ASP web hackers

mustcomment2003

I have done tests for form hacking and ASP.

I can use IE to save a page locally, which has a form, to the hard
drive (file/save) then change the "action" property to the qualified
url and submit the form.

The action page picks up the POST or GET http string and works with
it...

Can anyone expound on a BEST PRACTICE for eliminating hacks in this
scenario...

I will expound on my findings as everyone else does.

Thanks.
 
Peter X

Curt_C said:
check the HTTP_REFERRER server variable perhaps, to ensure it's your own
site

Does that help much?

Given that it's very easy to falsify this, as a webmaster it provides you
with little security, and as a web site user, it means you _must_ supply
a referer.... which may not appear like a problem to you, but I myself
like to keep the referer hidden!
 
Evertjan.

Peter X wrote on 17 apr 2004 in microsoft.public.inetserver.asp.general:
Does that help much?

Given that it's very easy to falsify this, as a webmaster it provides you
with little security, and as a web site user, it means you _must_ supply
a referer.... which may not appear like a problem to you, but I myself
like to keep the referer hidden!

So it helps not completely, but a lot!

Without the right referrer the formpost won't be processed.

btw:
I do not think it necessary to use such methods. Plan your site,
so that a manipulated formpost does no harm.
 
Peter X

Evertjan. said:
So it helps not completely, but a lot!

Without the right referrer the formpost won't be processed.

At the risk of appearing pedantic, here's an analogy:

Person A has a job where they answer a phone and perform a transaction
(writes something down, or provides information or whatever) based on
information provided by the caller.

Person B phones Person A and provides a whole load of garbage
information with the intent of subverting whatever the system is doing
(it's a very open analogy!).

Exactly what is gained by having Person A ask the caller where they got
the telephone number? I mean, they might lie? Given that they're
_evil-doers_(TM), it seems fairly likely they will lie; they're like that!


So that seems to render asking for a referer useless. Better to check
that the information is within valid ranges.
btw:
I do not think it necessary to use such methods. Plan your site,
so that a manipulated formpost does no harm.

Agreed!

Given that the original post asked for best practice, I really think
checking referer should not be included! Not least, because it might
provide a false sense of security.

:)
 
Evertjan.

Peter X wrote on 17 apr 2004 in microsoft.public.inetserver.asp.general:
Agreed!

Given that the original post asked for best practice, I really think
checking referer should not be included! Not least, because it might
provide a false sense of security.

The other way around is useful. [slightly off topic]

I have pages I do not want to be linked [or form-posted for that matter]
from other domains, except from a specified "sister" site, so I redirect
to the main page if the Referrer is not my site, not the sister site and
not empty. Setting the page as a favorite/bookmark is ok by me.

This is done by an include containing:

rsref = Request.ServerVariables("HTTP_REFERER")
If rsref <> "" _
   And InStr(rsref, "http://mySite.org") = 0 _
   And InStr(rsref, "http://www.sisterSite.nl") = 0 Then
    Response.Redirect "/"
End If

[not tested in this form]

Yes, I know that occasionally a browser does not return the referrer, but
this does not bother me as the linking of those pages is sufficiently
discouraged.
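
An added example, not part of the post above: InStr matches the site name anywhere in the header, including inside another site's path or query string, so this variant extracts the host part of the Referer and compares it exactly. The function names are hypothetical and the host names are the placeholders from the post.

```vbscript
<%
' Added example. Host names are the placeholders used in the post;
' RefererHost and IsAllowedReferer are hypothetical helper names.

' Returns the lower-cased host of an http(s) URL, or "" if it does not parse.
Function RefererHost(referer)
    Dim re, m
    RefererHost = ""
    Set re = New RegExp
    re.IgnoreCase = True
    ' scheme://host[:port] followed by /, ?, # or end of string
    re.Pattern = "^https?://([^/:?#@\\]+)(?::\d+)?(?:[/?#]|$)"
    Set m = re.Execute(referer)
    If m.Count = 1 Then RefererHost = LCase(m(0).SubMatches(0))
End Function

Function IsAllowedReferer(referer)
    Dim host, allowed
    If referer = "" Then
        ' Bookmarks and browsers that send no Referer stay allowed.
        IsAllowedReferer = True
        Exit Function
    End If
    host = RefererHost(referer)
    IsAllowedReferer = False
    For Each allowed In Array("mysite.org", "www.sistersite.nl")
        If host = allowed Then IsAllowedReferer = True
    Next
End Function

Dim rsref
rsref = Request.ServerVariables("HTTP_REFERER")
If Not IsAllowedReferer(rsref) Then
    Response.Redirect "/"
End If
%>
```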
 
mustcomment2003

For instance, I wrote this with VB (could be script too with minor
modifications, but I wanted to step debug, etc...) anyway, here's
some code where [word from dictionary] could be a word in websters
which changes every iteration in the loop which would function as a
"brute force" attack. OR this loop could be used just to screw the
site up and use up resources if left to loop:

Sub httphack()

    'Note either of the objects below could work

    'Dim myReq As MSXML2.XMLHTTP30
    'Set myReq = New MSXML2.XMLHTTP30

    Dim myReq As WinHttpRequest
    Set myReq = New WinHttpRequest
    Dim strBody As String

    For hackCount = 1 To 10000000000
        myReq.Open "POST", "http://srv2000asrx2/testhack/handler.asp", False
        myReq.SetRequestHeader "Content-Type", "application/x-www-form-urlencoded"
        myReq.SetRequestHeader "REFERER", "[whatever]"
        myReq.Option(WinHttpRequestOption_EnableRedirects) = True

        strBody = "username=[word from dictionary]&password=[word from dictionary]"

        myReq.Send strBody
        res = myReq.ResponseText

        If res <> [the typical error return or page text] Then
            [it must be a redirect or something]
            [save the user name and password and try to log in with them]
        End If

    Next
End Sub

HANDLER.ASP file:
<% Response.Write(Request.Form("username")) %>
<% Response.Write(Request.Form("password")) %>

END HANDLER.ASP file

Please comment on the general threat of this simple code... I have
several ideas about protecting against it, but I'm interested in
various input at this time... go ahead and try it out if you have VB
or adapt it to script and try it. I'm currently building an
e-commerce web site and I'm very worried about this type of threat.
 
Chris Barber

Running from a single machine will hardly - if ever - constitute a real
threat in terms of trying to induce a DOS style attack (eg. take the site
off the net) - these generally have to use multiple sites all synchronously
targeting a single point of attack (eg. SYN flood and normal synchronous
page requests). The reason being that you will be limited by your own
bandwidth before you even touch that of a commercial site.
The real possibility is that you might be able to hack into a site and
compromise its security by means of either a webserver hole (or
vulnerability), SQL injection (a real threat which can be overcome by simply
using stored procedures or being very very careful with the SQL statements)
or auto-incrementing counters that don't use GUIDs allowing someone to
predict or reuse existing and new session / user identifiers.

There will be more but in general terms the three 'real' hack modes
mentioned are the most common and certainly the easiest to secure against.

Chris.

 
Ken Schaefer

Validate all your input on the server side. Then it doesn't matter what they
do to mess with your form. Assume that all input is not to be trusted, and
then validate it against a set of known valid values.

www.adopenstatic.com/resources/code/UIValidation.asp

Cheers
Ken
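
An added example, not part of Ken's post or the linked page: a form handler that ignores where the post came from and checks every field on the server against known valid values and ranges, as advised in this thread. The form fields (product, qty, email), the limits and the product codes are assumptions made up for the illustration.

```vbscript
<%@ Language="VBScript" %>
<%
Option Explicit
' Constructed rules for a hypothetical order form; field names, limits and
' product codes are assumptions, not taken from the thread.
Const MAX_QTY = 20
Dim allowedProducts : allowedProducts = Array("A100", "B200", "C300")

' True only when the whole value matches the anchored pattern.
Function MatchesPattern(value, pattern)
    Dim re : Set re = New RegExp
    re.Pattern = pattern
    MatchesPattern = re.Test(value)
End Function

Function InList(value, list)
    Dim item
    InList = False
    For Each item In list
        If value = item Then InList = True
    Next
End Function

' Returns "" when the post is acceptable, otherwise the reason to reject it.
Function ValidateOrder(product, qty, email)
    ValidateOrder = ""
    If Not InList(product, allowedProducts) Then
        ValidateOrder = "unknown product"
    ElseIf Not MatchesPattern(qty, "^[0-9]{1,2}$") Then
        ValidateOrder = "quantity is not a whole number"
    ElseIf CInt(qty) < 1 Or CInt(qty) > MAX_QTY Then
        ValidateOrder = "quantity out of range"
    ElseIf Len(email) > 100 Or Not MatchesPattern(email, "^[\w.+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$") Then
        ValidateOrder = "malformed e-mail address"
    End If
End Function

Dim product, qty, email, problem
product = Trim(Request.Form("product"))
qty     = Trim(Request.Form("qty"))
email   = Trim(Request.Form("email"))
problem = ValidateOrder(product, qty, email)
If problem <> "" Then
    Response.Status = "400 Bad Request"
    Response.Write "Rejected: " & Server.HTMLEncode(problem)
    Response.End
End If
' Price and totals are looked up server-side from the product code,
' never read from the submitted form.
Response.Write "Accepted: " & Server.HTMLEncode(product) & " x " & CInt(qty)
%>
```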

