How do I know if my site is secure?

donn_edwards

Well-Known Member
Joined
Aug 17, 2005
Messages
174
A few months ago I asked some volunteers in this forum to "hack" my web site. The results were most encouraging, and I fixed numerous bugs. :erm:

So my question now is this: how do I know if my site is secure? Are there companies in SA (or elsewhere) who can audit the security? Is there a list of known issues with IIS7 or ASP.NET or SQL Server that I can test for? Since this is a Microsoft server there have to be bugs, right? ;)

FWIW, the site is now called http://www.mustang.co.za and I would be most grateful for any feedback on any security holes you might find. It's a shared server, so please don't do anything that would crash the server. But if there is anything you can do with HTTP calls or similar workarounds to display code or edit the data without permission, I would be most grateful for the feedback.

Thanks in advance for any advice or feedback.
Donn
 

Reelix

Senior Member
Joined
Jun 24, 2008
Messages
594
'OR'1''1 has logged in with no editing rights.
Use the "Northwind Data" menu to view the data.


Urmmmm... Ok....

- Edit -

Username: <u>test</u>
Password: 'OR'1'='1

Error:

Oops! The server encountered an error.
We apologise for the frustration caused.
Stand by while we start over


On a side note, the easiest way to test your website is to ask people to test it :)
 

Reelix

Senior Member
Joined
Jun 24, 2008
Messages
594
mybroadbanduser has logged in with no editing rights.
Use the "Northwind Data" menu to view the data.

Seems we can log in as whatever we want, with the "appropriate" password :p


- Edit -

theadmin has logged in with no editing rights.
Use the "Northwind Data" menu to view the data.


Proper usernames (admin) need passwords though :<
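What Reelix's two posts demonstrate is a login query built by string concatenation: the password field is pasted into the SQL text, so the quote in 'OR'1'='1 closes the literal and the OR makes the WHERE clause true for every row. The example below is an added illustration and not the site's code; it uses a constructed in-memory SQLite table (the real schema, table order and ADO.NET/SQL Server plumbing are unknown) and contrasts the concatenated query with a parameterised one, which is the fix regardless of database. Which account the vulnerable version "logs you in" as is simply whichever row the database returns first.

```python
import sqlite3


def make_db():
    """Constructed sample user table; the site's real schema is unknown."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT, password TEXT, can_edit INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("guest", "guest-pw", 0), ("admin", "admin-pw", 1)],
    )
    return conn


def login_concat(conn, username, password):
    """Vulnerable pattern: user input becomes part of the SQL grammar.

    With password 'OR'1'='1 the statement ends in
        AND password = ''OR'1'='1'
    and because AND binds tighter than OR the whole WHERE clause is
    (username = ... AND password = '') OR '1'='1', i.e. true for every row.
    """
    sql = (
        "SELECT username, can_edit FROM users WHERE username = '"
        + username
        + "' AND password = '"
        + password
        + "'"
    )
    return conn.execute(sql).fetchall()


def login_param(conn, username, password):
    """Hardened pattern: placeholders keep the query structure fixed and the
    driver passes the values separately, so 'OR'1'='1 is compared as a
    (wrong) password string rather than parsed as SQL."""
    sql = "SELECT username, can_edit FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


def attempt(login, username, password):
    """Run one login attempt against a fresh table and summarise the outcome.

    Returns None when no row matched, otherwise the account the application
    would treat as logged in (first row) plus how many rows actually matched;
    a count above 1 is the tell-tale sign that the WHERE clause was bypassed.
    """
    rows = login(make_db(), username, password)
    if not rows:
        return None
    name, can_edit = rows[0]
    return {"user": name, "can_edit": bool(can_edit), "rows_matched": len(rows)}


if __name__ == "__main__":
    # The attempt from the thread: arbitrary username, injected password.
    for login in (login_concat, login_param):
        print(login.__name__, attempt(login, "mybroadbanduser", "'OR'1'='1"))
    # A legitimate login still works through the parameterised query.
    print("legit", attempt(login_param, "admin", "admin-pw"))
```

The `rows_matched` count is also a cheap detection hook: a login query that matches more than one row should be logged and rejected rather than trusted, even before the query itself is fixed.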
 

donn_edwards

Well-Known Member
Joined
Aug 17, 2005
Messages
174
Of course the quickest way to find the bugs is to announce you've already found them.

I'm curious why typing "<u>test<u>" into a text field would cause the callback to crash, but it's happening before I strip out the "<" and ">" so I can live with it.
 

FarligOpptreden

Executive Member
Joined
Mar 5, 2007
Messages
5,396
Of course the quickest way to find the bugs is to announce you've already found them.

I'm curious why typing "<u>test<u>" into a text field would cause the callback to crash, but it's happening before I strip out the "<" and ">" so I can live with it.

ASP.NET recognizes the <> as unsafe and "crashes" the request.
 

Reelix

Senior Member
Joined
Jun 24, 2008
Messages
594
Rephrase - My favourite crash that most often crashes ASP.NET related sites, normally showing framework information.
 

donn_edwards

Well-Known Member
Joined
Aug 17, 2005
Messages
174
Rephrase - My favourite crash that most often crashes ASP.NET related sites, normally showing framework information.

OK, thanks.

I finally managed to figure out how to hide the framework info, but can it really be used to hack a site? I've looked at the info and found precious little of any use there. I guess more information means more chance of access, but security through obscurity doesn't amount to much either.

Security is weird. see also
http://www.wilderssecurity.com/showthread.php?p=1538942
for other tips I have been given.

You will also be pleased to know that in deference to this particular test I have created a special redirect file that goes directly to the login page. It's my way of acknowledging the help this forum has provided me.
http://mybroadband.co.za/vb/showthread.php?t=183595
 