Keeping the querystring-injectors out - Posted on (3678 Views)
Retired Support Moderator
MarcelG
Posts: 2625
I'm a bit paranoid when it comes to website security. I often see people active on my websites who are trying to perform strange page requests, with stuff like TOPIC_ID=100+1+1+AND' etc. To keep those people out (and send them a message) I've implemented the following lines of code in config.asp, before the database is even opened. What it does is this:
- it checks the various numeric querystrings used by Snitz to see if they are numeric or not.
- if they're not empty but also not numeric, the user is redirected to a 401 page, which tells them that they're busted.
Example: http://oxle.com/topic.asp?topic_id=6205+lamehackattack$
(Warning, my 401 page is pretty rude...cool)
You can extend this with custom numeric querystrings used on your forum, for example the blog mod, download mods etc.
Code:
'let us keep out the querystring injectors before we open up the SQL connection
'every numeric querystring Snitz uses is checked in one loop; add the parameters
'of your own mods (blog mod, download mods etc.) to the Array() call below
Dim strNumericParam
For Each strNumericParam In Array("id", "whichpage", "TOPIC_ID", "REPLY_ID", "forum_id", "cat_id")
    If Request.QueryString(strNumericParam) <> "" And IsNumeric(Request.QueryString(strNumericParam)) = False Then
        'not empty, but not numeric either: send the visitor to the 401 page
        'note: Response.Redirect replaces this status with "302 Object Moved", so the browser only sees the redirect
        Response.Status = "401 Access denied"
        Response.Redirect "401.asp"
        Response.End
    End If
Next

'end of the querystring injectors protection
This code is put in config.asp above the line that starts with this:
Code:
dim strDBType, 

Make sure you create a 401.asp page so that the viewer is notified he's being watched. Or redirect to something else instead, that's also possible of course.
I've tried to get as many numeric querystrings in here as I could think of, but if you know one that I've missed, please let me know.
***** EDIT: code fixed, Carefree spotted a missing end if*****
   
 Sidestørrelse 
Posted on
Forum Admin
HuwR
Posts: 20611
your forum should be perfectly safe without the need to do this, Snitz already ensures that a valid number is passed in order to prevent injection
Posted on
Retired Support Moderator
MarcelG
Posts: 2625
Yes, I know. But still, I want to send them a message....wink
BTW, I seem to have broken it, so I'm trying to figure out what's happening now...strange.
Posted on
Senior Member
bobby131313
Posts: 1163
I like redirecting buttheads here. tongue
Posted on
Forum Admin
HuwR
Posts: 20611
Originally posted by MarcelG
Yes, I know. But still, I want to send them a message....wink
BTW, I seem to have broken it, so I'm trying to figure out what's happening now...strange.
looks like it's working to me
Posted on
Advanced Member
Etymon
Posts: 2396
Looks good.
I tried ... http://oxle.com/topic.asp?topic_id=6205&whichpage=-1+1+1+AND and got flagged. smile
Posted on
Support Moderator
Podge
Posts: 3776
Marcel, if you want to be thorough you should add a check to test if the value is numeric and greater than zero. Technically -1 is numeric but not valid as a Snitz querystring AFAIK.
Posted on
Forum Moderator
AnonJr
Posts: 5768
Originally posted by Podge
Marcel, if you want to be thorough you should add a check to test if the value is numeric and greater than zero. Technically -1 is numeric but not valid as a Snitz querystring AFAIK.
It is valid for the whichpage variable IIRC...
Posted on
Forum Admin
HuwR
Posts: 20611
yes, -1 is valid for the whichpage variable
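The check in the first post and the -1 discussion above both come down to the same question: what should a "numeric" querystring be allowed to contain? This is an added example (not MarcelG's code and not part of Snitz) that replaces IsNumeric() with a stricter test. VBScript's IsNumeric() also accepts forms such as "1e3", "&HFF", " 5 " and (depending on locale) "1,000", so the function below only accepts an optional minus sign followed by plain digits, then applies the range rule from the thread: greater than zero, with -1 allowed for whichpage only. The function name, the parameter list and the 9-digit limit are this example's own assumptions.

```vbscript
<%
' Added example, not code from the original post or from Snitz.
' Strict integer check for Snitz-style numeric querystrings.
' strValue        : the raw querystring value (already known to be non-empty)
' blnAllowMinusOne: True for parameters where -1 is a legal value (whichpage)
Function IsValidSnitzId(ByVal strValue, ByVal blnAllowMinusOne)
    Dim objRE, lngValue
    Set objRE = New RegExp
    ' optional leading minus, then 1 to 9 digits: always fits in a 32-bit Long,
    ' so CLng() below cannot overflow; no spaces, signs, hex prefixes or exponents
    objRE.Pattern = "^-?\d{1,9}$"
    objRE.Global = False
    If Not objRE.Test(strValue) Then
        IsValidSnitzId = False
        Exit Function
    End If
    lngValue = CLng(strValue)
    If lngValue > 0 Then
        IsValidSnitzId = True
    ElseIf lngValue = -1 And blnAllowMinusOne Then
        IsValidSnitzId = True      ' the thread notes -1 is valid for whichpage
    Else
        IsValidSnitzId = False     ' zero and other negatives are rejected
    End If
End Function

' Check every numeric querystring before the SQL connection is opened.
' The list is an assumption; extend it with your own mods' parameters.
Dim arrParams, i, strParam, strValue
arrParams = Array("id", "TOPIC_ID", "REPLY_ID", "forum_id", "cat_id", "whichpage")
For i = 0 To UBound(arrParams)
    strParam = arrParams(i)
    strValue = Request.QueryString(strParam)
    If strValue <> "" Then
        If Not IsValidSnitzId(strValue, (LCase(strParam) = "whichpage")) Then
            ' same handling as in the first post: off to the 401 page
            Response.Redirect "401.asp"
            Response.End
        End If
    End If
Next
%>
```

With this in place a request such as topic_id=6205+lamehackattack$ is rejected by the pattern, whichpage=-1+1+1+AND is rejected as well, whichpage=-1 on its own passes, and topic_id=-1 or topic_id=0 are rejected because the range rule only applies the -1 exception to whichpage.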
Posted on
Advanced Member
Carefree
Posts: 4224
Code:

if Request.QueryString("whichpage") <> "" and IsNumeric(Request.QueryString("whichpage")) = false then
Response.Status="401 Access denied"
response.redirect "401.asp"
Response.End
You're missing an
Code:
end if
Posted on
Retired Support Moderator
MarcelG
Posts: 2625
No I'm not.
wink