OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Re: Web Forms filtered with SQL constraints

From: Emil Filipov (tieeinet.bg)
Date: Wed Oct 13 2004 - 04:31:51 CDT

You cannot hide the page source.PERIOD.

Try for example to hide your page source from this CGI:
http://python.morp.org/harpy/

The script will make an HTTP query to the server and then show the full
HTTP response, along with the page source and any Jscript that may be
inside (trucated to 10 000 bytes currently, but that's a restriction
that can be easily removed)

Dr Death wrote:

> i have some scripts that hid your page source.
>
> Dr.Death
>
>> From: Bénoni MARTIN <Benoni.MARTINlibertis.ga>
>> To: "RSnake" <rsnakeshocking.com>, <webappsecsecurityfocus.com>
>> Subject: RE: Web Forms filtered with SQL constraints
>> Date: Fri, 8 Oct 2004 17:09:21 +0100
>>
>> Hi !
>>
>> Thanks for the reply, it's as I was thinking about ! I went on the
>> web to get some more infos about that, and I found this article:
>> http://www.developerfusion.com/show/4325/
>>
>> So some tell this is a good idea, others say it's not, so I am lost
>> :( :)
>>
>>
>> -----Message d'origine-----
>> De : RSnake [mailto:rsnakeshocking.com]
>> Envoyé : vendredi 8 octobre 2004 01:42
>> À : webappsecsecurityfocus.com
>> Cc : Bénoni MARTIN
>> Objet : Re: Web Forms filtered with SQL constraints
>>
>>
>> Nothing you do at the client side can be hidden. I can write a
>> client that downloads the source, or watch it via a proxy, or
>> look at the cache, etc.... don't even bother trying. You
>> should consider anything client side as protection from
>> inadvertant mistakes by users only, and you should always have a
>> fall back filter in place to catch the errors before they do any
>> damage.
>>
>> On Wed, 6 Oct 2004, Ian wrote:
>>
>> | Date: Wed, 06 Oct 2004 09:52:03 +0100
>> | From: Ian <webappsec2fishnet.co.uk>
>> | Reply-To: webappsecsecurityfocus.com
>> | To: "[ISO-8859-1] Bénoni MARTIN" <Benoni.MARTINlibertis.ga>,
>> | webappsecsecurityfocus.com
>> | Subject: Re: Web Forms filtered with SQL constraints
>> |
>> | On 5 Oct 2004 at 13:25, Bénoni MARTIN wrote:
>> |
>> | > Hi list !
>> | >
>> | > I was wondering how to solve the 2 following problems: I have ASP
>> | > (not
>> | > ASP.NET) formulaires people have to fill in. To avoid SQ injection
>> | > attacks and other tricks, I have set up some Jscript filtering on
>> each field (i.e.
>> | > for instance a name can just be alphabet's characters and no figures
>> | > :) ), and I am planning to do the same on my Database (setting up
>> constraints).
>> | >
>> | >
>> | > But I have 2 questions: - How can I hide my Jscript filtering
>> from the
>> | > user ? When I want to see the source, everything is diaplayed, quite
>> | > normal :( ... Maybe it's not so good to tell people what I have done
>> | > to filter them :) I saw some sites where it is impossible to see the
>> | > source, impossible to "hoover the site", impossible even to print
>> | > ... But I have not been able to find on the net how to do this :(
>> | >
>> | > - How can I deal with possible SQL errors within an ASP page ? I
>> | > mean, if a field has been filled in, bypass my Jscript filtering (no
>> | > matter how), and gets to the database but is then "stopped" by an
>> | > SQL onstraint, how do I raise this error on an ASP page without
>> | > diplaying an explicit error (giving the user the name of my
>> database for instance) ?
>> | >
>> | > Cheers for any clue, I am lost on this topic :(
>> |
>> | Hi,
>> |
>> | Using classic ASP with vbscript you would add this to the top of
>> the page:
>> |
>> | <% on error resume next %>
>> |
>> | Then after every SQL query:
>> |
>> | <%
>> | if err then
>> | Response.write "There was a database error"
>> | ' Log to error to file
>> | end if
>> | %>
>> |
>> | I think the equivalent in JScript is the Try, Catch, Finally:
>> |
>> | http://msdn.microsoft.com/library/default.asp?url=/library/en-
>> | us/script56/html/js56jslrfjscripterrorstoc.asp
>> |
>> | Hope this helps
>> |
>> | Ian
>> | --
>> |
>> |
>> |
>> |
>> |
>>
>> -R
>>
>> The information in this email is confidential and may be legally
>> privileged. It is intended solely for the addressee. Access to this
>> email by anyone else is unauthorized. If you are not the intended
>> recipient, any disclosure, copying, distribution or any action taken
>> or omitted to be taken in reliance on it is expressly prohibited and
>> may be unlawful.
>>
>
>
>
>
>