Wrox Programmer Forums
BOOK: ASP.NET 2.0 Website Programming Problem Design Solution ISBN: 978-0-7645-8464-0
This is the forum to discuss the Wrox book ASP.NET 2.0 Website Programming: Problem - Design - Solution by Marco Bellinaso; ISBN: 9780764584640

You are currently viewing the BOOK: ASP.NET 2.0 Website Programming Problem Design Solution ISBN: 978-0-7645-8464-0 section of the Wrox Programmer to Programmer discussions. This is a community of software programmers and website developers including Wrox book authors and readers. New member registration was closed in 2019. New posts were shut off and the site was archived into this static format as of October 1, 2020. If you require technical support for a Wrox book please contact http://hub.wiley.com
 
Post by kherrerab, October 8th, 2007, 09:42 AM
Hacking TBH website.

I ask these questions not to hack one but to make our sites more secure in case of an attack.

How could this happen?
Is it possible to hack a TBH website?

What security risks does the TBH website have?

 
Post by jimi, October 8th, 2007, 10:09 AM

kherrerab - this is one of my questions too. i've imagined (tho' haven't tried) that it'd be possible to 'flood' post via some automated tool. tho' this wouldn't be hacking as such, it could create a DOS (denial of service) if the action was prolonged enough. to counter this, it would be advisable to cache the sessionid in a hashtable (sessionid, lastactiontime) and whenever a post was made, look up that sessionid and only allow the post if an elapsed time (say 10-15 seconds or whatever was appropriate) had passed; otherwise, give a message page to this effect. this would also prevent double posts at the same time.

as for other 'exploits', i look forward to reading opinions/experiences on this, with suggestions that would 'internally' shore up against any such attacks. at present, i haven't discovered any other weak points.

jimi

http://www.originaltalent.com
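The session-id throttle jimi describes, as an added example (not code from the book, the TBH project, or the poster); it assumes the post handler calls it with Session.SessionID and DateTime.UtcNow, and uses a 15-second gap.

```csharp
using System;
using System.Collections.Generic;

// Added example: per-session post throttle as described in the post above.
// Keys are session ids, values are the time of that session's last accepted post.
// In an ASP.NET page you would call PostThrottle.Allow(Session.SessionID, DateTime.UtcNow)
// before saving the post and show a "please wait" page when it returns false.
public static class PostThrottle
{
    // Minimum gap between two accepted posts from one session (the post suggests 10-15 s).
    public static readonly TimeSpan MinInterval = TimeSpan.FromSeconds(15);

    private static readonly Dictionary<string, DateTime> lastPost = new Dictionary<string, DateTime>();
    private static readonly object sync = new object();

    // Returns true and records the post if enough time has elapsed, false otherwise.
    // Lookup and update happen under one lock, so two requests from the same session
    // arriving at the same instant (a double-click, or a flood tool) cannot both pass.
    public static bool Allow(string sessionId, DateTime now)
    {
        if (string.IsNullOrEmpty(sessionId)) return false;
        lock (sync)
        {
            DateTime last;
            if (lastPost.TryGetValue(sessionId, out last) && now - last < MinInterval)
                return false;              // too soon: caller shows the wait message
            lastPost[sessionId] = now;     // accepted: remember when
            return true;
        }
    }

    // Drop entries older than one interval so the table does not grow without bound;
    // run this from a timer or from the post handler every so often. Returns how many
    // entries were removed.
    public static int Prune(DateTime now)
    {
        lock (sync)
        {
            var stale = new List<string>();
            foreach (var kv in lastPost)
                if (now - kv.Value >= MinInterval) stale.Add(kv.Key);
            foreach (var key in stale) lastPost.Remove(key);
            return stale.Count;
        }
    }
}
```

Because the guard is keyed on the session cookie and lives in one worker process's memory, a flood tool that starts a fresh session for every request is not slowed by it; treat it as the double-post and accidental-flood guard jimi describes and pair it with the captcha and confirmed-email sign-up mentioned in the later posts.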
 
Post by Peter, October 8th, 2007, 02:18 PM

Code-wise, I'd say TBH is pretty secure. SQL injection is not an issue. I'm not sure about XSS, as my knowledge of that isn't really great, but I'll see if the secure code dude at work can give me some info tomorrow.

I've added a Captcha, and insist that people sign up with a valid E-mail address (by sending them a confirmation link). That way, if some people decide to try and floodpost, I can easily get rid of them, and I'll probably implement something to ban IPs as well (I know some of the potential users are buttmunches with no lives).

A DOS attack can easily be identified as such by your hosting provider. DDOS might be more of a problem, but if they have some decent networking guys, they'll just tweak some settings on the routers.

The weakest link is always your (power users). Just make sure you insist they have strong passwords. Most of the hacks nowadays rely either on vulnerabilities in the platform (IIS in our case), and not specifically on the programming code. Though most hacks occur due to foolish users ;)

Peter

http://entropia-online.blogspot.com/
 
Post by kherrerab, October 8th, 2007, 03:02 PM

if you make the ip ban thing maybe you can share it with us.

there is a way for everything, so there must be a security hole in the program. Let's find it before someone else does.

 
Post by jimi, October 10th, 2007, 11:14 AM

take a look at this one (if you haven't seen it already)

http://www.angrypets.com/tools/rdos/

quite a neat non-invasive tool for combating spammers

jimi

http://www.originaltalent.com
 
Post by Peter, October 10th, 2007, 02:26 PM

Well. I have the captcha in place... (Give it a go at my site if you want... If you'd be friendly enough to include the word WROX as a start of your secret question, so I'll be able to recognise you just tested, and aren't a user intending to stick around, that'd be great). The only reason I'm not sharing the code is that Jim hinted Marco will be including Captchas in the next version, and if I'd just post the code here, that'd kind of shoot Marco in the foot.

Other ways to keep things user-friendly would be generating a question that's easy for people to answer. I.e. "How much is a dozen?". "What's the last name of the giant ape called King?", or in the case of (for instance) the opera site, questions about Opera (Who composed Aida?), etc.

By the way, even IP bans won't suffice, I'm afraid. There's always anonymizers, proxies, etc. And if someone is determined enough, they will be able to cause trouble. Unfortunately every single restriction against these dingleberries you implement might potentially hurt real customers. (captchas might be hard for visually impaired people, ip-bans might affect innocent people surfing from the same network, etc).

Peter

http://entropia-online.blogspot.com/