Solved

Website Security Check

Posted on 2010-09-22
641 Views
Last Modified: 2012-05-10
Is there any way to have a site "looked at" to identify vulnerabilities?  I have several sites that are getting scripts inserted into my sql server db and I am not sure how it is happening.  I have a script in place that I thought handled that but it is clearly missing something.  Is there a service that allows me to post a url and then identifies vulnerabilities?
Question by:Bob Schneider
10 Comments
Accepted Solution by: QPR (earned 125 total points)
can you elaborate a bit? How do you mean scripts are getting inserted into your DB?

Author Comment by: Bob Schneider
I don't know how they are getting in there but if I have a field in a SQL Server db that has a datatype of varchar and it has "room" (500 characters allowed, for instance), I find scripts in there occasionally.  It seems to me that my database structure has been identified and scripts are inserted somehow.

Assisted Solution by: guitar7man (earned 125 total points)
How's your input validation on your forms? When you are parsing user-submitted content, are you validating what they are giving you (i.e. a number is a number, an email address is a properly formed email address, etc.)? Are you encoding special characters? I suspect this is where the problem is.

To directly answer, yes there are services that can check *some* of this. I personally am not aware of any that are free though. McAfee Secure (formerly HackerSafe) comes to mind. There are other vulnerability scanners (tools) you could use that are open source - but that requires a bit of knowledge to use and won't tell you how to fix.... so your best bet is to go the service route. Costs money unfortunately, but you could also just revisit your input validation and make sure it's tight. Then see if anything else shows up in your DB.
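The kind of positive ("allowlist") validation described above, as an added classic ASP example that is not code from any post in this thread. Each check states what a valid value looks like and rejects everything else, instead of searching for known-bad strings. The form field names (`name`, `email`, `grade`, `message`) and the length limits are assumptions for the illustration.

```vbscript
<%
' Added example (not the original poster's code): allowlist validation of
' contact-form fields. Each function describes the shape of a valid value;
' anything else is rejected. Field names and limits are assumed.
Option Explicit

' Conservative e-mail shape: local part, @, dotted domain, 2+ letter TLD.
Function IsValidEmail(sValue)
    Dim re
    Set re = New RegExp
    re.IgnoreCase = True
    re.Pattern = "^[A-Z0-9._%+\-]+@[A-Z0-9.\-]+\.[A-Z]{2,}$"
    IsValidEmail = (Len(sValue) <= 254) And re.Test(sValue)
End Function

' Whole number within a range. IsNumeric alone is too loose: it accepts
' "1e3", "$5" and " 7 ", so the digits are matched explicitly first.
Function IsValidInteger(sValue, nMin, nMax)
    Dim re
    Set re = New RegExp
    re.Pattern = "^-?[0-9]{1,9}$"
    If re.Test(sValue) Then
        IsValidInteger = (CLng(sValue) >= nMin) And (CLng(sValue) <= nMax)
    Else
        IsValidInteger = False
    End If
End Function

' Free text: bounded length, printable ASCII plus ordinary whitespace only,
' so control characters never reach the database.
Function IsValidFreeText(sValue, nMaxLen)
    Dim re
    Set re = New RegExp
    re.Pattern = "^[\x20-\x7E\r\n\t]*$"
    IsValidFreeText = (Len(sValue) <= nMaxLen) And re.Test(sValue)
End Function

' Validate the whole form and return every problem found, or "" if clean.
' CStr() turns a missing field (Empty) into "" so the checks behave uniformly.
Function ValidateContactForm()
    Dim sErrors, sName, sEmail, sGrade, sMessage
    sErrors = ""
    sName = CStr(Request.Form("name"))
    sEmail = CStr(Request.Form("email"))
    sGrade = CStr(Request.Form("grade"))
    sMessage = CStr(Request.Form("message"))

    If Len(sName) = 0 Or Not IsValidFreeText(sName, 100) Then
        sErrors = sErrors & "Name is required (plain text, up to 100 characters). "
    End If
    If Not IsValidEmail(sEmail) Then
        sErrors = sErrors & "Email address is not valid. "
    End If
    If Not IsValidInteger(sGrade, 1, 12) Then
        sErrors = sErrors & "Grade must be a number from 1 to 12. "
    End If
    If Not IsValidFreeText(sMessage, 500) Then
        sErrors = sErrors & "Message may contain only plain text (up to 500 characters). "
    End If
    ValidateContactForm = sErrors
End Function

' Usage in the form handler:
'   sErrMsg = ValidateContactForm()
'   If sErrMsg = "" Then ... store the values ... End If
%>
```

The printable-ASCII rule in `IsValidFreeText` is deliberately strict and would reject accented names; widen it to the character set the site actually needs rather than loosening it to "anything but `<script`". Validation like this limits what gets stored, but it does not by itself make the SQL safe: the queries that write the values still need parameters rather than string concatenation.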

Assisted Solution by: rajivvishwa (earned 250 total points)
There are a few things you need to do,

1. Change your database password
2. Check the user permissions for tables and databases
3. It looks like your website is vulnerable to SQL Injection (owasp.org/index.php/SQL_Injection)
4. Check owasp.org for recommendations and pointers on secure coding (owasp.org/index.php/Secure_Coding_Principles)
5. Scan with various free tools (I don't know your dev platform)
** Web Vuln Tools **
a. Zeroday Online Scanner - http://www.zerodayscan.com/
b. WebSecurify - http://a4apphack.com/featured/websecurify-free-web-application-vulnerability-scanner
** SQLi Tools **
a. HP Scawlr - http://h30507.www3.hp.com/t5/The-HP-Security-Laboratory-Blog/Finding-SQL-Injection-with-Scrawlr/ba-p/30893
b. MS SCA for SQLi - http://blogs.msdn.com/b/sqlsecurity/archive/2008/06/24/microsoft-source-code-analyzer-for-sql-injection-june-2008-ctp.aspx

there are many others, google for details. All the best!

Author Comment by: Bob Schneider
Here is my input validation:
1) When someone opens a page they are logged as follows:
[code]

'log this user if they are just entering the site
sql = "INSERT INTO AuthAccess(WhenHit, IPAddress, Page) VALUES ('" & Now() & "', '" & Request.ServerVariables("REMOTE_ADDR")
sql = sql & "', 'contact')"
Set rs = conn.Execute(sql)
Set rs = Nothing
[/code]

2) When they submit a form it is checked and, if they are recognized, their input is validated:

[code]
      'see if this user has entered from the form correctly within the past 20 minutes
      Set rs = Server.CreateObject("ADODB.Recordset")
      sql = "SELECT AuthAccessID FROM AuthAccess WHERE IPAddress = '" & Request.ServerVariables("REMOTE_ADDR")
      sql = sql & "' AND WhenHit >= '" & Now() - CSng(1/72) & "' AND Page = 'contact' ORDER BY AuthAccessID DESC"
      rs.Open sql, conn, 1, 2
      If rs.RecordCount > 0 Then Session("access_contact") = "y"
      rs.Close
      Set rs = Nothing

      If Session("access_contact") = "y" Then      'if they are an authorized user allow them to proceed
            Session.Contents.Remove("access_contact")
            
            sName = Request.Form.Item("name")
            If ValidateInput(sName) = False Then
                  sErrMsg = "I am sorry.  The information you have entered contains an illegal phrase and could not be sent.  If "
                  sErrMsg = sErrMsg & "you believe you have received this message in error please contact " & Session("school_name") & "."
            End If
            
            If sErrMsg = vbNullString Then
[/code]

3) Input Validation:

[code]
Private Function ValidateInput(sUserString)
      Dim sCharString

      ValidateInput = True

      For i = 1 To Len(sUserString) - 19
            If Mid(LCase(sUserString), i, 20) = "/script.js></script>" Then
                  ValidateInput = False
                  Exit Function
            End If
      Next

      For i = 1 To Len(sUserString) - 15
            If Mid(LCase(sUserString), i, 16) = "/js.js></script>" Then
                  ValidateInput = False
                  Exit Function
            End If
      Next
      
      For i = 1 To Len(sUserString) - 10
            If Mid(LCase(sUserString), i, 11) = "insert into" Then
                  ValidateInput = False
                  Exit Function
            End If
      Next
      
      For i = 1 To Len(sUserString) - 10
            If Mid(LCase(sUserString), i, 11) = "delete from" Then
                  ValidateInput = False
                  Exit Function
            End If
      Next
      
      For i = 1 To Len(sUserString) - 6
            If Mid(LCase(sUserString), i, 7) = ".update" Then
                  ValidateInput = False
                  Exit Function
            End If
      Next
      
      For i = 1 To Len(sUserString) - 9
            If Mid(LCase(sUserString), i, 10) = ";declare @" Then
                  ValidateInput = False
                  Exit Function
            End If
      Next
      
      For i = 1 To Len(sUserString) - 6
            If Mid(LCase(sUserString), i, 7) = " union " Then
                  ValidateInput = False
                  Exit Function
            End If
      Next
      
      For i = 1 To Len(sUserString) - 5
            If Mid(LCase(sUserString), i, 6) = " drop " Then
                  ValidateInput = False
                  Exit Function
            End If
      Next
End Function
[/code]

I work in Macromedia HomeSite and I use ASP.

Thanks for any help!
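The two queries in the post above build SQL by concatenating `Request.ServerVariables("REMOTE_ADDR")` and form values into the statement text, which is exactly how a value containing a quote and its own SQL gets executed; the `ValidateInput` denylist cannot close that hole because it only looks for a handful of phrases. Below is an added example (not the poster's code, not from any project in the thread) of the same INSERT and SELECT rewritten with `ADODB.Command` parameters, the standard classic ASP way to keep data out of the SQL text. It assumes `conn` is an open `ADODB.Connection` as in the original snippets; the `ContactMessages` table in the last routine is an assumption.

```vbscript
<%
' Added example (not the original poster's code): the AuthAccess queries from
' the posts above, rewritten to bind values with ADODB.Command parameters.
' The driver sends each value separately from the SQL, so a value such as
' "x'); INSERT INTO ..." is stored as plain text and never parsed as SQL.
' Assumes conn is an open ADODB.Connection.
Option Explicit

' ADO constants, normally supplied by adovbs.inc
Const adCmdText = 1
Const adParamInput = 1
Const adVarChar = 200
Const adDBTimeStamp = 135

' Build a command whose SQL uses "?" placeholders, one per parameter.
Function NewCommand(conn, sql)
    Dim cmd
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandText = sql
    cmd.CommandType = adCmdText
    Set NewCommand = cmd
End Function

' 1) Log the visit. The IP address is bound, not concatenated.
Sub LogAccess(conn, sPage)
    Dim cmd
    Set cmd = NewCommand(conn, _
        "INSERT INTO AuthAccess (WhenHit, IPAddress, Page) VALUES (?, ?, ?)")
    cmd.Parameters.Append cmd.CreateParameter("@WhenHit", adDBTimeStamp, adParamInput, , Now())
    cmd.Parameters.Append cmd.CreateParameter("@IPAddress", adVarChar, adParamInput, 45, _
        Request.ServerVariables("REMOTE_ADDR"))
    cmd.Parameters.Append cmd.CreateParameter("@Page", adVarChar, adParamInput, 50, sPage)
    cmd.Execute
    Set cmd = Nothing
End Sub

' 2) Has this IP address hit the page within the last 20 minutes?
'    The cutoff is computed with DateAdd and bound as a date, so no date
'    string is ever spliced into the SQL.
Function RecentlyVisited(conn, sPage)
    Dim cmd, rs
    Set cmd = NewCommand(conn, _
        "SELECT TOP 1 AuthAccessID FROM AuthAccess " & _
        "WHERE IPAddress = ? AND WhenHit >= ? AND Page = ? ORDER BY AuthAccessID DESC")
    cmd.Parameters.Append cmd.CreateParameter("@IPAddress", adVarChar, adParamInput, 45, _
        Request.ServerVariables("REMOTE_ADDR"))
    cmd.Parameters.Append cmd.CreateParameter("@Since", adDBTimeStamp, adParamInput, , _
        DateAdd("n", -20, Now()))
    cmd.Parameters.Append cmd.CreateParameter("@Page", adVarChar, adParamInput, 50, sPage)
    Set rs = cmd.Execute
    RecentlyVisited = Not rs.EOF
    rs.Close
    Set rs = Nothing
    Set cmd = Nothing
End Function

' 3) Storing a form field (assumed ContactMessages table, varchar(500) column).
'    Whatever the user typed, including SQL keywords, is stored verbatim as data.
Sub SaveContactName(conn, sName)
    Dim cmd
    Set cmd = NewCommand(conn, "INSERT INTO ContactMessages (Name) VALUES (?)")
    cmd.Parameters.Append cmd.CreateParameter("@Name", adVarChar, adParamInput, 500, sName)
    cmd.Execute
    Set cmd = Nothing
End Sub

' Usage in the page, replacing the concatenated versions:
'   LogAccess conn, "contact"
'   If RecentlyVisited(conn, "contact") Then Session("access_contact") = "y"
%>
```

Every query that takes a value from `Request.Form`, `Request.QueryString`, cookies or server variables needs the same treatment; one remaining concatenated query anywhere on the site is enough to explain the rows that keep appearing. Keeping the database account limited to the tables and operations the site actually uses (point 2 in rajivvishwa's list) bounds what a missed query can do.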

Assisted Solution by: rajivvishwa (earned 250 total points)
The input validation methods you have followed can easily be bypassed and there are various methods to do so.
Please check ESAPI developed by OWASP (open source, very mature) and any other commercial solutions available.
http://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API

P.S. Sorry for the delay in response.

Author Comment by: Bob Schneider
I used the field script found above to filter metacharacters and I have installed Acunetix web scanner (free edition) and looked at all pages where forms are submitted and it tells me there is no vulnerability.  I am still getting scripts injected.  I have written a "script cleaner" that is effective in removing them and I am running it every hour on my server.  But I want to keep them out altogether.  I will keep working on that.

The bottom line is I have no idea how it is getting in there.....

In the interim can I use the replace function to ensure that these scripts never get to the end user when a page is opened?  I am thinking about trying to use Replace(sString, "<script" & * & "</script>", ""> in the sql query that pulls text from the db so that it does not get to the end user.  I am using classic asp and sql server.
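On the interim question above: VBScript's `Replace` has no wildcard, so `"<script" & * & "</script>"` cannot be written, and even a pattern-based strip of `<script>` tags would leave other ways of running script in HTML untouched. The defensive approach is to encode at output time with `Server.HTMLEncode`, so the stored text is displayed exactly as it is in the column and never interpreted by the browser. Below is an added example of that (not the poster's code); the `ContactMessages` table and its `Name`, `Body` and `ContactMessageID` columns are assumptions.

```vbscript
<%
' Added example (not the original poster's code): render text read from the
' database with Server.HTMLEncode instead of trying to strip script tags.
' HTMLEncode turns < > & and " into entities, so a stored "<script>..."
' is shown literally and the browser never executes it. Table and column
' names are assumed; conn is an open ADODB.Connection.
Option Explicit

Const adOpenForwardOnly = 0
Const adLockReadOnly = 1

' Encode one field for HTML element content or a double-quoted attribute.
' NULL from the database becomes an empty string.
Function SafeHtml(vValue)
    If IsNull(vValue) Then
        SafeHtml = ""
    Else
        SafeHtml = Server.HTMLEncode(CStr(vValue))
    End If
End Function

' Preserve line breaks for display, but only AFTER encoding, so the
' <br> tags are the only markup that can appear in the output.
Function SafeHtmlMultiline(vValue)
    SafeHtmlMultiline = Replace(SafeHtml(vValue), vbCrLf, "<br>")
End Function

' Write the stored messages to the page. Every value from the recordset
' passes through SafeHtml on its way out.
Sub ShowMessages(conn)
    Dim rs
    Set rs = Server.CreateObject("ADODB.Recordset")
    rs.Open "SELECT Name, Body FROM ContactMessages ORDER BY ContactMessageID DESC", _
        conn, adOpenForwardOnly, adLockReadOnly
    Do Until rs.EOF
        Response.Write "<div class=""msg"" title=""" & SafeHtml(rs("Name")) & """>"
        Response.Write "<b>" & SafeHtml(rs("Name")) & "</b>: "
        Response.Write SafeHtmlMultiline(rs("Body"))
        Response.Write "</div>" & vbCrLf
        rs.MoveNext
    Loop
    rs.Close
    Set rs = Nothing
End Sub

' Usage:  ShowMessages conn
%>
```

Encoding on output is the right stopgap while the write path is being fixed: it stops an injected script from reaching visitors regardless of how it got into the table. It does not address the root cause, which is the query that let the row in, so the hourly cleaner and the encoding should be kept alongside, not instead of, parameterised queries. Values placed anywhere other than element content or a quoted attribute (inside a `<script>` block, a URL, or a CSS property) need the encoding appropriate to that context rather than `HTMLEncode`.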

Author Comment by: Bob Schneider
I am more than happy to divide points based on what I have been given but I am waiting to see if my final post can be responded to.  This is a serious issue for me so I am hoping to get some more help.

Thanks!

Expert Comment by: Tolomir