Solved

Website Security Check

Posted on 2010-09-22
10
Medium Priority
651 Views
Last Modified: 2012-05-10
Is there any way to have a site "looked at" to identify vulnerabilities?  I have several sites that are getting scripts inserted into my sql server db and I am not sure how it is happening.  I have a script in place that I thought handled that but it is clearly missing something.  Is there a service that allows me to post a url and then identifies vulnerabilities?
0
Comment
Question by:Bob Schneider
10 Comments
 
LVL 29

Accepted Solution

by:
QPR earned 500 total points
ID: 33732854
Can you elaborate a bit? How do you mean scripts are getting inserted into your DB?
0
 

Author Comment

by:Bob Schneider
ID: 33732889
I don't know how they are getting in there but if I have a field in a sql server db that has a datatype of varchar and it has "room" (500 characters allowed, for instance), I find scripts in there occasionally.  It seems to me that my database structure has been identified and scripts are inserted somehow.
0
 
LVL 3

Assisted Solution

by:guitar7man
guitar7man earned 500 total points
ID: 33733881
How's your input validation on your forms? When you are parsing user-submitted content, are you validating what they are giving you (i.e. a number is a number, an email address is a properly formed email address, etc)? Are you encoding special characters? I suspect this is where the problem is.

To directly answer, yes there are services that can check *some* of this. I personally am not aware of any that are free though. McAfee Secure (formerly HackerSafe) comes to mind. There are other vulnerability scanners (tools) you could use that are open source - but that requires a bit of knowledge to use and won't tell you how to fix.... so your best bet is to go the service route. Costs money unfortunately, but you could also just revisit your input validation and make sure it's tight. Then see if anything else shows up in your DB.
0
 
LVL 4

Assisted Solution

by:rajivvishwa
rajivvishwa earned 1000 total points
ID: 33737091
There are a few things you need to do:

1. Change your database password
2. Check for the user permissions for tables and databases
3. It looks like your website is vulnerable to SQL Injection (owasp.org/index.php/SQL_Injection)
4. Check owasp.org for recommendations and pointers on secure coding (owasp.org/index.php/Secure_Coding_Principles)
5. Scan with various free tools (I don't know your dev platform)
** Web Vuln Tools **
a. Zeroday Online Scanner - http://www.zerodayscan.com/
b. WebSecurify - http://a4apphack.com/featured/websecurify-free-web-application-vulnerability-scanner
** SQLi Tools **
a. HP Scawlr - http://h30507.www3.hp.com/t5/The-HP-Security-Laboratory-Blog/Finding-SQL-Injection-with-Scrawlr/ba-p/30893
b. MS SCA for SQLi - http://blogs.msdn.com/b/sqlsecurity/archive/2008/06/24/microsoft-source-code-analyzer-for-sql-injection-june-2008-ctp.aspx

there are many others, google for details. All the best!
0
 

Author Comment

by:Bob Schneider
ID: 33740225
Here is my input validation:
1) When someone opens a page they are logged as follows:
[code]
'log this user if they are just entering the site
sql = "INSERT INTO AuthAccess(WhenHit, IPAddress, Page) VALUES ('" & Now() & "', '" & Request.ServerVariables("REMOTE_ADDR")
sql = sql & "', 'contact')"
Set rs = conn.Execute(sql)
Set rs = Nothing
[/code]

2) When they submit a form it is checked and, if they are recognized, their input is validated:

[code]
      'see if this user has entered from the form correctly within the past 20 minutes
      Set rs = Server.CreateObject("ADODB.Recordset")
      sql = "SELECT AuthAccessID FROM AuthAccess WHERE IPAddress = '" & Request.ServerVariables("REMOTE_ADDR")
      sql = sql & "' AND WhenHit >= '" & Now() - CSng(1/72) & "' AND Page = 'contact' ORDER BY AuthAccessID DESC"
      rs.Open sql, conn, 1, 2
      If rs.RecordCount > 0 Then Session("access_contact") = "y"
      rs.Close
      Set rs = Nothing

      If Session("access_contact") = "y" Then      'if they are an authorized user allow them to proceed
            Session.Contents.Remove("access_contact")
            
            sName = Request.Form.Item("name")
            If ValidateInput(sName) = False Then
                  sErrMsg = "I am sorry.  The information you have entered contains an illegal phrase and could not be sent.  If "
                  sErrMsg = sErrMsg & "you believe you have received this message in error please contact " & Session("school_name") & "."
            End If
            
            If sErrMsg = vbNullString Then
[/code]

3) Input Validation:

[code]
Private Function ValidateInput(sUserString)
      Dim sCharString

      ValidateInput = True

      For i = 1 To Len(sUserString) - 19
            If Mid(LCase(sUserString), i, 20) = "/script.js></script>" Then
                  ValidateInput = False
                  Exit Function
            End If
      Next

      For i = 1 To Len(sUserString) - 15
            If Mid(LCase(sUserString), i, 16) = "/js.js></script>" Then
                  ValidateInput = False
                  Exit Function
            End If
      Next
      
      For i = 1 To Len(sUserString) - 10
            If Mid(LCase(sUserString), i, 11) = "insert into" Then
                  ValidateInput = False
                  Exit Function
            End If
      Next
      
      For i = 1 To Len(sUserString) - 10
            If Mid(LCase(sUserString), i, 11) = "delete from" Then
                  ValidateInput = False
                  Exit Function
            End If
      Next
      
      For i = 1 To Len(sUserString) - 6
            If Mid(LCase(sUserString), i, 7) = ".update" Then
                  ValidateInput = False
                  Exit Function
            End If
      Next
      
      For i = 1 To Len(sUserString) - 9
            If Mid(LCase(sUserString), i, 10) = ";declare @" Then
                  ValidateInput = False
                  Exit Function
            End If
      Next
      
      For i = 1 To Len(sUserString) - 6
            If Mid(LCase(sUserString), i, 7) = " union " Then
                  ValidateInput = False
                  Exit Function
            End If
      Next
      
      For i = 1 To Len(sUserString) - 5
            If Mid(LCase(sUserString), i, 6) = " drop " Then
                  ValidateInput = False
                  Exit Function
            End If
      Next
End Function
[/code]

I work in Macromedia HomeSite and I use ASP.

Thanks for any help!
0
 
LVL 4

Assisted Solution

by:rajivvishwa
rajivvishwa earned 1000 total points
ID: 33749155
The input validation methods you have followed can easily be bypassed and there are various methods to do so.
Please check ESAPI developed by OWASP (open source, very mature) and any other commercial solutions available.
http://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API

P.S. Sorry for the delay in response.
0
 

Author Comment

by:Bob Schneider
ID: 33817076
I used a field script found above to filter metacharacters and I have installed Acunetix web scanner (free edition) and looked at all pages where forms are submitted and it tells me there is no vulnerability.  I am still getting scripts injected.  I have written a "script cleaner" that is effective in removing them and I am running it every hour on my server.  But I want to keep them out altogether.  I will keep working on that.

The bottom line is I have no idea how it is getting in there.....

In the interim can I use the replace function to ensure that these scripts never get to the end user when a page is opened?  I am thinking about trying to use Replace(sString, "<script" & * & "</script>", ""> in the sql query that pulls text from the db so that it does not get to the end user.  I am using classic asp and sql server.
0
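The two queries posted above in their parameterised form, with HTML encoding on output in place of a Replace() in the SELECT, as an added example that is not from the original thread or any of its commenters. It assumes an open ADODB connection `conn`, the author's AuthAccess table, and column widths (45, 50, 100) chosen here as assumptions; the ADO constants are declared inline in case adovbs.inc is not included.

```vbscript
<%
' Added example, not the asker's code. Binding values as parameters means a
' quote or semicolon inside a value can never close the string literal and
' append a second statement, which is the SQL injection path the thread
' suspects; the keyword blacklist in ValidateInput cannot give that guarantee.
Const adCmdText = 1
Const adParamInput = 1
Const adVarChar = 200
Const adDBTimeStamp = 135
Const adExecuteNoRecords = 128

Dim cmd
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText

' 1) Log the hit. The date is bound as a date, so no locale-dependent
'    Now() text ends up inside the SQL string.
cmd.CommandText = "INSERT INTO AuthAccess (WhenHit, IPAddress, Page) VALUES (?, ?, ?)"
cmd.Parameters.Append cmd.CreateParameter("@WhenHit", adDBTimeStamp, adParamInput, , Now())
cmd.Parameters.Append cmd.CreateParameter("@IPAddress", adVarChar, adParamInput, 45, Request.ServerVariables("REMOTE_ADDR"))
cmd.Parameters.Append cmd.CreateParameter("@Page", adVarChar, adParamInput, 50, "contact")
cmd.Execute , , adExecuteNoRecords

' 2) The 20-minute lookup, with the cut-off computed in VBScript and bound.
Dim rs
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
cmd.CommandText = "SELECT AuthAccessID FROM AuthAccess WHERE IPAddress = ? AND WhenHit >= ? AND Page = 'contact' ORDER BY AuthAccessID DESC"
cmd.Parameters.Append cmd.CreateParameter("@IPAddress", adVarChar, adParamInput, 45, Request.ServerVariables("REMOTE_ADDR"))
cmd.Parameters.Append cmd.CreateParameter("@Since", adDBTimeStamp, adParamInput, , DateAdd("n", -20, Now()))
Set rs = cmd.Execute
If Not rs.EOF Then Session("access_contact") = "y"   ' EOF works on the default forward-only cursor
rs.Close
Set rs = Nothing

' 3) Store the form field as data (length-bounded), and encode it whenever it
'    is written into a page. Encoding on output neutralises any tag in the
'    field, whereas Replace() on "<script ... </script>" only removes the one
'    spelling it is given.
Dim sName
sName = Left(Request.Form("name"), 100)   ' 100 = assumed column width
Response.Write "<p>Name: " & Server.HTMLEncode(sName) & "</p>"
%>
```

The same CreateParameter pattern applies to every other INSERT or UPDATE that currently concatenates Request.Form values; once no query builds SQL text from input, the hourly script cleaner becomes a detection aid rather than the control.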
 

Author Comment

by:Bob Schneider
ID: 34079455
I am more than happy to divide points based on what I have been given but I am waiting to see if my final post can be responded to.  This is a serious issue for me so I am hoping to get some more help.

Thanks!
0
 
LVL 27

Expert Comment

by:Tolomir
ID: 34079470
0
