2008-10-10

Ghetto Input validation.

I was consulting on a project a few months ago that had very little budget but kept getting hacked weekly. The application was in ASP but that does not really matter for the point that I'm about to make. Since they had very little money and very little time and I wanted to perform very strict input validation I came up with a solution that I am surprised that I have never seen before. Why not just validate the entire query string instead of individual parameters. The entire site has very few post parameters and kept getting hacked through all the GET parameters so I wrote a simple ASP script that I could add to the beginning of every page. If that validation failed then the whole site would redirect to error otherwise execute the page code. I validated the post params individually since there where so few. I know that really what these guys needed to do was use bindable queries but there was aaaaallloottt of SQL and they only accepted alpha numeric, upper and lower case letters. Can anyone think of a reason how this could be exploitable. One quick statement and we stopped all XSS and SQL injection attacks against this site.  These guys where also a very small business that could not afford to be down for days while the code was being developed. For an enterprise I would prolly would not recommend this but for a small startup or local business then I think this could really help.

 

Here is my Classic ASP code.

Validation.asp

Function ValidateQueryString( input)
    Dim re
    Set re = New RegExp
    ' alphanumeric regular expression
    re.global = True
    re.Pattern = "^[a-zA-Z0-9\=\&\ ]+$"
    re.Test(input)
    if(re.Test(input) or input = "") then
        ValidateQueryString = True
    else
        ValidateQueryString = False
    end if
End Function

 

every page will include this line at the top...

<!--#include file="Validation.asp" -->
<%
if(ValidateQueryString(request.QueryString) = False) then
    response.redirect("error.asp")
end if
%>

1 comment:

Rob said...

I believe that this is somewhat similar to the approach used by Microsoft's Anti-XSS HttpModule. It looks for forms in pages and applies filters / encoding to all inputs and outputs on / from a page.