How to know if an ASP web page is vulnerable to SQL injection?

2017-11-20 23:43:27

I have some experience working with PHP web applications vulnerable to SQL injection and exploiting this type of vulnerability successfully, but I have never tried to do this on an ASP-based web application. When we try to find out if a PHP web application is vulnerable to SQL injection, we usually add a single quote to the end of an input parameter like this:

http://example.com/index.php?id=1'

and if we get an error like this:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1

we know that it's vulnerable. In some cases we get a blank page or some data is missing on the page, which can mean that it's vulnerable.

So here is my question: If I add a single quote to the end of an input parameter in a classic ASP web page and I get a blank page or miss some data on that page, does it mean that it's vulnerable to SQL injection? And are there any other ways to know if an SQL injection vuln

  • Sorry, I want to expand a bit on your thought process. It's not just an ' at the end. I mean, that's a good, quick way of finding a decent percentage of the holes.

    Let me give an example of a vulnerability that this approach wouldn't find:

    url: http://www.somesite.com/page.asp?name=kevin&status=live

    --- code behind the scenes: ---

    string table = "history"

    if (status == "live") table = "current"

    string sqlCmd = "select * from " + table + " where name = '" + name + "'"

    ... see the problem? The last parameter in your url specifies the status, and the code is simply using a "is it X or not?" logic to it - it doesn't inject the actual value into the SQL statement, so it's not vulnerable. But the other parameter is inserted into the SQL statement raw - which makes it vulnerable to injection attack. So while:

    http://www.somesite.com/page.asp?name=kevin&status=live'

    ... wouldn't have an error, this would:

    http://www.somesite.com/page.asp?name=kevin'&status=live

    So, realistically,

    2017-11-21 00:08:08
  • SQL injection is SQL injection. It is independent of your web framework. If the developer has not bound the parameters, they are potentially vulnerable. Either of the two methods you mentioned is as likely to work on ASP as on PHP.

    However, it is unlikely that the classic ASP application is using MySQL; it is far more likely to be using SQL Server, possibly even MS Access. That will give you some more subtle differences in how to exploit any vulnerabilities that you might find.

    2017-11-21 00:08:58
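
The two answers above, one showing a query where only `name` is concatenated and the other pointing at unbound parameters, can be checked side by side. This is an added example, not code from either answer: it assumes Python's `sqlite3` in place of the classic ASP and SQL Server stack, the function names are hypothetical, and the rows are constructed sample data.

```python
import sqlite3

def make_db():
    # Constructed sample data standing in for the site's two tables.
    db = sqlite3.connect(":memory:")
    for table in ("current", "history"):
        db.execute(f"CREATE TABLE {table} (name TEXT, note TEXT)")
    db.execute("INSERT INTO current VALUES ('kevin', 'live row')")
    db.execute("INSERT INTO history VALUES ('kevin', 'old row')")
    return db

def pick_table(status):
    # status is only compared, never placed in the SQL text.
    return "current" if status == "live" else "history"

def lookup_concat(db, name, status):
    # Same shape as the answer's code: name is concatenated raw.
    sql = "select * from " + pick_table(status) + " where name = '" + name + "'"
    return db.execute(sql).fetchall()

def lookup_bound(db, name, status):
    # Hardened form: name travels as a bound parameter, not as SQL text.
    sql = "select * from " + pick_table(status) + " where name = ?"
    return db.execute(sql, (name,)).fetchall()

def probe(fn, db, name, status):
    # Classify the outcome the way a tester reading the page would.
    try:
        rows = fn(db, name, status)
    except sqlite3.OperationalError:
        return "sql error"
    return f"{len(rows)} row(s)"

def run_matrix():
    db = make_db()
    cases = {"baseline": ("kevin", "live"),
             "quote in status": ("kevin", "live'"),
             "quote in name": ("kevin'", "live")}
    return {(fn.__name__, label): probe(fn, db, *args)
            for fn in (lookup_concat, lookup_bound)
            for label, args in cases.items()}

if __name__ == "__main__":
    for key, outcome in run_matrix().items():
        print(key, "->", outcome)
```

With the bound version, the quoted `name` returns zero rows and no error, so an empty page on its own does not show that the value reached the SQL text.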