ASP web hackers

 
 
mustcomment2003@yahoo.com
04-16-2004
I have done tests for form hacking and ASP.

I can use IE to save a page locally, which has a form, to the hard
drive (file/save) then change the "action" property to the qualified
url and submit the form.

The action page picks up the POST or GET http string and works with
it...

Can anyone expound on a BEST PRACTICE for eliminating hacks in this
scenario...

I will expound on my findings as everyone else does.

Thanks.


 
Peter X
04-16-2004
Curt_C [MVP] wrote:
> check the HTTP_REFERRER server variable perhaps, to ensure it's your own
> site
>


Does that help much?

Given that it's very easy to falsify this, as a webmaster it provides you
with little security, and as a web site user, it means you _must_ supply
a referer.... which may not appear like a problem to you, but I myself
like to keep the referer hidden!
 
Evertjan.
04-16-2004
Peter X wrote on 17 apr 2004 in microsoft.public.inetserver.asp.general:

> Curt_C [MVP] wrote:
>> check the HTTP_REFERRER server variable perhaps, to ensure it's your own
>> site
>>

>
> Does that help much?
>
> Given that it's very easy to falsify this, as a webmaster it provides you
> with little security, and as a web site user, it means you _must_ supply
> a referer.... which may not appear like a problem to you, but I myself
> like to keep the referer hidden!


So it helps not completely, but a lot!

Without the right referrer the formpost won't be processed.

btw:
I do not think it necessary to use such methods. Plan your site,
so that a manipulated formpost does no harm.


--
Evertjan.
The Netherlands.
(Please change the x'es to dots in my emailaddress)
 
Peter X
04-17-2004
Evertjan. wrote:
> Peter X wrote on 17 apr 2004 in microsoft.public.inetserver.asp.general:
>
>
>>Curt_C [MVP] wrote:
>>
>>>check the HTTP_REFERRER server variable perhaps, to ensure it's your own
>>>site
>>>

>>
>>Does that help much?
>>
>>Given that it's very easy to falsify this, as a webmaster it provides you
>>with little security, and as a web site user, it means you _must_ supply
>>a referer.... which may not appear like a problem to you, but I myself
>>like to keep the referer hidden!

>
>
> So it helps not completely, but a lot!
>
> Without the right referrer the formpost won't be processed.
>


At the risk of appearing pedantic, here's an analogy:

Person A has a job where they answer a phone and perform a transaction
(writes something down, or provides information or whatever) based on
information provided by the caller.

Person B phones Person A and provides a whole load of garbage
information with the intent of subverting whatever the system is doing
(it's a very open analogy!).

Exactly what is gained by having Person A ask the caller where they got
the telephone number? I mean, they might lie? Given that they're
_evil-doers_(TM), it seems fairly likely they will lie; they're like that!


So that seems to render asking for a referer useless. Better to check
that the information is within valid ranges.

> btw:
> I do not think it necessary to use such methods. Plan your site,
> so that a manipulated formpost does no harm.
>


Agreed!

Given that the original post asked for best practice, I really think
checking referer should not be included! Not least, because it might
provide a false sense of security.


--
Best regards,

Peter.
 
Evertjan.
04-17-2004
Peter X wrote on 17 apr 2004 in microsoft.public.inetserver.asp.general:
>> I do not think it necessary to use such methods. Plan your site,
>> so that a manipulated formpost does no harm.
>>

>
> Agreed!
>
> Given that the original post asked for best practice, I really think
> checking referer should not be included! Not least, because it might
> provide a false sense of security.


The other way around is useful. [slightly off topic]

I have pages I do not want to be linked [or form-posted for that matter]
from other domains, except from a specified "sister" site, so I redirect
to the main page if the Referrer is not my site, not the sister site and
not empty. Setting the page as a favorite/bookmark is ok by me.

This is done by an include containing:

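rsref = Request.ServerVariables("HTTP_REFERER")
' Redirect only when a referrer is present and names neither allowed site.
' InStr is a substring test, so a referrer that contains either string
' anywhere is treated as allowed.
If rsref <> "" _
   And InStr(rsref, "http://mySite.org") = 0 _
   And InStr(rsref, "http://www.sisterSite.nl") = 0 Then
    Response.Redirect "/"
End If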

[not tested in this form]

Yes, I know that occasionally a browser does not return the referrer, but
this does not bother me as the linking of those pages is sufficiently
discouraged.

--
Evertjan.
The Netherlands.
(Please change the x'es to dots in my emailaddress)
 
roger
04-17-2004
"Curt_C [MVP]" wrote

> check the HTTP_REFERRER server variable perhaps, to ensure it's your own
> site


You can get a few surprises if you start looking at HTTP_REFERRER ---

http://www.google.com/search?hl=en&q=wellie+wearers

http://uk.google.yahoo.com/bin/query...g+for+them&y=y

--
roger


 
mustcomment2003@yahoo.com
04-18-2004
On Fri, 16 Apr 2004 20:32:16 GMT, (E-Mail Removed) wrote:

>I have done tests for form hacking and ASP.
>
>I can use IE to save a page locally, which has a form, to the hard
>drive (file/save) then change the "action" property to the qualified
>url and submit the form.
>
>The action page picks up the POST or GET http string and works with
>it...
>
>Can anyone expound on a BEST PRACTICE for eliminating hacks in this
>scenario...
>
>I will expound on my findings as everyone else does.
>
>Thanks.
>
>


For instance, I wrote this with VB (could be script too with minor
modifications, but I wanted to step debug, etc...) anyway, here's
some code where [word from dictionary] could be a word in websters
which changes every iteration in the loop which would function as a
"brute force" attack. OR this loop could be used just to screw the
site up and use up resources if left to loop:

Sub httphack()

    'Note either of the objects below could work

    'Dim myReq As MSXML2.XMLHTTP30
    'Set myReq = New MSXML2.XMLHTTP30

    Dim myReq As WinHttpRequest
    Set myReq = New WinHttpRequest
    Dim strBody As String

    For hackCount = 1 To 10000000000
        myReq.Open "POST", "http://srv2000asrx2/testhack/handler.asp", False
        myReq.SetRequestHeader "Content-Type", "application/x-www-form-urlencoded"
        myReq.SetRequestHeader "REFERER", "[whatever]"
        myReq.Option(WinHttpRequestOption_EnableRedirects) = True

        strBody = "username=[word from dictionary]&password=[word from dictionary]"

        myReq.Send strBody
        res = myReq.ResponseText

        if res <> [the typical error return or page text] THEN
            [it must be a redirect or something]
            [save the user name and password and try to log in with them]
        end if

    Next
End Sub

HANDLER.ASP file:
<% Response.Write Request.Form("username") %>
<% Response.Write Request.Form("password") %>

END HANDLER.ASP file

Please comment on the general threat of this simple code... I have
several ideas about protecting against it, but I'm interested in
various input at this time... go ahead and try it out if you have VB
or adapt it to script and try it. I'm currently building an
e-commerce web site and I'm very worried about this type of threat.
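
A server-side answer to the repeated-login loop in the post above, as an added example that is not part of the original thread: a classic ASP login handler that counts failed attempts per user name and per client address and refuses further attempts once a limit is reached. The limits, the `Application` key names and the `CheckCredentials` stand-in are assumptions made for illustration.

```asp
<%
Option Explicit
Const MAX_FAILURES = 5      ' failed logins allowed per window
Const WINDOW_MINUTES = 15   ' counting window, also the lockout length
' Constructed stand-in for the site's real credential check (assumption).
Function CheckCredentials(user, password)
    CheckCredentials = (user = "demo" And password = "constructed-demo-secret")
End Function

' Is this key (user name or client address) locked out right now?
Function IsLocked(key)
    Dim untilTime
    untilTime = Application("lock_until:" & key)
    IsLocked = False
    If IsDate(untilTime) Then IsLocked = (Now() < untilTime)
End Function

' Count one failure for the key (starting a fresh window if none exists or
' the old one has expired) and lock the key once the limit is reached.
Sub RecordFailure(key)
    Dim n, first
    Application.Lock
    n = Application("fail_count:" & key)
    first = Application("fail_first:" & key)
    If Not IsDate(first) Then first = Now() : n = 0
    If DateDiff("n", first, Now()) >= WINDOW_MINUTES Then first = Now() : n = 0
    n = n + 1
    If n >= MAX_FAILURES Then
        Application("lock_until:" & key) = DateAdd("n", WINDOW_MINUTES, Now())
        n = 0
    End If
    Application("fail_count:" & key) = n
    Application("fail_first:" & key) = first
    Application.Unlock
End Sub

Dim user, ip
user = LCase("" & Request.Form("username"))
ip = "" & Request.ServerVariables("REMOTE_ADDR")
If IsLocked("u:" & user) Or IsLocked("ip:" & ip) Then
    Response.Status = "429 Too Many Requests"
    Response.Write "Too many failed attempts. Try again later."
ElseIf CheckCredentials(user, "" & Request.Form("password")) Then
    Response.Write "Logged in."
Else
    RecordFailure "u:" & user
    RecordFailure "ip:" & ip
    Response.Write "Invalid user name or password."   ' same text for every failure
End If
%>
```

`Application` state lives in the worker process and gains an entry for every distinct user name submitted, so a production site would keep these counters in its database with an expiry.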





 
 
Chris Barber
04-18-2004
Running from a single machine will hardly - if ever - constitute a real
threat in terms of trying to induce a DOS style attack (eg. take the site
off the net) - these generally have to use multiple sites all synchronously
targeting a single point of attack (eg. SYN flood and normal synchronous
page requests). The reason being that you will be limited by your own
bandwidth before you even touch that of a commercial site.
The real possibility is that you might be able to hack into a site and
compromise its security by means of either a webserver hole (or
vulnerability), SQL injection (a real threat which can be overcome by simply
using stored procedures or being very very careful with the SQL statements)
or auto-incrementing counters that don't use GUIDs allowing someone to
predict or reuse existing and new session / user identifiers.

There will be more but in general terms the three 'real' hack modes
mentioned are the most common and certainly the easiest to secure against.

Chris.

 
Ken Schaefer
04-18-2004
Validate all your input on the server side. Then it doesn't matter what they
do to mess with your form. Assume that all input is not to be trusted, and
then validate it against a set of known valid values.

http://www.adopenstatic.com/resource...Validation.asp

Cheers
Ken
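
Server-side validation for a handler page like the one discussed in this thread, as an added example that is not part of any post: every field is checked against a pattern, a numeric range or a fixed set of known values, so a form saved locally and edited gains nothing. It covers both the "valid ranges" check suggested earlier in the thread and the "known valid values" check above; the `qty` and `shipping` fields and the specific limits are hypothetical.

```asp
<%
Option Explicit

' True only if the whole value matches the pattern (anchored allowlist).
Function MatchesPattern(value, pattern)
    Dim re
    Set re = New RegExp
    re.Pattern = "^(?:" & pattern & ")$"
    MatchesPattern = re.Test(value)
End Function

' True only if value is a whole number between lo and hi inclusive.
Function IntInRange(value, lo, hi)
    IntInRange = False
    If Not MatchesPattern(value, "[0-9]{1,4}") Then Exit Function
    IntInRange = (CLng(value) >= lo And CLng(value) <= hi)
End Function

' True only if value is one of the known valid values (case-sensitive).
Function InAllowedSet(value, allowed)
    Dim item
    InAllowedSet = False
    For Each item In allowed
        If value = item Then InAllowedSet = True
    Next
End Function

' "" & ... turns a missing field into an empty string.
' The qty and shipping fields are hypothetical, for illustration only.
Dim username, qty, shipping, rejected
username = "" & Request.Form("username")
qty      = "" & Request.Form("qty")
shipping = "" & Request.Form("shipping")
rejected = ""

If Not MatchesPattern(username, "[A-Za-z0-9_]{3,20}") Then rejected = rejected & " username"
If Not IntInRange(qty, 1, 99) Then rejected = rejected & " qty"
If Not InAllowedSet(shipping, Array("standard", "express")) Then rejected = rejected & " shipping"

If rejected <> "" Then
    ' Report field names only; never echo the rejected values back.
    Response.Status = "400 Bad Request"
    Response.Write "Rejected field(s):" & rejected
Else
    ' Only values that passed every check reach this point.
    Response.Write "Order accepted for " & Server.HTMLEncode(username)
End If
%>
```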

