Acmlm's Board - I3 Archive - The Pit of Despair - Database hacking prevention
Zer0wned
Posted on 08-01-06 12:09 AM
I'm going to be doing some programming for my uncle for a rather delicate service (it involves controlled opiate-based and other risky medications that people would want to gain illegal access to, however, everything we do is legitimate).

I just need to know what sort of attacks I need to know how to protect myself from. I know how to help prevent SQL injection, and my boss has implemented (or is going to implement) encrypted URL parameters to prevent people from attempting to screw around that way (so something like http://sitename.com/default.asp?SAW822=334JKBB6HJB instead of http://sitename.com/default.asp?patientid=1013).

Are there any other possible vulnerabilities you guys are familiar with that I should look into? He uses a windows 2000 SP4/MSSQL 2000 combination, and ASP (not ASP.NET) as the dynamic web programming language. And I haven't heard anything about spam user accounts, so I think that's also already taken care of.

Even if it's something you're aware of for PHP (because I know there's considerably more people familiar with PHP here), it might also cross over to ASP, since they're both ASTs that utilize a SQL-type database.

And a quick note- I won't be disclosing the site's name, so don't ask, but you can ask other relevant information if it helps.
Sukasa
Posted on 08-01-06 12:33 AM
Umm... Make sure any forms on your page have maxlength amounts (or something like that), otherwise you could be open to buffer overrun attacks I believe.

Ummm... completely disable all remote administration if you can... I think that's another big backdoor.
HyperHacker
Posted on 08-01-06 01:17 AM
Originally posted by Sukasa
Umm... Make sure any forms on your page have maxlength amounts (or something like that), otherwise you could be open to buffer overrun attacks I believe.

Remember the #1 rule of security: NEVER trust user input. A browser can easily be hacked to ignore maxlength attributes (hell, I have them stripped out with Proxomitron). Use them, but do server-side length checking as well. Same goes for everything that comes back from the user, even if you don't immediately realize it can be edited - don't assume that just because your radio buttons have numeric values that you will necessarily get a numeric value for that field, for example. Even things like the browser's user agent string can be dangerous.
Zer0wned
Posted on 08-01-06 04:33 AM
Right, I've read that a hacker can just create your own, local HTML page, and just start submitting custom values by putting in the full URL like: "form action="http://sitename.com/page.asp" " instead of the relative one (form action="page.asp")... scary stuff.

I do some checking in a redirected page (done by a response.redirect command, which is server-side, as a result they can't know the page name of the page doing the checking), so they can't bypass the checks.

To make the following make the most sense, imagine I'm using the following pages:
Page with forms to receive input, checks for input existence only
Page with Character type/length/injection check, and the SQL statement
Generic error page for unexpected errors

I set the form action to its own page, and then do a few if-then statements that check for the existence of all of the required parameters, and if all the parameters pass, it goes to the injection checking/submitting page.

If my logic is correct, since the two redirects (to and out of the check/submit query page, or to the check/submit query page and back to the page with the forms if an error occurs) are server-side, they can't know the name of the checking page (from my experience it never shows it in the url or the history, and I can't go back to it in the browser), which seems like a good practice, moreso for performance (reduces the code needed to be compiled and filesize on the page with the forms) than security (but it adds to it, it seems like).

Anyway, I didn't think about buffer overruns, thanks for reminding me Hypermackerel, because I think I've only been using HTML checking for length.

I also just thought that I should start doing this thing I learned where you put some kind of variable "ERROR" before the SQL statement, and it accumulates error occurrences during the SQL statement, so if an error does occur (like say if the SQL server is down), I can create a

declare ERROR variable and set to zero
create sql statement
submit sql statement
if error count does not equal zero then
redirect to a generic error page
end if statement

type of thing to check for errors, so in the event of a downed server or other similar problem, the ASP coding will prevent them from getting any juicy info given by the error output.
(once I figure out the exact code for that pseudocode in ASP I'll add it after, but keep the other stuff so people that don't know ASP can still kinda understand what I'm talking about)

And Sukasa, could you specify what you mean by remote administration? Because if you mean what I think you do, that's pretty much impossible, considering the physical distance of the servers, and a few other reasons.
HyperHacker
Posted on 08-01-06 02:08 PM
Remote administration can be things like VNC, Remote Desktop, etc.
Originally posted by Zer0wned
Right, I've read that a hacker can just create your own, local HTML page, and just start submitting custom values by putting in the full URL like: "form action="http://sitename.com/page.asp" " instead of the relative one (form action="page.asp")... scary stuff.

Yeah, you can do that, or you can (like I mentioned above) have a filtering proxy alter the page being sent to the browser and/or the HTTP requests going in and out, or just open up Netcat and start entering HTTP requests manually.


I do some checking in a redirected page (done by a response.redirect command, which is server-side, as a result they can't know the page name of the page doing the checking), so they can't bypass the checks.

I don't think that's the way to do it. A redirect command probably just sends back an HTTP response telling the browser to go to whatever other page. Again, a filtering proxy or similar could bypass this. What you should be doing is including a file (like with include() in PHP) to do this.
Sukasa
Posted on 08-01-06 05:43 PM
Yeah, response.redirect WILL show the redirected URL in the address bar. Just remember to check the lengths of the input strings too.
Boom.dk
Posted on 08-01-06 08:22 PM
Any redirect commands would simply send a HTTP header to the browser telling it to go to whatever page you want it to.

Edit: Also, why even make it check on a different page? If it validates the input in the same script as it handles them, it wouldn't be possible to "skip" them.


(edited by Boom.dk on 08-01-06 07:25 PM)
Zer0wned
Posted on 08-02-06 04:35 AM
Actually, I just found out that server.transfer is 100% server-side, but is unable to transfer off-site.

Come to think of it, I can only see a two-page check being useful for a very error-prone userbase, by separating the more common types of mistakes, so the SQL and less-common-error-check code doesn't need to be compiled. (and if I remember correctly, most people make dumb mistakes on online forms most of the time)

With what you guys said plus my own doubts in the first place as to the usefulness of the redirected secondary checking page in the first place, there's no added security benefit, or code manageability benefit that include files mentioned by hypermackerel can't accomplish (done by !--include file="file.asp"-- ... assuming that the faces are those pointy brackets (I kept getting an error =/ ) ) .

So it'd be worth finding out if simple (i.e. required field omission) errors are made commonly enough to constitute the separation (or finding out if include files are more secure).

For the remote administration, the boss travels a lot, so removal of such isn't really an option. Is GoToMyPC pretty secure as far as remote administration goes?
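As an added example that is not code from anyone in this thread: one classic ASP (VBScript) page that does what HyperHacker and Boom.dk suggest (validate every field server-side, in the same script that uses it, regardless of any maxlength in the HTML) and what Zer0wned's pseudocode sketches (collect errors around the SQL call and redirect to a generic error page instead of echoing the database's message). A dbo.Patients table with PatientID and Note columns, a connection string in Application("ConnString") and an error.asp page are all assumed placeholders.

```asp
<%
Option Explicit
' Added example, not from the thread. Table, connection string and
' error.asp are assumed placeholders.
Const MAX_NOTE_LEN = 200

Function CleanPatientId(raw)
    ' Returns the id as a Long, or -1 when the field is missing or non-numeric.
    CleanPatientId = -1
    If Len(raw) > 0 And Len(raw) <= 9 And IsNumeric(raw) Then
        If CLng(raw) > 0 Then CleanPatientId = CLng(raw)
    End If
End Function

Function CleanNote(raw)
    ' Server-side length check; the HTML maxlength can be stripped by the client.
    CleanNote = ""
    If Len(raw) > 0 And Len(raw) <= MAX_NOTE_LEN Then CleanNote = raw
End Function

If Request.ServerVariables("REQUEST_METHOD") = "POST" Then
    Dim patientId, note
    patientId = CleanPatientId(Trim(Request.Form("patientid")))
    note = CleanNote(Trim(Request.Form("note")))

    If patientId = -1 Or note = "" Then
        Response.Write "Please fill in every field correctly."
    Else
        On Error Resume Next   ' keep going and inspect Err instead of showing ADO's text
        Dim cn, cmd
        Set cn = Server.CreateObject("ADODB.Connection")
        cn.Open Application("ConnString")
        Set cmd = Server.CreateObject("ADODB.Command")
        Set cmd.ActiveConnection = cn
        ' Parameterised statement: the values never become part of the SQL text.
        cmd.CommandText = "UPDATE dbo.Patients SET Note = ? WHERE PatientID = ?"
        cmd.Parameters.Append cmd.CreateParameter("note", 200, 1, MAX_NOTE_LEN, note) ' adVarChar, adParamInput
        cmd.Parameters.Append cmd.CreateParameter("id", 3, 1, , patientId)            ' adInteger, adParamInput
        cmd.Execute
        If Err.Number <> 0 Then
            ' Any failure so far (server down, bad login, SQL error) lands here;
            ' Err.Description is never written to the page.
            Response.Redirect "error.asp"
        End If
        cn.Close
        Response.Write "Saved."
    End If
End If
%>
```

Because the page validates its own POST, there is no second "checking page" for a client to skip, and the same file can be pulled into other pages with a server-side include if the logic is wanted elsewhere.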
Acmlmboard 1.92.999, 9/17/2006
©2000-2006 Acmlm, Emuz, Blades, Xkeeper