Possible hacking of my ASP form - Need advice

Jim
Hi,

I keep getting form results emailed to me that would indicate a form
from my web site is getting submitted with all fields blank or empty,
but my code should be preventing users from proceeding if they left any
field blank. My guess is that someone is trying to hack the site
using the form to gain entry or run commands -- I don't really know
since I'm not a hacker. I just know that forms are often susceptible
to these kinds of attacks.

I was hoping someone could shed some light on what may be happening
and how I may best try to prevent such things. I would think that
even if they entered various commands or whatnot into the form that I
might get some of those commands back in the results, but instead
every field comes back empty.

Any ideas?
Thanks!
Jim
Jul 19 '05 #1
www.aspfaq.com has a bunch of good stuff on preventing SQL Injection attacks

--
----------------------------------------------------------
Curt Christianson (Software_AT_Darkfalz.Com)
Owner/Lead Designer, DF-Software
http://www.Darkfalz.com
---------------------------------------------------------
...Offering free scripts & code snippits for everyone...
---------------------------------------------------------
Jul 19 '05 #2
Only accepting forms submitted from your own server's IP address should reduce the
possibility of external attack.

Jul 19 '05 #3
Jim
From: jason (ja***@catamaranco.com)
Just be sure you are not using session variables, as if they expire the user may be entering empty values into your database or form.
Thanks for the tip, but I'm not using session variables.
From: Curt_C [MVP] (software_AT_darkfalz.com)
www.aspfaq.com has a bunch of good stuff on preventing SQL Injection attacks

Sorry, I should have mentioned, I am not using a database. This is
just a very simple html form with a script to email me the results
with CDONTS.
From: Tim Williams (saxifrax@pacbell*dot*net)
How are you preventing the user from submitting empty fields?
Tim.
Good question. It's just a simple validation script that checks to
see if any field was left empty and if so, rebuilds the form with an
error message requesting that the field(s) be filled out. I can't
seem to break it when testing, but then again I don't think like a
hacker, and I guess that's part of the problem <g>.
From: only me (on*****@hotmail.com)
only accept forms submitted from your own servers IP add should reduce possibility of external attack

The only way I know to do this with a dynamic IP is to check the
Referer variable, but since my host disables this variable for some
unknown reason, I can't do that. Is there another way?

I appreciate all the tips and suggestions so far. What else should I
look for?

Thanks again.
Jim

Jul 19 '05 #4
On 2 Sep 2003 08:44:26 -0700, Do************@hotmail.com (Jim) wrote:
How are you preventing the user from submitting empty fields?
Good question. It's just a simple validation script that checks to
see if any field was left empty and if so, rebuilds the form with an
error message requesting that the field(s) be filled out. I can't
seem to break it when testing, but then again I don't think like a
hacker, and I guess that's part of the problem <g>.


Server side or client side? If this is client side, as in a
JavaScript validation, it's quite simple for a hacker to read the code
and bypass it. Make sure you *also* validate on the server side. In
your case, a simple check to see if the field contains A-Z and 0-9
might be enough. On a failure, simply reload the original page,
perhaps with a message to fill in all fields with A-Z or 0-9.

Jeff
Jul 19 '05 #5
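Jeff's point above, that the only validation that counts is the one the server performs on whatever arrived in the request, is worth seeing as working code. The block below is an added example and not code from this thread: it is plain JavaScript (run under Node) standing in for the ASP page, with a small stand-in for the parsing IIS does before Request.Form exists. The field names (name, email, country, and a hidden form_id), the allow-lists, and the sample request bodies are all hypothetical; the hidden field is included deliberately, because a request with every field blank, hidden ones included, is exactly what Jim reports receiving.

```javascript
// Added example, not code from the thread. Server-side validation of a posted
// form body, modelled on the ASP flow Jeff and Jim describe but written as
// plain JavaScript so it runs under Node. The field names (name, email,
// country, and a hidden form_id) and the allow-lists are hypothetical.

// Stand-in for what IIS does before Request.Form is populated: split an
// application/x-www-form-urlencoded body into name/value pairs. Repeated
// names are kept as a list, mirroring the collection's .Count behaviour.
function parseFormBody(body) {
  const form = new Map();
  if (body === "") return form;
  for (const pair of body.split("&")) {
    const eq = pair.indexOf("=");
    const rawName = eq < 0 ? pair : pair.slice(0, eq);
    const rawValue = eq < 0 ? "" : pair.slice(eq + 1);
    const name = decodeURIComponent(rawName.replace(/\+/g, " "));
    const value = decodeURIComponent(rawValue.replace(/\+/g, " "));
    if (!form.has(name)) form.set(name, []);
    form.get(name).push(value);
  }
  return form;
}

// Per-field allow-lists. The hidden form_id is checked exactly like the
// visible fields: the value the browser was given is only a suggestion, and
// any client can send it blank, altered, or not at all.
const RULES = {
  name:    /^[A-Za-z0-9 ,.'\-]{1,80}$/,
  email:   /^[A-Za-z0-9._%+\-]+@[A-Za-z0-9.\-]+\.[A-Za-z]{2,}$/,
  country: /^[A-Za-z0-9 ,.\/\\\-]{1,80}$/,   // slashes allowed, as some addresses need
  form_id: /^[A-Za-z0-9_\-]{1,32}$/,
};

// Returns a list of error strings; an empty list means the submission passed
// and may be emailed. Every rejection is decided here, whatever the page's
// client-side script did or did not do.
function validateForm(form) {
  const errors = [];
  for (const [field, pattern] of Object.entries(RULES)) {
    const values = form.get(field) || [];
    if (values.length !== 1) {
      errors.push(`${field}: expected exactly one value, got ${values.length}`);
      continue;
    }
    const value = values[0].trim();
    if (value === "") {
      errors.push(`${field}: must not be blank`);
    } else if (!pattern.test(value)) {
      errors.push(`${field}: contains characters outside the allowed set`);
    }
  }
  // Names the form never defined are rejected too, so a crafted request
  // cannot add pairs that a later step might pick up.
  for (const field of form.keys()) {
    if (!Object.prototype.hasOwnProperty.call(RULES, field)) {
      errors.push(`${field}: unexpected field`);
    }
  }
  return errors;
}

// Constructed sample requests, not captured traffic.
const GOOD_BODY   = "name=Jane+Doe&email=jane%40example.org&country=UK&form_id=contact_v1";
const BLANK_BODY  = "name=&email=&country=&form_id=";   // every field blank, hidden one included
const INJECT_BODY = "name=%3Cscript%3Ex%3C%2Fscript%3E&email=a%40b.cc&country=UK&form_id=contact_v1";

console.log(validateForm(parseFormBody(GOOD_BODY)));    // []
console.log(validateForm(parseFormBody(BLANK_BODY)));   // four "must not be blank" entries
console.log(validateForm(parseFormBody(INJECT_BODY)));  // one entry, for name
```

The design choice is an allow-list per field rather than the block-list of "dangerous" characters Jim is about to propose: an allow-list says what a country or a name may contain, so slashes can be permitted where addresses need them and refused everywhere else, and nothing the client does to the page's own JavaScript changes the outcome.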
Jim
The form is validated on the server side with an ASP/vbscript page
that recreates the original form with an error message if needed.

Numeric, email and date fields are all validated specifically, but
generic text fields were not. I guess I'll add a check to my
validation script to check for characters like the following
!^*()_+='`~\|]}[{;:/?.<>&%.

Do I need to worry about dashes, underscores, commas, & periods?
Those I'd like to allow.

Also, some international addresses (something the form may collect)
contain forwardslashes or backslashes. I can imagine they could prove
troublesome, but how do I deal with this? I'd like to allow those if
it's safe to do so.

Something else that came to mind is the form contains hidden fields
whose values are also getting returned empty. How could this be since
the user never sees or gets to change them?

Lastly, could I be barking up the wrong tree thinking this is a form
hack? Since the form uses CDONTS to email me the results, and CDONTS
doesn't validate users, could a spammer have found a way to send out
spam through this page/form and the blank results I get are just a
by-product? Just a guess.

Thanks,
Jim

Jul 19 '05 #6
Jim
Is there a list of characters that should ALWAYS be avoided in
forms/text boxes for security reasons? I can see right away how
quotation marks, semicolons, greater than & less than brackets and
backslashes could be problematic. What are some others to be wary of?

How do I handle the fact that in a few cases I will need to accept
backslashes, Apostrophes, Number/Pound symbol, and possibly a select
few other non-alphanumeric characters?

Will htmlencoding help prevent hacking, or will it be too late since
the validation is server side and code could get run before validation
is complete?

Thanks,
Jim

P.S. My form is validated on the server side with an ASP/vbscript page
that recreates the original form with an error message if needed. I
am not using any database. I am just gathering the form text and
having the results sent to my email.

Jul 19 '05 #7
"Jim" wrote:

Is there a list of characters that should ALWAYS be
avoided in forms/text boxes for security reasons?
It's a short list: {}
I can see right away how quotation marks, semicolons,
greater than & less than brackets and backslashes could
be problematic.
In what context?

If you are storing data in a DB, you can avoid all *security* issues by
explicitly calling stored procedures through an ADODB.Command object.

If you are spitting the values back onto a page, you can use
Server.HTMLEncode().

I can't think of a situation that demands avoidance of *any* character.
What are some others to be wary of?

How do I handle the fact that in a few cases I will need to
accept backslashes, Apostrophes, Number/Pound symbol, and
possibly a select few other non-alphanumeric characters?
You have to assume that *ANYTHING* can be submitted to the ASP script. Once
you accept that, it's easy to manage the data. Want to exclude specific
characters? Replace them (or test for them). Examples (I use JScript, but
the VBScript versions are similar):

Test for non-integer characters:
if (/\D/.test(myVal)) return "Integers only, please."

Ignore non-integer characters:
CMD.Parameters( "Phone") = myVal.replace(/\D/g,"")

Strip away any HTML tags before displaying:
<%=myVal.replace(/<[\s\S]*?>/g,"")%>

Keep the HTML tags, but disable rendering them as such:
<%=Server.HTMLEncode(myVal)%>

The possibilities are endless.
Will htmlencoding help prevent hacking, or will it be too
late since the validation is server side and code could
get run before validation is complete?
Why would you run code before completing validation? That's a design issue.
P.S. My form is validated on the server side with an
ASP/vbscript page that recreates the original form with
an error message if needed. I am not using any database.
I am just gathering the form text and having the results
sent to my email.


In that case, it's safe to use this type of construction...

<INPUT TYPE="text" NAME="LastName" VALUE=
"<%=Server.HTMLEncode(Request.Form("LastName").Item)%>">

...adjusting for the different form element types, of course.

--
Dave Anderson

Unsolicited commercial email will be read at a cost of $500 per message. Use
of this email address implies consent to these terms. Please do not contact
me directly or ask me to contact you directly for assistance. If your
question is worth asking, it's worth posting.
Jul 19 '05 #8
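Dave's four one-liners, and the encoded INPUT he ends with, are the whole answer to Jim's question about which characters to "avoid": none, as long as the value is encoded at the point where it is written back into the page. The block below is an added example and not code from this thread: it restates those operations as plain JavaScript functions that run under Node, with a small htmlEncode() standing in for Server.HTMLEncode() (the regex calls are the same in classic-ASP JScript). The field name LastName comes from Dave's post; the hostile sample value is constructed here.

```javascript
// Added example, not code from the thread. The four operations Dave lists,
// as plain JavaScript under Node; htmlEncode() stands in for
// Server.HTMLEncode(). The sample values are constructed, not real input.

// 1. Test for non-integer characters (reject the value).
function integerOnly(value) {
  return /\D/.test(value) ? "Integers only, please." : null;
}

// 2. Ignore non-integer characters (keep only digits), e.g. for a phone number.
function digitsOnly(value) {
  return value.replace(/\D/g, "");
}

// 3. Strip away any HTML tags before displaying. Note this is cosmetic: an
//    unterminated tag (no closing ">") is not matched and passes through
//    untouched, so stripping is not a substitute for encoding.
function stripTags(value) {
  return value.replace(/<[\s\S]*?>/g, "");
}

// 4. Keep the tags but stop the browser rendering them as markup. Covers the
//    five characters that matter in text and inside a double-quoted attribute.
function htmlEncode(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Rebuilding the form with the submitted value echoed back, as Jim's
// validation page does. Without encoding, a double quote in the value closes
// the VALUE attribute and the rest of the input is markup the sender chose;
// with encoding the whole value stays inside the attribute.
function lastNameInput(submitted, encode) {
  const v = encode ? htmlEncode(submitted) : submitted;
  return `<INPUT TYPE="text" NAME="LastName" VALUE="${v}">`;
}

// Constructed hostile value, not captured traffic.
const HOSTILE_NAME = '"><script>alert(1)</script><x y="';

console.log(integerOnly("12a3"));                        // "Integers only, please."
console.log(digitsOnly("(555) 123-4567"));               // "5551234567"
console.log(stripTags("<b>Jim</b><script>x</script>"));  // "Jimx"
console.log(stripTags("<img src=x onerror=alert(1)"));   // unchanged: no ">" to match
console.log(lastNameInput(HOSTILE_NAME, false));         // attribute broken open
console.log(lastNameInput(HOSTILE_NAME, true));          // one harmless attribute value
```

The encoded output is what Jim's rebuilt form should contain for every echoed field, hidden ones included; the stripped-tags variant is for display only, and the unterminated-tag case shows why.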
Jim
"Dave Anderson" <GT**********@spammotel.com> wrote in message news:<en**************@TK2MSFTNGP11.phx.gbl>...
You have to assume that *ANYTHING* can be submitted to the ASP script. Once
you accept that, it's easy to manage the data.


I accepted that a long time ago. The problem is I can't imagine all
the wild possibilities that some hacker with too much time can come up
with.
Will htmlencoding help prevent hacking, or will it be too
late since the validation is server side and code could
get run before validation is complete?


Why would you run code before completing validation? That's a design issue.


It's not that I am running code before validation, it's concern for
code a hacker may have input into a form field that will get executed
before my form gets validated. (if that's even possible - I don't
know)

Again, since no database is involved, I think the chances are greatly
reduced, but I have no idea what could still happen. It's my
ignorance that is fueling this fire.

What could a hacker enter into a form to compromise my security? I've
tried entering vbscript code lines into my form fields and at best all
I can do is break the form and get an ASP error. Usually a
syntax/string error.

I know I can htmlencode fields before sending back to the screen, but
what happens to malicious code inserted into a form when it's just
stored in the form collection before ever being output to the screen?
Anything?

Can a hacker use a form I've created to somehow view the asp source
for my pages, or gain access to the server itself (which is hosted and
not my responsibility, but nevertheless a concern)? Keeping in mind,
that there is no database backend.

Jim
Jul 19 '05 #9
"Jim" wrote:
You have to assume that *ANYTHING* can be submitted to the ASP
script. Once you accept that, it's easy to manage the data.
I accepted that a long time ago...


I'm not sure you have, unless I misunderstand the following:
It's not that I am running code before validation, it's concern
for code a hacker may have input into a form field that will get
executed before my form gets validated. (if that's even possible
- I don't know)
I can't tell if you are talking about client-side or server-side validation.
If client, you can assume you have no validation. If server, then consider
the following:

Each named form element passes a name-value pair (select-multiples send as
many pairs as elements selected) as part of the request. These are parsed
and put into the .Form or .QueryString collection of the Request object.

Each element in the collection has .Key, .Item and .Count properties. .Count
is an integer, while the other two are strictly strings. .Item is the
default property, so if you are using VBScript, references to
Request.Form(key) will actually point to Request.Form(key).Item.

These values are ordinary strings. They cannot execute anything in your
script unless you use the Execute Statement (VBScript) or the eval Method
(JScript).

http://msdn.microsoft.com/library/en...stmexecute.asp
http://msdn.microsoft.com/library/en...6jsmtheval.asp

Most of us don't use either, for good reason. Strangely enough, some of the
same people who would never do so seem to think it's OK to execute SQL
strings constructed with user input. But that's another topic.
What could a hacker enter into a form to compromise my security?
That's a bit like asking what he could type on paper that would cause a
security breach in your computer. Unless you use Execute/eval() (or re-type
his words into your computer), you're not at risk.

There's always a slim chance that he could craft a request that exploits
some existing vulnerability, but then it would be an IIS problem, and your
script would be no more vulnerable than any other.
I've tried entering vbscript code lines into my form fields and
at best all I can do is break the form and get an ASP error.
How are you even able to get an ASP error in that manner? Are you talking
about something other than a type mismatch? Perhaps you could show some
code.
I know I can htmlencode fields before sending back to the screen,
but what happens to malicious code inserted into a form when it's
just stored in the form collection before ever being output to the
screen? Anything?
What happens when a malicious letter just sits in an unopened envelope?
Anything? No - it's just text.
Can a hacker use a form I've created to somehow view the asp
source for my pages, or gain access to the server itself (which
is hosted and not my responsibility, but nevertheless a concern)?


Curiously enough, maybe.

Suppose, for example, you expect one of the values to be numeric, but you
don't bother verifying it. If that value contains a non-numeric string and
you try an operation that requires a number, you could get a run-time ASP
error.

Suppose further that the error occurs in an include file, which you have
conveniently named "myInclude.inc" without bothering to assign asp.dll as an
ISAPI extension for .inc files, and your server is configured to use the
default 500;100 error page.

Lucky you! Your error triggers an error that reads something like this:

Type mismatch error
myInclude.inc
Line 32, character 10

The hacker types the following into his browser...
http://yoursite.com/path/myInclude.inc
...and gets to read your entire include.
Scary? Only if you (a) don't validate your incoming data before using it,
(b) use includes with extensions that are not parsed by asp.dll**, (c) use
no exception handling, and (d) give away the farm on your 500;100 error
page.

**I just avoid the whole mess by using .asp for everything. This caused no
end of confusion for a vendor I was working with once, so I now use
something along the lines of myInclude.js.inc.asp or myInclude.vbs.inc.asp

--
Dave Anderson

Jul 19 '05 #10
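Dave's central claim, that a submitted value is ordinary text that cannot execute anything unless the script itself hands it to Execute or eval(), is easy to demonstrate with the two halves side by side. The block below is an added example and not code from this thread: plain JavaScript under Node, with a hypothetical order form carrying quantity and unit_price fields. The handler that uses eval() is the anti-pattern Dave says most people avoid; the other handler treats the same two strings as data. The hostile request is constructed for the demonstration.

```javascript
// Added example, not code from the thread. Shows why a form value is inert
// unless the script evaluates it. Plain JavaScript under Node; the order
// form with quantity and unit_price fields is hypothetical.

// The anti-pattern: the submitted strings are spliced into an expression and
// handed to eval(). Whatever the client sent now runs with the handler's
// own privileges on the server.
function totalWithEval(form) {
  return eval(form.quantity + " * " + form.unit_price);
}

// The same calculation treating both fields as data: validate against an
// allow-list, then parse, then multiply. Nothing the client sends is ever
// interpreted as code, so there is nothing for a payload to do.
function totalWithoutEval(form) {
  const digits = /^\d{1,6}$/;
  if (!digits.test(form.quantity) || !digits.test(form.unit_price)) {
    return null;   // the ASP page would rebuild the form with an error here
  }
  return Number(form.quantity) * Number(form.unit_price);
}

// Side-effect sink so the demonstration can show whether code actually ran.
globalThis.codeRan = false;
function didCodeRun() {
  return globalThis.codeRan === true;
}

// Constructed requests, not captured traffic. The hostile quantity is an
// expression that flips the flag and then evaluates to 3, so the eval()
// handler even returns the "right" total while running the payload.
const HONEST_ORDER  = { quantity: "3", unit_price: "250" };
const HOSTILE_ORDER = { quantity: "(globalThis.codeRan = true, 3)", unit_price: "250" };

console.log(totalWithoutEval(HONEST_ORDER));   // 750
console.log(totalWithoutEval(HOSTILE_ORDER));  // null, and didCodeRun() is still false
console.log(totalWithEval(HOSTILE_ORDER));     // 750, but didCodeRun() is now true
```

The same distinction carries over to the SQL strings Dave mentions in passing: string concatenation into anything that is later interpreted (an expression, a query, a command line) is the one operation that turns data into code.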
