Tuesday, April 1, 2008

JavaScript Code to protect against injection attacks

Description:

This code uses a simple regular expression to check whether user input contains any of the characters commonly used in SQL injection and cross-site scripting (XSS) attacks.

The code walks every textarea and input element on the page and checks whether the value entered by the user contains one of the special characters matched by the regular expression:
[\^\$\(\)\<\>\|\\\}\{\]\[\*\?%&\+\'@]

Usage:
  • Add the following line as the first line after the opening form tag: <INPUT TYPE="hidden" NAME="regex" id="regex" VALUE="[\^\$\(\)\<\>\|\\\}\{\]\[\*\?%&\+\'@]" SIZE=50>. I could have declared this regular expression in the JavaScript itself, but when the pattern is written as a JavaScript string literal the string-escape processing strips the backslashes before RegExp ever sees them: "[\^\$\(\)..." turns into "[^$()<>|\}{][*?%&+'@]", which is a negated character class followed by a second class. That pattern needs two characters to match, so a single special character at index 0 was never found. Reading the pattern from the hidden input's value avoids the problem (a regex literal, /[...]/, or doubled backslashes would work too), and this way works for me.

  • Create a div element with id error:
    <div id="error" align="center" style="background-color:#FF0000; color:#FFFFFF; display:block; width:inherit "> </div> <br />
    You need this because the script does getElementById('error').innerHTML = ... to display the error message.

  • Call this script onSubmit. For example: <form method="post" name="frmEditAccount" action="../modules/processEditProfile.php" id="frmEditAccount" onSubmit="return inputValidation(frmEditAccount)">
    Here the onSubmit event calls the function inputValidation(frmEditAccount), because I am doing some more validation besides just the security check; returning false from the handler cancels the submit. Thus my definition of inputValidation looks like this:
    function inputValidation(frm)
    {
        // The security check runs first; any further validation only runs if it passes.
        if (!securityCheck())
        {
            return false;
        }
        else
        {
            return validateEditProfile(frm);
        }
    }
  • Include the JavaScript file:
    <script language="javascript" type="text/javascript" src="/modules/securityCheck.js"></script>


  • Because this check runs in the browser, it only catches input from users who submit through the form with JavaScript enabled: anyone who disables JavaScript, edits the hidden regex field, or sends the POST request directly bypasses it. I didn't have much time to figure out how to detect whether JavaScript is enabled in a browser, but if I find something I will add it to this script. Either way, the PHP that processes the form still has to validate its input itself (and use parameterised queries and HTML-escape output) rather than rely on this check.
  • This code is working for the following forms: userRegistration, editProfile, projectCreate, and for the userHomePage, i.e. for the Search.

    I have pasted the code below. Please email me if you have any problems using the code.

    One more thing: debugging JavaScript is a developer's nightmare, because you have to depend completely on the browser. So if you are going to debug JavaScript, try Firefox with the Web Developer extension; it installs a toolbar in Firefox from which you can check various kinds of errors, such as JavaScript errors, CSS errors, etc.

    Please do not attempt to modify this code on the UITS server. If you think it is an important modification let me know about it.

//JavaScript Document
/*#########################################
Author:Saurabh Ajmera
Date:02/16/2008
Description:This function does some security check, no special characters allowed!!
###########################################*/

// Message shown to the user. Backslashes are doubled so the message really
// contains a backslash (a single "\ " in a string literal collapses to a space).
var BLOCKED_CHARS_MESSAGE = 'For security reasons, you cannot enter the following characters as input: ^ $ ( ) < > | \\ } { ] [ * ? % & + \' @';

// Returns 1 if the value contains none of the blocked characters, 0 otherwise.
// The pattern is read from the hidden "regex" input so that it reaches RegExp
// without being mangled by JavaScript string-escape processing.
function isInputSecure(value)
{
    var re = new RegExp(document.getElementById('regex').value);
    return (value.match(re)) ? 0 : 1;
}

// Checks every textarea and every non-hidden input on the page. On the first
// offending field it writes the error message into the "error" div and returns
// false (which cancels the form submit); otherwise it returns true.
function securityCheck()
{
    var textareas = document.getElementsByTagName('textarea');
    var j;
    for (j = 0; j < textareas.length; j++)
    {
        if (!isInputSecure(textareas[j].value))
        {
            document.getElementById('error').innerHTML = BLOCKED_CHARS_MESSAGE;
            return false;
        }
    }

    var inputs = document.getElementsByTagName('input');
    var i;
    for (i = 0; i < inputs.length; i++)
    {
        // Hidden inputs are skipped: the "regex" carrier field would otherwise fail its own check.
        if (inputs[i].type != 'hidden' && !isInputSecure(inputs[i].value))
        {
            document.getElementById('error').innerHTML = BLOCKED_CHARS_MESSAGE;
            return false;
        }
    }
    return true;
}
