The Forum has been Updated
The code has been upgraded to the latest .NET core version. Please check instructions in the Community Announcements about migrating your account.
I'm a bit paranoia when it gets to websitesecurity.
I often see people active on my websites who are trying to perform strange pagerequests, with stuff like TOPIC_ID=100+1+1+AND' etc.
To keep those people out (and send them a message) I've implemented the following lines of code in config.asp, before the database is even opened.
What it does is this:
- it checks for the various numeric querystrings used by Snitz to see if they are numeric or not. - if they're not empty but also not numeric, the user is redirected to a 401 page, which tells them that they're busted.
Example: http://oxle.com/topic.asp?topic_id=6205+lamehackattack$
(Warning, my 401 page is pretty rude...
)
You can extend this with custom numeric querystrings used on your forum, for for example the blogmod, download mods etc.
This code is put in config.asp above the line that starts with this:
Make sure you create a 401.asp page so that the viewer is notified he's being watched. Or redirect to something else instead, that's also possible of course.
I've tried to get as many numeric querystrings in here as I could think of, but if you know one that I've missed, please let me know.
***** EDIT: code fixed, Carefree spotted a missing end if*****
- it checks for the various numeric querystrings used by Snitz to see if they are numeric or not. - if they're not empty but also not numeric, the user is redirected to a 401 page, which tells them that they're busted.
Example: http://oxle.com/topic.asp?topic_id=6205+lamehackattack$
(Warning, my 401 page is pretty rude...
)You can extend this with custom numeric querystrings used on your forum, for for example the blogmod, download mods etc.
Code:
'let us keep out the querystring injectors before we open up the SQL connection
if Request.QueryString("id") <> "" and IsNumeric(Request.QueryString("id")) = false then
Response.Status="401 Access denied"
response.redirect "401.asp"
Response.End
end if
if Request.QueryString("whichpage") <> "" and IsNumeric(Request.QueryString("whichpage")) = false then
Response.Status="401 Access denied"
response.redirect "401.asp"
Response.End
end if
if Request.QueryString("TOPIC_ID") <> "" and IsNumeric(Request.QueryString("TOPIC_ID")) = false then
Response.Status="401 Access denied"
response.redirect "401.asp"
Response.End
end if
if Request.QueryString("REPLY_ID") <> "" and IsNumeric(Request.QueryString("REPLY_ID")) = false then
Response.Status="401 Access denied"
response.redirect "401.asp"
Response.End
end if
if Request.QueryString("forum_id") <> "" and IsNumeric(Request.QueryString("forum_id")) = false then
Response.Status="401 Access denied"
response.redirect "401.asp"
Response.End
end if
if Request.QueryString("cat_id") <> "" and IsNumeric(Request.QueryString("cat_id")) = false then
Response.Status="401 Access denied"
response.redirect "401.asp"
Response.End
end if
'end of the querystring injectors protectionCode:
dim strDBType, Make sure you create a 401.asp page so that the viewer is notified he's being watched. Or redirect to something else instead, that's also possible of course.
I've tried to get as many numeric querystrings in here as I could think of, but if you know one that I've missed, please let me know.
***** EDIT: code fixed, Carefree spotted a missing end if*****
Posted
LOL, revisiting old topics and clicked your 401 link.
Posted
Originally posted by Carefree
LOL, revisiting old topics and clicked your 401 link.
mate you have 1 page 401.asp for me ?? thx
Posted
OK, I wrote one inspired by Marcel's. I captured the query strings (even if used on pages which don't contain forms or queries, e.g. default.asp?id='afab) and they are displayed on the 401 page. If the query contains an illegal character (for use in SQL injection attempts), the comment is changed to reflect that. I included an image appropriate to the occasion. You can get a copy on SnitzBitz.
Posted
ok !! Grazie !! test !! http://giumer.it/forum/topic.asp?topic_id=6205+lamehackattack$
Posted
strictly speaking you should be issuing a 400 Bad Request not a 401 Unauthorized
Posted
but the page does not mean 404 page not found?
Posted
Originally posted by Giumer
but the page does not mean 404 page not found?
No. The page is found, but the query string passed isn't allowed. If you want a custom 404 page, that's a whole different topic.
Posted
Unauthorized normally implies it has failed authentication, but in fact you are failing it due to bad request parameters being passed not because it is failing any kind of authentication.
Posted
Originally posted by Giumer
ok !! Grazie !! test !! http://giumer.it/forum/topic.asp?topic_id=6205+lamehackattack$
Works perfectly (in my opinion LOL). Testing it as "http://giumer.it/forum/default.asp?id=!#test" results in the attempted hack message.