Cross site scripting issue

Question

erioch 0 Light Poster

13 Years Ago

Hi all,

I have this code for registration page, I have run some diagnostic tests and found that it is valnurable for Cross site scripting, any help??? or sugestion???

I have attached a copy of the report. Other pages had valnurabilities but very low....

I am not good at asp as such...

<!--#include file="include/dbcommon.asp"-->
<!--#include file="include/md5.asp"-->
<!--#include file="libs/xtempl.asp"-->
<%
if SESSION("count_captcha")="" or SESSION("count_captcha")>5 then SESSION("count_captcha")=0

dim xt
set xt = new XTempl
cEmailField = "Email (Habitat mail)"
reminded=false
strSearchBy="username"

strUsername=""
strEmail=""
strMessage=""

dbConnection=""
db_connect()
DoEvent "BeforeProcessRemind dbConnection"

if request.form("btnSubmit") = "Remind" then
	strSearchBy=request.Form("searchby")
	strUsername=request.Form("username")
	strEmail=request.Form("email")
   	Set rstemp = server.CreateObject("ADODB.Recordset")
   	Set rs = server.CreateObject("ADODB.Recordset")
	
	rstemp.open "select * from [Staff Details] where 1=0",dbConnection,1,2

	tosearch=false
	if strSearchBy<>"email" then
		value=strUsername
		if cstr(value)<>"" then tosearch=true
		if FieldNeedQuotes(rstemp,cUserNameField) then 
			value="'" & db_addslashes(value) & "'"
		else
			value=my_numeric(value)
		end if
		sWhere=AddFieldWrappers(cUserNameField) & "=" & value
	else
		value=strEmail
		if cstr(value)<>"" then tosearch=true
		if FieldNeedQuotes(rstemp,cEmailField) then
			value="'" & db_addslashes(value) & "'"
		else
			value=my_numeric(value)
		end if
		sWhere=AddFieldWrappers(cEmailField) & "=" & value
	end if
	
	if tosearch then DoEvent "tosearch = BeforeRemindPassword(strUsername,strEmail)"
	

	if tosearch then

		strSQL="select " & AddFieldWrappers(cUserNameField) & "," & AddFieldWrappers(cPasswordField) & "," & AddFieldWrappers(cEmailField) & " from [Staff Details] where " & sWhere
		rs.Open strSQL,dbConnection,1,2
		if not rs.EOF then
			password=rs(1)
'//	generate 6 letters length password
			password=""
			randomize
			for ind=0 to 5
				j=rnd(35)
				if j<26 then
					password=password & chr(asc("a")+j)
				else
					password=password & chr(asc("0")-26+j)
				end if
			next
			dbConnection.Execute "update [Staff Details] set " & AddFieldWrappers(cPasswordField) & "='" & md5(password) & "' where " & sWhere
			url = "http://" & request.ServerVariables("SERVER_NAME")
			if CStr(request.ServerVariables("SERVER_PORT"))<>"80" then _
				url = url & ":" & request.ServerVariables("SERVER_PORT")
			url= url & request.ServerVariables("SCRIPT_NAME")
			message="Password reminder" & vbcrlf
			message=message & "You asked to remind your username and password at" & " " & url & vbcrlf
			message=message & "Username" & " " & rs(0) & vbcrlf
			message=message & "Password" & " " & password & vbcrlf
			sendmail rs(2),"Password reminder",message
			reminded=true
			DoEvent "AfterRemindPassword strUsername,strEmail"
			loginlink_attrs="href=""login.asp"
			if strSearchBy<>"email" then loginlink_attrs=loginlink_attrs & "?username=" & server.HTMLEncode(strUsername)
			loginlink_attrs=loginlink_attrs & """"
			xt.assign "loginlink_attrs",loginlink_attrs
			xt.assign "body",true
			SESSION("count_captcha")=SESSION("count_captcha")+1
			xt.display("remind_success.htm")
			response.End
		end if
	end if
	if not reminded then
		if strSearchBy<>"email" then
			strMessage="User" & " <i>" & strUsername & "</i> " & "is not registered."
		else
			strMessage="This email doesn't exist in our database"
		end if
	end if
	
