How do I know if my site is secure?

D

donn_edwards

Well-Known Member
Joined
Aug 17, 2005
Messages
173
Reaction score
1
Location
Cresta, Johannesburg
A few months ago I asked some volunteers in this forum to "hack" my web site. The results were most encouraging, and I fixed numerous bugs. :erm:

So my question ow is this: how do I know if my site is secure? Are there companies in SA (or elsewhere) who can audit the security? Is there a list of known issues with IIS7 or ASP.NET or SQL Server that I can test for? Since this is a Microsoft server there have to be bugs, right? ;)

FWIW, the site is now called http://www.mustang.co.za and I would be most grateful for any feedback on any security holes you might find. It's a shared server, so please don't do anything that would crash the server. But if there is anything you can do with HTTP calls or similar workarounds to display code or edit the data without permission, I would be most grateful for the feedback.

Thanks in advance for any advice or feedback.
Donn
 
'OR'1''1 has logged in with no editing rights.
Use the "Northwind Data" menu to view the data.


Urmmmm... Ok....

- Edit -

Username: <u>test</u>
Password: 'OR'1'='1

Error:

Oops! The server encountered an error.
We apologise for the frustration caused.
Stand by while we start over


On a side note, the easiest way to test your website is to ask people to test it :)
 
Last edited:
mybroadbanduser has logged in with no editing rights.
Use the "Northwind Data" menu to view the data.

Seems we can log in as whatever we want, with the "appropriate" password :p


- Edit -

theadmin has logged in with no editing rights.
Use the "Northwind Data" menu to view the data.


Proper usernames (admin) need passwords though :<
 
Of course the quickest way to find the bugs is to announce you've already found them.

I'm curious why typing "<u>test<u>" into a text field would cause the callback to crash, but it's happening before I strip out the "<" and ">" so I can live with it.
 
donn_edwards said:
Of course the quickest way to find the bugs is to announce you've already found them.

I'm curious why typing "<u>test<u>" into a text field would cause the callback to crash, but it's happening before I strip out the "<" and ">" so I can live with it.
Click to expand...

ASP.NET recognizes the <> as unsafe and "crashes" the request.
 
Reelix said:
Rephrase - My favourite crash that most often crashes ASP.NET related sites, normally showing framework information.
Click to expand...

OK, thanks.

I finally managed to figure out how to hide the framework info, but can it really be used to hack a site? I've looked at the info and found precious little of any use there. I guess more information means more chance of access, but security through obscurity doesn't amount to much either.

Security is weird. see also
http://www.wilderssecurity.com/showthread.php?p=1538942
for other tips I have been given.

http://www.mustang.co.za/.aspx
Click to expand...
You will also be pleased to know that in deference to this particular test I have created a special redirect file that goes directly to the login page. It's my way of acknowleding the help this forum has provided me.
http://mybroadband.co.za/vb/showthread.php?t=183595
 
Last edited:
You must log in or register to reply here.
Back
Top
Sign up to the MyBroadband newsletter
X