Shaun Mccran

My digital playground

06 APR 2009

Cross Site scripting hack test form

One of the more basic cross site scripting hacks is where the user simply 'injects' other web pages into yours, using a form.

By submitting a string through a form and having the page echo that value back unencoded, a user can inject malicious markup. In this example we will inject an inline frame (iframe) whose source is a different domain from the originating site.

To test this yourself, create a simple form and set the value of the text field to whatever the user entered.

<cfparam name="form.formValue" default="">

<form method="post">

<input type="text" name="formValue" size="30" value="<cfoutput>#form.formValue#</cfoutput>">
<input type="submit" name="Action" value="Send">

</form>

I'm using ColdFusion, but the language itself doesn't matter; the vulnerability is the same. Next, submit the form using a string like the one below. This string is made up of the form field name, a run of closing tags that break out of the surrounding markup, and a valid HTML iframe element.

formValue=>"></title></iframe></script></form></td></tr><br><iFraMe src=http://www.google.com width=900 height=1100></IfRamE>

Submit the form and you will be returned to the same template, but it has rendered the HTML string as markup and is now proudly displaying someone else's site on your domain.

This is only possible because the form is echoing the form value as raw HTML. You can eliminate the issue by HTML-encoding the value before it is output. Something like HTMLCodeFormat replaces special characters in a string with their HTML-escaped equivalents.

#HTMLCodeFormat(form.formValue)#
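As an added example (not part of the post, and not ColdFusion), here is the same form rendered two ways in Python: render_raw echoes the value unencoded, as the #form.formValue# line does, and render_escaped runs it through html.escape first, which is the Python equivalent of the HTMLCodeFormat step (note that HTMLCodeFormat also wraps its output in <pre> tags, so in ColdFusion HTMLEditFormat, or EncodeForHTMLAttribute on newer releases, is the usual choice inside an attribute value). The sample string is the post's own test input, constructed inline; TagCollector, built on the standard library's HTMLParser, stands in for what a browser would build from each rendering, and injected_tags and reflects_safely are hypothetical names for the check a unit test of the form could run.

```python
import html
from html.parser import HTMLParser

# Constructed sample input: the string the post submits through the form (the part after
# "formValue="). It closes the value attribute and the <input> tag, then opens an iframe.
SAMPLE_INPUT = (
    '>"></title></iframe></script></form></td></tr><br>'
    '<iFraMe src=http://www.google.com width=900 height=1100></IfRamE>'
)


def render_raw(value: str) -> str:
    """Vulnerable template: the submitted value goes into the attribute unencoded,
    which is what #form.formValue# inside <cfoutput> does in the post."""
    return (
        '<form method="post">'
        f'<input type="text" name="formValue" size="30" value="{value}">'
        '<input type="submit" name="Action" value="Send">'
        "</form>"
    )


def render_escaped(value: str) -> str:
    """Hardened template: encode &, <, >, " and ' before interpolating, the same
    transformation the post applies with HTMLCodeFormat (minus its <pre> wrapper)."""
    return render_raw(html.escape(value, quote=True))


class TagCollector(HTMLParser):
    """Records every start tag the parser sees and the value of every <input>, so the
    two renderings can be compared by the elements they produce, not by string matching."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []
        self.input_values: list[str] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)  # HTMLParser lower-cases names, so iFraMe becomes iframe
        if tag == "input":
            for name, value in attrs:
                if name == "value":
                    self.input_values.append(value)


def parse(markup: str) -> TagCollector:
    collector = TagCollector()
    collector.feed(markup)
    collector.close()
    return collector


def injected_tags(markup: str, expected=("form", "input")) -> list[str]:
    """Tags in the rendered page that the template itself never emits; any hit means the
    submitted value broke out of its attribute context."""
    return [t for t in parse(markup).tags if t not in expected]


def reflects_safely(value: str, markup: str) -> bool:
    """A reflected value is safe only if it comes back as the text field's value and adds
    no elements of its own."""
    page = parse(markup)
    return page.input_values[:1] == [value] and not injected_tags(markup)


if __name__ == "__main__":
    for label, renderer in (("raw", render_raw), ("escaped", render_escaped)):
        markup = renderer(SAMPLE_INPUT)
        print(f"{label:8} injected={injected_tags(markup)} "
              f"safe={reflects_safely(SAMPLE_INPUT, markup)}")
```

With the raw template the parser sees a br and an iframe that the form never declared, and the text field's value has been cut down to a single character; with the encoded template the only elements are the form and its two inputs, and the field's value is the submitted string, intact but inert.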

17 MAR 2009

SQL Stored Procedures, UPDATE Template script

This article deals with creating a SQL stored procedure for Updating a record.

In each of these stored procedure templates I am declaring a variety of documentation parameters in the header.

I've found these handy in the past when you are working in a team environment, or when you go back to a procedure at a later date. It's much easier to read a simple description in the header than trawl through the SQL code looking for what it is doing.

So, this declares the procedure name, any parameters and return codes, and also details what it does, and who made it.

In a modified version of this I also hold the SVN revision number here.

/********************************************************************************/
/*         Company Name                             */
/********************************************************************************/
/* Procedure Name : dbo.ssp_stored_procname */
/* Parameters : */
/* Return Codes : */
/* */
/* Description : Description of what it does, params etc */
/* */
/* */
/* */
/* */
/* */
/* Author : Authorname */
/* Date written : Date */
/* History : version number */
/* */
/********************************************************************************/

The next block of code performs a select on the sysobjects table (part of the Master database). It is checking for the existence of itself. If it finds itself, it will drop the procedure. Note that throughout all of these scripts we are telling the user at each stage what is going on, by printing useful English output back to the screen.

IF EXISTS (SELECT 1 FROM sysobjects where id = object_id('dbo.ssp_stored_procname') and sysstat & 0xf = 4)
BEGIN
    PRINT 'Dropping old version of dbo.ssp_stored_procname'
    DROP PROCEDURE dbo.ssp_stored_procname
END
GO

By now we have identified whether or not the procedure previously existed, and if it did, we have dropped it, so we know that we are all good to go. So to create our Update procedure, we print out a message to the user, then using the "CREATE PROCEDURE" command we create our procedure.

At this point you substitute the "@field" value with your parameter name, and the [datatype] and (datasize) with the correct values. Just list your parameters one after another, separating them with a comma. As this is creating an Update stored procedure, I list every value the query will update here.

PRINT 'Creating procedure dbo.ssp_stored_procname - START'
GO

CREATE PROCEDURE dbo.ssp_stored_procname
    (@field         [datatype](datasize),
     @field         [datatype],
     @field         [datatype](datasize),
     @field         [datatype](datasize),
     @field         [datatype],
     @field         [datatype])

After that we create the SQL code, as per usual. We have an Update statement, using the variables declared above in the SQL variable declaration (@var). Just write out your update like you normally would here. Then we check for any errors, and return a success message if it all worked ok!

AS UPDATE tablename
SET [field]     = @field,
    [field]     = @field,
    [field]     = @field,
    [field]     = @field,
    [field]     = @field
WHERE
    ( [field] = @conditions)
RETURN @@ERROR
GO
PRINT 'Creating procedure dbo.ssp_stored_procname - END'
GO

By using a script like this I've found that it's really simple to have a repeatable standard process that is easy to implement across a team of developers, ensuring you get the same results no matter who writes the query. It is also very useful if you have a separate implementation team, as these scripts are re-runnable: they clear up after themselves.

Download the full template here.

10 MAR 2009

SQL Stored Procedures, SELECT Template script

This article deals with creating a SQL stored procedure for selecting a record.

In each of these stored procedure templates I am declaring a variety of documentation parameters in the header.

I've found these handy in the past when you are working in a team environment, or when you go back to a procedure at a later date. It's much easier to read a simple description in the header than trawl through the SQL code looking for what it is doing.

So, this declares the procedure name, any parameters and return codes, and also details what it does, and who made it.

In a modified version of this I also hold the SVN revision number here.

/********************************************************************************/
/*         Company Name                             */
/********************************************************************************/
/* Procedure Name : dbo.ssp_stored_procname */
/* Parameters : */
/* Return Codes : */
/* */
/* Description : Description of what it does, params etc */
/* */
/* */
/* */
/* */
/* */
/* Author : Authorname */
/* Date written : Date */
/* History : version number */
/* */
/********************************************************************************/

The next block of code performs a select on the sysobjects table (part of the Master database). It is checking for the existence of itself. If it finds itself, it will drop the procedure. Note that throughout all of these scripts we are telling the user at each stage what is going on, by printing useful English output back to the screen.

IF EXISTS (SELECT 1 FROM sysobjects where id = object_id('dbo.ssp_stored_procname') and sysstat & 0xf = 4)
BEGIN
    PRINT 'Dropping old version of dbo.ssp_stored_procname'
    DROP PROCEDURE dbo.ssp_stored_procname
END
GO

By now we have identified whether or not the procedure previously existed, and if it did, we have dropped it, so we know that we are all good to go. So to create our Select procedure, we print out a message to the user, then using the "CREATE PROCEDURE" command we create our procedure.

At this point you substitute the "@field" value with your parameter name, and the [datatype] and (datasize) with the correct values. As an example of this, the first line in this proc declares a parameter named '@varName' with a data type of varchar and a character limit of 100. Just list your parameters one after another, separating them with a comma.

PRINT 'Creating procedure dbo.ssp_stored_procname - START'
GO

CREATE PROCEDURE dbo.ssp_stored_procname
    (@varName       [varchar](100),
     @field         [int],
     @field         [datatype](datasize),
     @field         [datatype],
     @field         [datatype],
     @field         [datatype])

After that we create the SQL code, as per usual. We have a Select statement, listing the fields, and the SQL variable declaration (@var). Then we check for any errors, and return a success message if it all worked ok!

AS Select Fields
from Table
Where (Conditions)
RETURN @@ERROR
GO

PRINT 'Creating procedure dbo.ssp_stored_procname - END'
GO

By using a script like this I've found that it's really simple to have a repeatable standard process that is easy to implement across a team of developers, ensuring you get the same results no matter who writes the query. It is also very useful if you have a separate implementation team, as these scripts are re-runnable: they clear up after themselves.

Download the full template here.

04 MAR 2009

SQL Stored Procedures, INSERT Template script

This article deals with creating a SQL stored procedure for inserting a record.

In each of these stored procedure templates I am declaring a variety of documentation parameters in the header.

I've found these handy in the past when you are working in a team environment, or when you go back to a procedure at a later date. It's much easier to read a simple description in the header than trawl through the SQL code looking for what it is doing.

So, this declares the procedure name, any parameters and return codes, and also details what it does, and who made it.

In a modified version of this I also hold the SVN revision number here.

/********************************************************************************/
/*         Company Name                             */
/********************************************************************************/
/* Procedure Name : dbo.ssp_stored_procname */
/* Parameters : */
/* Return Codes : */
/* */
/* Description : Description of what it does, params etc */
/* */
/* */
/* */
/* */
/* */
/* Author : Authorname */
/* Date written : Date */
/* History : version number */
/* */
/********************************************************************************/

The next block of code performs a select on the sysobjects table (part of the Master database). It is checking for the existence of itself. If it finds itself, it will drop the procedure. Note that throughout all of these scripts we are telling the user at each stage what is going on, by printing useful English output back to the screen.

IF EXISTS (SELECT 1 FROM sysobjects where id = object_id('dbo.ssp_stored_procname') and sysstat & 0xf = 4)
BEGIN
    PRINT 'Dropping old version of dbo.ssp_stored_procname'
    DROP PROCEDURE dbo.ssp_stored_procname
END
GO

By now we have identified whether or not the procedure previously existed, and if it did, we have dropped it, so we know that we are all good to go. So to create our Insert procedure, we print out a message to the user, then using the "CREATE PROCEDURE" command we create our procedure.

At this point you substitute the "@field" value with your parameter name, and the [datatype] and (datasize) with the correct values. As an example of this, the first line in this proc declares a parameter named '@varName' with a data type of varchar and a character limit of 100. Just list your parameters one after another, separating them with a comma.

PRINT 'Creating procedure dbo.ssp_stored_procname - START'
GO

CREATE PROCEDURE dbo.ssp_stored_procname
    (@varName       [varchar](100),
     @field         [int],
     @field         [datatype](datasize),
     @field         [datatype],
     @field         [datatype],
     @field         [datatype])

After that we create the SQL code, as per usual. We have an Insert statement, listing the fields, and the SQL variable declaration (@var). Then we check for any errors, and return a success message if it all worked ok!

AS INSERT INTO table
     ([field],
      [field],
      [field],
      [field],
      [field],
      [field])
VALUES
     (@field,
      @field,
      @field,
      @field,
      @field,
      @field)

RETURN @@ERROR
GO

PRINT 'Creating procedure dbo.ssp_stored_procname - END'
GO

By using a script like this I've found that it's really simple to have a repeatable standard process that is easy to implement across a team of developers, ensuring you get the same results no matter who writes the query. It is also very useful if you have a separate implementation team, as these scripts are re-runnable: they clear up after themselves.

Download the full template here.
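The three template posts (INSERT, SELECT and UPDATE) follow one procedure: documentation header, drop-if-exists check, the START message, CREATE PROCEDURE with its parameter list and statement, RETURN @@ERROR, and the END message. As an added example that is not the author's template, here is that process as a small Python generator covering all three variants, so the output script is the same whoever builds it. Column and procedure names are assumed to come from a field list outside the script (a config file or a ticket), so each one is checked against an identifier whitelist before it is interpolated into DDL, and a name that fails is rejected rather than quoted around. The existence check uses OBJECT_ID(name, 'P'), which on SQL Server 2005 and later is equivalent to the sysobjects/sysstat test in the posts. The users table, its columns and the procedure names in the usage call are constructed for the example; build_script and its helpers are hypothetical names.

```python
import re

# Whitelists for the two things the template interpolates into DDL: bare identifiers and a
# T-SQL type such as int, varchar(100), varchar(MAX) or decimal(10, 2).
IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")
TYPESPEC = re.compile(r"^[A-Za-z]+(\((\d+|MAX)(,\s*\d+)?\))?$")


def check_ident(name: str) -> str:
    """Return the name unchanged if it is a plain identifier, otherwise refuse it."""
    if not IDENT.match(name):
        raise ValueError(f"unsafe identifier: {name!r}")
    return name


def bracket(name: str) -> str:
    """Bracket-quote a validated column or table name."""
    return f"[{check_ident(name)}]"


def check_type(spec: str) -> str:
    if not TYPESPEC.match(spec):
        raise ValueError(f"unsafe type spec: {spec!r}")
    return spec


def header(proc: str, description: str, author: str, written: str, version: str) -> str:
    """The documentation header from the posts, filled in from arguments."""
    rule = "/" + "*" * 80 + "/"
    rows = [
        f"Procedure Name : dbo.{proc}",
        f"Description : {description}",
        f"Author : {author}",
        f"Date written : {written}",
        f"History : {version}",
    ]
    return "\n".join([rule, *(f"/* {row} */" for row in rows), rule])


def drop_if_exists(proc: str) -> str:
    """Re-runnable preamble: drop the previous version if the catalogue says it exists."""
    return (
        f"IF OBJECT_ID('dbo.{proc}', 'P') IS NOT NULL\n"
        "BEGIN\n"
        f"    PRINT 'Dropping old version of dbo.{proc}'\n"
        f"    DROP PROCEDURE dbo.{proc}\n"
        "END\n"
        "GO"
    )


def param_list(fields) -> str:
    """(name, type) pairs become '@name type' parameter lines, each validated."""
    return ",\n     ".join(f"@{check_ident(n)} {check_type(t)}" for n, t in fields)


def body(kind: str, table: str, fields, key) -> str:
    """The statement inside the procedure: INSERT, UPDATE or SELECT over the same columns."""
    cols = [bracket(n) for n, _ in fields]
    vals = [f"@{n}" for n, _ in fields]
    if kind == "insert":
        return (f"INSERT INTO {bracket(table)}\n    ({', '.join(cols)})\n"
                f"VALUES\n    ({', '.join(vals)})")
    where = f"WHERE {bracket(key[0])} = @{key[0]}"
    if kind == "update":
        sets = ",\n    ".join(f"{c} = {v}" for c, v in zip(cols, vals))
        return f"UPDATE {bracket(table)}\nSET {sets}\n{where}"
    if kind == "select":
        return f"SELECT {', '.join(cols)}\nFROM {bracket(table)}\n{where}"
    raise ValueError(f"unknown kind: {kind!r}")


def build_script(kind, proc, table, fields, key=None, *, author="Authorname",
                 written="Date", version="1.0", description="") -> str:
    """Assemble header, drop-if-exists, the START/END messages and CREATE PROCEDURE."""
    check_ident(proc)
    if kind != "insert" and key is None:
        raise ValueError("update and select need a key (name, type) for the WHERE clause")
    all_params = list(fields) + ([key] if key else [])
    create = (f"CREATE PROCEDURE dbo.{proc}\n    ({param_list(all_params)})\nAS\n"
              f"{body(kind, table, fields, key)}\nRETURN @@ERROR\nGO")
    return "\n\n".join([
        header(proc, description or f"{kind} on {table}", author, written, version),
        drop_if_exists(proc),
        f"PRINT 'Creating procedure dbo.{proc} - START'\nGO",
        create,
        f"PRINT 'Creating procedure dbo.{proc} - END'\nGO",
    ])


if __name__ == "__main__":
    # Constructed example: a users table with a name, an age and an integer key.
    print(build_script("update", "ssp_user_update", "users",
                       [("userName", "varchar(100)"), ("userAge", "int")],
                       key=("userId", "int")))
```

Because the identifier check happens before any string is assembled, a table or column name that contains a quote, a bracket or a semicolon never reaches the generated script; the generator fails loudly instead, which is the behaviour you want from anything that writes DDL on a team's behalf.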