end if

emailradio_attrs="onclick=""document.forms.form1.searchby.value='email'; UpdateControls();"""
usernameradio_attrs="onclick=""document.forms.form1.searchby.value='username'; UpdateControls();"""

if strSearchBy="username" then
	usernameradio_attrs=usernameradio_attrs & " checked"
	search_disabled = "email"
else
	emailradio_attrs=emailradio_attrs & " checked"
	search_disabled = "username"
end if

xt.assign "emailradio_attrs",emailradio_attrs
xt.assign "usernameradio_attrs",usernameradio_attrs

xt.assign "username_attrs","value=""" & my_htmlspecialchars(strUsername) & """"
xt.assign "email_attrs","value=""" & my_htmlspecialchars(strEmail) & """"
if strMessage<>"" then
	xt.assign "message",strMessage
	xt.assign "message_block",true
	if captcha=1 then SESSION("count_captcha")=SESSION("count_captcha")+1
end if

set body=CreateObject("Scripting.Dictionary")
str="<script language = JavaScript>"
str=str & "function OnKeyDown(){"
str=str & "e = window.event;"
str=str & "if (e.keyCode == 13){"
str=str & "e.cancel = true;"
str=str & "document.forms[0].submit();}}"
str=str & "function UpdateControls(){"
str=str & "if (document.forms.form1.searchby.value==""username""){"
str=str & "document.forms.form1.username.style.backgroundColor='white';"
str=str & "document.forms.form1.email.style.backgroundColor='gainsboro';"
str=str & "document.forms.form1.username.disabled=false;"
str=str & "document.forms.form1.email.disabled=true;}else{"
str=str & "document.forms.form1.username.style.backgroundColor='gainsboro';"
str=str & "document.forms.form1.email.style.backgroundColor='white';"
str=str & "document.forms.form1.username.disabled=true;"
str=str & "document.forms.form1.email.disabled=false;}}</script>"
str=str & "<form method=post action=""remind.asp"" id=form1 name=form1>"
str=str & "<input type=hidden name=btnSubmit value=""Remind"">"
str=str & "<input type=""Hidden"" name=""searchby"" value=""" & strSearchBy & """>"
body("begin")=str
body("end")="</form><script language=""JavaScript"">document.forms.form1." & search_disabled & ".disabled=true;	UpdateControls();</script>"
xt.assign "body",body


templatefile = "remind.htm"
DoEvent "BeforeShowRemindPwd xt,templatefile"
xt.display(templatefile)
%>

asp

This attachment is potentially unsafe to open. It may be an executable that is capable of making changes to your file system, or it may require specific software to open. Use caution and only open this attachment if you are comfortable working with pdf files.

Acunetix_Web_Vulnerability1.pdf (192.55 KB)

3 Contributors
5 Replies
409 Views
1 Week Discussion Span
Latest Post 13 Years Ago Latest Post by reygcalantaol

reygcalantaol 0 WordPress Developer

13 Years Ago

You may also use parameterize query to prevent SQL injection.

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

ArtistScope -5 Junior Poster · Answer 1 · 2011-03-19T13:49:12+00:00

The error report may be concerned about the lack of filtering on the data accepted in your request fields... there is currently no filtering which leaves you open for a SQL Attack which can either crash your database/site or be used to throw up information that can further help a hack attempt.

Btw is the password encrypted and decrypted for the password remind function? If not it should be, and the password input field should be set to as a password field, ie" only showing *****.

Also note that the following code is no longer WC3 compliant...

<script language = JavaScript>

Today it should be...

<script type="text/javascript">

You can use a basic replace function for a filter that is most effective...

