tags:

views:

333

answers:

2
+2  Q: 

Detect URL Abuse and Hack Attempts.

I have a website that seems to get more than it's fair share of hacking attempts. It has not been broken yet, but I'd like to build into the system a good way to detect the attempt and block the IP.

Would the best way to detect this be to simply do a string search for phrases like "varchar" and "sysobjects"?

Offending URL: http://www.example.com/default.aspx?id=58 And char(124)+(Select Cast(Count(1) as varchar(8000))+char(124) From [sysobjects] Where 1=1)>0

Source: System.Web

Message: Exception of type 'System.Web.HttpUnhandledException' was thrown.

User IP: 187.13.142.33

User Browser: Unknown 0.0

User OS: Unknown

Stack trace: at System.Web.UI.Page.HandleError(Exception e) at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) at System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) at System.Web.UI.Page.ProcessRequest() at System.Web.UI.Page.ProcessRequestWithNoAssert(HttpContext context) at System.Web.UI.Page.ProcessRequest(HttpContext context) at ASP.default_aspx.ProcessRequest(HttpContext context) at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean completedSynchronously)

+1  A: 

Would the best way to detect this be to simply do a string search for phrases like "varchar" and "sysobjects"?

Not if you're going to immediately throw an exception when you see them... then you'd be breaking your application if the user decided they wanted to eg. search your site for information about varchars.

If your application is properly written, “XSS protection” hacks like this provide nothing except these occasional breakages. If your application isn't properly written, the ‘protection’ is at best an ineffective obfuscation.

You could certainly log requests that look like they might be attacks so you can go through and review attacker IPs later. Unfortunately this tends not to be as much use as you might think, as so many of the attack scripts are running on networks of compromised servers and botnet trojans, with a huge selection of IP addresses to choose from.

bobince  2009-11-10 20:36:32
However, I don't use site search in this app, so no one would be doing that, and if I did, I would not be using the querystring for the search. Would this make a difference?Also, can you point me in the right direction for "XSS Protection"
rockinthesixstring  2009-11-10 20:39:58
It's not specific to search, I'm just saying blocking access when there are keywords you think are bad can easily have negative consequences you didn't immediately think of. I have no clue what your application does so I can't give you a specific example but if StackOverflow enabled the hopeless broken XSS protection feature that's on by default in ASP.NET (one of Microsoft's worse decisions), we wouldn't be able to have this conversation as we'd be triggering block rules left right and centre. The correct direction to head for “XSS Protection” is away from it, as fast as possible.
bobince  2009-11-10 22:31:58
So I'm still looking for an alternative solution. My app is a CMS similar to Sitefinity. I am using URL Rewriting, but hackers still try and insert SQL into the Querystring. Also, not sure if it matters, but I am using parametrized stored procedures and LINQ to build the classes and execute them. I just want to block the traffic all together, this is why I was thinking of doing the string search, logging the attack and then redirecting them to Google.
rockinthesixstring  2009-11-11 17:30:04
If your application is secure, what are you hoping to gain by this? Automated bot hacks don't care how you respond to them; the only people to whom this will make a difference are genuine users you block due to false positives.
bobince  2009-11-11 18:54:23
A: 

If you really want to detect (and eventually block) the intruders, perhaps going an alternate route and install a Firewall with an intrusion protection system would be helpful. Especially if the firewall could be block the offending host for a short while. Afaik Astaro has such a system. This way, the application is physically isolated with the intrusion detection logic, and cannot (easily) compromise each other.

On topic, I think the best way to handle SQL injection is to log the attempt, not block it. Of course, you should first let the system undergo a thorough code-inspection to find any loose ends. Be sure to sanitize all tainted data (from user input or otherwise), use parameterized queries and code defensively.

Sune Rievers  2009-11-13 16:41:42

related questions

Is it better to create Model classes, or just stick with generic database utility class?
What are effective options for embedding video in an ASP.NET web site?
Visual Studio 2008 debugger already attached work-around
Tracking state using ASP.NET AJAX / ICallbackEventHandler
ASP.NET Display SVN Revision Number
ASP.NET URL Rewriting
How can I change the background of a masterpage from the code behind of a content page?
Easy way to AJAX WebControls
How do I define custom web.config sections with potential child elements and attributes for the properties?
ASP.NET MVC "CRUD" Database Sample
Are Multiple DataContext classes ever appropriate?
How to RedirectToAction in ASP.NET MVC without losing request data
Triple Quotes? How do I delimit a databound Javascript string parameter in ASP.NET?
ASP.NET built in user profile, Vs old stile user class/tables
What's a good book for learning ASP?
Bandwith throttling in IIS 6 by IP Address
ASP .Net Custom Client-Side Validation
How to get the value of built, encoded ViewState?
Decent, simple, GIS/mapping component for ASP.NET?
Checklist for IIS 6/ASP.NET Windows Authentication?
How to write to Web.Config in Medium Trust ?
ASP.NET, Visual Studio and Subversion - how to integrate?
Floating Point Number parsing: Is there a Catch All algorithm?
How do I sync the SVN revision number with my ASP.NET web site?
ASP.NET Site Maps