ASP web hackers

Discussion in 'ASP General' started by mustcomment2003@yahoo.com, Apr 16, 2004.

  1. Guest

    I have done tests for form hacking and ASP.

    I can use IE to save a page locally, which has a form, to the hard
    drive (file/save) then change the "action" property to the qualified
    url and submit the form.

    The action page picks up the POST or GET http string and works with
    it...

    Can anyone expound on a BEST PRACTICE for eliminating hacks in this
    scenario...

    I will expound on my findings as everyone else does.

    Thanks.
    , Apr 16, 2004
    #1

  2. Peter X Guest

    Curt_C [MVP] wrote:
    > check the HTTP_REFERRER server variable perhaps, to ensure it's your own
    > site
    >


    Does that help much?

    Given that it's very easy to falsify this, as a webmaster it provides you
    with little security, and as a web site user, it means you _must_ supply
    a referer.... which may not appear like a problem to you, but I myself
    like to keep the referer hidden!
    Peter X, Apr 16, 2004
    #2

  3. Evertjan. Guest

    Peter X wrote on 17 apr 2004 in microsoft.public.inetserver.asp.general:

    > Curt_C [MVP] wrote:
    >> check the HTTP_REFERRER server variable perhaps, to ensure it's your own
    >> site
    >>

    >
    > Does that help much?
    >
    > Given that it's very easy to falsify this, as a webmaster it provides you
    > with little security, and as a web site user, it means you _must_ supply
    > a referer.... which may not appear like a problem to you, but I myself
    > like to keep the referer hidden!


    So it helps not completely, but a lot!

    Without the right referrer the formpost won't be processed.

    btw:
    I do not think it necessary to use such methods. Plan your site,
    so that a manipulated formpost does no harm.


    --
    Evertjan.
    The Netherlands.
    (Please change the x'es to dots in my emailaddress)
    Evertjan., Apr 16, 2004
    #3
  4. Peter X Guest

    Evertjan. wrote:
    > Peter X wrote on 17 apr 2004 in microsoft.public.inetserver.asp.general:
    >
    >
    >>Curt_C [MVP] wrote:
    >>
    >>>check the HTTP_REFERRER server variable perhaps, to ensure it's your own
    >>>site
    >>>

    >>
    >>Does that help much?
    >>
    >>Given that it's very easy to falsify this, as a webmaster it provides you
    >>with little security, and as a web site user, it means you _must_ supply
    >>a referer.... which may not appear like a problem to you, but I myself
    >>like to keep the referer hidden!

    >
    >
    > So it helps not completely, but a lot!
    >
    > Without the right referrer the formpost won't be processed.
    >


    At the risk of appearing pedantic, here's an analogy:

    Person A has a job where they answer a phone and perform a transaction
    (writes something down, or provides information or whatever) based on
    information provided by the caller.

    Person B phones Person A and provides a whole load of garbage
    information with the intent of subverting whatever the system is doing
    (it's a very open analogy!).

    Exactly what is gained by having Person A ask the caller where they got
    the telephone number? I mean, they might lie? Given that they're
    _evil-doers_(TM), it seems fairly likely they will lie; they're like that!


    So that seems to render asking for a referer useless. Better to check
    that the information is within valid ranges.

    > btw:
    > I do not think it necessary to use such methods. Plan your site,
    > so that a manipulated formpost does no harm.
    >


    Agreed!

    Given that the original post asked for best practice, I really think
    checking referer should not be included! Not least, because it might
    provide a false sense of security.

    :)
    --
    Best regards,

    Peter.
    Peter X, Apr 17, 2004
    #4
  5. Evertjan. Guest

    Peter X wrote on 17 apr 2004 in microsoft.public.inetserver.asp.general:
    >> I do not think it necessary to use such methods. Plan your site,
    >> so that a manipulated formpost does no harm.
    >>

    >
    > Agreed!
    >
    > Given that the original post asked for best practice, I really think
    > checking referer should not be included! Not least, because it might
    > provide a false sense of security.


    The other way around is useful. [slightly off topic]

    I have pages I do not want to be linked [or form-posted for that matter]
    from other domains, except from a specified "sister" site, so I redirect
    to the main page if the Referrer is not my site, not the sister site and
    not empty. Setting the page as a favorite/bookmark is ok by me.

    This is done by an include containing:

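    ' Redirect to the main page unless the referrer is empty, this site or the sister site.
    rsref = Request.ServerVariables("HTTP_REFERER")
    ' Require the allowed origin at position 1, so it cannot merely appear later in the URL.
    If rsref <> "" _
      And InStr(1, rsref, "http://mySite.org/", vbTextCompare) <> 1 _
      And InStr(1, rsref, "http://www.sisterSite.nl/", vbTextCompare) <> 1 Then
        Response.Redirect "/"
    End If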

    [not tested in this form]

    Yes, I know that occasionally a browser does not return the referrer, but
    this does not bother me as the linking of those pages is sufficiently
    discouraged.

    --
    Evertjan.
    The Netherlands.
    (Please change the x'es to dots in my emailaddress)
    Evertjan., Apr 17, 2004
    #5
  6. roger Guest

    roger, Apr 17, 2004
    #6
  7. Guest

    Re: ASP web hackers : Further discussion

    On Fri, 16 Apr 2004 20:32:16 GMT, wrote:

    >I have done tests for form hacking and ASP.
    >
    >I can use IE to save a page locally, which has a form, to the hard
    >drive (file/save) then change the "action" property to the qualified
    >url and submit the form.
    >
    >The action page picks up the POST or GET http string and works with
    >it...
    >
    >Can anyone expound on a BEST PRACTICE for eliminating hacks in this
    >scenario...
    >
    >I will expound on my findings as everyone else does.
    >
    >Thanks.
    >
    >


    For instance, I wrote this with VB (could be script too with minor
    modifications, but I wanted to step debug, etc...) anyway, here's
    some code where [word from dictionary] could be a word in Webster's
    which changes every iteration in the loop which would function as a
    "brute force" attack. OR this loop could be used just to screw the
    site up and use up resources if left to loop:

    Sub httphack()

        'Note either of the objects below could work

        'Dim myReq As MSXML2.XMLHTTP30
        'Set myReq = New MSXML2.XMLHTTP30

        Dim myReq As WinHttpRequest
        Set myReq = New WinHttpRequest
        Dim strBody As String

        For hackCount = 1 To 10000000000
            myReq.Open "POST", "http://srv2000asrx2/testhack/handler.asp", False
            myReq.SetRequestHeader "Content-Type", "application/x-www-form-urlencoded"
            myReq.SetRequestHeader "REFERER", "[whatever]"
            myReq.Option(WinHttpRequestOption_EnableRedirects) = True

            strBody = "username=[word from dictionary]&password=[word from dictionary]"

            myReq.Send strBody
            res = myReq.ResponseText

            if res <> [the typical error return or page text] THEN
                [it must be a redirect or something]
                [save the user name and password and try to log in with them]
            end if

        Next
    End Sub

    HANDLER.ASP file:
    <%= Server.HTMLEncode(Request.Form("username")) %>
    <%= Server.HTMLEncode(Request.Form("password")) %>

    END HANDLER.ASP file

    Please comment on the general threat of this simple code... I have
    several ideas about protecting against it, but I'm interested in
    various input at this time... go ahead and try it out if you have VB
    or adapt it to script and try it. I'm currently building an
    e-commerce web site and I'm very worried about this type of threat.
    , Apr 18, 2004
    #7
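
One defence against the guessing loop in the post above is to count failed logins per account and per client address and refuse further attempts once a limit is reached. This is an added example, not code from the thread: it assumes a single web server (counters kept in Application state), a hypothetical `CheckCredentials` function supplied by the site, and a hypothetical `/account.asp` landing page.

```vbscript
<%
' Added example, not code from the thread. Assumptions: one web server, so the
' counters can live in Application state; CheckCredentials is a hypothetical
' function supplied by the site that returns True for a valid login.
Const MAX_FAILS = 5           ' failed attempts allowed per window
Const WINDOW_SECONDS = 900    ' window length: 15 minutes

' True when the key (an account or a client address) has used up its attempts.
Function IsThrottled(key)
    IsThrottled = False
    Application.Lock
    If IsDate(Application("first_" & key)) Then
        If DateDiff("s", Application("first_" & key), Now()) > WINDOW_SECONDS Then
            Application("first_" & key) = Empty     ' window expired: start again
            Application("fails_" & key) = 0
        ElseIf Application("fails_" & key) >= MAX_FAILS Then
            IsThrottled = True
        End If
    End If
    Application.Unlock
End Function

Sub RecordFailure(key)
    Application.Lock
    If Not IsDate(Application("first_" & key)) Then Application("first_" & key) = Now()
    Application("fails_" & key) = Application("fails_" & key) + 1
    Application.Unlock
End Sub

Dim user, userKey, ipKey
user = LCase(Left(Trim(Request.Form("username")), 64))
userKey = "user:" & user
ipKey = "ip:" & Request.ServerVariables("REMOTE_ADDR")
If IsThrottled(userKey) Or IsThrottled(ipKey) Then
    Response.Status = "429 Too Many Requests"
    Response.Write "Too many failed logins. Try again later."
    Response.End
End If
If CheckCredentials(user, Request.Form("password")) Then
    Session("user") = user
    Response.Redirect "/account.asp"   ' hypothetical landing page
Else
    RecordFailure userKey
    RecordFailure ipKey
    ' Same message for an unknown user and a wrong password.
    Response.Write "Invalid username or password."
End If
%>
```

On a web farm, or to bound memory use when many distinct usernames are tried, keep the counters in a database table instead of Application state.
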
  8. Guest

    On Fri, 16 Apr 2004 20:32:16 GMT, wrote:

    >I have done tests for form hacking and ASP.
    >
    >I can use IE to save a page locally, which has a form, to the hard
    >drive (file/save) then change the "action" property to the qualified
    >url and submit the form.
    >
    >The action page picks up the POST or GET http string and works with
    >it...
    >
    >Can anyone expound on a BEST PRACTICE for eliminating hacks in this
    >scenario...
    >
    >I will expound on my findings as everyone else does.
    >
    >Thanks.
    >
    >


    If this goes out twice as a separate thread, I apologize. Thanks:

    , Apr 18, 2004
    #8
  9. Chris Barber Guest

    Re: ASP web hackers : Further discussion

    Running from a single machine will hardly - if ever - constitute a real
    threat in terms of trying to induce a DOS style attack (eg. take the site
    off the net) - these generally have to use multiple sites all synchronously
    targeting a single point of attack (eg. SYN flood and normal synchronous
    page requests). The reason being that you will be limited by your own
    bandwidth before you even touch that of a commercial site.
    The real possibility is that you might be able to hack into a site and
    compromise its security by means of either a webserver hole (or
    vulnerability), SQL injection (a real threat which can be overcome by simply
    using stored procedures or being very very careful with the SQL statements)
    or auto-incrementing counters that don't use GUIDs allowing someone to
    predict or reuse existing and new session / user identifiers.

    There will be more but in general terms the three 'real' hack modes
    mentioned are the most common and certainly the easiest to secure against.

    Chris.

    Chris Barber, Apr 18, 2004
    #9
  10. Ken Schaefer Guest

    Validate all your input on the server side. Then it doesn't matter what they
    do to mess with your form. Assume that all input is not to be trusted, and
    then validate it against a set of known valid values.

    www.adopenstatic.com/resources/code/UIValidation.asp

    Cheers
    Ken


    <> wrote in message
    news:...
    : I have done tests for form hacking and ASP.
    :
    : I can use IE to save a page locally, which has a form, to the hard
    : drive (file/save) then change the "action" property to the qualified
    : url and submit the form.
    :
    : The action page picks up the POST or GET http string and works with
    : it...
    :
    : Can anyone expound on a BEST PRACTICE for eliminating hacks in this
    : scenario...
    :
    : I will expound on my findings as everyone else does.
    :
    : Thanks.
    :
    :
    Ken Schaefer, Apr 18, 2004
    #10
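
The server-side validation recommended in the post above, sketched for a form handler that treats every posted field as untrusted. This is an added example, not code from the thread or from the linked page; the field names (`quantity`, `shipping`, `email`), their limits and the shipping options are assumptions.

```vbscript
<%
' Added example, not code from the thread. Field names, limits and the shipping
' list are assumptions; a saved and edited copy of the form can send anything.

' True only when the whole value matches the anchored pattern.
Function Matches(value, pattern)
    Dim re
    Set re = New RegExp
    re.Pattern = pattern
    re.IgnoreCase = True
    Matches = re.Test(value)
End Function

' Returns the quantity as a Long, or -1 when it is not an integer from 1 to 99.
Function ParseQuantity(raw)
    ParseQuantity = -1
    If Matches(raw, "^[0-9]{1,2}$") Then
        If CLng(raw) >= 1 Then ParseQuantity = CLng(raw)
    End If
End Function

' The select list offered three options; anything else did not come from our form.
Function IsKnownShipping(raw)
    IsKnownShipping = Matches(raw, "^(standard|express|pickup)$")
End Function

Function IsPlausibleEmail(raw)
    IsPlausibleEmail = (Len(raw) <= 254) And _
        Matches(raw, "^[a-z0-9._%+-]+@[a-z0-9.-]+\.[a-z]{2,}$")
End Function

Dim qty, shipping, email, errors
qty = ParseQuantity(Trim(Request.Form("quantity")))
shipping = LCase(Trim(Request.Form("shipping")))
email = Trim(Request.Form("email"))
errors = ""
If qty = -1 Then errors = errors & "quantity "
If Not IsKnownShipping(shipping) Then errors = errors & "shipping "
If Not IsPlausibleEmail(email) Then errors = errors & "email "
If errors <> "" Then
    Response.Status = "400 Bad Request"
    Response.Write "Rejected fields: " & Server.HTMLEncode(errors)
    Response.End
End If
' The unit price is looked up server-side from the product id, never read from
' a hidden form field, so an edited form cannot change it.
Response.Write "Order accepted: " & qty & " item(s), " & Server.HTMLEncode(shipping) & " shipping."
%>
```
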