Dim strInputCom
Private Function cleanName(ByVal strInputCom)
	strInputCom = Replace(strInputCom, "xp_", "", 1, -1, 1)
	strInputCom = Replace(strInputCom, "sp_oa", "", 1, -1, 1)
	strInputCom = Replace(strInputCom, ".shell", "", 1, -1, 1)
	strInputCom = Replace(strInputCom, "filesystemobject", "", 1, -1, 1)
	strInputCom = Replace(strInputCom, "createobject", "", 1, -1, 1)
	strInputCom = Replace(strInputCom, "sp_who", "", 1, -1, 1)
	strInputCom = Replace(strInputCom, "sp_password", "", 1, -1, 1)
	strInputCom = Replace(strInputCom, "sp_ex", "", 1, -1, 1)
	strInputCom = Replace(strInputCom, "sysxlogins", "", 1, -1, 1)
	strInputCom = Replace(strInputCom, "create table", "", 1, -1, 1)
	strInputCom = Replace(strInputCom, "drop table", "", 1, -1, 1)
	strInputCom = Replace(strInputCom, "union all", "", 1, -1, 1)
	strInputCom = Replace(strInputCom, "sysobjects", "", 1, -1, 1)
	strInputCom = Replace(strInputCom, "is null", "", 1, -1, 1)
	strInputCom = Replace(strInputCom, "not null", "", 1, -1, 1)
	strInputCom = Replace(strInputCom, "non_existant_table", "", 1, -1, 1)
	strInputCom = Replace(strInputCom, "users", "", 1, -1, 1)
	strInputCom = Replace(strInputCom, "select all", "", 1, -1, 1)
	strInputCom = Replace(strInputCom, "all select", "", 1, -1, 1)
	strInputCom = Replace(strInputCom, "user_name", "", 1, -1, 1)
	strInputCom = Replace(strInputCom, "ascii", "", 1, -1, 1)
	strInputCom = Replace(strInputCom, "substring", "", 1, -1, 1)
	strInputCom = Replace(strInputCom, "uni/", "", 1, -1, 1)
	strInputCom = Replace(strInputCom, "unio/", "", 1, -1, 1)	
	strInputCom = Replace(strInputCom, "++", "&", 1, -1, 1)
	strInputCom = Replace(strInputCom, "1=1", "", 1, -1, 1)
	strInputCom = Replace(strInputCom, "*", "", 1, -1, 1)
	strInputCom = Replace(strInputCom, "^", "", 1, -1, 1)
	strInputCom = Replace(strInputCom, "~", "", 1, -1, 1)
	strInputCom = Replace(strInputCom, "$", "", 1, -1, 1)
	strInputCom = Replace(strInputCom, "+", " ", 1, -1, 1)
	strInputCom = Replace(strInputCom, "%", "", 1, -1, 1)
	strInputCom = Replace(strInputCom, ", ", " ", 1, -1, 1)
	strInputCom = Replace(strInputCom, ",", "", 1, -1, 1)	
'	strInputCom = Replace(strInputCom, "_", " ", 1, -1, 1)
	strInputCom = Replace(strInputCom, Chr(10), "", 1, -1, 1)
	strInputCom = Replace(strInputCom, Chr(13), "", 1, -1, 1)
	strInputCom = Replace(strInputCom, "<", "")
	strInputCom = Replace(strInputCom, ">", "")
	strInputCom = Replace(strInputCom, "[", "")
	strInputCom = Replace(strInputCom, "]", "")
	strInputCom = Replace(strInputCom, """", "", 1, -1, 1)
	strInputCom = Replace(strInputCom, "=", "", 1, -1, 1)
	strInputCom = Replace(strInputCom, "';", "", 1, -1, 1)
	strInputCom = Replace(strInputCom, "..", ".", 1, -1, 1)
	strInputCom = Replace(strInputCom, "'", "", 1, -1, 1)
	strInputCom = Replace(strInputCom, "!", "", 1, -1, 1)
	strInputCom = Replace(strInputCom, "@@", "", 1, -1, 1)
	strInputCom = Replace(strInputCom, "#", "", 1, -1, 1)
	strInputCom = Replace(strInputCom, "(", " ", 1, -1, 1)
	strInputCom = Replace(strInputCom, ")", " ", 1, -1, 1)
	strInputCom = Replace(strInputCom, "&", " and ", 1, -1, 1)
	strInputCom = Replace(strInputCom, "{", "", 1, -1, 1)
	strInputCom = Replace(strInputCom, "}", "", 1, -1, 1)
	strInputCom = Replace(strInputCom, "|", "", 1, -1, 1)
	strInputCom = Replace(strInputCom, ";", "", 1, -1, 1)
	strInputCom = Replace(strInputCom, "\", "/", 1, -1, 1)
	strInputCom = Replace(strInputCom, "\\", "/", 1, -1, 1)
	strInputCom = Replace(strInputCom, "?", "", 1, -1, 1)
	strInputCom = Replace(strInputCom, "--", "-", 1, -1, 1)	
	cleanName = strInputCom
End Function

