Website Security Check

Is there any way to have a site "looked at" to identify vulnerabilities?  I have several sites that are getting scripts inserted into my sql server db and I am not sure how it is happening.  I have a script in place that I thought handled that but it is clearly missing something.  Is there a service that allows me to post a url and then identifies vulnerabilities?
Asked by Bob Schneider
 
QPR commented:
can you elaborate a bit? How do you mean scripts are getting inserted into your DB?
 
Bob Schneider (Co-Owner, Author) commented:
I don't know how they are getting in there but if I have a field in a SQL Server db that has a datatype of varchar and it has "room" (500 characters allowed, for instance), I find scripts in there occasionally. It seems to me that my database structure has been identified and scripts are inserted somehow.
 
guitar7man commented:
How's your input validation on your forms? When you are parsing user-submitted content, are you validating what they are giving you (i.e. a number is a number, an email address is a properly formed email address, etc.)? Are you encoding special characters? I suspect this is where the problem is.

To directly answer, yes there are services that can check *some* of this. I personally am not aware of any that are free though. McAfee Secure (formerly HackerSafe) comes to mind. There are other vulnerability scanners (tools) you could use that are open source, but that requires a bit of knowledge to use and won't tell you how to fix.... so your best bet is to go the service route. Costs money unfortunately, but you could also just revisit your input validation and make sure it's tight. Then see if anything else shows up in your DB.
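As an added example (not from guitar7man's reply or the original site), this is what allowlist validation of the kind described above looks like in classic ASP/VBScript: each field is accepted only if it matches the shape it should have, instead of being searched for bad substrings. The field names, length limits and the RegExp patterns are assumptions.

```vbscript
' Added example: allowlist validation for form fields in classic ASP/VBScript.
' Field names and size limits are assumptions, not from the original site.
Option Explicit

' True only when the whole value matches sPattern (anchored at both ends).
Function MatchesWhole(sValue, sPattern)
    Dim re
    Set re = New RegExp
    re.Pattern = "^(?:" & sPattern & ")$"
    re.IgnoreCase = True
    re.Global = False
    MatchesWhole = re.Test(sValue & "")   ' & "" turns Empty/Null into ""
End Function

' A person's name: letters, spaces, apostrophes and hyphens, 1 to 100 chars.
Function IsValidName(sName)
    IsValidName = MatchesWhole(sName, "[A-Za-z][A-Za-z '\-]{0,99}")
End Function

' A plausibly formed e-mail address with no whitespace or angle brackets.
Function IsValidEmail(sEmail)
    IsValidEmail = (Len(sEmail & "") <= 254) And _
        MatchesWhole(sEmail, "[A-Za-z0-9._%+\-]+@[A-Za-z0-9\-]+(?:\.[A-Za-z0-9\-]+)*\.[A-Za-z]{2,}")
End Function

' A positive whole number of up to four digits (e.g. a grade or quantity).
Function IsValidSmallNumber(sValue)
    IsValidSmallNumber = MatchesWhole(sValue, "[1-9][0-9]{0,3}")
End Function

' Free text (a message body) cannot be allowlisted by content; cap its length
' here and rely on parameterized SQL and Server.HTMLEncode on output instead.
Function IsValidMessage(sText)
    IsValidMessage = (Len(sText & "") >= 1) And (Len(sText & "") <= 2000)
End Function

' Usage in the form handler, in place of a substring blocklist:
Sub CheckContactForm()
    Dim sErrMsg
    sErrMsg = ""
    If Not IsValidName(Request.Form.Item("name")) Then sErrMsg = "Please enter a valid name."
    If Not IsValidEmail(Request.Form.Item("email")) Then sErrMsg = "Please enter a valid e-mail address."
    If Not IsValidMessage(Request.Form.Item("message")) Then sErrMsg = "Please enter a message (max 2000 characters)."
    If sErrMsg <> "" Then Response.Write Server.HTMLEncode(sErrMsg)
End Sub
```

A value that fails the allowlist is rejected outright; nothing is "cleaned" and passed on, which is what makes this approach hard to bypass.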
 
rajivvishwa commented:
There are a few things you need to do:

1. Change your database password
2. Check for the user permissions for tables and databases
3. It looks like your website is vulnerable to SQL Injection (owasp.org/index.php/SQL_Injection)
4. Check owasp.org for recommendations and pointers on secure coding (owasp.org/index.php/Secure_Coding_Principles)
5. Scan with various free tools (I don't know your dev platform)
** Web Vuln Tools **
a. Zeroday Online Scanner - http://www.zerodayscan.com/
b. WebSecurify - http://a4apphack.com/featured/websecurify-free-web-application-vulnerability-scanner
** SQLi Tools **
a. HP Scawlr - http://h30507.www3.hp.com/t5/The-HP-Security-Laboratory-Blog/Finding-SQL-Injection-with-Scrawlr/ba-p/30893
b. MS SCA for SQLi - http://blogs.msdn.com/b/sqlsecurity/archive/2008/06/24/microsoft-source-code-analyzer-for-sql-injection-june-2008-ctp.aspx

There are many others, google for details. All the best!
 
Bob Schneider (Co-Owner, Author) commented:
Here is my input validation:
1) When someone opens a page they are logged as follows:
[code]

'log this user if they are just entering the site
sql = "INSERT INTO AuthAccess(WhenHit, IPAddress, Page) VALUES ('" & Now() & "', '" & Request.ServerVariables("REMOTE_ADDR")
sql = sql & "', 'contact')"
Set rs = conn.Execute(sql)
Set rs = Nothing
[/code]

2) When they submit a form it is checked and, if they are recognized, their input is validated:

[code]
      'see if this user has entered from the form correctly within the past 20 minutes
      Set rs = Server.CreateObject("ADODB.Recordset")
      sql = "SELECT AuthAccessID FROM AuthAccess WHERE IPAddress = '" & Request.ServerVariables("REMOTE_ADDR")
      sql = sql & "' AND WhenHit >= '" & Now() - CSng(1/72) & "' AND Page = 'contact' ORDER BY AuthAccessID DESC"
      rs.Open sql, conn, 1, 2
      If rs.RecordCount > 0 Then Session("access_contact") = "y"
      rs.Close
      Set rs = Nothing

      If Session("access_contact") = "y" Then      'if they are an authorized user allow them to proceed
            Session.Contents.Remove("access_contact")
            
            sName = Request.Form.Item("name")
            If ValidateInput(sName) = False Then
                  sErrMsg = "I am sorry.  The information you have entered contains an illegal phrase and could not be sent.  If "
                  sErrMsg = sErrMsg & "you believe you have received this message in error please contact " & Session("school_name") & "."
            End If
            
            If sErrMsg = vbNullString Then
[/code]

3) Input Validation:

[code]
Private Function ValidateInput(sUserString)
      Dim sCharString

      ValidateInput = True

      For i = 1 To Len(sUserString) - 19
            If Mid(LCase(sUserString), i, 20) = "/script.js></script>" Then
                  ValidateInput = False
                  Exit Function
            End If
      Next

      For i = 1 To Len(sUserString) - 15
            If Mid(LCase(sUserString), i, 16) = "/js.js></script>" Then
                  ValidateInput = False
                  Exit Function
            End If
      Next
      
      For i = 1 To Len(sUserString) - 10
            If Mid(LCase(sUserString), i, 11) = "insert into" Then
                  ValidateInput = False
                  Exit Function
            End If
      Next
      
      For i = 1 To Len(sUserString) - 10
            If Mid(LCase(sUserString), i, 11) = "delete from" Then
                  ValidateInput = False
                  Exit Function
            End If
      Next
      
      For i = 1 To Len(sUserString) - 6
            If Mid(LCase(sUserString), i, 7) = ".update" Then
                  ValidateInput = False
                  Exit Function
            End If
      Next
      
      For i = 1 To Len(sUserString) - 9
            If Mid(LCase(sUserString), i, 10) = ";declare @" Then
                  ValidateInput = False
                  Exit Function
            End If
      Next
      
      For i = 1 To Len(sUserString) - 6
            If Mid(LCase(sUserString), i, 7) = " union " Then
                  ValidateInput = False
                  Exit Function
            End If
      Next
      
      For i = 1 To Len(sUserString) - 5
            If Mid(LCase(sUserString), i, 6) = " drop " Then
                  ValidateInput = False
                  Exit Function
            End If
      Next
End Function
[/code]

I work in Macromedia HomeSite and I use ASP.

Thanks for any help!
 
rajivvishwa commented:
The input validation methods you have followed can easily be bypassed and there are various methods to do so.
Please check ESAPI developed by OWASP (open source, very mature) and any other commercial solutions available.
http://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API

P.S. Sorry for the delay in response.
 
Bob Schneider (Co-Owner, Author) commented:
I used a field script found above to filter metacharacters and I have installed Acunetix web scanner (free edition) and looked at all pages where forms are submitted and it tells me there is no vulnerability. I am still getting scripts injected. I have written a "script cleaner" that is effective in removing them and I am running it every hour on my server. But I want to keep them out altogether. I will keep working on that.

The bottom line is I have no idea how it is getting in there.....

In the interim can I use the replace function to ensure that these scripts never get to the end user when a page is opened?  I am thinking about trying to use Replace(sString, "<script" & * & "</script>", ""> in the sql query that pulls text from the db so that it does not get to the end user.  I am using classic asp and sql server.
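As an added example (not the original site's code), here are the two AuthAccess queries posted earlier rewritten with ADODB.Command parameters, which is what rajivvishwa's point about bypassable filters leads to, plus encoding on output rather than the Replace-in-the-query idea from the last post. It assumes an open ADODB.Connection named conn, the column sizes shown, and a text column named Comment.

```vbscript
' Added example, not the original site's code. Assumes an open ADODB.Connection
' in conn. ADO constants are spelled out so no adovbs.inc include is needed.
Const adCmdText = 1
Const adParamInput = 1
Const adVarChar = 200
Const adDBTimeStamp = 135
Const adExecuteNoRecords = 128

' The SQL text is fixed; values are bound as parameters, so a quote or a
' <script> tag in the input is stored as data and never interpreted as SQL.
Function NewCommand(conn, sSql)
    Dim cmd
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    cmd.CommandText = sSql
    Set NewCommand = cmd
End Function

' Replaces the concatenated INSERT that logs a page hit.
Sub LogAccess(conn, sIPAddress, sPage)
    Dim cmd
    Set cmd = NewCommand(conn, "INSERT INTO AuthAccess (WhenHit, IPAddress, Page) VALUES (?, ?, ?)")
    cmd.Parameters.Append cmd.CreateParameter("WhenHit", adDBTimeStamp, adParamInput, , Now())
    cmd.Parameters.Append cmd.CreateParameter("IPAddress", adVarChar, adParamInput, 45, sIPAddress)
    cmd.Parameters.Append cmd.CreateParameter("Page", adVarChar, adParamInput, 50, sPage)
    cmd.Execute , , adExecuteNoRecords
End Sub

' Replaces the concatenated SELECT: True if this IP hit sPage in the last 20 minutes.
Function HasRecentAccess(conn, sIPAddress, sPage)
    Dim cmd, rs
    Set cmd = NewCommand(conn, "SELECT TOP 1 AuthAccessID FROM AuthAccess " & _
        "WHERE IPAddress = ? AND Page = ? AND WhenHit >= ?")
    cmd.Parameters.Append cmd.CreateParameter("IPAddress", adVarChar, adParamInput, 45, sIPAddress)
    cmd.Parameters.Append cmd.CreateParameter("Page", adVarChar, adParamInput, 50, sPage)
    cmd.Parameters.Append cmd.CreateParameter("Since", adDBTimeStamp, adParamInput, , DateAdd("n", -20, Now()))
    Set rs = cmd.Execute
    HasRecentAccess = Not rs.EOF
    rs.Close
End Function

' On output, encode instead of stripping: a stored "<script>" becomes
' "&lt;script&gt;" and is displayed as text rather than executed. Null-safe.
Function SafeOut(vValue)
    SafeOut = Server.HTMLEncode(vValue & "")
End Function

' Usage on the contact page:
'   LogAccess conn, Request.ServerVariables("REMOTE_ADDR"), "contact"
'   If HasRecentAccess(conn, Request.ServerVariables("REMOTE_ADDR"), "contact") Then ...
'   Response.Write SafeOut(rs("Comment"))
```

Every Request.Form and Request.ServerVariables value that currently goes through string concatenation needs the same treatment; the hourly "script cleaner" then becomes a detection signal (anything it still finds points at a query that was missed) rather than the defence.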
 
Bob Schneider (Co-Owner, Author) commented:
I am more than happy to divide points based on what I have been given but I am waiting to see if my final post can be responded to. This is a serious issue for me so I am hoping to get some more help.

Thanks!