SQL Injection Protection - b.js

by John Avis | June 30, 2008 | Classic ASP, Web Security

There is an automated SQL injection attack doing the rounds at the moment which injects some HTML (<script src=http://www.domain.com/b.js></script>) into certain fields in all the tables in a database.

If you have been attacked don't feel bad as an Internet search of "b.js" reveals tens of thousands of hacked sites.

The attack cleverly appends a series of SQL commands onto your querystrings and, if your code is unprotected and you are not using an Access database, the commands may be passed on to your SQL server and the damage done.

Considering the damage that could be done by this sort of attack, I guess we are lucky that they chose only to append their little JavaScript.

However, this attack could cause search engines to flag your website as "unsafe" in their results.

Reversing the Damage

We are also extremely fortunate that the changes can be easily reversed with a few changes to the attacker's original SQL commands.

Simply execute the following to clean up the damage. If you have been attacked multiple times (i.e. you have multiple script blocks appended to your SQL data) then you will need to execute the following script once for each attack.

Protecting against attacks

There are many methods out there to protect against this sort of attack.

The best method is to ensure that you protect every value that you pass to SQL. Strings should be passed through a function that replaces each single quote with two single quotes. Numbers should be passed through a function that forces them to a numeric value.

The following function is a simple method which removes multiple inline SQL commands. If you issue multiple inline SQL commands in one go then obviously it will not be suitable, but for everyone else it should stop this attack. It will not protect against all types of attack, however.

Parse your SQL command strings with the following syntax:

SQLCheck(sql-string-here)
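As an added illustration of the "protect every value" advice above (this is not the post's SQLCheck function, which is not reproduced here), the Classic ASP snippet below shows the two helpers the text describes and, preferably, an ADODB.Command with bound parameters so the value is never spliced into the SQL text at all. The table and column names, the querystring keys and the open connection object named conn are assumptions.

```vbscript
' Escape a string value for use inside a single-quoted SQL literal:
' every single quote becomes two single quotes.
Function SafeString(value)
    SafeString = Replace(CStr(value), "'", "''")
End Function

' Force a value to be numeric; anything that is not a number becomes 0.
Function SafeNumber(value)
    If IsNumeric(value) Then
        SafeNumber = CDbl(value)
    Else
        SafeNumber = 0
    End If
End Function

' Concatenation style, made safe only by the helpers above.
' (Assumed table "Articles" with columns ArticleID and Category.)
Dim sql
sql = "SELECT Title FROM Articles WHERE ArticleID = " & _
      SafeNumber(Request.QueryString("id")) & _
      " AND Category = '" & SafeString(Request.QueryString("cat")) & "'"

' Preferred: a parameterised query. Anything appended to the querystring
' is passed as plain data, so injected SQL is never executed.
Dim cmd, rs
Set cmd = Server.CreateObject("ADODB.Command")
cmd.ActiveConnection = conn   ' assumed: an already open ADODB.Connection
cmd.CommandText = "SELECT Title FROM Articles WHERE ArticleID = ? AND Category = ?"
cmd.CommandType = 1           ' adCmdText
' CreateParameter(Name, Type, Direction, Size, Value)
cmd.Parameters.Append cmd.CreateParameter("id", 3, 1, , _
    SafeNumber(Request.QueryString("id")))               ' adInteger, adParamInput
cmd.Parameters.Append cmd.CreateParameter("cat", 200, 1, 50, _
    CStr(Request.QueryString("cat")))                    ' adVarChar, adParamInput
Set rs = cmd.Execute
```

The string helper only covers values inside single quotes; a numeric field built by concatenation must go through SafeNumber, which is exactly the case this attack exploits.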


Comments

Raja | July 14, 2008

Very useful scripts