Then on your input fields you can use it like so...

strUsername = cleanName(request.Form("username"))

By the time their form data gets though this lot it will have its stingers removed :-)

erioch 0 Light Poster · Answer 2 · 2011-03-19T14:08:58+00:00

Hi Artistscope,

Thanks for your answer, now one quick question, how do I handle the strSearchBy=request.Form("searchby") since in the scan results, two main issue discovered were username and searchby or is it nor important?... And secondly, where do I place the "cleanName function"? should it be in the same ASP page or in an include such as the one below???

Thanks a lot....

Regards

Erick

<%@codepage=1252%>
<%

cCharset = "Windows-1252"

response.Charset=cCharset

dDebug=false
useAJAX=true
suggestAllContent=true

Session.LCID = 1033
session.codepage=1252

dSQL=""
bSubqueriesSupported=true

strDatabaseType = "ACCESS"

Set tables_data = CreateObject("Scripting.Dictionary")
Set field_labels = CreateObject("Scripting.Dictionary")

%>
<!--#include file="locale.asp"-->
<!--#include file="events.asp"-->
<!--#include file="commonfunctions.asp"-->
<!--#include file="dbconnection.asp"-->
<!--#include file="dal_source.asp"-->

<%
Const FORMAT_NONE					= ""
Const FORMAT_DATE_SHORT				= "Short Date"
Const FORMAT_DATE_LONG				= "Long Date"
Const FORMAT_DATE_TIME				= "Datetime"
Const FORMAT_TIME					= "Time"
Const FORMAT_CURRENCY				= "Currency"
Const FORMAT_PERCENT				= "Percent"
Const FORMAT_HYPERLINK				= "Hyperlink"
Const FORMAT_EMAILHYPERLINK			= "Email Hyperlink"
Const FORMAT_FILE_IMAGE				= "File-based Image"
Const FORMAT_DATABASE_IMAGE			= "Database Image"
Const FORMAT_DATABASE_FILE			= "Database File"
Const FORMAT_FILE					= "Document Download"
Const FORMAT_LOOKUP_WIZARD			= "Lookup wizard"
Const FORMAT_PHONE_NUMBER			= "Phone Number"
Const FORMAT_NUMBER					= "Number"
Const FORMAT_HTML					= "HTML"
Const FORMAT_CHECKBOX				= "Checkbox"
Const FORMAT_CUSTOM					= "Custom"

Const EDIT_FORMAT_NONE				= ""
Const EDIT_FORMAT_TEXT_FIELD		= "Text field"
Const EDIT_FORMAT_TEXT_AREA			= "Text area"
Const EDIT_FORMAT_PASSWORD			= "Password"
Const EDIT_FORMAT_DATE				= "Date"
Const EDIT_FORMAT_TIME				= "Time"
Const EDIT_FORMAT_RADIO				= "Radio button"
Const EDIT_FORMAT_CHECKBOX			= "Checkbox"
Const EDIT_FORMAT_DATABASE_IMAGE	= "Database image"
Const EDIT_FORMAT_DATABASE_FILE		= "Database file"
Const EDIT_FORMAT_FILE				= "Document upload"
Const EDIT_FORMAT_LOOKUP_WIZARD		= "Lookup wizard"
Const EDIT_FORMAT_HIDDEN			= "Hidden field"
Const EDIT_FORMAT_READONLY			= "Readonly"

