Snitz Forums 2000
Snitz Forums 2000
Home | Profile | Register | Active Topics | Members | Search | FAQ
Username:
Password:
Save Password
Forgot your Password?

 All Forums
 Snitz Forums 2000 MOD-Group
 MOD Add-On Forum (W/Code)
 Keeping the querystring-injectors out
 New Topic  Reply to Topic
 Printer Friendly
Next Page
Author Previous Topic Topic Next Topic
Page: of 2

MarcelG
Retired Support Moderator

Netherlands
2625 Posts

Posted - 16 October 2009 :  07:39:20  Show Profile  Visit MarcelG's Homepage  Reply with Quote
I'm a bit paranoia when it gets to websitesecurity.
I often see people active on my websites who are trying to perform strange pagerequests, with stuff like TOPIC_ID=100+1+1+AND' etc.
To keep those people out (and send them a message) I've implemented the following lines of code in config.asp, before the database is even opened.
What it does is this:
- it checks for the various numeric querystrings used by Snitz to see if they are numeric or not.
- if they're not empty but also not numeric, the user is redirected to a 401 page, which tells them that they're busted.

Example: http://oxle.com/topic.asp?topic_id=6205+lamehackattack$
(Warning, my 401 page is pretty rude...)
You can extend this with custom numeric querystrings used on your forum, for for example the blogmod, download mods etc.
'let us keep out the querystring injectors before we open up the SQL connection
if Request.QueryString("id") <> "" and IsNumeric(Request.QueryString("id")) = false then
Response.Status="401 Access denied"
response.redirect "401.asp"
Response.End
end if
if Request.QueryString("whichpage") <> "" and IsNumeric(Request.QueryString("whichpage")) = false then
Response.Status="401 Access denied"
response.redirect "401.asp"
Response.End
end if
if Request.QueryString("TOPIC_ID") <> "" and IsNumeric(Request.QueryString("TOPIC_ID")) = false then
Response.Status="401 Access denied"
response.redirect "401.asp"
Response.End
end if
if Request.QueryString("REPLY_ID") <> "" and IsNumeric(Request.QueryString("REPLY_ID")) = false then
Response.Status="401 Access denied"
response.redirect "401.asp"
Response.End
end if
if Request.QueryString("forum_id") <> "" and IsNumeric(Request.QueryString("forum_id")) = false then
Response.Status="401 Access denied"
response.redirect "401.asp"
Response.End
end if
if Request.QueryString("cat_id") <> "" and IsNumeric(Request.QueryString("cat_id")) = false then
Response.Status="401 Access denied"
response.redirect "401.asp"
Response.End
end if

'end of the querystring injectors protection

This code is put in config.asp above the line that starts with this:
dim strDBType,


Make sure you create a 401.asp page so that the viewer is notified he's being watched.
Or redirect to something else instead, that's also possible of course.

I've tried to get as many numeric querystrings in here as I could think of, but if you know one that I've missed, please let me know.

***** EDIT: code fixed, Carefree spotted a missing end if*****

portfolio - linkshrinker - oxle - twitter

Edited by - MarcelG on 17 October 2009 11:41:35

HuwR
Forum Admin

United Kingdom
20584 Posts

Posted - 16 October 2009 :  10:29:38  Show Profile  Visit HuwR's Homepage  Reply with Quote
your forum should be perfectly safe without the need to do this, Snitz already ensures that a valid number is passed in order to prevent injection
Go to Top of Page

MarcelG
Retired Support Moderator

Netherlands
2625 Posts

Posted - 16 October 2009 :  10:34:16  Show Profile  Visit MarcelG's Homepage  Reply with Quote
Yes, I know.
But still, I want to send them a message....

BTW, I seem to have broken it, so I'm trying to figure out what's happening now...strange.

portfolio - linkshrinker - oxle - twitter
Go to Top of Page

bobby131313
Senior Member

USA
1163 Posts

Posted - 16 October 2009 :  10:35:14  Show Profile  Visit bobby131313's Homepage  Reply with Quote
I like redirecting buttheads here.

Switch the order of your title tags
Go to Top of Page

HuwR
Forum Admin

United Kingdom
20584 Posts

Posted - 16 October 2009 :  12:07:36  Show Profile  Visit HuwR's Homepage  Reply with Quote
quote:
Originally posted by MarcelG

Yes, I know.
But still, I want to send them a message....

BTW, I seem to have broken it, so I'm trying to figure out what's happening now...strange.


looks like it's working to me
Go to Top of Page

Etymon
Advanced Member

United States
2385 Posts

Posted - 16 October 2009 :  12:32:28  Show Profile  Visit Etymon's Homepage  Reply with Quote
Looks good.

