Validate user input before using it for processing/display
Avoid displaying values entered by user directly from request object.
Restrict HTML tags from user input.
Do not directly pass user input to SQL Stored procedures from asp without filtering.
Protect the website from bugs and vulnerabilities
Create a Batch File and run it on website log files regularly for tracking IP Address of Potential hackers.
Subscribe to Microsoft security bulletin email alert and install latest security patches.
Introduction
Today more and more corporates are adopting the Internet as a model for doing business and communicating with their clients. While the Internet has brought transparency and convenience, it has also raised serious questions relating to security and privacy.
My five years in the software field have taught me that there is no such thing as 100% software security; it is a myth. I have seen people hacking into network systems by changing registry entries, controlling networks using TCP/IP-based utilities, reading the daily activities of unsuspecting computer users by installing key logger software, getting access to an ASP website's database login and password by simply manipulating a URL referring to global.asa in the browser, etc.
Most companies running websites do not even take preventive measures against getting hacked, let alone have a website security policy.
In this article I want to highlight the importance of the preventive steps one can take to avoid getting hacked.
Validate user input before using it for processing/display
1. Avoid displaying values entered by user directly from request object
Consider the following example:
Create an ASP file named request_test.asp and paste the following code into it to display a request object value directly.
<%
'***** File Name: request_test.asp ******
' Echoes the "value" parameter straight back to the browser with no
' validation; this is the habit the article warns against.
Response.Write Request("value")
'***** End of File *********************
%>
Type the following url: http://yourserver/request_test.asp?value=%
Following is the output: ˙LM/W3SVC/1/Root
Instead of returning % as output, the IIS web service root is displayed. There are a few more such instances where certain combinations of values reveal information about your IIS installation.
Webmaster's Note: I've been unable to reproduce this behavior on WinNT 4 or Win2000. Nevertheless, the point of checking for valid input before using it is an extremely valid one.
Avoid displaying values directly from the request object. It is also poor programming practice to call the request object repeatedly, which strains web server resources; try to minimize its usage.
2. Restrict HTML tags as user input
It is quite easy to execute client-side or server-side scripts from a normal-looking hyperlink submitted to the website by a user. Restrict the HTML tags you want users to be able to use on your site by writing a filter function. Some programmers think that blocking '<' and '>' in a function will stop users from running HTML tags on the website; that is not always the case. Be aware that Internet Explorer interprets '+ADwK-' and '&lt;' as '<' and '&gt;' as '>'.
Write the filter function in server-side script only; if you write it in client-side script, the user can easily bypass it by changing browser settings.
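The following is an added example, not code from the original article, written in Python so the logic can be run and tested; the same steps port to a server-side VBScript function. It shows why stripping only literal '<' and '>' is insufficient: the input is first normalized (HTML entities and UTF-7 shift sequences such as +ADw- are decoded to the characters the browser would see), then everything is escaped, and only an allowlist of bare tags is re-enabled. The allowed tag list is an assumption for this example.

```python
import html
import re

# Assumption for this example: only these bare inline tags are allowed through.
ALLOWED_TAGS = ("b", "i", "u")

# A UTF-7 shift sequence: '+', a base64 payload, and an optional '-' terminator.
UTF7_RUN = re.compile(r"\+[A-Za-z0-9+/]+-?")


def normalize(text):
    """Turn alternative spellings of '<' and '>' into the literal characters,
    so the filter sees what the browser would actually render."""
    # Named and numeric entities: &lt; &#60; &#x3c; ...
    text = html.unescape(text)

    # UTF-7 runs such as +ADw- ('<') and +AD4- ('>'). Runs that do not decode
    # cleanly are left as they are and get escaped with everything else below.
    def decode_run(match):
        try:
            return match.group(0).encode("ascii").decode("utf-7")
        except UnicodeDecodeError:
            return match.group(0)

    return UTF7_RUN.sub(decode_run, text)


def filter_html(user_input):
    """Escape all markup, then re-enable only allowed tags that carry no attributes."""
    escaped = html.escape(normalize(user_input), quote=True)
    allowed = re.compile(r"&lt;(/?)(%s)&gt;" % "|".join(ALLOWED_TAGS), re.IGNORECASE)
    return allowed.sub(lambda m: "<%s%s>" % (m.group(1), m.group(2).lower()), escaped)


if __name__ == "__main__":
    for sample in ("<b>hi</b> <h1>x</h1>", "+ADw-h1+AD4-big+ADw-/h1+AD4-", "&lt;i&gt;ok&lt;/i&gt;"):
        print(repr(sample), "->", repr(filter_html(sample)))
```

Normalizing before filtering is the key step: a blocklist applied to the raw bytes can be sidestepped by any encoding the browser accepts, whereas an allowlist applied after decoding lets through exactly the tags you chose and nothing else (a tag with attributes, such as <b class="x">, stays escaped because it does not match the bare-tag pattern).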
3. Do not directly pass user input to SQL Stored procedures from asp without filtering
Some ASP developers have the habit of passing request object values directly to SQL stored procedures without filtering their content. ASP developers must be aware that a malicious user can pass in a wildcard character ('%', '_'), which SQL permits, and retrieve all the records from the table.
This can easily be observed in the search facility provided by most websites: instead of typing alphanumeric characters to search for, just type %_% and click the search button, and it will return every record from the searched table. A good habit is to filter these wildcard characters out of user input.
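To make the wildcard problem concrete, here is an added example (not from the original article) in Python against an in-memory SQLite table standing in for the SQL Server table behind a search page. The table contents and the inline LIKE query are constructed for the example; the same escaping applies whether the pattern is built in ASP or inside a stored procedure. The unfiltered search reproduces the behaviour described above, where a term of %_% returns every row; the filtered search escapes '%' and '_' and declares the escape character with an ESCAPE clause so the user's text is matched literally.

```python
import sqlite3

ESCAPE_CHAR = "\\"


def escape_like(term, esc=ESCAPE_CHAR):
    """Escape the LIKE metacharacters (and the escape character itself)
    so that the user's text is treated literally inside a LIKE pattern."""
    return (term.replace(esc, esc + esc)
                .replace("%", esc + "%")
                .replace("_", esc + "_"))


def make_db():
    # Constructed sample data standing in for a product table.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE products (name TEXT)")
    con.executemany("INSERT INTO products VALUES (?)",
                    [("widget",), ("gadget",), ("100% cotton shirt",)])
    return con


def search_unfiltered(con, term):
    """The habit the article describes: the raw search term is dropped into the
    LIKE pattern, so '%' and '_' keep their wildcard meaning."""
    rows = con.execute("SELECT name FROM products WHERE name LIKE ?",
                       ("%" + term + "%",)).fetchall()
    return [r[0] for r in rows]


def search_filtered(con, term):
    """Hardened version: metacharacters are escaped and the ESCAPE clause tells
    the database which character marks an escaped literal."""
    pattern = "%" + escape_like(term) + "%"
    rows = con.execute("SELECT name FROM products WHERE name LIKE ? ESCAPE '\\'",
                       (pattern,)).fetchall()
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = make_db()
    print("unfiltered %_% :", search_unfiltered(db, "%_%"))   # every row
    print("filtered   %_% :", search_filtered(db, "%_%"))     # nothing
    print("filtered   100%:", search_filtered(db, "100%"))    # the literal match
```

Both functions use a bound parameter for the pattern, so this is not about quoting; the point is that LIKE metacharacters survive parameter binding and have to be neutralized separately. Escaping is preferable to deleting the characters, because a user searching for "100%" should still find "100% cotton shirt".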
Protect the website from bugs and vulnerabilities
1. Create a batch file and run it on the website log files regularly to track the IP addresses of potential hackers and block them
Add the following lines to your batch file; they are some of the keywords hackers use to break into your system or to launch a DoS attack:
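The author's batch file is not reproduced on this page. As an added example (not the article's own script), the following Python program does the same job over IIS W3C extended log lines: it parses the #Fields header, flags requests matching indicators that appear earlier in this article (a request for global.asa, or a query value consisting only of SQL wildcard characters), and counts flagged requests per client IP so that repeat offenders can be fed to a block list. The log lines and the field set are constructed for the example; IIS URL-encodes '%' in the query as %25, which the pattern accounts for.

```python
import re
from collections import Counter

# Constructed sample in IIS W3C extended format (assumed field selection).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 4.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-03-01 10:00:01 192.0.2.10 GET /default.asp - 200
2001-03-01 10:00:05 192.0.2.77 GET /global.asa - 403
2001-03-01 10:00:09 192.0.2.77 GET /search.asp q=%25_%25 200
2001-03-01 10:00:12 192.0.2.10 GET /search.asp q=widget 200
2001-03-01 10:00:20 192.0.2.77 GET /request_test.asp value=%25 200
"""

# Indicators taken from the article: fetching global.asa, and query values
# made up only of LIKE wildcards ('%' arrives URL-encoded as %25).
SUSPICIOUS = [
    ("global.asa requested", re.compile(r"/global\.asa$", re.IGNORECASE)),
    ("wildcard-only query value", re.compile(r"=(?:%25|%|_)+(?:&|$)", re.IGNORECASE)),
]


def parse_w3c(text):
    """Yield one dict per log record, keyed by the names in the #Fields line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))


def flag_requests(text):
    """Count flagged requests per client IP; a record is flagged once even if
    it matches several indicators."""
    hits = Counter()
    for rec in parse_w3c(text):
        stem = rec["cs-uri-stem"]
        query = rec.get("cs-uri-query", "-")
        for _label, pattern in SUSPICIOUS:
            if pattern.search(stem) or (query != "-" and pattern.search(query)):
                hits[rec["c-ip"]] += 1
                break
    return hits


def repeat_offenders(hits, threshold=2):
    """IPs with at least `threshold` flagged requests, most active first;
    this is the list a block rule would be built from."""
    return [ip for ip, n in hits.most_common() if n >= threshold]


if __name__ == "__main__":
    counts = flag_requests(SAMPLE_LOG)
    for ip, n in counts.most_common():
        print(ip, n)
    print("block candidates:", repeat_offenders(counts))
```

Running it on a log directory instead of the embedded sample is a matter of reading each file and concatenating the text before calling flag_requests. Keep the threshold above one: a single odd request is often a typo or a scanner that never returns, whereas repeated hits from one address are worth a block rule and a closer look at what else that address requested.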
2. Subscribe to Microsoft security bulletin email alert and install latest security patches
Send a blank email to microsoft_security-subscribe-request@announce.microsoft.com to subscribe to Microsoft's security bulletin, which covers bugs and vulnerabilities in Microsoft products and their fixes, and apply the patches to your web server when required.