Security help please

[Paul M]

Hi
Can someone please help detect any vulnerabilities in this method where
people can update there own registration details.
Here is how it works
I have created a select statement using the DRW which queries the username
and password against an access database and returns the resulting record set
on another page as a form.
The user can then edit there details.
When the form is submitted it sent to an update.asp.The update.asp is a copy
of the one created by the DIW, I have simply removed the login asa and
supporting asp code.
Here is the url.I have created a username " testing" and password "testing"
The first login page allows you to enter the database search members area
and has nothing to do with the update statement

http://www.ingenious-group.com/user_database_reg_/changedetailslogin1.asp

Thanyou
Paul M

 

[Stefan B Rusynko]

You are using client side form field validation, but don't rely on it
- make sure you are also using server side validation in
http://www.ingenious-group.com/databasesearchlogonvalidation.asp
to check all inputs and block any attempts at sql injection
(see for instance http://www.securiteam.com/securityreviews/5DP0N1P76E.html)



| Hi
| Can someone please help detect any vulnerabilities in this method where
| people can update there own registration details.
| Here is how it works
| I have created a select statement using the DRW which queries the username
| and password against an access database and returns the resulting record set
| on another page as a form.
| The user can then edit there details.
| When the form is submitted it sent to an update.asp.The update.asp is a copy
| of the one created by the DIW, I have simply removed the login asa and
| supporting asp code.
| Here is the url.I have created a username " testing" and password "testing"
| The first login page allows you to enter the database search members area
| and has nothing to do with the update statement
|
| http://www.ingenious-group.com/user_database_reg_/changedetailslogin1.asp
|
| Thanyou
| Paul M
|
|
|

 

[Kevin Spencer]

Hi Paul,

First, the Password field should not be a text input field. It should be a
password input field, that shows only asterisks. This prevents anyone who
comes by from reading the password if the browser is left open after the
current user leaves the room.

Second, how secure do you want this to be? The user name, password, and user
information in the last page are transmitted over the Internet via HTTP as
plain text. A packet sniffer could pick up this data quite easily. To be
more secure, use a secure certificate on your web server and the HTTPS
protocol.

--
HTH,

Kevin Spencer
Microsoft MVP
..Net Developer
Neither a follower nor a lender be.

 

[Paul M]

Hi
Basicaly I dont want anyone to be able to access and change/delete someone
elses information .The information itself is not top secret.
Paul M

 

[Paul M]

Thanks Stefan
But surely the sql is part of the asp and cannot be been by the browser?
How do I acheve server side validation?
Paul M

 

[Stefan B Rusynko]

sql injection means injecting something (from your form) into your validation page processed by your server side code that causes
the sql code there (managing your db) to react adversely
You write your asp code to check for valid input data and block invalid input data from the form
- no different than your client side code checks some, but not all, of the input from a user
- read the link I posted as a start




| Thanks Stefan
| But surely the sql is part of the asp and cannot be been by the browser?
| How do I acheve server side validation?
| Paul M
|
| | > You are using client side form field validation, but don't rely on it
| > - make sure you are also using server side validation in
| > http://www.ingenious-group.com/databasesearchlogonvalidation.asp
| > to check all inputs and block any attempts at sql injection
| > (see for instance
| > http://www.securiteam.com/securityreviews/5DP0N1P76E.html)
| > --
| >
| > _____________________________________________
| > SBR @ ENJOY (-: [ Microsoft MVP - FrontPage ]
| > "Warning - Using the F1 Key will not break anything!" (-;
| > To find the best Newsgroup for FrontPage support see:
| > http://www.net-sites.com/sitebuilder/newsgroups.asp
| > _____________________________________________
| >
| >
| > | > | Hi
| > | Can someone please help detect any vulnerabilities in this method where
| > | people can update there own registration details.
| > | Here is how it works
| > | I have created a select statement using the DRW which queries the
| > username
| > | and password against an access database and returns the resulting record
| > set
| > | on another page as a form.
| > | The user can then edit there details.
| > | When the form is submitted it sent to an update.asp.The update.asp is a
| > copy
| > | of the one created by the DIW, I have simply removed the login asa and
| > | supporting asp code.
| > | Here is the url.I have created a username " testing" and password
| > "testing"
| > | The first login page allows you to enter the database search members
| > area
| > | and has nothing to do with the update statement
| > |
| > |
| > http://www.ingenious-group.com/user_database_reg_/changedetailslogin1.asp
| > |
| > | Thanyou
| > | Paul M
| > |
| > |
| > |
| >
| >
|
|

 

[Paul M]

Hi Stefan
I am trying to add the following asp to the vaidation page which is supposed
to change single quotas to double where do I put it
<%

function stripQuotes(strWords)
stripQuotes = replace(strWords, "'", "''")
end function

