
vbscript to javascript

  • 21-10-2008 2:09pm
    #1
    Registered Users, Registered Users 2 Posts: 342 ✭✭


    Hi, I've just been handed a terrible old classic ASP site that's been hit with XSS attacks.

    I found somewhere this code in VBScript to help protect sites, but my site uses
    JavaScript as its server-side language, so I was wondering if
    anyone who knew JavaScript better than I could convert the VBScript or
    show me something similar I could use with JavaScript.
    It basically checks the querystring for dubious content.
    The VBScript is:
    ' Code for preventing SQL Injection
    ' The first entry appeared as an en dash in the post; "--" (the SQL line-comment
    ' marker) is assumed to be what was meant. VBScript needs " _" at the end of a
    ' line to continue a statement onto the next one.
    array_split_item = Array("--", ";", "/*", "*/", "@@", "@", _
                      "char", "nchar", "varchar", "nvarchar", _
                      "alter", "begin", "cast", "create", "cursor", _
                      "declare", "delete", "drop", "end", "exec", _
                      "execute", "fetch", "insert", "kill", "open", _
                      "select", "sys", "sysobjects", "syscolumns", _
                      "table", "update", "<script", "</script>", "'")

    ' For every querystring parameter, look for each blacklisted substring in the
    ' lower-cased value. Note Request(item) searches QueryString, Form, Cookies and
    ' ServerVariables in that order; Request.QueryString(item) would limit it to the URL.
    for each item in Request.QueryString
        for array_counter = lbound(array_split_item) to ubound(array_split_item)
            item_position1 = InStr(lcase(Request(item)), array_split_item(array_counter))
            'Response.Write(array_split_item(array_counter) & "<br>")
            if item_position1 > 0 then
                Response.Write("Command cannot be executed.")
                Response.End()
            end if
        next
    next


Comments

  • Registered Users, Registered Users 2 Posts: 569 ✭✭✭none


    Try something along these lines (main difference in curly braces and semicolons):
    // First entry was an en dash (&#8211;) in the post; "--" (SQL line comment) is assumed.
    var array_split_item = new Array("--", ";", "/*", "*/", "@@", "@",
                                     "char", "nchar", "varchar", "nvarchar",
                                     "alter", "begin", "cast", "create", "cursor",
                                     "declare", "delete", "drop", "end", "exec",
                                     "execute", "fetch", "insert", "kill", "open",
                                     "select", "sys", "sysobjects", "syscolumns",
                                     "table", "update", "<script", "</script>", "'");
    var col = new Enumerator(Request.QueryString);
    var str, val, i;
    for (; !col.atEnd(); col.moveNext()) {
        str = col.item();   // parameter name
        // String() unwraps the ASP collection item; lower-case to match the VBScript lcase()
        val = String(Request.QueryString(str)).toLowerCase();
        for (i = 0; i < array_split_item.length; i++) {
            if (val.indexOf(array_split_item[i]) >= 0) {
                Response.Write("Command cannot be executed.");
                Response.End();
            }
        }
    }

    P.S. It's JScript, by the way, not JavaScript.


  • Registered Users, Registered Users 2 Posts: 342 ✭✭adm


    Many Thanks.


  • Registered Users, Registered Users 2 Posts: 81,219 ✭✭✭✭biko


    Rather than a blacklist approach you could use a whitelist approach, e.g. if the string is not recognised as good then drop it and put up an error message.
    This will also hinder obfuscated strings.


  • Moderators, Science, Health & Environment Moderators Posts: 9,054 Mod ✭✭✭✭mewso


    I would sincerely hope that the server side data access code be updated so as not to directly add querystring values to a query. This kind of checking should be unnecessary when using parameterised queries or stored procedures.

    Oh and JScript is an old name Microsoft used to call their implementation of JavaScript. It is JavaScript. I think even Microsoft would call it that now.
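The following is an added example, not code posted in this thread, showing the two points raised above together: biko's allow-list approach and mewso's parameterised queries, written in JavaScript. It also shows why the thread's substring blacklist misfires on ordinary words. The field names, regex rules, sample querystrings and the fakeCommand stand-in are constructed for illustration; in real classic ASP JScript the params object would be built from Request.QueryString and the createCommand argument would be `function () { return new ActiveXObject("ADODB.Command"); }`.

```javascript
// Added example (not from the thread). The ASP objects are replaced by plain
// objects so the logic runs under Node; field names, rules, sample input and
// the fakeCommand stand-in are constructed for illustration.

// The thread's blacklist, lower-cased as the VBScript lcase()/InStr did it.
// The post showed the first entry as an en dash; "--" (SQL line comment) is
// assumed to be what was meant.
var BLACKLIST = ["--", ";", "/*", "*/", "@@", "@",
  "char", "nchar", "varchar", "nvarchar",
  "alter", "begin", "cast", "create", "cursor",
  "declare", "delete", "drop", "end", "exec",
  "execute", "fetch", "insert", "kill", "open",
  "select", "sys", "sysobjects", "syscolumns",
  "table", "update", "<script", "</script>", "'"];

// Substring blacklist: returns the first token found in the value, else null.
// Ordinary words trip it ("friend" contains "end", "opening" contains "open").
function blacklistHit(value) {
  var v = String(value).toLowerCase();
  for (var i = 0; i < BLACKLIST.length; i++) {
    if (v.indexOf(BLACKLIST[i]) >= 0) return BLACKLIST[i];
  }
  return null;
}

// Allow-list: one anchored regex per expected parameter (hypothetical fields).
// Unknown parameters and non-matching values are rejected outright.
var RULES = {
  id:   /^\d{1,9}$/,              // numeric product id
  sort: /^(name|price|date)$/,    // one of a fixed set
  q:    /^[A-Za-z0-9 ]{1,40}$/    // search text: letters, digits, spaces only
};

// params is a plain object of name -> string (in ASP, built from Request.QueryString).
function validateQuery(params, rules) {
  var errors = [], clean = {};
  for (var name in params) {
    if (!Object.prototype.hasOwnProperty.call(params, name)) continue;
    var value = String(params[name]);
    if (!rules[name]) { errors.push("unexpected parameter: " + name); continue; }
    if (!rules[name].test(value)) { errors.push("bad value for " + name); continue; }
    clean[name] = value;
  }
  return { ok: errors.length === 0, errors: errors, clean: clean };
}

// ADO DataTypeEnum / ParameterDirectionEnum values (as in adovbs.inc).
var adInteger = 3, adVarChar = 200, adParamInput = 1;

// Parameterised query: the SQL text is a constant and the validated values
// travel as typed parameters, so they cannot alter the statement.
// createCommand is injected; in ASP it is
//   function () { return new ActiveXObject("ADODB.Command"); }
function buildProductCommand(createCommand, clean) {
  var cmd = createCommand();
  cmd.CommandText = "SELECT id, name FROM products WHERE id = ? AND name LIKE ?";
  cmd.Parameters.Append(cmd.CreateParameter("id", adInteger, adParamInput, 0,
                                            parseInt(clean.id, 10)));
  cmd.Parameters.Append(cmd.CreateParameter("q", adVarChar, adParamInput, 50,
                                            "%" + clean.q + "%"));
  return cmd;
}

// Stand-in for ADODB.Command with only the members used above, so the
// example runs outside ASP (constructed, not a real ADO object).
function fakeCommand() {
  var items = [];
  return {
    CommandText: "",
    Parameters: { items: items, Append: function (p) { items.push(p); } },
    CreateParameter: function (name, type, dir, size, value) {
      return { Name: name, Type: type, Direction: dir, Size: size, Value: value };
    }
  };
}

// Walk-through on constructed input: a legitimate search and an attack-style one.
function demo() {
  var legit = { id: "42", q: "friend" };
  var hostile = { id: "42", q: "x' OR 1=1 --" };
  var checked = validateQuery(legit, RULES);
  return {
    blacklistBlocksLegit: blacklistHit(legit.q),               // "end"
    allowlistAcceptsLegit: checked.ok,                         // true
    allowlistRejectsHostile: validateQuery(hostile, RULES).ok, // false
    command: buildProductCommand(fakeCommand, checked.clean)
  };
}
```

The allow-list runs before the query is built, so only values that already match the expected shape reach the command; the parameterisation then means even a value that slipped past validation is sent as data rather than spliced into the SQL text. A stored procedure called with the same CreateParameter calls gives the same separation.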

