amit Klein (AKsecurity)
Previous by Thread:  RE: Web Forms filtered with SQL constraints, Michael Silk
Next by Thread:  Re: Web Forms filtered with SQL constraints, saphyr
Indexes:  [Date] [Thread] [Top] [All Lists]