
Try hacking my site 3

Status
Not open for further replies.

aspvbnetnerd

Programmer
May 16, 2006
278
SE
I am done with my webshop and I hope that the site is now protected from injections.

Could anyone try to hack my webshop?
I want to see if it is secure against injections and all other stuff.

The address is
Any comment about the webshop is appreciated, even if it is about the design.

Some stuff does not work; for example, they don't support CDOSYS.

George
 
Foxbox,
1) I only have a test account and Brinkster doesn't support AspSmartUpload.
Line 170 is Set mySmartUpload = Server.CreateObject("aspSmartUpload.SmartUpload")

2) Where did you get that error, because I'm trying to do the same.

3) The statistics page shouldn't work because that should be an extra payment for statistics.

4) Same problem as the first problem (AspSmartUpload).
Line 53 is this: Set mySmartUpload = Server.CreateObject("aspSmartUpload.SmartUpload")

emozley, should I do that with a JavaScript control?
 
I must admit I do all my form validation server side eg:

If IsNumeric(Request.Form("Quantity"))=TRUE Then
' Do something
Else
' Do something else
End If

as I know almost nothing whatsoever about JavaScript. However, I would have thought that JavaScript is a) better from a security point of view and b) more efficient.

E.
 
JavaScript is worse for security because anyone can view the source of your page, save it to a local file, edit out the JavaScript, and submit whatever they want.

JavaScript validation is good for user interaction. The page doesn't have to be submitted all the way back to the server for validation, and you can do nifty tricks like putting the focus on the inputs they missed or need to correct.

Server-side validation is better for overall security because that is the last step before something is actually executed with the data, and there are no chances for someone to accidentally or maliciously enter something wrong after this point.

JavaScript is good for the user; server-side is good for the application security and database integrity.
 
Okay, Now I have changed it to
If IsNumeric(Request.Form("antal"))= True Then.

And I thought that I was done with the webshop.

Is the security okay now?

George
 
I typed the letter 'a' next to speedo 56.25 and still get:

Microsoft JET Database Engine error '80040e10'

No value given for one or more required parameters.

/aspvbnerd/testar.asp, line 13
 
aspvbnetnerd,

Looks like you have tightened up. I went to your site and simple injection attempts using your login form were unsuccessful. ( Great work there Tarwn )

I want to comment on a reply I read earlier in this topic:
The easiest way to avoid SQL Injection is to use Stored Procedures
This is an inaccurate statement and supplies a false sense of security.

If one uses variables in a stored procedure and does not have proper sanitizing/checking routines in place before executing a procedure, then successful injections are still very possible.

This statement is akin to "having a firewall will protect you from being h4x0r3d."

Just face it, there is no *easy way* to protect yourself from SQL injections, and it takes work to protect your application. If I had to suggest a single solution it would be to use RegExp to match certain unwanted criteria. Make it discernible... supply logic in your application to know the difference between a user error and a hack attempt, and Response.Clear():Response.End() -or- Response.Redirect(" on hack attempts, and/or add the IP to a "bannedip" table and reference this on each page request.
Code:
dim rgx,pattern,matched,requestfield,banned
' read the field from the form on POST, from the query string otherwise
if request.servervariables("REQUEST_METHOD")="POST" then
    requestfield=request.form("myFORMfieldname")
else
    requestfield=request.querystring("myQSfieldname")
end if
' blacklist of tokens the field must never contain
' (%3c and %3e are the URL-encoded forms of < and >)
pattern="(script)|(<)|(>)|(%3c)|(%3e)|"&_
"(CREATE)|(SELECT)|(UPDATE)|(INSERT)|"&_
"(DELETE)|(GRANT)|(REVOKE)|(;)|"&_
"(--)|(\))|(')"
set rgx=new regexp
rgx.ignorecase=true
rgx.global=true
rgx.pattern=pattern
matched=rgx.test(requestfield)   ' true if any blacklisted token is present
set rgx=nothing
if matched then
    'ban the IP
    banned=request.servervariables("REMOTE_ADDR")
    'logic for adding to a db or adding IP to denied in IIS
    '   using WMI or ADSI
    'logic for sending administrative alert via email
    'logic for whatever else you want to do
else
    'process the input
end if
Just my $0.02.

Have a good weekend everybody!

-a6m1n0

Curiosity only kills cats.
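The thread makes two points worth seeing together in classic ASP: emozley's server-side IsNumeric check, and a6m1n0's warning that a stored procedure or a keyword blacklist does not by itself stop user text from being spliced into SQL. The following is an added example by the editor, not code from the thread or from George's shop; it assumes an open ADODB.Connection named conn and a Products table with Stock, ProductID and Name columns, and it handles the quantity field "antal" from George's form.

```vbscript
<%
Option Explicit
' ADO constants as numeric values, so no adovbs.inc include is needed
Const adCmdText = 1
Const adInteger = 3
Const adParamInput = 1

Dim antal, cmd, rs
antal = Request.Form("antal")

' Step 1: validate on the server, where editing the page cannot bypass it.
' IsNumeric also accepts "56.25" and "1e3", so the quantity is further
' required to be a whole number in a sane range before it is used.
If Not IsNumeric(antal) Then
    Response.Clear
    Response.Write "Invalid quantity."
    Response.End
End If
If CDbl(antal) <> Fix(CDbl(antal)) Or CLng(antal) < 1 Or CLng(antal) > 999 Then
    Response.Clear
    Response.Write "Quantity must be a whole number between 1 and 999."
    Response.End
End If

' The pattern to avoid: user text pasted straight into the statement. A stray
' letter in the field makes JET parse it as part of the SQL, which is the kind
' of situation behind the "No value given for one or more required
' parameters" error quoted earlier in this thread.
'   sql = "SELECT ProductID, Name FROM Products WHERE Stock >= " & antal
'   Set rs = conn.Execute(sql)

' Step 2: hand the value to JET as a typed parameter. The engine receives the
' statement and the value separately, so the input can never change the query
' no matter what characters it contains; no blacklist is required for this.
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn   ' conn: an open ADODB.Connection (assumed)
cmd.CommandType = adCmdText
cmd.CommandText = "SELECT ProductID, Name FROM Products WHERE Stock >= ?"
cmd.Parameters.Append cmd.CreateParameter("antal", adInteger, adParamInput, , CLng(antal))
Set rs = cmd.Execute

' Encode on output as well, so a product name stored in the database cannot
' inject markup into the page.
Do Until rs.EOF
    Response.Write Server.HTMLEncode(rs("Name")) & "<br>"
    rs.MoveNext
Loop
rs.Close
%>
```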
 