                
              
              
MarcelG (Retired Support Moderator, Netherlands, 2625 Posts), posted 16 October 2009 07:39:20
                     
                    
I'm a bit paranoid when it comes to website security. I often see people active on my websites who are trying to perform strange page requests, with stuff like TOPIC_ID=100+1+1+AND' etc. To keep those people out (and send them a message) I've implemented the following lines of code in config.asp, before the database is even opened. What it does is this:
- It checks the various numeric querystrings used by Snitz to see whether they are numeric or not.
- If they're not empty but also not numeric, the user is redirected to a 401 page, which tells them that they're busted.
Example: http://oxle.com/topic.asp?topic_id=6205+lamehackattack$ (Warning, my 401 page is pretty rude...) You can extend this with custom numeric querystrings used on your forum, for example the blogmod, download mods etc.
'let us keep out the querystring injectors before we open up the SQL connection
'(note: Response.Redirect replaces the 401 status set below with a 302 to 401.asp; the status line is kept here as posted)
if Request.QueryString("id") <> "" and IsNumeric(Request.QueryString("id")) = false then
Response.Status="401 Access denied"
response.redirect "401.asp"
Response.End
end if
if Request.QueryString("whichpage") <> "" and IsNumeric(Request.QueryString("whichpage")) = false then
Response.Status="401 Access denied"
response.redirect "401.asp"
Response.End
end if
if Request.QueryString("TOPIC_ID") <> "" and IsNumeric(Request.QueryString("TOPIC_ID")) = false then
Response.Status="401 Access denied"
response.redirect "401.asp"
Response.End
end if
if Request.QueryString("REPLY_ID") <> "" and IsNumeric(Request.QueryString("REPLY_ID")) = false then
Response.Status="401 Access denied"
response.redirect "401.asp"
Response.End
end if
if Request.QueryString("forum_id") <> "" and IsNumeric(Request.QueryString("forum_id")) = false then
Response.Status="401 Access denied"
response.redirect "401.asp"
Response.End
end if
if Request.QueryString("cat_id") <> "" and IsNumeric(Request.QueryString("cat_id")) = false then
Response.Status="401 Access denied"
response.redirect "401.asp"
Response.End
end if
'end of the querystring injectors protection

This code is put in config.asp above the line that starts with this:
dim strDBType,
Make sure you create a 401.asp page so that the viewer is notified he's being watched. Or redirect to something else instead; that's also possible of course.
I've tried to get as many numeric querystrings in here as I could think of, but if you know one that I've missed, please let me know.
***** EDIT: code fixed, Carefree spotted a missing end if *****
                     
                    
Signature: portfolio - linkshrinker - oxle - twitter
Edited by MarcelG on 17 October 2009 11:41:35
              
              
HuwR (Forum Admin, United Kingdom, 20611 Posts), posted 16 October 2009 10:29:38
                     
                    
Your forum should be perfectly safe without the need to do this; Snitz already ensures that a valid number is passed in order to prevent injection.
                     
                    
              
              
MarcelG (Retired Support Moderator, Netherlands, 2625 Posts), posted 16 October 2009 10:34:16
                     
                    
Yes, I know. But still, I want to send them a message....
BTW, I seem to have broken it, so I'm trying to figure out what's happening now... strange.
                     
                    
              
              
bobby131313 (Senior Member, USA, 1163 Posts)
              
              
HuwR (Forum Admin, United Kingdom, 20611 Posts), posted 16 October 2009 12:07:36
                     
                    
quote: Originally posted by MarcelG
Yes, I know. But still, I want to send them a message....
BTW, I seem to have broken it, so I'm trying to figure out what's happening now... strange.

Looks like it's working to me.
                     
                    
              
              
Etymon (Advanced Member, United States, 2396 Posts)
              
              
Podge (Support Moderator, Ireland, 3776 Posts)
              
              
AnonJr (Moderator, United States, 5768 Posts), posted 16 October 2009 13:57:06
                     
                    
quote: Originally posted by Podge
Marcel, if you want to be thorough you should add a check to test if the value is numeric and greater than zero. Technically -1 is numeric but not valid as a Snitz querystring AFAIK.

It is valid for the whichpage variable IIRC...
                     
                    
              
              
HuwR (Forum Admin, United Kingdom, 20611 Posts), posted 17 October 2009 03:07:14
                     
                    
Yes, -1 is valid for the whichpage variable.
                     
                    
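As an added example (not code from this thread or from Snitz itself), here is a reusable form of Marcel's check that also applies Podge's "numeric and greater than zero" rule while allowing -1 for whichpage, as HuwR confirms above. The names IsValidIntParam and RejectRequest are my own; like the original snippet it is assumed to sit in config.asp before the database connection is opened, with response buffering on (the IIS default, which Server.Transfer needs).

```vbscript
<%
' Added example, not code from the original post or from Snitz.
' Reusable version of the querystring check: rejects anything that is not
' a plain integer, requires ID values to be greater than zero, and lets
' whichpage be -1 (the one parameter where that is a legitimate value).

' Returns True when the parameter is absent/empty or is a valid integer.
' Absent parameters are left for the page to handle; anything that is not
' a plain integer, or is out of the permitted range, is rejected.
Function IsValidIntParam(rawValue, allowMinusOne)
    Dim s, re, n
    s = CStr(rawValue)            ' Empty (parameter absent) becomes ""
    IsValidIntParam = True
    If s = "" Then Exit Function
    ' IsNumeric alone also accepts "1.5", "1e3", "&H1F" and currency
    ' symbols, so additionally require an optional minus and digits only.
    Set re = New RegExp
    re.Pattern = "^-?\d{1,9}$"
    If Not (IsNumeric(s) And re.Test(s)) Then
        IsValidIntParam = False
        Exit Function
    End If
    n = CLng(s)
    If n > 0 Then Exit Function
    If n = -1 And allowMinusOne Then Exit Function
    IsValidIntParam = False       ' zero, or a negative other than -1
End Function

' Send a real 401 and stop. The original snippet sets Response.Status and
' then calls Response.Redirect, but Redirect replaces the status with a
' 302, so the client never sees the 401. Server.Transfer renders the local
' 401.asp under the status set here, with the original query string intact.
Sub RejectRequest()
    Response.Status = "401 Access denied"
    Server.Transfer "401.asp"
    Response.End
End Sub

Dim idParams, i
idParams = Array("id", "TOPIC_ID", "REPLY_ID", "forum_id", "cat_id")
For i = 0 To UBound(idParams)
    If Not IsValidIntParam(Request.QueryString(idParams(i)), False) Then
        RejectRequest
    End If
Next
' whichpage is the one parameter for which -1 is a legitimate value.
If Not IsValidIntParam(Request.QueryString("whichpage"), True) Then
    RejectRequest
End If
%>
```

To cover a mod's own numeric parameters, add their names to the idParams array; a parameter repeated in the URL (id=1&id=2) arrives as "1, 2" and is rejected by the digits-only pattern, which is the safe default.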
              
              
Carefree (Advanced Member, Philippines, 4224 Posts), posted 17 October 2009 10:48:08
                     
                    
quote:
if Request.QueryString("whichpage") <> "" and IsNumeric(Request.QueryString("whichpage")) = false then
Response.Status="401 Access denied"
response.redirect "401.asp"
Response.End

You're missing an end if.
                     
                    
              
              
MarcelG (Retired Support Moderator, Netherlands, 2625 Posts)
              
              
Carefree (Advanced Member, Philippines, 4224 Posts), posted 15 December 2012 10:14:58
                     
                    
LOL, revisiting old topics and clicked your 401 link.
                     
                    
              
              
Giumer (Junior Member, Italy, 163 Posts), posted 15 December 2012 16:11:19
                     
                    
quote: Originally posted by Carefree
LOL, revisiting old topics and clicked your 401 link.

Mate, do you have a 401.asp page for me? Thx
                     
                    
Signature: http://www.Giumer.it/forum
              
              
Carefree (Advanced Member, Philippines, 4224 Posts), posted 26 December 2012 02:59:18
                     
                    
OK, I wrote one inspired by Marcel's. I captured the query strings (even if used on pages which don't contain forms or queries, e.g. default.asp?id='afab) and they are displayed on the 401 page. If the query contains an illegal character (for use in SQL injection attempts), the comment is changed to reflect that. I included an image appropriate to the occasion. You can get a copy on SnitzBitz.
                     
                    
Edited by Carefree on 26 December 2012 03:04:50
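An added example, not the 401.asp Carefree published on SnitzBitz: a minimal 401 page that echoes the captured query string and changes its message when injection-style characters are present, as that post describes. The point it adds is the check a reviewer would insist on: everything echoed came from the request, so it goes through Server.HTMLEncode before being written into the page, otherwise the 401 page itself becomes a place where request text is rendered as markup. The marker list and wording are constructed for illustration.

```vbscript
<%
' Added example, not Carefree's SnitzBitz page. Rebuilds the captured
' query string from Request.QueryString (already URL-decoded, so an
' encoded %27 is still recognised as a quote), picks a message, and
' displays the captured text HTML-encoded. The marker list is constructed.
Dim key, captured, msg, markers, i
captured = ""
For Each key In Request.QueryString
    If captured <> "" Then captured = captured & "&"
    captured = captured & key & "=" & Request.QueryString(key)
Next

msg = "This request has been logged."
markers = Array("'", """", ";", "--", "/*")
For i = 0 To UBound(markers)
    If InStr(captured, markers(i)) > 0 Then
        msg = "This request contained characters typical of SQL injection attempts and has been logged."
        Exit For
    End If
Next

Response.Status = "401 Access denied"
%>
<html>
<head><title>401 Access denied</title></head>
<body>
<h1>401 Access denied</h1>
<p><%= msg %></p>
<!-- Server.HTMLEncode turns < > & " into entities, so the echoed request
     text is displayed literally and cannot break out of the code element -->
<p>Captured request: <code><%= Server.HTMLEncode(captured) %></code></p>
</body>
</html>
```

The same encoding applies to anything else from the request you might add to the page (REMOTE_ADDR is safe, HTTP_USER_AGENT and HTTP_REFERER are not); if the page is reached via Response.Redirect rather than Server.Transfer, the original query string is no longer available and only the 401 page's own URL is captured.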
              
              
Giumer (Junior Member, Italy, 163 Posts)
              
              
HuwR (Forum Admin, United Kingdom, 20611 Posts)
              
              
                
                