- Impact
- 1
This applies to any script any server any browser any platform - BE AWARE THAT NOT ALL CLIENTS ARE GOOD!
Due to a massive outbreak of hacking on the internet, you should be aware of the top 3 reasons a site is hacked. If you follow these guidelines, you should be very safe (the web server you host on might have security issues of it's own).
This document will only discuss the 1st reason.
1st Reason:
The #1 reason that sites are hacked is simply, no validation on variables.
It doesn't matter what script or what server or anything - always validate your data.
Don't know how to validate data in your scripting language? LEARN!
DO NOT POST ANYTHING ONLINE UNTIL THE VARIABLES ARE VALIDATED!
Invalid or no validation leads to dangers such as an SQL Injection Attack.
What is that? Read on and weep.
Take the following ASP Database query code:
------------------------
<%@ LANGUAGE = VBSCRIPT %>
<% OPTION EXPLICIT %>
<HTML>
<HEAD>
<TITLE>Please Wait...</TITLE>
</HEAD>
<BODY>
Please wait while we read the database information...
<%
Dim strSQL
Dim objCon
Dim objRS
strSQL = "SELECT * FROM tblMyStuff WHERE info > " & Request.QueryString("minnumber")
Set objCon = Server.CreateObject("ADODB.Connection")
objCon.ConnectionString = "DSN=myconnection"
objCon.Open
Set objRS = Server.CreateObject("ADODB.RecordSet")
objRS.Open strSQL, objCon, ,
If (objRS.EOF) then
Response.Write "No data!"
else
Do While Not (objRS.EOF)
Response.Write (bjRS("myfield") & "<BR>")
Loop
end if
objRS.Close
Set objRS = nothing
objCon.Close
Set objCon = nothing
%>
</BODY>
</HTML>
For those of you who don't know ASP, all that does is open up a connection to a database an write out the information using an SQL statement.
Now this looks fine right? Nope. What if a hacker was to put this into the QueryString Data as minnumber: "2; DELETE FROM tblMyStuff"?
That would delete your whole database.
So how would you stop that in this situation? Either validate with the IsInteger() function or add +1 and subtract -1 (strings will generate an error).
This applies to all codes, not just ASP.
Follow these 3 guidelines and BE AWARE!
This applies to any script any server any browser any platform - BE AWARE THAT NOT ALL CLIENTS ARE GOOD!
Due to a massive outbreak of hacking on the internet, you should be aware of the top 3 reasons a site is hacked. If you follow these guidelines, you should be very safe (the web server you host on might have security issues of it's own).
This document will only discuss the 2nd reason, I am writing the other 1 later. See also: Security Issues 3 (BE AWARE)
2nd Reason:
The 2nd most common reason for a website being hacked is incorrect Script Syntax.
GOLDEN RULE OF WEB DESIGN: Make before you upload
If a hacker finds a testing page that is incomplete and still is not debugged, error messages may reveal sensitive information to the hacker. BE WARNED!
Consider the following Source Code Encryption Situation:
A file called "mycode.xxx" is in "http://mysite.com/mydirectory/".
.xxx is some server side language (ASP, CGI ect.)
Source code encryption has been applied to protect the URL of the document (the URL could possibly reveal some information about the server that is sensitive).
The Server Side scripting has an error because it is still in testing stages.
A hacker comes along, stumbles across the file (I don't care what you say, if it is online, it is accessable), and see's this:
INTERNAL SERVER ERROR 500;100
http://mysite.com/mydirectory/mycode.xxx line 2842
Variable is undefined: strImStupid
This might not seem so bad, but imagine if a POST form string was being used to get a sensitive database password, the error would be:
INTERNAL SERVER ERROR 500;100
http://mysite.com/mydirectory/mycode.xxx lin 2842
Variable is undefined: strImStupid
Browser: (browser information)
POST { username=hello&hi=hi&databasepassword=sensitiveinfo; }
Even though it sounds like an uncommon situation, reality is that its the 2nd most likley reason for a website to be hacked.
This applies to any script any server any browser any platform - BE AWARE THAT NOT ALL CLIENTS ARE GOOD!
