Web Application Security: Getting Started with VirtualBox and the Buggy Web App / OWASP’s BWAPP Project.

Today I’m writing about getting experience in web application security.

If you want to learn application security, you can find most of the tools for free online. You will need to set up a virtual lab environment to practice in, because most of what you will be learning is illegal to do against systems you do not own or have permission to test.
Here is a list of related videos to help you if you’re interested in getting started in the world of web application security.

1. Download and install VirtualBox. Go to YouTube and find a couple of videos on how to install and configure VirtualBox. You will need VirtualBox to create and manage the virtual computers in your test environment. I’ve included a video on setting up the network configuration for your VirtualBox testing lab so your test computers can all communicate with and hack each other.

Video: Configuring Network Settings for your Virtual Box test environment (NAT, Bridged and Internal Networking)

Video: How to Install Kali Linux in Virtual Box

2. Learn what tools IT security professionals use. In this case, learn about Kali Linux and Burp Suite.

Video: How to install Burp-Suite Free Edition

3. Learn about OWASP and the Buggy Web Application (BWAPP) project and get your free virtual PC images for testing.

You may need this video if you end up running sqlmap on your Windows PC. sqlmap is a Python tool, so Python (2.7 at the time of writing) needs to be installed for it to work.

Video: How to Install SQLMap on Windows OS

Download the bee-box virtual machine (VM) image file from SourceForge.net. 

Video: Web Application PenTest w/ the Buggy Web App Project (BWAPP)

4. Find as many web application security videos and courses as you can and try out their techniques.
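For the network configuration in step 1, here is an added example of doing the same thing from the command line with VBoxManage instead of the VirtualBox GUI. It is my script, not something from the post or the bWAPP project; the VM names ("kali" and "bee-box"), the internal network name "pentestlab" and the 10.10.10.0/24 addresses are my assumptions, so change them to match your lab. The design point it shows: the attacker box keeps a NAT adapter for updates, while the deliberately vulnerable bee-box gets an internal-network adapter only, so it can be hacked from Kali but is never exposed to your real LAN.

```shell
#!/bin/sh
# Added example, not part of the original post: put the attacker VM and the
# intentionally vulnerable bee-box VM on a private VirtualBox internal
# network so they can reach each other but bee-box can never reach, or be
# reached from, your real LAN. The VM names ("kali", "bee-box") and the
# network name/addresses are my assumptions; change them to match your lab.
VBOXMANAGE="${VBOXMANAGE:-VBoxManage}"   # VBOXMANAGE=echo gives a dry run
ATTACKER="${ATTACKER:-kali}"
TARGET="${TARGET:-bee-box}"
LABNET="${LABNET:-pentestlab}"

configure_lab_network() {
    # Internal networks have no DHCP unless you create one, so add (or
    # update) a server for the lab network: VMs get 10.10.10.10-50.
    "$VBOXMANAGE" dhcpserver add --netname "$LABNET" --ip 10.10.10.1 \
        --netmask 255.255.255.0 --lowerip 10.10.10.10 --upperip 10.10.10.50 --enable \
    || "$VBOXMANAGE" dhcpserver modify --netname "$LABNET" --ip 10.10.10.1 \
        --netmask 255.255.255.0 --lowerip 10.10.10.10 --upperip 10.10.10.50 --enable

    # Attacker: NIC1 stays on NAT for updates and tool downloads, NIC2 joins
    # the lab network. (Bridged would work too, but exposes Kali to the LAN.)
    "$VBOXMANAGE" modifyvm "$ATTACKER" --nic1 nat
    "$VBOXMANAGE" modifyvm "$ATTACKER" --nic2 intnet --intnet2 "$LABNET" --cableconnected2 on

    # Target: internal network only. No NAT, no bridged adapter, no second
    # NIC: bee-box ships with known-exploitable services and must stay boxed in.
    "$VBOXMANAGE" modifyvm "$TARGET" --nic1 intnet --intnet1 "$LABNET" --cableconnected1 on
    "$VBOXMANAGE" modifyvm "$TARGET" --nic2 none
}

show_lab_network() {
    # Print each VM's NIC settings (nic1="intnet", intnet1="pentestlab", ...)
    # so the isolation can be checked before anything is powered on.
    for vm in "$ATTACKER" "$TARGET"; do
        echo "== $vm"
        "$VBOXMANAGE" showvminfo "$vm" --machinereadable \
            | grep -E '^(nic|intnet|bridgeadapter|hostonlyadapter)[0-9]+=' \
            || echo "   (no NIC settings reported)"
    done
}

# Only touch VM settings when explicitly asked; VMs must be powered off first.
if [ "${1:-}" = "apply" ]; then
    configure_lab_network
    show_lab_network
fi
```

Run it as `sh lab-network.sh apply` with both VMs powered off, then power on bee-box first and read its address off the console login banner; Kali reaches it over its second adapter while still having Internet through NAT. Set `VBOXMANAGE=echo` to print the commands without changing anything.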

Classic ASP: How to Do Parameterized Queries to Help Prevent SQL Injection

I’m a professional web developer who has spent 20+ years working in Classic ASP.

I work in modern stacks too but I still actively develop in Classic ASP on a side hustle project that is too expensive to re-write at this time.

This article walks through an example of SQL injection prevention in Classic ASP using a basic parameterized query written in VBScript.

I’ve included links to all my references below.

Please note that the first code example won’t work as written unless the ADO constant adCmdText is defined: VBScript has no built-in knowledge of the ADO constants.

adCmdText is defined in adovbs.inc, the include file (installed with ADO under Common Files\System\ado) that declares all of the ADO constants we use for commands, adCmdText among them; you pull it into the page with a #include directive. None of the other sources mentioned that at all.

I’ve added a second code example that removes the need for the include file by assigning the CommandType its numeric enumeration value directly.

ADOVBS.INC Example: 

'---- CommandTypeEnum Values ----
Const adCmdUnknown = &H0008
Const adCmdText = &H0001
Const adCmdTable = &H0002
Const adCmdStoredProc = &H0004

<%
 Set rs = Server.CreateObject("ADODB.Recordset")
 Set cmd1 = Server.CreateObject("ADODB.Command")
 Set conn = Server.CreateObject("ADODB.Connection")
 conn.Open [Connection String Value] ' replace with your connection string
 ' Set is needed here: without it VBScript assigns conn's default property (its
 ' ConnectionString) and ADO quietly opens a second connection. Also note that
 ' VBScript comments start with an apostrophe, not //.
 Set cmd1.ActiveConnection = conn ' connection object already created
 cmd1.CommandText = "SELECT * FROM [table] WHERE ID = ?" ' ? is the placeholder; the value never enters the SQL text
 cmd1.CommandType = adCmdText ' constant comes from adovbs.inc
 'cmd1.Prepared = True ' only needed if you plan to reuse this command often
 cmd1.Parameters.Refresh ' asks the provider to describe the parameters (an extra round trip to the server)
 cmd1.Parameters(0).Value = "55" ' ADO converts to the type reported by Refresh
 Set rs = cmd1.Execute
 While Not rs.EOF
  Response.Write(rs("ID") & "<br>")
  rs.MoveNext
 Wend
 rs.Close
 conn.Close
 Set rs = Nothing
 Set conn = Nothing
%>
The same code can also be written with the constant adCmdText replaced by its numeric CommandType enumeration value, 1:
<%
Set rs = Server.CreateObject("ADODB.Recordset")
Set cmd1 = Server.CreateObject("ADODB.Command")
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open [Connection String Value] ' replace with your connection string
' Set is needed here: without it VBScript assigns conn's default property (its
' ConnectionString) and ADO quietly opens a second connection. Also note that
' VBScript comments start with an apostrophe, not //.
Set cmd1.ActiveConnection = conn ' connection object already created
cmd1.CommandText = "SELECT * FROM [table] WHERE ID = ?" ' ? is the placeholder; the value never enters the SQL text
cmd1.CommandType = 1 ' adCmdText, so no include file is needed
'cmd1.Prepared = True ' only needed if you plan to reuse this command often
cmd1.Parameters.Refresh ' asks the provider to describe the parameters (an extra round trip to the server)
cmd1.Parameters(0).Value = "55" ' ADO converts to the type reported by Refresh
Set rs = cmd1.Execute
While Not rs.EOF
    Response.Write(rs("ID") & "<br>")
    rs.MoveNext
Wend
rs.Close
conn.Close
Set rs = Nothing
Set conn = Nothing
%>
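As an added example, separate from the post’s own code above, here is the vulnerable concatenated query next to a parameterized replacement that declares each parameter’s type itself with CreateParameter, so it needs neither adovbs.inc nor the Parameters.Refresh round trip. It is mine, not the author’s; the [Users] table with its ID and Name columns, and the connection string held in Application("ConnectionString"), are assumptions.

```vbscript
<%
Option Explicit
' Added example (mine, not code from the original post). It puts the
' vulnerable string-concatenation pattern next to a hardened parameterized
' version that declares each parameter's type itself, so it needs neither
' adovbs.inc nor a Parameters.Refresh round trip.
' Assumed (not from the post): a [Users] table with integer [ID] and
' nvarchar(50) [Name] columns, and a connection string stored in
' Application("ConnectionString") by global.asa.

' The handful of ADO constants used here, spelled out by value.
Const adCmdText    = 1      ' CommandTypeEnum
Const adInteger    = 3      ' DataTypeEnum
Const adVarWChar   = 202    ' DataTypeEnum (nvarchar)
Const adParamInput = 1      ' ParameterDirectionEnum

' VULNERABLE: the request value becomes part of the SQL text.
' ?id=55 OR 1=1 returns every user; ?id=55; DROP TABLE Users-- is worse.
Function GetUserUnsafe(conn, rawId)
    Set GetUserUnsafe = conn.Execute("SELECT * FROM [Users] WHERE ID = " & rawId)
End Function

' HARDENED: the SQL text is fixed; the value is bound as a typed parameter.
' An integer parameter cannot carry "OR 1=1", and non-numeric input is
' rejected before ADO ever sees it.
Function GetUserSafe(conn, rawId)
    If Not IsNumeric(rawId) Then
        Err.Raise vbObjectError + 1, "GetUserSafe", "id must be an integer"
    End If
    Dim cmd
    Set cmd = Server.CreateObject("ADODB.Command")
    ' Set matters: without it VBScript assigns conn's default property (the
    ' ConnectionString) and ADO silently opens a second connection.
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    cmd.CommandText = "SELECT * FROM [Users] WHERE ID = ?"
    cmd.Parameters.Append cmd.CreateParameter("ID", adInteger, adParamInput, , CLng(rawId))
    Set GetUserSafe = cmd.Execute
End Function

' Same idea for a string column, the classic ' OR '1'='1 target. Variable-
' length types need the Size argument (here 50, matching the column).
Function GetUserByNameSafe(conn, rawName)
    Dim cmd
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    cmd.CommandText = "SELECT * FROM [Users] WHERE Name = ?"
    cmd.Parameters.Append cmd.CreateParameter("Name", adVarWChar, adParamInput, 50, Left(rawName & "", 50))
    Set GetUserByNameSafe = cmd.Execute
End Function

' Page body: look up the user given in ?id=... the safe way.
Dim conn, rs
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open Application("ConnectionString")

On Error Resume Next
Set rs = GetUserSafe(conn, Request.QueryString("id"))
If Err.Number <> 0 Then
    ' Bad input is a client error, not a reason to show a stack trace.
    Err.Clear
    On Error GoTo 0
    Response.Status = "400 Bad Request"
    Response.Write "id must be an integer"
Else
    On Error GoTo 0
    Do Until rs.EOF
        ' Parameters stop SQL injection; encoding on the way out stops XSS.
        Response.Write Server.HTMLEncode(rs("Name") & "") & "<br>"
        rs.MoveNext
    Loop
    rs.Close
End If

conn.Close
Set rs = Nothing
Set conn = Nothing
%>
```

Try it with `?id=55` and then `?id=55 OR 1=1`: the unsafe function returns the whole table for the second request, the safe one answers 400 because the value never reaches ADO. A third way to get the ADO constants without the include file or hand-typed values is the type library directive in global.asa, `<!-- METADATA TYPE="typelib" FILE="C:\Program Files\Common Files\System\ado\msado15.dll" -->`, which makes every ADO constant available to all pages in the application.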

References:

CommandType Enumeration (W3Schools)
https://www.w3schools.com/asp/prop_comm_commandtype.asp

Parameters Collection (ADO) (Microsoft Docs)
https://docs.microsoft.com/en-us/sql/ado/reference/ado-api/parameters-collection-ado?view=sql-server-2017

SQL Injection Mitigation Using Parameterized Queries, Part 2: Types and Recordsets (neilcar, TechNet blog)
https://blogs.technet.microsoft.com/neilcar/2008/05/23/sql-injection-mitigation-using-parameterized-queries-part-2-types-and-recordsets/

Parameterized query in Classic ASP (Stack Overflow)
https://stackoverflow.com/questions/7654446/parameterized-query-in-classic-asp/9226886#9226886