If you are a website owner or developer, you are probably aware of the threat of hackers. There are many ways to protect your database-driven ASP or PHP website from hacker attacks, ranging from weak to strong security measures. Here you will learn about the most common and effective ways to slow down hackers who use methods like SQL injection attacks and XSS (cross-site scripting) via the URL querystring and form inputs. Two general types of hacker blocking techniques are discussed, including custom error pages and input validation. These methods are simple enough that you can do it yourself with only basic coding knowledge. Your best strategy would be to put up a combination of as many little obstacles as possible.
Things You'll Need:
- Basic HTML coding skills
- Basic programming skills, such as ASP
- Basic database skills, such as SQL
- Access to website host, files and FTP
- SQL database-driven websites are at risk.
Any web page which passes parameters to a database can be vulnerable to attacks. This includes e-commerce shopping carts or any other website that has a form for login, search, etc. Any SQL database-driven website is at risk of hackers who may be able to enter into the database through a back door. Usually these back doors are present in URL querystrings and form inputs, such as Login forms, Search forms, or other user input textboxes that can communicate with a database.
- An overview of hacking.
Generally, a hacker can enter bogus characters into the URL querystring or a textbox. The bogus input is then interpreted as SQL rather than ordinary user data and is executed by the unsuspecting database. As a result, the website may break and display an error, allowing the hacker to glean private information about the database. Even worse, the hacker's hazardous scripts may actually be executed on the database, causing security breaches and/or permanent damage.
- How hackers do it.
The first goal of a hacker is to repeatedly try to break a website, causing it to display a variety of valuable errors that give away private database details. In this way, he can gain insight into the structure of the database and ultimately create a map or footprint of all its tables and columns. The second goal of the hacker is to actually manipulate the database by executing scripts in malicious ways. With control over the database, the hacker may possibly steal credit card numbers, erase data or infect it with viruses, among other nasty things. In essence, the URL querystring and textbox are the two backdoors into a database. Getting errors and manipulating the backdoors are the two methods used by hackers to ultimately destroy a database.
- Hack your own website.Let's look at how a hacker might go about breaking into a website. Using the first technique described, he can hack the URL querystring and cause an error to be displayed. You can do a simple test to hack into your own website via the URL querystring. All you have to do is type something else directly into the address bar at the end of your querystring.
Type your URL like the following example and press enter:http://www.mywebsite.com/bookreports.asp?reportID=21
Now simply add a single quote to the end the querystring and press enter:
http://www.mywebsite.com/bookreports.asp?reportID=21'
- Generate an error.
As predicted, you may have successfully broken your website and received an error as follows.
Error Type:
Microsoft OLE DB Provider for ODBC Drivers (0x80040E14)
[Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark before the character string ' AND users.userID=reports.reportsID'.
/bookreports.asp, line 20
The single quote causes an unclosed quotation mark error and now the once-secret table names and column names of your database are publicly visible. After generating a series of these kinds of valuable errors, a hacker can piece together private database details which will ultimately help him break into and wreak havoc on the database.
- Hide website errors.
The top most effective solution for keeping the private details of your database from getting into the hands of a hacker is to setup a custom error page for your website. This way, a hacker will never see any detailed error messages. If you do nothing else, this is the number one thing that every website must have. Otherwise, you are giving the hacker an open invitation into your database and practically offering him all the information he needs to launch an attack.
- Setup custom error pages.
Some hosting services automatically use custom error pages to help protect your security. To setup your own custom error page, you will need to consult your web host for instructions. Generally, you will create a new HTML page to look the way you please and that says something short and sweet, like 'Sorry, the page you have requested is unavailable.' Then save it as error404.htm and upload it to your server. Following the instructions from your host, you will change the website settings to point to the new error page. This will stop many hackers right in their tracks.
- Manipulate the URL querystring.
Besides fishing for errors, a hacker can enter even more dangerous code than a simple single quote into the URL querystring. In an effort to execute malicious scripts on a database, a variety of creative coding is employed, such as %20HAVING%201=1 or maybe %20;shutdown with no wait-- or much worse. Once the hacker is able to execute scripts, the vulnerable database is like putty in their hands. The hacker never has to know the database login or connection string because he is using the URL querystring which already has an open connection.