Const EDIT_DATE_SIMPLE				= 0
Const EDIT_DATE_SIMPLE_DP			= 11
Const EDIT_DATE_DD					= 12
Const EDIT_DATE_DD_DP				= 13

Const MODE_ADD						= 0
Const MODE_EDIT						= 1
Const MODE_SEARCH					= 2
Const MODE_LIST						= 3
Const MODE_PRINT					= 4
Const MODE_VIEW						= 5
Const MODE_INLINE_ADD				= 6
Const MODE_INLINE_EDIT				= 7

Const LOGIN_HARDCODED				= 0
Const LOGIN_TABLE					= 1

Const ADVSECURITY_ALL				= 0
Const ADVSECURITY_VIEW_OWN			= 1
Const ADVSECURITY_EDIT_OWN			= 2
Const ADVSECURITY_NONE				= 3

Const ACCESS_LEVEL_ADMIN			= "Admin"
Const ACCESS_LEVEL_ADMINGROUP		= "AdminGroup"
Const ACCESS_LEVEL_USER				= "User"
Const ACCESS_LEVEL_GUEST			= "Guest"

Const DATABASE_MySQL				= "MYSQL"
Const DATABASE_Oracle				= "ORACLE"
Const DATABASE_MSSQLServer			= "MS SQL SERVER"
Const DATABASE_Access				= "ACCESS"

Const RTE_BASIC 				= "BASIC"
Const RTE_FCK 					= "FCK"
Const RTE_INNOVA				= "INNOVA"

Const ADD_SIMPLE  				= 0
Const ADD_INLINE 				= 1
Const ADD_ONTHEFLY 				= 2

Const LIST_SIMPLE               = 0
Const LIST_LOOKUP               = 1

Const LCT_DROPDOWN              = 0
Const LCT_AJAX                  = 1
Const LCT_LIST                  = 2

Const LT_LISTOFVALUES 	= 0
Const LT_LOOKUPTABLE 	= 1



strLeftWrapper="["
strRightWrapper="]"

cLoginTable				= "Staff Details"
cUserNameField			= "username"
cPasswordField			= "password"
cUserGroupField			= "username"
cEmailField				= "Email (Habitat mail)"

cFrom 					= "hab.Warden@unhabitat.org"
cSmtpServer 			= "smtp.gmail.com"
cSmtpPort 				= "465"
cSMTPUser				= "eribros2003@gmail.com"
cSMTPPassword			= "eribros2006"


	gPermissionsRefreshTime=0
	gPermissionsRead=false

function db_connect()
	set dbConnection = server.CreateObject("ADODB.Connection")
   	dbConnection.ConnectionString = strConnection
   	dbConnection.Open
end function
function AddTableWrappers(strName)
	if mid(strName,1,1)=strLeftWrapper then
		AddTableWrappers = strName
		exit function
	end if
	dim arr
	arr=split(strName,".")
	ret=strLeftWrapper & arr(0) & strRightWrapper
	if ubound(arr)>0 then ret=ret & "." & strLeftWrapper & arr(1) & strRightWrapper
	AddTableWrappers = ret
end function

function db_upper(dbval)
	db_upper = "ucase(" & dbval & ")"
end function

function AddFieldWrappers(strName)
	if mid(strName,1,1)=strLeftWrapper then
		AddFieldWrappers = strName
	else
		AddFieldWrappers = strLeftWrapper & strName & strRightWrapper
	end if
end function
function FieldNeedQuotes(rs,field)
	ttype=db_fieldtype(rs,field)
	if ttype=20 or ttype=128 or ttype=11 or ttype=6 or ttype=14 or ttype=5 or ttype=3 or ttype=131 _
	or ttype=4	or ttype=2	or ttype=16 or ttype=21 or ttype=19 or ttype=18 or ttype=17 or ttype=139 then
		FieldNeedQuotes = false
	else
		FieldNeedQuotes = true
	end if
end function
function db_addslashes(str)
	db_addslashes = replace(str,"'","''")
end function
function db_datequotes(val)
	db_datequotes = "#" & val & "#"
end function
function db_stripslashesbinary(str)
'//	try to remove ole header for BMP pictures
	pos = instrb(str,unicode2bytes(".Picture"))
	if pos=0 or pos>300 then 
		db_stripslashesbinary = str
		exit function
	end if
	pos1=instrb(pos,str,unicode2bytes("BM"))
	if pos1=0 or pos1>300 then
		db_stripslashesbinary = str
		exit function
	end if
	db_stripslashesbinary = midb(str,pos1)
end function

