
Try hacking my site 3


aspvbnetnerd

Programmer
May 16, 2006
278
SE
I am done with my webshop and I hope that the site is now protected from injections.

Could anyone try to hack my webshop?
I want to see if it is secure against injections and all other stuff

The address is
Any comment about the webshop is appreciated even if it is about the design.

Some stuff does not work, for example they don't support CDOSYS

George
 
I'd start off by sorting the validation errors:

Your new user page accepts anything - no check even on valid email address

Hovering over the 'Buy' button shows a blank red box

Once you have selected from the drop-down menu, you can't (easily) get back to the 'All Items' option

Buying one article at 30.00 results in a total of 95.00 with no explanation

________________________________________________________________
If you want to get the best response to a question, please check out FAQ222-2244 first.
'If we're supposed to work in Hex, why have we only got A fingers?'
Drive a Steam Roller
 
1. The validation will be fixed when everything else is okay.

2. Email validation I didn't think about.
Can I do validation with ASP or do I have to have JavaScript for that?

3. I have removed the hover from the 'buy' button.

johnwm said:
Once you have selected from the drop-down menu, you can't (easily) get back to the 'All Items' option
4. There is no menu for 'All items'. 'Välj menu' is Swedish for 'choose menu'.


johnwm said:
Buying one article at 30.00 results in a total of 95.00 with no explanation
5. The cargo is 65 Swedish Kr.

Thanks for the comment johnwm

How about the Injection?

George
 
1) There is no login error page, it just displays the front page

2)
3) And your users table is empty

-T

 
Tarwin, now there are users in the users table.

And your users table is empty

How did you know there was a table called users?

Did I pass the security?
I don't want to sell a webshop and the security is not good.


George
 
The easiest way to avoid SQL Injection is to use Stored Procedures. SQL won't process commands it didn't expect, but if you don't tell it what to expect then you just leave yourself open.

MCP, .Net Solutions Development <%_%>
 
Ok, it looks like either you closed the two holes I found or I am not awake

The two I had were:
default.asp?page=srchprod&prod=
default.asp?page=menu&menuid=

I basically:
1) tried to create errors in your blanks and querystrings by using single-quotes, double-quotes, illegal characters until I found some that weren't protected like above
2) started trying to find tables that existed. Basically I was injecting a UNION statement into the SQL statement like so:
and '1' = '3' UNION select 'a','a','a','a','a','a','a','a','a' From [users] where '1'='1

The way I found the table name is I just kept trying different table names that made sense until the ADO error stopped saying "Table not found". I did the same thing to get the number of fields in my union statement to match up the number of fields in your select from the products table. I believe there were 7 fields in the search form and 9 in the menuid one.

3) Now, I started doing queries to find field names. I found that I didn't get errors when I used [username] or [password] as field names for the [users] table, but I also didn't get any results. Your search page was a little more forgiving and would actually display some results if I did something like:
UNION select COUNT([username]),COUNT([username]),COUNT([username]),COUNT([username]),COUNT([username]),COUNT([username]),COUNT([username]) From [users] where '1'='1
Which gave me a display with a whole bunch of zeroes instead of a product, but also told me you had no users.
If you had had users I would have done a select for the [username] and [password]'s. Then I would have tried out some more field names and tried to log into /Admin.asp which I found by random guess.

If you had had users in the [users] table, I would have had them as well as possibly having a login into the admin site, or at least known that the login wasn't there and I needed to keep looking. Since I wasn't a serious attacker I gave up after this because my scotch was getting warm :)

-T

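Tarwin's post shows why the `menuid` and `prod` querystrings were exploitable: the value was concatenated into the SQL text. As an added example (not code from the thread or from George's shop), here is the menu lookup written with a parameterized ADODB.Command in classic ASP; the connection string, the `[products]` table and its column names are assumptions.

```vbscript
<%
' Added example (not code from the thread): the lookup behind
' default.asp?page=menu&menuid= done with a parameterized ADODB.Command
' instead of string concatenation, so a quote or a UNION in the
' querystring is bound as data and cannot alter the statement.
' Assumptions: strConn is a JET connection string and [products]
' has columns [menuid] (number), [name] and [price]; all names are made up.
Option Explicit
Dim strConn, menuId, re, cmd, rs

strConn = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & _
          Server.MapPath("/PLACEHOLDER/shop.mdb")   ' placeholder path

' 1) Allow only a short run of digits; "1' UNION ..." never reaches the database.
menuId = Trim(Request.QueryString("menuid"))
Set re = New RegExp
re.Pattern = "^\d{1,9}$"
If Not re.Test(menuId) Then
    Response.Write "Invalid menu id."
    Response.End
End If

' 2) Bind the value as a typed parameter (3 = adInteger, 1 = adParamInput).
Set cmd = Server.CreateObject("ADODB.Command")
cmd.ActiveConnection = strConn
cmd.CommandText = "SELECT [name], [price] FROM [products] WHERE [menuid] = ?"
cmd.CommandType = 1   ' adCmdText
cmd.Parameters.Append cmd.CreateParameter("menuid", 3, 1, , CLng(menuId))
Set rs = cmd.Execute

' 3) Encode on output so a product name containing "<script>" is displayed, not executed.
Do While Not rs.EOF
    Response.Write "<li>" & Server.HTMLEncode(CStr(rs("name"))) & " " & _
                   Server.HTMLEncode(CStr(rs("price"))) & "</li>"
    rs.MoveNext
Loop
rs.Close
Set rs = Nothing
Set cmd = Nothing
%>
```

Tarwin learned the table name from the ADO "Table not found" error, so the shop should also stop sending raw JET error text to the browser and show a generic message instead.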
 
Selected backpack from the dropdown menu. Then clicked the buy button for the backpack. Received the following error:

Microsoft JET Database Engine error '80040e10'

No value given for one or more required parameters.

/aspvbnerd/testar.asp, line 13
 
First of all I would like to thank you Tarwin for taking your time to test the site.

Tarwin said:
Ok, it looks like either you closed the two holes I found or I am not awake

On my menu.asp and srchprod.asp I saw 2 holes not too long ago so I fixed them.

3) I actually have a couple of users in my users table.

For the admin.asp page I have a different table for those users.


Tarwin, is the site's security okay or not?


George
 
Bekräfta köp
Microsoft JET Database Engine error '80040e14'
The SELECT statement includes a reserved word or an argument name that is misspelled or missing, or the punctuation is incorrect.
/aspvbnerd/include/databaseconnection.asp, line 27
 
It is possible to fill all fields with blanks in the "Private information" screen

It is possible to enter HTML codes in those fields....
 
foxbox said:
Bekräfta köp
Microsoft JET Database Engine error '80040e14'
The SELECT statement includes a reserved word or an argument name that is misspelled or missing, or the punctuation is incorrect.
/aspvbnerd/include/databaseconnection.asp, line 27

That problem is fixed.
The error was that my SQL did a SELECT TOP 0 * FROM.

foxbox said:
It is possible to enter HTML codes in those fields....

How should I fix that?
 
I usually have a very down-to-earth method for this: simply replace any < with [ and > with ]. Especially in personal info fields like this you normally would not enter a < or >.


BTW: you must limit the number of characters that the user can enter AND adjust your SQL INSERT/UPDATE instruction in order to prevent this:

Microsoft JET Database Engine error '80040e21'

The field is too small to accept the amount of data you attempted to add. Try inserting or pasting less data.

/aspvbnerd/prvinfo.asp, line 86




 
Foxbox, I have fixed the problem you mentioned in your last post.

1) I solved it with Server.HTMLEncode.
Is this a good solution?

It became like this, not so nice.


2) I have set a maxlength so that problem should not occur again.

Did anyone manage to log in to the admin.asp site?
Because it seems like someone did.
 
If I spend more time, I can probably guess the name of your database and download it. That is if I am right and it is located in a folder called db. Or is it outside of the root like it should be?

Dodge20
 
yep, that was me:
Server object error 'ASP 0177 : 800401f3'
Server.CreateObject Failed
/aspvbnerd/editproduct.asp, line 170
800401f3
(I entered a negative price for a product)

Pressing the Sok button without a value in the field:
Microsoft JET Database Engine error '80040e10'
No value given for one or more required parameters.
/aspvbnerd/include/databaseconnection.asp, line 27


Microsoft VBScript compilation error '800a0400'
Expected statement
/aspvbnerd/statistic.asp, line 19
<div id="headmenu">


Lägg till Produkt
Server object error 'ASP 0177 : 800401f3'
Server.CreateObject Failed
/aspvbnerd/addproduct.asp, line 53
800401f3
 
On the box where you type the quantity I would filter out all non-numeric characters. I tried both letters and punctuation which caused script errors.
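The thread raises three input problems on the "Private information" and quantity forms: blank-only fields, HTML typed into fields, the JET "field is too small" error (80040e21), and non-numeric quantities causing script errors. A maxlength attribute only restrains the browser, so the server has to repeat the check. As an added example (not code from the thread or the shop), here are those checks in classic ASP before a parameterized INSERT; the `[customers]` table, its column sizes and the form field names are assumptions.

```vbscript
<%
' Added example (not from the thread): server-side checks for the
' "Private information" form before the INSERT in prvinfo.asp.
' Table, column names/sizes and form field names are assumed.
Option Explicit
Dim strConn
strConn = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & _
          Server.MapPath("/PLACEHOLDER/shop.mdb")   ' placeholder path

' Returns "" when the value is acceptable, otherwise a message for the user.
Function CheckText(value, maxLen)
    Dim v
    v = Trim(value)
    If Len(v) = 0 Then
        CheckText = "Field may not be blank."        ' blanks-only is rejected
    ElseIf Len(v) > maxLen Then
        CheckText = "Field may not exceed " & maxLen & " characters."
    Else
        CheckText = ""
    End If
End Function

' Quantity: digits only, 1..999. Letters and punctuation are rejected here
' instead of reaching the SQL and producing a JET error.
Function CheckQuantity(value)
    Dim re
    Set re = New RegExp
    re.Pattern = "^[1-9]\d{0,2}$"
    CheckQuantity = re.Test(Trim(value))
End Function

Dim fName, fAddr, fQty, msg, cmd
fName = Request.Form("name") : fAddr = Request.Form("address") : fQty = Request.Form("qty")

msg = CheckText(fName, 50)
If msg = "" Then msg = CheckText(fAddr, 100)
If msg = "" And Not CheckQuantity(fQty) Then msg = "Quantity must be a number between 1 and 999."

If msg <> "" Then
    ' Echo input only after encoding, so HTML in a field is shown as text, not rendered.
    Response.Write Server.HTMLEncode(msg) & " You entered: " & Server.HTMLEncode(fName)
    Response.End
End If

' Parameter sizes match the table columns, so 80040e21 cannot be triggered,
' and the values are never concatenated into the SQL text.
Set cmd = Server.CreateObject("ADODB.Command")
cmd.ActiveConnection = strConn
cmd.CommandText = "INSERT INTO [customers] ([name], [address], [qty]) VALUES (?, ?, ?)"
cmd.Parameters.Append cmd.CreateParameter("name", 202, 1, 50, Trim(fName))    ' adVarWChar
cmd.Parameters.Append cmd.CreateParameter("address", 202, 1, 100, Trim(fAddr))
cmd.Parameters.Append cmd.CreateParameter("qty", 3, 1, , CLng(fQty))          ' adInteger
cmd.Execute
Set cmd = Nothing
%>
```

Storing the raw text and encoding only when it is displayed avoids the "not so nice" &lt; and &gt; sequences that appear when Server.HTMLEncode is applied before the INSERT.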
 