%>



Thanks paul m

sql injection means injecting something (from your form) into your
validation page processed by your server side code that causes
the sql code there (managing your db) to react adversely
You write your asp code to check for valid input data and block invalid
input data from the form
- no different than your client side code checks some, but not all, of the
input from a user
- read the link I posted as a start




| Thanks Stefan
| But surely the sql is part of the asp and cannot be been by the browser?
| How do I acheve server side validation?
| Paul M
|
| | > You are using client side form field validation, but don't rely on it
| > - make sure you are also using server side validation in
| > http://www.ingenious-group.com/databasesearchlogonvalidation.asp
| > to check all inputs and block any attempts at sql injection
| > (see for instance
| > http://www.securiteam.com/securityreviews/5DP0N1P76E.html)
| > --
| >
| > _____________________________________________
| > SBR @ ENJOY (-: [ Microsoft MVP - FrontPage ]
| > "Warning - Using the F1 Key will not break anything!" (-;
| > To find the best Newsgroup for FrontPage support see:
| > http://www.net-sites.com/sitebuilder/newsgroups.asp
| > _____________________________________________
| >
| >
| > | > | Hi
| > | Can someone please help detect any vulnerabilities in this method
where
| > | people can update there own registration details.
| > | Here is how it works
| > | I have created a select statement using the DRW which queries the
| > username
| > | and password against an access database and returns the resulting
record
| > set
| > | on another page as a form.
| > | The user can then edit there details.
| > | When the form is submitted it sent to an update.asp.The update.asp
is a
| > copy
| > | of the one created by the DIW, I have simply removed the login asa
and
| > | supporting asp code.
| > | Here is the url.I have created a username " testing" and password
| > "testing"
| > | The first login page allows you to enter the database search members
| > area
| > | and has nothing to do with the update statement
| > |
| > |
| >
http://www.ingenious-group.com/user_database_reg_/changedetailslogin1.asp
| > |
| > | Thanyou
| > | Paul M
| > |
| > |
| > |
| >
| >
|
|

 

[Stefan B Rusynko]

See responses to your post in the programming newsgroup




| Hi Stefan
| I am trying to add the following asp to the vaidation page which is supposed
| to change single quotas to double where do I put it
| <%
|
| function stripQuotes(strWords)
| stripQuotes = replace(strWords, "'", "''")
| end function
|
| %>
|
|
|
| Thanks paul m
|
|
|
| | > sql injection means injecting something (from your form) into your
| > validation page processed by your server side code that causes
| > the sql code there (managing your db) to react adversely
| > You write your asp code to check for valid input data and block invalid
| > input data from the form
| > - no different than your client side code checks some, but not all, of the
| > input from a user
| > - read the link I posted as a start
| >
| > --
| >
| > _____________________________________________
| > SBR @ ENJOY (-: [ Microsoft MVP - FrontPage ]
| > "Warning - Using the F1 Key will not break anything!" (-;
| > To find the best Newsgroup for FrontPage support see:
| > http://www.net-sites.com/sitebuilder/newsgroups.asp
| > _____________________________________________
| >
| >
| > | > | Thanks Stefan
| > | But surely the sql is part of the asp and cannot be been by the browser?
| > | How do I acheve server side validation?
| > | Paul M
| > |
| > | | > | > You are using client side form field validation, but don't rely on it
| > | > - make sure you are also using server side validation in
| > | > http://www.ingenious-group.com/databasesearchlogonvalidation.asp
| > | > to check all inputs and block any attempts at sql injection
| > | > (see for instance
| > | > http://www.securiteam.com/securityreviews/5DP0N1P76E.html)
| > | > --
| > | >
| > | > _____________________________________________
| > | > SBR @ ENJOY (-: [ Microsoft MVP - FrontPage ]
| > | > "Warning - Using the F1 Key will not break anything!" (-;
| > | > To find the best Newsgroup for FrontPage support see:
| > | > http://www.net-sites.com/sitebuilder/newsgroups.asp
| > | > _____________________________________________
| > | >
| > | >
| > | > | > | > | Hi
| > | > | Can someone please help detect any vulnerabilities in this method
| > where
| > | > | people can update there own registration details.
| > | > | Here is how it works
| > | > | I have created a select statement using the DRW which queries the
| > | > username
| > | > | and password against an access database and returns the resulting
| > record
| > | > set
| > | > | on another page as a form.
| > | > | The user can then edit there details.
| > | > | When the form is submitted it sent to an update.asp.The update.asp
| > is a
| > | > copy
| > | > | of the one created by the DIW, I have simply removed the login asa
| > and
| > | > | supporting asp code.
| > | > | Here is the url.I have created a username " testing" and password
| > | > "testing"
| > | > | The first login page allows you to enter the database search members
| > | > area
| > | > | and has nothing to do with the update statement
| > | > |
| > | > |
| > | >
| > http://www.ingenious-group.com/user_database_reg_/changedetailslogin1.asp
| > | > |
| > | > | Thanyou
| > | > | Paul M
| > | > |
| > | > |
| > | > |
| > | >
| > | >
| > |
| > |
| >
| >
|
|