Solved

Website Security Check

Posted on 2010-09-22
644 Views
Last Modified: 2012-05-10
Is there any way to have a site "looked at" to identify vulnerabilities?  I have several sites that are getting scripts inserted into my sql server db and I am not sure how it is happening.  I have a script in place that I thought handled that but it is clearly missing something.  Is there a service that allows me to post a url and then identifies vulnerabilities?
0
Question by:Bob Schneider
10 Comments
 
LVL 29

Accepted Solution

by:
QPR earned 125 total points
ID: 33732854
Can you elaborate a bit? How do you mean scripts are getting inserted into your DB?
0
 

Author Comment

by:Bob Schneider
ID: 33732889
I don't know how they are getting in there, but if I have a field in a SQL Server db that has a datatype of varchar and it has "room" (500 characters allowed, for instance), I find scripts in there occasionally. It seems to me that my database structure has been identified and scripts are inserted somehow.
0
 
LVL 3

Assisted Solution

by:guitar7man
guitar7man earned 125 total points
ID: 33733881
How's your input validation on your forms? When you are parsing user-submitted content, are you validating what they are giving you (i.e. a number is a number, an email address is a properly formed email address, etc.)? Are you encoding special characters? I suspect this is where the problem is.

To directly answer, yes, there are services that can check *some* of this. I personally am not aware of any that are free though. McAfee Secure (formerly HackerSafe) comes to mind. There are other vulnerability scanners (tools) you could use that are open source, but that requires a bit of knowledge to use and won't tell you how to fix... so your best bet is to go the service route. Costs money unfortunately, but you could also just revisit your input validation and make sure it's tight. Then see if anything else shows up in your DB.
0
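As an added illustration of the whitelist approach this answer describes (this is editor-supplied example code, not code from the thread or from any product named in it), here is a set of classic ASP validators that accept a value only when it matches a pattern describing legitimate input, rather than searching for known-bad strings. The field names and the length limits are assumptions.

```vbscript
<%
' Added example: whitelist validation for form fields in classic ASP (VBScript).
' Each function returns True only when the value has the shape of legitimate input.

Function IsValidInteger(sValue)
    ' Strict digits-only check. VBScript's IsNumeric would also accept "1e5",
    ' "&H1F" or " 12 ", which is rarely what a form field should allow.
    Dim re
    Set re = New RegExp
    re.Pattern = "^\d{1,9}$"
    IsValidInteger = re.Test(sValue)
End Function

Function IsValidEmail(sValue)
    ' Conservative shape check: local part, one @, dotted domain, letters-only TLD.
    Dim re
    Set re = New RegExp
    re.Pattern = "^[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$"
    IsValidEmail = (Len(sValue) <= 254) And re.Test(sValue)
End Function

Function IsValidName(sValue)
    ' Letters, spaces, apostrophes, hyphens and periods; length bounded well
    ' below the varchar column size (assumed limit of 100 characters).
    Dim re
    Set re = New RegExp
    re.Pattern = "^[A-Za-z][A-Za-z '\-\.]{0,99}$"
    IsValidName = re.Test(sValue)
End Function

' Usage in a form handler: stop at the first field that fails (field names assumed).
Dim sName, sEmail, sErrMsg
sName  = Request.Form("name")
sEmail = Request.Form("email")
If Not IsValidName(sName) Then
    sErrMsg = "Please enter a name using letters, spaces, apostrophes or hyphens."
ElseIf Not IsValidEmail(sEmail) Then
    sErrMsg = "Please enter a valid e-mail address."
End If
%>
```

The difference from a blacklist is that anything not explicitly allowed is rejected, so a new payload does not need a new rule. Validation still does not replace parameterized queries for the database or output encoding for the browser; it just narrows what reaches them.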
 
LVL 4

Assisted Solution

by:rajivvishwa
rajivvishwa earned 250 total points
ID: 33737091
There are a few things you need to do:

1. Change your database password
2. Check for the user permissions for tables and databases
3. It looks like your website is vulnerable to SQL Injection (owasp.org/index.php/SQL_Injection)
4. Check owasp.org for recommendations and pointers on secure coding (owasp.org/index.php/Secure_Coding_Principles)
5. Scan with various free tools (I don't know your dev platform)
** Web Vuln Tools **
a. Zeroday Online Scanner - http://www.zerodayscan.com/
b. WebSecurify - http://a4apphack.com/featured/websecurify-free-web-application-vulnerability-scanner
** SQLi Tools **
a. HP Scawlr - http://h30507.www3.hp.com/t5/The-HP-Security-Laboratory-Blog/Finding-SQL-Injection-with-Scrawlr/ba-p/30893
b. MS SCA for SQLi - http://blogs.msdn.com/b/sqlsecurity/archive/2008/06/24/microsoft-source-code-analyzer-for-sql-injection-june-2008-ctp.aspx

There are many others; Google for details. All the best!
0
 

Author Comment

by:Bob Schneider
ID: 33740225
Here is my input validation:
1) When someone opens a page they are logged as follows:
[code]

'log this user if they are just entering the site
sql = "INSERT INTO AuthAccess(WhenHit, IPAddress, Page) VALUES ('" & Now() & "', '" & Request.ServerVariables("REMOTE_ADDR")
sql = sql & "', 'contact')"
Set rs = conn.Execute(sql)
Set rs = Nothing
[/code]

2) When they submit a form it is checked and, if they are recognized, their input is validated:

[code]
      'see if this user has entered from the form correctly within the past 20 minutes
      Set rs = Server.CreateObject("ADODB.Recordset")
      sql = "SELECT AuthAccessID FROM AuthAccess WHERE IPAddress = '" & Request.ServerVariables("REMOTE_ADDR")
      sql = sql & "' AND WhenHit >= '" & Now() - CSng(1/72) & "' AND Page = 'contact' ORDER BY AuthAccessID DESC"
      rs.Open sql, conn, 1, 2
      If rs.RecordCount > 0 Then Session("access_contact") = "y"
      rs.Close
      Set rs = Nothing

      If Session("access_contact") = "y" Then      'if they are an authorized user allow them to proceed
            Session.Contents.Remove("access_contact")
            
            sName = Request.Form.Item("name")
            If ValidateInput(sName) = False Then
                  sErrMsg = "I am sorry.  The information you have entered contains an illegal phrase and could not be sent.  If "
                  sErrMsg = sErrMsg & "you believe you have received this message in error please contact " & Session("school_name") & "."
            End If
            
            If sErrMsg = vbNullString Then
[/code]

3) Input Validation:

[code]
Private Function ValidateInput(sUserString)
      Dim sCharString

      ValidateInput = True

      For i = 1 To Len(sUserString) - 19
            If Mid(LCase(sUserString), i, 20) = "/script.js></script>" Then
                  ValidateInput = False
                  Exit Function
            End If
      Next

      For i = 1 To Len(sUserString) - 15
            If Mid(LCase(sUserString), i, 16) = "/js.js></script>" Then
                  ValidateInput = False
                  Exit Function
            End If
      Next
      
      For i = 1 To Len(sUserString) - 10
            If Mid(LCase(sUserString), i, 11) = "insert into" Then
                  ValidateInput = False
                  Exit Function
            End If
      Next
      
      For i = 1 To Len(sUserString) - 10
            If Mid(LCase(sUserString), i, 11) = "delete from" Then
                  ValidateInput = False
                  Exit Function
            End If
      Next
      
      For i = 1 To Len(sUserString) - 6
            If Mid(LCase(sUserString), i, 7) = ".update" Then
                  ValidateInput = False
                  Exit Function
            End If
      Next
      
      For i = 1 To Len(sUserString) - 9
            If Mid(LCase(sUserString), i, 10) = ";declare @" Then
                  ValidateInput = False
                  Exit Function
            End If
      Next
      
      For i = 1 To Len(sUserString) - 6
            If Mid(LCase(sUserString), i, 7) = " union " Then
                  ValidateInput = False
                  Exit Function
            End If
      Next
      
      For i = 1 To Len(sUserString) - 5
            If Mid(LCase(sUserString), i, 6) = " drop " Then
                  ValidateInput = False
                  Exit Function
            End If
      Next
End Function
[/code]

I work in Macromedia HomeSite and I use ASP.

Thanks for any help!
0
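The queries in this post are built by concatenating Now() and REMOTE_ADDR into SQL text, and the ValidateInput function then tries to spot SQL keywords in the form fields. As an added example (editor-supplied, not the asker's code), the same two queries rewritten with ADODB.Command parameters: the values are sent to SQL Server as typed parameters, so quotes, semicolons or an "insert into" inside them are stored as data and never parsed as SQL. It assumes an open ADODB.Connection named conn, as in the original post, and an IPAddress column wide enough for an address (45 characters assumed).

```vbscript
<%
' Added example: parameterized versions of the INSERT and SELECT from the post.
' Assumes an open ADODB.Connection object named conn.

Const adVarChar = 200        ' ADODB DataTypeEnum
Const adDBTimeStamp = 135
Const adParamInput = 1       ' ADODB ParameterDirectionEnum
Const adCmdText = 1          ' ADODB CommandTypeEnum
Const adExecuteNoRecords = 128

' 1) Log the hit. The page name is a constant, so it can stay in the SQL text;
'    everything that comes from the request or the clock is a parameter.
Dim cmd
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
cmd.CommandText = "INSERT INTO AuthAccess (WhenHit, IPAddress, Page) VALUES (?, ?, 'contact')"
cmd.Parameters.Append cmd.CreateParameter("WhenHit", adDBTimeStamp, adParamInput, , Now())
cmd.Parameters.Append cmd.CreateParameter("IPAddress", adVarChar, adParamInput, 45, _
                                          Request.ServerVariables("REMOTE_ADDR"))
cmd.Execute , , adExecuteNoRecords   ' no Recordset is needed for an INSERT
Set cmd = Nothing

' 2) Has this address hit the contact page within the last 20 minutes?
Dim rs, dtCutoff
dtCutoff = DateAdd("n", -20, Now())   ' same window as Now() - CSng(1/72), but explicit
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
cmd.CommandText = "SELECT TOP 1 AuthAccessID FROM AuthAccess " & _
                  "WHERE IPAddress = ? AND WhenHit >= ? AND Page = 'contact' " & _
                  "ORDER BY AuthAccessID DESC"
cmd.Parameters.Append cmd.CreateParameter("IPAddress", adVarChar, adParamInput, 45, _
                                          Request.ServerVariables("REMOTE_ADDR"))
cmd.Parameters.Append cmd.CreateParameter("WhenHit", adDBTimeStamp, adParamInput, , dtCutoff)
Set rs = cmd.Execute
' cmd.Execute returns a forward-only recordset, whose RecordCount is -1;
' test EOF instead of RecordCount > 0.
If Not rs.EOF Then Session("access_contact") = "y"
rs.Close
Set rs = Nothing
Set cmd = Nothing
%>
```

With every value bound this way, the keyword scan in ValidateInput is no longer what stands between the form and the database; a name containing the phrase "drop" can be accepted and stored harmlessly. The same change should be applied to every other query that takes request data, including the one that writes the form fields into the 500-character varchar column.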
 
LVL 4

Assisted Solution

by:rajivvishwa
rajivvishwa earned 250 total points
ID: 33749155
The input validation methods you have followed can easily be bypassed, and there are various methods to do so.
Please check ESAPI developed by OWASP (open source, very mature) and any other commercial solutions available.
http://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API

P.S. Sorry for the delay in response.
0
 

Author Comment

by:Bob Schneider
ID: 33817076
I used a field script found above to filter metacharacters and I have installed Acunetix web scanner (free edition) and looked at all pages where forms are submitted and it tells me there is no vulnerability. I am still getting scripts injected. I have written a "script cleaner" that is effective in removing them and I am running it every hour on my server. But I want to keep them out altogether. I will keep working on that.

The bottom line is I have no idea how it is getting in there...

In the interim can I use the replace function to ensure that these scripts never get to the end user when a page is opened? I am thinking about trying to use Replace(sString, "<script" & * & "</script>", ""> in the sql query that pulls text from the db so that it does not get to the end user. I am using classic ASP and SQL Server.
0
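On the interim question of keeping stored scripts away from the end user (and guitar7man's earlier point about encoding special characters), the control that holds regardless of which tag was injected is to HTML-encode the column on output rather than strip one pattern from it; SQL Server's REPLACE has no wildcard, and stripping "<script" leaves every other way of attaching script to markup untouched. Below is an added example (editor-supplied, not the asker's code) of doing that in classic ASP with Server.HTMLEncode. It assumes an open Recordset rs over the affected table and a text column named Body; both names are assumptions.

```vbscript
<%
' Added example: encode database text on output so that injected markup is
' displayed as literal text and never executed by the browser.
' Assumes an open ADODB.Recordset named rs with a varchar column named Body.

Function SafeHtml(vValue)
    ' Null-safe wrapper: Server.HTMLEncode raises a type error on a Null field.
    ' HTMLEncode converts <, >, & and " into entities.
    If IsNull(vValue) Then
        SafeHtml = ""
    Else
        SafeHtml = Server.HTMLEncode(CStr(vValue))
    End If
End Function

Function SafeAttr(vValue)
    ' For values placed inside a quoted HTML attribute. HTMLEncode already
    ' handles double quotes; the apostrophe is added for single-quoted attributes.
    SafeAttr = Replace(SafeHtml(vValue), "'", "&#39;")
End Function

Do While Not rs.EOF
    ' Element content: the stored text appears on the page exactly as stored,
    ' tags included, but as characters rather than markup.
    Response.Write "<p>" & SafeHtml(rs("Body")) & "</p>" & vbCrLf
    ' Attribute value: encoded for the quoted attribute context.
    Response.Write "<input type=""text"" value=""" & SafeAttr(rs("Body")) & """>" & vbCrLf
    rs.MoveNext
Loop
%>
```

The hourly cleaner can stay as a detective measure (each row it touches is evidence of a write path that still accepts the injection), but encoding on output means the page is safe to render even between cleaner runs, and fixing the write path with parameterized queries stops the rows from appearing at all.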
 

Author Comment

by:Bob Schneider
ID: 34079455
I am more than happy to divide points based on what I have been given, but I am waiting to see if my final post can be responded to. This is a serious issue for me so I am hoping to get some more help.

Thanks!
0
 
LVL 27

Expert Comment

by:Tolomir
ID: 34079470
0