I tried ... http://oxle.com/topic.asp?topic_id=6205&whichpage=-1+1+1+AND and got flagged.
Go to Top of Page

Podge
Support Moderator

Ireland
3775 Posts

Posted - 16 October 2009 :  13:12:52  Show Profile  Send Podge an ICQ Message  Send Podge a Yahoo! Message  Reply with Quote
Marcel, if you want to be thorough you should add a check to test if the value is numeric and greater than zero. Technically -1 is numeric but not valid as a Snitz querystring AFAIK.

Podge.

The Hunger Site - Click to donate free food | My Blog | Snitz 3.4.05 AutoInstall (Beta!)

My Mods: CAPTCHA Mod | GateKeeper Mod
Tutorial: Enable subscriptions on your board

Warning: The post above or below may contain nuts.
Go to Top of Page

AnonJr
Moderator

United States
5768 Posts

Posted - 16 October 2009 :  13:57:06  Show Profile  Visit AnonJr's Homepage  Reply with Quote
quote:
Originally posted by Podge

Marcel, if you want to be thorough you should add a check to test if the value is numeric and greater than zero. Technically -1 is numeric but not valid as a Snitz querystring AFAIK.

It is valid for the whichpage variable IIRC...
Go to Top of Page

HuwR
Forum Admin

United Kingdom
20584 Posts

Posted - 17 October 2009 :  03:07:14  Show Profile  Visit HuwR's Homepage  Reply with Quote
yes, -1 is valid for the whichpage variable
Go to Top of Page

Carefree
Advanced Member

Philippines
4207 Posts

Posted - 17 October 2009 :  10:48:08  Show Profile  Reply with Quote
quote:

if Request.QueryString("whichpage") <> "" and IsNumeric(Request.QueryString("whichpage")) = false then
Response.Status="401 Access denied"
response.redirect "401.asp"
Response.End


You're missing an
end if
Go to Top of Page

MarcelG
Retired Support Moderator

Netherlands
2625 Posts

Posted - 17 October 2009 :  11:41:49  Show Profile  Visit MarcelG's Homepage  Reply with Quote
No I'm not.


portfolio - linkshrinker - oxle - twitter
Go to Top of Page

Carefree
Advanced Member

Philippines
4207 Posts

Posted - 15 December 2012 :  10:14:58  Show Profile  Reply with Quote
LOL, revisiting old topics and clicked your 401 link.
Go to Top of Page

Giumer
Junior Member

Italy
163 Posts

Posted - 15 December 2012 :  16:11:19  Show Profile  Send Giumer an ICQ Message  Reply with Quote
quote:
Originally posted by Carefree

LOL, revisiting old topics and clicked your 401 link.



mate you have 1 page 401.asp for me ?? thx

=======================
http://www.Giumer.it/forum

=======================
Go to Top of Page

Carefree
Advanced Member

Philippines
4207 Posts

Posted - 26 December 2012 :  02:59:18  Show Profile  Reply with Quote
OK, I wrote one inspired by Marcel's. I captured the query strings (even if used on pages which don't contain forms or queries, e.g. default.asp?id='afab) and they are displayed on the 401 page. If the query contains an illegal character (for use in SQL injection attempts), the comment is changed to reflect that. I included an image appropriate to the occasion. You can get a copy on SnitzBitz.

Edited by - Carefree on 26 December 2012 03:04:50
Go to Top of Page

Giumer
Junior Member

Italy
163 Posts

Posted - 26 December 2012 :  05:19:09  Show Profile  Send Giumer an ICQ Message  Reply with Quote
ok !! Grazie !! test !! http://giumer.it/forum/topic.asp?topic_id=6205+lamehackattack$

=======================
http://www.Giumer.it/forum

=======================

Edited by - Giumer on 26 December 2012 05:22:04
Go to Top of Page

HuwR
Forum Admin

United Kingdom
20584 Posts

Posted - 26 December 2012 :  07:57:46  Show Profile  Visit HuwR's Homepage  Reply with Quote
strictly speaking you should be issuing a 400 Bad Request not a 401 Unauthorized

MVC .net dev/test site | MVC .net running on Raspberry Pi
Go to Top of Page
Page: of 2 Previous Topic Topic Next Topic  
Next Page
 New Topic  Reply to Topic
 Printer Friendly
Jump To:
Snitz Forums 2000 © 2000-2021 Snitz™ Communications Go To Top Of Page
This page was generated in 0.11 seconds. Powered By: Snitz Forums 2000 Version 3.4.07