Due to a massive outbreak of hacking on the internet, you should be aware of the top 3 reasons a site is hacked. If you follow these guidelines, you should be very safe (the web server you host on might have security issues of it's own).
This document will only discuss the 3rd reason, I am writing the other 2 later.
3rd Reason:
The 3rd reason why sites are hacked is because of careless backup files. If you are going to make a backup of a file, DO NOT SAVE IT ON THE WEB SERVER!
Even if there is nothing wrong with the security in the page you are backing up, BACKUP FILES ON THE SERVER ARE NOT GOOD! Why are they not good? Take this example of a backup ASP script.
---------------------------------
<%@ LANGUAGE = VBSCRIPT %>
<% OPTION EXPLICIT %>
<HTML>
<HEAD>
<TITLE>My Secure Page (I Hope)</TITLE>
</HEAD>
<BODY>
Non-Secure Information Here
<%
Dim strSecure
strSecure = "Secure Data like a database connection string, you don't want people seeing this..."
%>
</BODY>
</HTML>
---------------------------------
Doesn't look like there is anything wrong right?
You are right, it is perfectly safe.
Now consider this - The administrator of the website is afraid a hacker will strike this page because of the sensitive information. The administrator copies and pastes this file (let's call it secure.asp) and renames it "secure.bak" or something of the sort.
Now a hacker comes along. He knows the URL of secure.asp (not hard to get) and checks if the administrator was careless enough to make a Server Side Backup.
He types the following text into the URL bar:
http://mysite.com/mydirectory/secure.asp
Now he types these ones as well, seeing if any one is there:
http://mysite.com/mydirectory/secure.bak
http://mysite.com/mydirectory/secure.old
http://mysite.com/mydirectory/secure.asp.2
http://mysite.com/mydirectory/secure.asp.bak
http://mysite.com/mydirectory/secure.asp.old
http://mysite.com/mydirectory/secure.2
http://mysite.com/mydirectory/Copy Of secure.asp
http://mysite.com/mydirectory/Copy (2) of secure.asp
If any one of these is a backup file, the server sees that it is an unknown format, and sends the information to the hacker as a PLAIN TEXT FILE!!! The hacker will see all the source code, including the Server Side Script!
Due to a massive outbreak of hacking on the internet, you should be aware of the top 3 reasons a site is hacked. If you follow these guidelines, you should be very safe (the web server you host on might have security issues of it's own).
This document will only discuss the 1st reason.
1st Reason:
The #1 reason that sites are hacked is simply, no validation on variables.
It doesn't matter what script or what server or anything - always validate your data.
Don't know how to validate data in your scripting language? LEARN!
DO NOT POST ANYTHING ONLINE UNTIL THE VARIABLES ARE VALIDATED!
Invalid or no validation leads to dangers such as an SQL Injection Attack.
What is that? Read on and weep.
Take the following ASP Database query code:
------------------------
<%@ LANGUAGE = VBSCRIPT %>
<% OPTION EXPLICIT %>
<HTML>
<HEAD>
<TITLE>Please Wait...</TITLE>
</HEAD>
<BODY>
Please wait while we read the database information...
<%
Dim strSQL
Dim objCon
Dim objRS
strSQL = "SELECT * FROM tblMyStuff WHERE info > " & Request.QueryString("minnumber")
Set objCon = Server.CreateObject("ADODB.Connection")
objCon.ConnectionString = "DSN=myconnection"
objCon.Open
Set objRS = Server.CreateObject("ADODB.RecordSet")
objRS.Open strSQL, objCon, ,
If (objRS.EOF) then
Response.Write "No data!"
else
Do While Not (objRS.EOF)
Response.Write (bjRS("myfield") & "<BR>")
Loop
end if
objRS.Close
Set objRS = nothing
objCon.Close
Set objCon = nothing
%>
</BODY>
</HTML>
For those of you who don't know ASP, all that does is open up a connection to a database an write out the information using an SQL statement.
Now this looks fine right? Nope. What if a hacker was to put this into the QueryString Data as minnumber: "2; DELETE FROM tblMyStuff"?
That would delete your whole database.
So how would you stop that in this situation? Either validate with the IsInteger() function or add +1 and subtract -1 (strings will generate an error).
