|
Cross Site scripting hack test form |
One of the more basic cross-site scripting attacks is where the user simply 'injects' another web template into yours, using a form.
By submitting a string through a form and allowing the page to return that value unencoded, a user can inject malicious markup. In this example we will create a frameset and set its source to a different domain from the originating site.
To test this yourself, create a simple form and set the value of the text field to the value that the user enters.
<!--- Deliberately vulnerable: form.formValue is echoed back into the attribute unencoded.
      Assumes form.formValue is defined before this renders (the listing's first line is missing). --->
<form method="post">

<input type="text" name="formValue" size="30" value="<cfoutput>#form.formValue#</cfoutput>">
<input type="submit" name="Action" value="Send">

</form>
I'm using ColdFusion, but the language itself doesn't matter; the vulnerability is the same. Next, submit the form using a string like the one below. This string is built up of the form field name and a valid HTML frameset, surrounded by escape characters.
Submit the form and you will be returned to the same template, but it has rendered the HTML string and is now proudly displaying someone else's site on your domain.
This is only possible because the form returns the form value as raw HTML. You can eliminate this issue by simply adding an HTML-escaping routine to the output. Something like HTMLCodeFormat replaces special characters in a string with their HTML-escaped equivalents.
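Added example (not from the original article, which uses ColdFusion): the same form rendered in Python, once echoing the submitted value raw and once HTML-escaped, with a small parser-based check that reports whether the value broke out of the attribute and opened new tags. The sample string and the example.com frame target are constructed for the demonstration.

```python
import html
from html.parser import HTMLParser

# The form from the article: the submitted value is echoed back into the
# value attribute of the text field.
FORM_TEMPLATE = (
    '<form method="post">\n'
    '<input type="text" name="formValue" size="30" value="{value}">\n'
    '<input type="submit" name="Action" value="Send">\n'
    '</form>'
)

def render_raw(form_value):
    """Vulnerable: the submitted string is placed in the attribute unencoded."""
    return FORM_TEMPLATE.format(value=form_value)

def render_encoded(form_value):
    """Fixed: encode before echoing. quote=True also turns " and ' into entities,
    which is what stops the value from closing the attribute it sits in."""
    return FORM_TEMPLATE.format(value=html.escape(form_value, quote=True))

class _TagCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.tags = []
    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)

def injected_tags(rendered):
    """Check: every start tag in the rendered page that the template itself does not
    contain. An empty list means the submitted value stayed inside the attribute."""
    parser = _TagCollector()
    parser.feed(rendered)
    parser.close()
    return [t for t in parser.tags if t not in ("form", "input")]

# Constructed test string in the shape the article describes: close the attribute
# and the input tag, then supply a frameset whose frame points at another domain.
SAMPLE_INJECTION = '"><frameset><frame src="https://example.com/"></frameset>'

if __name__ == "__main__":
    print("raw    :", injected_tags(render_raw(SAMPLE_INJECTION)))      # ['frameset', 'frame']
    print("encoded:", injected_tags(render_encoded(SAMPLE_INJECTION)))  # []
```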
|
SQL Stored Procedures, UPDATE Template script |
This article deals with creating a SQL stored procedure for Updating a record.
In each of these stored procedure templates I am declaring a variety of documentation parameters in the header.
I've found these handy in the past when you are working in a team environment, or when you go back to a procedure at a later date. It's much easier to read a simple description in the header than to trawl through the SQL code looking for what it is doing.
So, this declares the procedure name, any parameters and return codes, and also details what it does, and who made it.
In a modified version of this I also hold the SVN revision number here.
/********************************************************************************/
/* Company Name */
/********************************************************************************/
/* Procedure Name : dbo.ssp_stored_procname */
/* Parameters : */
/* Return Codes : */
/* */
/* Description : Description of what it does, params etc */
/* */
/* */
/* */
/* */
/* */
/* Author : Authorname */
/* Date written : Date */
/* History : version number */
/* */
/********************************************************************************/
The next block of code performs a select on the sysObjects table (part of the Master database). It checks whether a procedure of the same name already exists, and if it finds one, it drops it. Note that throughout all of these scripts we are telling the user at each stage what is going on, by printing useful English output back to the screen.
-- The first line of this block is missing from the listing; the existence check is
-- reconstructed from the description above (select on sysobjects, type 'P' = procedure).
IF EXISTS (SELECT * FROM sysobjects WHERE id = OBJECT_ID('dbo.ssp_stored_procname') AND type = 'P')
BEGIN
 PRINT 'Dropping old version of dbo.ssp_stored_procname'
 DROP PROCEDURE dbo.ssp_stored_procname
END
GO
By now we have identified whether or not the procedure previously existed, and if it did, we have dropped it, so we know that we are good to go. To create our Update procedure, we print out a message to the user, then create the procedure with the "CREATE PROCEDURE" command.
At this point you substitute the "@field" value with your field name, and the [datatype] and (datasize) with the correct values. Just list your fields one after another, separating them with a comma. As this is creating an Update stored procedure, I list every value to be updated as a parameter here.
-- The first line of this block is missing from the listing; reconstructed to match the
-- '- END' message printed at the close of the script.
PRINT 'Creating procedure dbo.ssp_stored_procname - START'
GO

CREATE PROCEDURE dbo.ssp_stored_procname
 (@field [datatype](datasize),
 @field [datatype],
 @field [datatype](datasize),
 @field [datatype](datasize),
 @field [datatype],
 @field [datatype])
After that we write the SQL code as usual. We have an Update statement, using the parameters declared above (the @ variables). Just write out your update like you normally would here. Then we check for any errors and return a success code if it all worked OK!
AS   -- required before the procedure body; not shown in the original listing
UPDATE [table]   -- first line of this block is missing from the listing; reconstructed as the Update statement described
SET [field] = @field,
 [field] = @field,
 [field] = @field,
 [field] = @field,
 [field] = @field
WHERE
 ( [field] = @conditions)
RETURN @@ERROR   -- must directly follow the UPDATE: @@ERROR is reset by the next statement
GO
PRINT 'Creating procedure dbo.ssp_stored_procname - END'
GO
Download the full template here.
|
SQL Stored Procedures, SELECT Template script |
This article deals with creating a SQL stored procedure for selecting a record.
In each of these stored procedure templates I am declaring a variety of documentation parameters in the header.
I've found these handy in the past when you are working in a team environment, or when you go back to a procedure at a later date. It's much easier to read a simple description in the header than to trawl through the SQL code looking for what it is doing.
So, this declares the procedure name, any parameters and return codes, and also details what it does, and who made it.
In a modified version of this I also hold the SVN revision number here.
/********************************************************************************/
/* Company Name */
/********************************************************************************/
/* Procedure Name : dbo.ssp_stored_procname */
/* Parameters : */
/* Return Codes : */
/* */
/* Description : Description of what it does, params etc */
/* */
/* */
/* */
/* */
/* */
/* Author : Authorname */
/* Date written : Date */
/* History : version number */
/* */
/********************************************************************************/
The next block of code performs a select on the sysObjects table (part of the Master database). It checks whether a procedure of the same name already exists, and if it finds one, it drops it. Note that throughout all of these scripts we are telling the user at each stage what is going on, by printing useful English output back to the screen.
-- The first line of this block is missing from the listing; the existence check is
-- reconstructed from the description above (select on sysobjects, type 'P' = procedure).
IF EXISTS (SELECT * FROM sysobjects WHERE id = OBJECT_ID('dbo.ssp_stored_procname') AND type = 'P')
BEGIN
 PRINT 'Dropping old version of dbo.ssp_stored_procname'
 DROP PROCEDURE dbo.ssp_stored_procname
END
GO
By now we have identified whether or not the procedure previously existed, and if it did, we have dropped it, so we know that we are good to go. To create our Select procedure, we print out a message to the user, then create the procedure with the "CREATE PROCEDURE" command.
At this point you substitute the "@field" value with your field name, and the [datatype] and (datasize) with the correct values. As an example, the first line in this procedure declares a parameter named 'varName' (written @varName in T-SQL) with a data type of varchar and a character limit of 100. Just list your fields one after another, separating them with a comma.
-- The first line of this block is missing from the listing; reconstructed to match the
-- '- END' message printed at the close of the script.
PRINT 'Creating procedure dbo.ssp_stored_procname - START'
GO

CREATE PROCEDURE dbo.ssp_stored_procname
 (@varName [varchar](100),   -- parameters need the @ prefix; the listing had 'varName'
 @field [int],
 @field [datatype](datasize),
 @field [datatype],
 @field [datatype],
 @field [datatype])
After that we write the SQL code as usual. We have a Select statement, listing the fields, and the parameters declared above (the @ variables). Then we check for any errors and return a success code if it all worked OK!
AS   -- required before the procedure body; not shown in the original listing
SELECT [field], [field], [field]   -- first line of this block is missing from the listing; reconstructed as the Select statement described
FROM Table
WHERE (Conditions)
RETURN @@ERROR   -- must directly follow the SELECT: @@ERROR is reset by the next statement
GO

PRINT 'Creating procedure dbo.ssp_stored_procname - END'
GO
By using a script like this I've found that it's really simple to have a repeatable standard process that is easy to implement across a team of developers, ensuring you get the same results no matter who writes the query. It is also very useful if you have a separate implementation team, as these scripts are re-runnable: they clear up after themselves.
Download the full template here.
|
SQL Stored Procedures, INSERT Template script |
This article deals with creating a SQL stored procedure for inserting a record.
In each of these stored procedure templates I am declaring a variety of documentation parameters in the header.
I've found these handy in the past when you are working in a team environment, or when you go back to a procedure at a later date. It's much easier to read a simple description in the header than to trawl through the SQL code looking for what it is doing.
So, this declares the procedure name, any parameters and return codes, and also details what it does, and who made it.
In a modified version of this I also hold the SVN revision number here.
/********************************************************************************/
/* Company Name */
/********************************************************************************/
/* Procedure Name : dbo.ssp_stored_procname */
/* Parameters : */
/* Return Codes : */
/* */
/* Description : Description of what it does, params etc */
/* */
/* */
/* */
/* */
/* */
/* Author : Authorname */
/* Date written : Date */
/* History : version number */
/* */
/********************************************************************************/
The next block of code performs a select on the sysObjects table (part of the Master database). It checks whether a procedure of the same name already exists, and if it finds one, it drops it. Note that throughout all of these scripts we are telling the user at each stage what is going on, by printing useful English output back to the screen.
-- The first line of this block is missing from the listing; the existence check is
-- reconstructed from the description above (select on sysobjects, type 'P' = procedure).
IF EXISTS (SELECT * FROM sysobjects WHERE id = OBJECT_ID('dbo.ssp_stored_procname') AND type = 'P')
BEGIN
 PRINT 'Dropping old version of dbo.ssp_stored_procname'
 DROP PROCEDURE dbo.ssp_stored_procname
END
GO
By now we have identified whether or not the procedure previously existed, and if it did, we have dropped it, so we know that we are good to go. To create our Insert procedure, we print out a message to the user, then create the procedure with the "CREATE PROCEDURE" command.
At this point you substitute the "@field" value with your field name, and the [datatype] and (datasize) with the correct values. As an example, the first line in this procedure declares a parameter named 'varName' (written @varName in T-SQL) with a data type of varchar and a character limit of 100. Just list your fields one after another, separating them with a comma.
-- The first line of this block is missing from the listing; reconstructed to match the
-- '- END' message printed at the close of the script.
PRINT 'Creating procedure dbo.ssp_stored_procname - START'
GO

CREATE PROCEDURE dbo.ssp_stored_procname
 (@varName [varchar](100),   -- parameters need the @ prefix; the listing had 'varName'
 @field [int],
 @field [datatype](datasize),
 @field [datatype],
 @field [datatype],
 @field [datatype])
After that we write the SQL code as usual. We have an Insert statement, listing the fields, and the parameters declared above (the @ variables). Then we check for any errors and return a success code if it all worked OK!
AS   -- required before the procedure body; not shown in the original listing
INSERT INTO [table]   -- first line of this block is missing from the listing; reconstructed as the Insert statement described
 ([field],
 [field],
 [field],
 [field],
 [field],
 [field])
VALUES
 (@field,
 @field,
 @field,
 @field,
 @field,
 @field)

RETURN @@ERROR   -- must directly follow the INSERT: @@ERROR is reset by the next statement
GO

PRINT 'Creating procedure dbo.ssp_stored_procname - END'
GO
By using a script like this I've found that it's really simple to have a repeatable standard process that is easy to implement across a team of developers, ensuring you get the same results no matter who writes the query. It is also very useful if you have a separate implementation team, as these scripts are re-runnable: they clear up after themselves.
Download the full template here.
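A generator for the three templates above (Update, Select and Insert), as an added example that is not the author's script: it emits the same header, existence check, CREATE PROCEDURE and RETURN @@ERROR shape from a column list, so every developer on the team produces an identical script. The table and column names (Customer, Name, Email, Id) are made up for the demonstration; the identifier check is there because the names are pasted straight into DDL text.

```python
import re
def _ident(name):
    """Names are pasted into DDL text, so refuse anything but a plain identifier."""
    if not re.fullmatch(r"[A-Za-z_][A-Za-z0-9_]*", name):
        raise ValueError(f"bad identifier: {name!r}")
    return name
def tsql_proc_script(proc, table, fields, kind, key=None, author="Authorname"):
    """fields: [(column, sql_type)]; key: (column, sql_type) for the WHERE of update/select."""
    proc, table = _ident(proc), _ident(table)
    fields = [(_ident(c), t) for c, t in fields]
    cols = ", ".join(f"[{c}]" for c, _ in fields)
    if kind == "insert":
        params, body = fields, f"INSERT INTO [{table}] ({cols})\nVALUES ({', '.join('@' + c for c, _ in fields)})"
    elif kind == "update":
        k, params = _ident(key[0]), fields + [key]
        sets = ",\n    ".join(f"[{c}] = @{c}" for c, _ in fields)
        body = f"UPDATE [{table}]\nSET {sets}\nWHERE [{k}] = @{k}"
    elif kind == "select":
        k, params = _ident(key[0]), [key]
        body = f"SELECT {cols}\nFROM [{table}]\nWHERE [{k}] = @{k}"
    else:
        raise ValueError(f"unknown kind: {kind!r}")
    full = f"dbo.{proc}"
    plist = ",\n    ".join(f"@{c} {t}" for c, t in params)  # one parameter per line, as in the template
    return f"""/******************************************************************/
/* Procedure Name : {full} */
/* Parameters     : {', '.join('@' + c for c, _ in params)} */
/* Description    : {kind.upper()} on [{table}] */
/* Author         : {author} */
/******************************************************************/
IF EXISTS (SELECT 1 FROM sysobjects WHERE id = OBJECT_ID('{full}') AND type = 'P')
BEGIN
    PRINT 'Dropping old version of {full}'
    DROP PROCEDURE {full}
END
GO
PRINT 'Creating procedure {full} - START'
GO
CREATE PROCEDURE {full}
    ({plist})
AS
{body}
RETURN @@ERROR
GO
PRINT 'Creating procedure {full} - END'
GO
"""
```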