by      

ASP SQL Plus XCtM Xtreme Computer Tracking and Monitoring via ASP Coding

The XCtM was created to collect data on the newest trends in URL hacking and SQL Injection. 

The basic idea behind the code is this. 
You know all your query variables. Anytime something doesn't match it's recorded, scanned, looked at, reported again, banned just to be safe and banned again if safe isn't good enough. 

I have always told my friends, clients and researchers

"When in Doubt, Block it Out"

With that in mind let me start with the basics.

No matter what you do online you'll have GET and POST requests at some point.
Even if it's a simple CDO email or a cookie created and set or SQL table saves. We will always have GET and POST.

For every GET and POST you have set indexes or fields. Each field can store any type of value you require. If you read my ASP SQL Encode - Decode, ASP QueryString Split, ASP SQL Checksum length, you are going to be ahead of the game here.

If you use RE= as your only GET Query and the expected value is a number 1-9 you have only to check to see if the value is a numeric value. 

If IsNumeric(Request.QueryString("RE")) Then

Or 

If IsNumeric(Request.Form("RE")) Then

I wish it was that simple but that's how we start one form, one query, one SQL table at a time. 

Let's get started on how we collect our strings and how we split them so we can handle them correctly. 

We need to start with our Encoding practices. This is important because we need the full string that is sent and we need it in it's RAW format before we clean it or check it for SQL Injection. 

 

If you have your Encode - Decode standards sent you can create simple "Match" words using the offset. Let's say you need to find those nasty HEX injections. What does every HEX injection have? (Tick, tick, tick,) times up, it's 0x . That's it, 0x, simple and all you have to do is not allow anything value to use 0x or if it does it's going to be subject to the following .... BANNED

The Code here has a flow, it's going to check based on activity. When I code eCommerce I have a counter that tells me how many "Clicks" to checkout and how many "Pages" viewed prior to checkout. I found that IP addresses not in my visited list that hit a product page then go directly to checkout were more suspect. If you know the project and are looking for the best price and know me then maybe but I have never had a "Human" land on a product then purchase it without viewing at least one other page. Your site might be different and that's all good but I'm talking about my code and my sites for now. So, if the pattern is suspect you record and monitor.

Please keep in mind the code elements were added on a "As Needed" bases. When SideWiki hit the playing field I had to develop a SideWiki Live Post detection process due to the fact you could post and share from any non-existent webpage. (See my SideWiki articles) 

Table names, locations, and other items have been changed to protect very odd programming practices at times.

 

XCtM QueryString

Monday Jan 19 2015
The XCtM QueryString SQL Injection check is a string detect or VBCompare to character or string of characters. What makes it unique is the encoding and decoding so to be used within the SQL DB itself. We encode known SQL Injection strings into a database and the first function of every page is to check any and all strings against known injection strings.

XCtM Module 1 API Validate


 

 

When you need to know more than you really want to know this code is the perfect starting place. The XCtM Project which started about 1998 allows classic ASP on IIS to monitor activity and detect anything and everything not inline with your sites code.