
Testing

1)
Enter in username: '; drop table users--
expected : the quote and semicolon are not interpreted as SQL (input rejected or bound as a plain literal); login fails and no second statement runs
potential : if executed, the 'users' table is dropped, denying access to the application for all users. This needs stacked-query support and DROP rights on the table for the application's database account (see Developer Notes).

2)
Enter in username: ' or 1=1--
expected : the quote is not interpreted as SQL (input rejected or bound as a plain literal); login fails
potential : if executed, the WHERE clause becomes always true and the trailing '--' comments out the password check, so the attacker is logged in as the first user returned from the 'users' table.

3)
Enter in username: ' having 1=1--
expected : the quote is not interpreted as SQL (input rejected or bound as a plain literal); if anything does fail, the user sees only a generic error
potential : if executed, the database raises the following error and the application returns it to the browser:
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server]Column 'users.id' is invalid in the
select list because it is not contained in an aggregate function and there is no GROUP
BY clause.
This reveals to the attacker the table name ('users') and the name of the first column ('id') in the query's select list.

4)
If test 3 succeeds, enter in username: ' group by users.id having 1=1--
expected : as in test 3
potential : if executed, it produces the error
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server]Column 'users.username' is invalid
in the select list because it is not contained in either an aggregate function or the
GROUP BY clause.
This reveals the name of the second column ('username'). Appending each discovered column to the GROUP BY list and repeating enumerates every column in the query until the error disappears.

5)
If test 4 succeeds, enter in username: '; begin declare @ret varchar(8000) set @ret=':' select @ret=@ret+' '+username+'/'+password from users where username>@ret select @ret as ret into foo end--
expected : the quote and semicolon are not interpreted as SQL (input rejected or bound as a plain literal); no table is created
potential : if executed, this concatenates every username/password pair into one string and stores it with 'select ... into' in a new table 'foo' that has the single column 'ret'. Normally even a low-privileged user can create a table in a sample database or in the temporary database. The attacker then reads the string back with a union query; the number of dummy columns (here three '1's) must match the column count of the original query, and the deliberate varchar-to-int type mismatch puts the whole string into the error message:
Username: ' union select ret,1,1,1 from foo--
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the varchar
value ': admin/r00tr0x! guest/guest chris/password fred/sesame' to a column
of data type int.
The dump exposes plaintext passwords because they are stored unhashed (see Developer Notes).

6) Log in as admin, copy the URL of an admin-only page, log out, log in as an ordinary user and paste the admin URL into the browser.
expected : the admin page is not served to a non-admin session; authorization is checked server-side on every request, not by hiding links
potential : if the page opens, any authenticated user can gain admin access and exploit the application.

7) Cross-site scripting attack: enter JavaScript snippets (for example <script>alert(1)</script>) into the text area and into any other field whose value is later displayed.
expected : the input is rendered as text (output-encoded), not executed, and the page still renders correctly
potential : if the script executes, it runs in the browser of every user who views that content, with that user's session, and it can also break the page and halt the functioning of the website.

Developer Notes

Principle: Never trust user input
Implementation: Validate all textbox entries using validation controls, regular expressions, code, and so on. Validation must be performed on the server side (client-side checks are trivially bypassed), including checks on input data type and data length.

Principle: Never use dynamic SQL
Implementation: Use parameterized SQL or stored procedures. Stored procedures only help when they are called with parameters and do not build dynamic SQL internally.

Principle: Never connect to a database using an admin-level account
Implementation: Use a limited-access account to connect to the database, so that injected statements such as DROP TABLE or SELECT ... INTO (tests 1 and 5) fail for lack of privilege.

Principle: Don't store secrets in plain text
Implementation: Hash passwords (salted, with a slow password hash) rather than encrypting them; encrypt other sensitive data; encrypt connection strings as well.

Principle: Exceptions should divulge minimal information
Implementation: Don't return database error messages to users (tests 3 to 5 depend on them); use customErrors to display a minimal message in the event of an unhandled error, set debug to false, and log the details server-side.