function db_fieldtype(lhandle,fname)
	Dim i
	for i=0 to db_numfields(lhandle)-1
		if db_fieldname(lhandle,i)=fname then
			ttype=db_fieldtypen(lhandle,i)
			db_fieldtype = ttype
			exit function
		end if
	next
	db_fieldtype = ""
end function
function db_numfields(lhandle)
	db_numfields = lhandle.Fields.Count
end function

function db_fieldname(lhandle,fnumber)
	db_fieldname = lhandle.Fields(fnumber).Name
end function

function db_fieldtypen(lhandle,fnumber)
	db_fieldtypen = lhandle.Fields(fnumber).Type
end function

function date2str(val)
	if isnull(val) then
		date2str=""
		exit function
	end if
	if isdate(val) then
		date2str = CStr(year(val)) & "-" & CStr(month(val)) & "-" & CStr(day(val)) & _
				" " & CStr(hour(val)) & ":" & CStr(minute(val)) & ":" & CStr(second(val))
		exit function
	end if
	date2str=""
end function

Function CalcSearchParameters

	dim ret
	ret=""
	if SESSION(strTableName & "_search")=2 then
	'	 advanced search
		
		set strTableName_asearchfortype = SESSION(strTableName & "_asearchfortype")
		set strTableName_asearchnot = SESSION(strTableName & "_asearchnot")
		set strTableName_asearchopt = SESSION(strTableName & "_asearchopt")
		set strTableName_asearchfor = SESSION(strTableName & "_asearchfor")
		set strTableName_asearchfor2 = SESSION(strTableName & "_asearchfor2")

		sWhere=""
		for each f in strTableName_asearchfor
			strSearchFor=trim(strTableName_asearchfor.item(f))
			strSearchFor2=""
			ttype=strTableName_asearchfortype.item(f)
			
			for each i in strTableName_asearchfor2
				if f=i then strSearchFor2=trim(strTableName_asearchfor2.item(i))
			next
		
			if strSearchFor<>"" or true then
				if sWhere="" then
					if session(strTableName & "_asearchtype")="and" then
						sWhere="1=1"
					else
						sWhere="1=0"
					end if
				end if
				snot=strTableName_asearchnot.item(f)
				strSearchOption=trim(strTableName_asearchopt.Item(f))
				where=""
				where=StrWhereAdv(f, strSearchFor, strSearchOption, strSearchFor2,ttype)
				if where<>"" then
					if snot<>"" then where="not (" & where & ")"
					if SESSION(strTableName & "_asearchtype")="and" then
	   					sWhere=sWhere &  " and " & where
					else
	   					sWhere=sWhere &  " or " & where
	   				end if
				end if
			end if
		next
		ret=whereAdd(ret,sWhere)
	end if
	CalcSearchParameters = ret
End Function

%>

ArtistScope -5 Junior Poster · Answer 3 · 2011-03-19T14:18:14+00:00

Add a new include file for your new functions (at the top of the page), keeping it separate from commonfunctions.asp which may be overwritten if you are using an ASP generator application?

Passing a username field should not be a risk if it's filtered.

erioch 0 Light Poster · Answer 4 · 2011-03-19T14:48:41+00:00

Hi,

It seems to be working well now... It is replacing the unwanted characters well... I have liked the site and very soon, maybe next month, am considering contributing to the work...

Regards,

Erick