This applies to all codes, not just ASP.
Follow these 3 guidelines and BE AWARE!
This applies to any script any server any browser any platform - BE AWARE THAT NOT ALL CLIENTS ARE GOOD!
Due to a massive outbreak of hacking on the internet, you should be aware of the top 3 reasons a site is hacked. If you follow these guidelines, you should be very safe (the web server you host on might have security issues of it's own).
This document will only discuss the 2nd reason, I am writing the other 1 later. See also: Security Issues 3 (BE AWARE)
2nd Reason:
The 2nd most common reason for a website being hacked is incorrect Script Syntax.
GOLDEN RULE OF WEB DESIGN: Make before you upload
If a hacker finds a testing page that is incomplete and still is not debugged, error messages may reveal sensitive information to the hacker. BE WARNED!
Consider the following Source Code Encryption Situation:
A file called "mycode.xxx" is in "http://mysite.com/mydirectory/".
.xxx is some server side language (ASP, CGI ect.)
Source code encryption has been applied to protect the URL of the document (the URL could possibly reveal some information about the server that is sensitive).
The Server Side scripting has an error because it is still in testing stages.
A hacker comes along, stumbles across the file (I don't care what you say, if it is online, it is accessable), and see's this:
INTERNAL SERVER ERROR 500;100
http://mysite.com/mydirectory/mycode.xxx line 2842
Variable is undefined: strImStupid
This might not seem so bad, but imagine if a POST form string was being used to get a sensitive database password, the error would be:
INTERNAL SERVER ERROR 500;100
http://mysite.com/mydirectory/mycode.xxx lin 2842
Variable is undefined: strImStupid
Browser: (browser information)
POST { username=hello&hi=hi&databasepassword=sensitiveinfo; }
Even though it sounds like an uncommon situation, reality is that its the 2nd most likley reason for a website to be hacked.
This applies to any script any server any browser any platform - BE AWARE THAT NOT ALL CLIENTS ARE GOOD!
Due to a massive outbreak of hacking on the internet, you should be aware of the top 3 reasons a site is hacked. If you follow these guidelines, you should be very safe (the web server you host on might have security issues of it's own).
This document will only discuss the 3rd reason, I am writing the other 2 later.
3rd Reason:
The 3rd reason why sites are hacked is because of careless backup files. If you are going to make a backup of a file, DO NOT SAVE IT ON THE WEB SERVER!
Even if there is nothing wrong with the security in the page you are backing up, BACKUP FILES ON THE SERVER ARE NOT GOOD! Why are they not good? Take this example of a backup ASP script.
---------------------------------
<%@ LANGUAGE = VBSCRIPT %>
<% OPTION EXPLICIT %>
<HTML>
<HEAD>
<TITLE>My Secure Page (I Hope)</TITLE>
</HEAD>
<BODY>
Non-Secure Information Here
<%
Dim strSecure
strSecure = "Secure Data like a database connection string, you don't want people seeing this..."
%>
</BODY>
</HTML>
---------------------------------
Doesn't look like there is anything wrong right?
You are right, it is perfectly safe.
Now consider this - The administrator of the website is afraid a hacker will strike this page because of the sensitive information. The administrator copies and pastes this file (let's call it secure.asp) and renames it "secure.bak" or something of the sort.
Now a hacker comes along. He knows the URL of secure.asp (not hard to get) and checks if the administrator was careless enough to make a Server Side Backup.
He types the following text into the URL bar:
http://mysite.com/mydirectory/secure.asp
Now he types these ones as well, seeing if any one is there:
http://mysite.com/mydirectory/secure.bak
http://mysite.com/mydirectory/secure.old
http://mysite.com/mydirectory/secure.asp.2
http://mysite.com/mydirectory/secure.asp.bak
http://mysite.com/mydirectory/secure.asp.old
http://mysite.com/mydirectory/secure.2
http://mysite.com/mydirectory/Copy Of secure.asp
http://mysite.com/mydirectory/Copy (2) of secure.asp
If any one of these is a backup file, the server sees that it is an unknown format, and sends the information to the hacker as a PLAIN TEXT FILE!!! The hacker will see all the source code, including the Server Side Script!