Warning: Test this on your own website only if you really want to erase a table in your database. Simply, enter the following text after the end of your URL querystring and press enter. Be sure to use the real name of one of your tables (preferably a test table!) in place of myTablename.
http://www.mywebsite.com/bookreports.asp?reportID=21'; drop table myTablename--
Your table is permanently deleted.
- Manipulate the form input.
The other most common point of entry besides the URL querystring is the form input. A hacker may manipulate any textbox within an HTML form. A search box or a login form with username and password fields are all prime targets. The hacker can enter bogus characters into the textbox and submit the form. The input is then interpreted as SQL rather than ordinary user data and executed by the database. Again, this attack will either cause an error so he can glean private information about your database, or it may actually insert hazardous scripts and wreak havoc on the database.
Warning: Test this on your own website only if you really want to erase a table in your database. Simply, enter the following text into your textbox (say, a search box or username box) and then submit the form. Be sure to use the real name of one of your tables (preferably a test table!) in place of myTablename.
fred'; drop table myTablename--
Your table is permanently deleted.
- Block input containing malicious code.
By now, you probably have a good idea of how much damage a hacker can do and you are ready and willing to do whatever it takes to stop them. The number one way to block a hacker from manipulating the URL querstrying and textboxes is to block their input. But, how do you determine who they are, what they will input and whether or not it is safe? Unfortunately, you cannot know. So, you must assume that all user input could be potentially dangerous. A common saying in the programming world is that ALL INPUT IS EVIL. Thus, it must be treated with caution. Everything from everybody should be checked every time to ensure dangerous code does not slip in. This is accomplished by checking all input that is submitted via a querystring or form and then rejecting or removing unsafe characters before it ever reaches the database. If this sounds like a lot of trouble, you are right. But, it is the price we pay to protect our websites and databases from the wrath of hackers. It is your responsibility as the webmaster to ensure that only clean, safe input is allowed to enter your database.
- nput validation.
To check if the input entered into the URL querystring or textbox is safe, we can use input validation rules. In other words, using ASP code on a web page can validate the input collected from the querystring or form to make sure it contains only safe characters. Once the input is deemed safe, it can be stored in a new variable, inserted into the SQL string and sent to the database.
- The wash and rinse cycle.
Input validation should be a two-part process, like a wash and rinse cycle. We want to thoroughly clean all input by first checking for safe characters and second by checking for bad strings. See the resources at the end of this article for a more in depth discussion on this method
- Filter characters.
Another method that can be used in conjunction with the above two functions, but is considered to be very weak when used alone, is to sanitize the input by filtering or escaping.
A well-known threat is the single quote or apostrophe because it breaks the SQL statement. Following is an ASP example that renders the single quote harmless, by replacing it with two single quotes.
'doubleup single quotes
newSafeString = replace(searchInput, "'", "''")
Other variations for the replace function include stripping out the script tag and replacing it with a space. Or, filter out characters such as the dollar sign $ quotation mark " semi-colon ; and apostrophe ' the left and right angle brackets <> the left and right parentheses ( ) the pound sign # and the ampersand &. Or convert these characters to their HTML entities.
Remember to use a solution that best fits your website or consult a professional.
- Finally, there are a few other security measures that you can research and explore on your own. Remember a hacker can easily save a copy of your webpage, then modify the HTML and javascript, then re-upload the page. Therefore, it is best to never use javascript alone for input validation since it can easily be removed, and instead duplicate any javacript validation with ASP validation. Also, hidden input fields are a threat in the same way since they can easily be altered to include bogus code. Other tips include: Never give away any clues about your database, including making your input field names the same as the database field names. Always set a max length for inputs and truncate the excess.
- If you would like to pursue more advanced security techniques, please see the resources at the end of this article. Topics discussed include, password policies, buffer overrun, creative table and column names, table name aliases, set and check data types, .bak files, stored procedures with parameters, and log files.
No comments:
Post a Comment