
vbscript to javascript

  • 21-10-2008 03:09PM
    #1
    Registered Users, Registered Users 2 Posts: 342 ✭✭


    Hi, I've just been handed a terrible old classic ASP site that's been hit with XSS attacks.

    I found somewhere this code in VBScript to help protect sites, but my site uses
    JavaScript as its server-side language, so I was wondering if
    anyone who knows JavaScript better than I could convert the VBScript or
    show me something similar I could use with JavaScript.
    It basically checks the querystring for dubious content.
    vbscript is:
    ' Code for preventing SQL Injection (blacklist of query-string values)
    ' "--" is the SQL comment marker; the trailing " _" is VBScript's
    ' line-continuation character, which a multi-line Array() needs.
    array_split_item = Array("--", ";", "/*", "*/", "@@", "@", _
                      "char", "nchar", "varchar", "nvarchar", _
                      "alter", "begin", "cast", "create", "cursor", _
                      "declare", "delete", "drop", "end", "exec", _
                      "execute", "fetch", "insert", "kill", "open", _
                      "select", "sys", "sysobjects", "syscolumns", _
                      "table", "update", "<script", "</script>", "'")

    ' Check every query-string value, lower-cased, against every blacklist entry
    for each item in Request.QueryString
        for array_counter = lbound(array_split_item) to ubound(array_split_item)
            item_position1 = InStr(lcase(Request(item)), array_split_item(array_counter))
            'Response.Write(array_split_item(array_counter) & "<br>")
            if item_position1 > 0 then
                ' A blacklisted token was found: stop processing the request
                Response.Write("Command cannot be executed.")
                Response.End()
            end if
        next
    next
    


Comments

  • Registered Users, Registered Users 2 Posts: 569 ✭✭✭none


    Try something along these lines (main difference in curly braces and semicolons):
    var array_split_item = new Array("--", ";", "/*", "*/", "@@", "@",
                           "char", "nchar", "varchar", "nvarchar",
                           "alter", "begin", "cast", "create", "cursor",
                           "declare", "delete", "drop", "end", "exec",
                           "execute", "fetch", "insert", "kill", "open",
                           "select", "sys", "sysobjects", "syscolumns",
                           "table", "update", "<script", "</script>", "'");
    var col = new Enumerator(Request.QueryString);
    var str, value, i;
    for (; !col.atEnd(); col.moveNext()) {
        str = col.item();
        // Request.QueryString(str) is a COM object, so convert it to a string
        // and lower-case it, as the VBScript's lcase() did, before searching
        value = String(Request.QueryString(str)).toLowerCase();
        for (i = 0; i < array_split_item.length; i++) {
            if (value.indexOf(array_split_item[i]) >= 0) {
                Response.Write("Command cannot be executed.");
                Response.End();
            }
        }
    }
    

    P.S. It's JScript, by the way, not JavaScript.


  • Registered Users, Registered Users 2 Posts: 342 ✭✭adm


    Many Thanks.


  • Registered Users, Registered Users 2 Posts: 81,060 ✭✭✭✭biko


    Rather than a blacklist approach you could use a whitelist approach, e.g. if the string is not recognised as good then drop it and put up an error message.
    This will also hinder obfuscated strings.


  • Moderators, Science, Health & Environment Moderators Posts: 9,206 Mod ✭✭✭✭mewso


    I would sincerely hope that the server side data access code be updated so as not to directly add querystring values to a query. This kind of checking should be unnecessary when using parameterised queries or stored procedures.

    Oh and JScript is an old name Microsoft used to call their implementation of javascript. It is javascript. I think even Microsoft would call it that now.
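biko's whitelist suggestion above, as an added example that is not code from the thread (the parameter names and patterns are assumptions): it accepts only the query-string parameters the page expects, each matched against a pattern, and shows where the posted blacklist misfires on ordinary words. As mewso says, the validated values still reach the database through parameterised queries, not string concatenation.

```javascript
// Added example, not from the thread: biko's whitelist approach for the
// classic ASP query string. Each expected parameter gets a pattern that
// describes a good value; anything else is rejected. The parameter names
// and patterns are made up for this example.
const QUERY_SCHEMA = {
  id:   { pattern: /^[0-9]{1,9}$/ },                          // numeric record key
  page: { pattern: /^[0-9]{1,3}$/, optional: true },          // small page number
  q:    { pattern: /^[A-Za-z0-9 _.-]{1,50}$/, optional: true } // plain search text
};

// The thread's blacklist, kept for comparison ("--" is the SQL comment
// marker that appears as an en dash in the posted code).
const BLACKLIST = ["--", ";", "/*", "*/", "@@", "@", "char", "nchar", "varchar",
  "nvarchar", "alter", "begin", "cast", "create", "cursor", "declare", "delete",
  "drop", "end", "exec", "execute", "fetch", "insert", "kill", "open", "select",
  "sys", "sysobjects", "syscolumns", "table", "update", "<script", "</script>", "'"];

// True when the blacklist would block the value; it also blocks harmless
// words that merely contain a token, e.g. "broadcast" (cast), "opening" (open).
function blacklistRejects(value) {
  const lower = String(value).toLowerCase();
  return BLACKLIST.some((token) => lower.indexOf(token) >= 0);
}

// Whitelist check over a plain object of query-string values (what you get
// after reading Request.QueryString). Unknown parameters, missing required
// ones, repeated values and anything not matching its pattern are errors.
// Returns { ok: true, values } or { ok: false, errors }.
function validateQuery(query, schema = QUERY_SCHEMA) {
  const errors = [];
  const values = {};
  for (const name of Object.keys(query)) {
    if (!Object.prototype.hasOwnProperty.call(schema, name)) {
      errors.push("unexpected parameter: " + name);
    }
  }
  for (const [name, rule] of Object.entries(schema)) {
    const raw = query[name];
    if (raw === undefined) {
      if (!rule.optional) errors.push("missing parameter: " + name);
    } else if (Array.isArray(raw) || !rule.pattern.test(String(raw))) {
      errors.push("bad value for parameter: " + name);
    } else {
      values[name] = String(raw);
    }
  }
  return errors.length === 0 ? { ok: true, values } : { ok: false, errors };
}
```

Only the `values` that come back with `ok: true` should be used, and each one bound as a query parameter rather than pasted into SQL text.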

