Link to home
Start Free TrialLog in
Avatar of erikTsomik
erikTsomikFlag for United States of America

asked on

Protect the URL

Security issue. I am being spammed in the url .

the url looks like this 

http://www.testing.com/myTest.cfm?action=add_item&item=PK%3A39&product=1%29%20AND%205435%3DCONVERT%28INT%2C%28SELECT%20CHAR%28113%29%2BCHAR%28107%29%2BCHAR%28107%29%2BCHAR%28113%29%2BCHAR%28113%29%2B%28SELECT%20SUBSTRING%28%28ISNULL%28CAST%28count%28%2A%29%20AS%20NVARCHAR%284000%29%29%2CCHAR%2832%29%29%29%2C1%2C1024%29%20FROM%20upcomingEventsAttendance%20WHERE%20grade%20like%20CHAR%2837%29%2BCHAR%2899%29%2BCHAR%2897%29%2BCHAR%28114%29%2BCHAR%28100%29%2BCHAR%28110%29%2BCHAR%28117%29%2BCHAR%28109%29%2BCHAR%2898%29%2BCHAR%28101%29%2BCHAR%28114%29%2BCHAR%2837%29%20and%20grade%20like%20CHAR%2837%29%2BCHAR%2891%29%2BCHAR%2852%29%2BCHAR%2845%29%2BCHAR%2853%29%2BCHAR%2893%29%2BCHAR%2891%29%2BCHAR%2848%29%2BCHAR%2845%29%2BCHAR%2857%29%2BCHAR%2893%29%2BCHAR%2891%29%2BCHAR%2848%29%2BCHAR%2845%29%2BCHAR%2857%29%2BCHAR%2893%29%2BCHAR%2891%29%2BCHAR%2848%29%2BCHAR%2845%29%2BCHAR%2857%29%2BCHAR%2893%29%2BCHAR%2837%29%29%2BCHAR%28113%29%2BCHAR%28112%29%2BCHAR%28113%29%2BCHAR%28113%29%2BCHAR%28113%29%29%29--%20glyF&session=168696&state=CA

Open in new window

Avatar of Ryan Chong
Ryan Chong
Flag of Singapore image
not too sure about your question, but in general to protect an URL, you could:

  • use POST instead of GET for page processing
  • implement the Page Authentication, such as Basic, Bearer, JWT Authentication etc.
Avatar of erikTsomik
erikTsomik
Flag of United States of America image

ASKER

I am using ColdFusion as Server side language. And start getting error message as somebody is trying to hack my site by implementing the URL 
Avatar of Ryan Chong
Ryan Chong
Flag of Singapore image
so, perhaps you should implement some website hardening or penetration test to your web portal

as a start:

Top 10 Website Hardening Tips
https://blog.sucuri.net/2019/10/top-10-website-hardening-tips.html

Beginners Guide To Web Application Penetration Testing
https://www.softwaretestinghelp.com/getting-started-with-web-application-penetration-testing/
Avatar of Paul MacDonald
Paul MacDonald
Flag of United States of America image
That looks like a SQL injection attack.  This attack is effective only if you don't sanitize your URL query strings before you build your SQL queries.  Adobe has advice on how to address the issue.  You should read up on it and take any necessary steps to sanitize your inputs.
Avatar of Dave Baldwin
Dave Baldwin
Flag of United States of America image
How you are you seeing this?  I do 404 tracking on websites that I support.  A moderately busy site gets 100 to 1500 accesses a day for pages that don't exist.
Avatar of erikTsomik
erikTsomik
Flag of United States of America image

ASKER

the page does exists. but I need to disinfect the URL not to process . It is a purely SQL injection attack 
ASKER CERTIFIED SOLUTION
Avatar of David Favor
David Favor
Flag of United States of America image
Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial