asp.net Tutorial
95 followers|3,548 views

Stream

asp.net Tutorial

Instructions

SQL database-driven websites are at risk.
Any web page which passes parameters to a database can be vulnerable to attacks. This includes e-commerce shopping carts or any other website that has a form for login, search, etc. Any SQL database-driven website is at risk of hackers who may be able to enter into the database through a back door. Usually these back doors are present in URL querystrings and form inputs, such as Login forms, Search forms, or other user input textboxes that can communicate with a database.

An overview of hacking.
Generally, a hacker can enter bogus characters into the URL querystring or a textbox. The bogus input is then interpreted as SQL rather than ordinary user data and is executed by the unsuspecting database. As a result, the website may break and display an error, allowing the hacker to glean private information about the database. Even worse, the hacker's hazardous scripts may actually be executed on the database, causing security breaches and/or permanent damage.



How hackers do it.
The first goal of a hacker is to repeatedly try to break a website, causing it to display a variety of valuable errors that give away private database details. In this way, he can gain insight into the structure of the database and ultimately create a map or footprint of all its tables and columns. The second goal of the hacker is to actually manipulate the database by executing scripts in malicious ways. With control over the database, the hacker may possibly steal credit card numbers, erase data or infect it with viruses, among other nasty things. In essence, the URL querystring and textbox are the two backdoors into a database. Getting errors and manipulating the backdoors are the two methods used by hackers to ultimately destroy a database.

Hack your own website.
Let's look at how a hacker might go about breaking into a website. Using the first technique described, he can hack the URL querystring and cause an error to be displayed. You can do a simple test to hack into your own website via the URL querystring. All you have to do is type something else directly into the address bar at the end of your querystring. Type your URL like the following example and press enter:
http://www.mywebsite.com/bookreports.asp?reportID=21
Now simply add a single quote to the end of the querystring and press enter:
http://www.mywebsite.com/bookreports.asp?reportID=21'

Generate an error.
As predicted, you may have successfully broken your website and received an error as follows.
Error Type:
Microsoft OLE DB Provider for ODBC Drivers (0x80040E14)
[Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark before the character string ' AND users.userID=reports.reportsID'.
/bookreports.asp, line 20
The single quote causes an unclosed quotation mark error, and now the once-secret table names and column names of your database are publicly visible. After generating a series of these kinds of valuable errors, a hacker can piece together private database details which will ultimately help him break into and wreak havoc on the database.

Hide website errors.
The most effective solution for keeping the private details of your database from getting into the hands of a hacker is to set up a custom error page for your website. This way, a hacker will never see any detailed error messages. If you do nothing else, this is the number one thing that every website must have. Otherwise, you are giving the hacker an open invitation into your database and practically offering him all the information he needs to launch an attack.

Set up custom error pages.
Some hosting services automatically use custom error pages to help protect your security. To set up your own custom error page, you will need to consult your web host for instructions. Generally, you will create a new HTML page to look the way you please and that says something short and sweet, like 'Sorry, the page you have requested is unavailable.' Then save it as error404.htm and upload it to your server. Following the instructions from your host, you will change the website settings to point to the new error page. This will stop many hackers right in their tracks.

Manipulate the URL querystring.
Besides fishing for errors, a hacker can enter even more dangerous code than a simple single quote into the URL querystring. In an effort to execute malicious scripts on a database, a variety of creative coding is employed, such as %20HAVING%201=1 or maybe %20;shutdown with no wait-- or much worse. Once the hacker is able to execute scripts, the vulnerable database is like putty in their hands. The hacker never has to know the database login or connection string because he is using the URL querystring which already has an open connection.
Warning: Test this on your own website only if you really want to erase a table in your database. Simply enter the following text after the end of your URL querystring and press enter. Be sure to use the real name of one of your tables (preferably a test table!) in place of myTablename.
http://www.mywebsite.com/bookreports.asp?reportID=21'; drop table myTablename--
Your table is permanently deleted.

Manipulate the form input.
The other most common point of entry besides the URL querystring is the form input. A hacker may manipulate any textbox within an HTML form. A search box or a login form with username and password fields are all prime targets. The hacker can enter bogus characters into the textbox and submit the form. The input is then interpreted as SQL rather than ordinary user data and executed by the database. Again, this attack will either cause an error so he can glean private information about your database, or it may actually insert hazardous scripts and wreak havoc on the database.
Warning: Test this on your own website only if you really want to erase a table in your database. Simply enter the following text into your textbox (say, a search box or username box) and then submit the form. Be sure to use the real name of one of your tables (preferably a test table!) in place of myTablename.
fred'; drop table myTablename--
Your table is permanently deleted.

Block input containing malicious code.
By now, you probably have a good idea of how much damage a hacker can do and you are ready and willing to do whatever it takes to stop them. The number one way to block a hacker from manipulating the URL querystring and textboxes is to block their input. But, how do you determine who they are, what they will input and whether or not it is safe? Unfortunately, you cannot know. So, you must assume that all user input could be potentially dangerous. A common saying in the programming world is that ALL INPUT IS EVIL. Thus, it must be treated with caution. Everything from everybody should be checked every time to ensure dangerous code does not slip in. This is accomplished by checking all input that is submitted via a querystring or form and then rejecting or removing unsafe characters before it ever reaches the database. If this sounds like a lot of trouble, you are right. But, it is the price we pay to protect our websites and databases from the wrath of hackers. It is your responsibility as the webmaster to ensure that only clean, safe input is allowed to enter your database.

Input validation.
To check if the input entered into the URL querystring or textbox is safe, we can use input validation rules. In other words, ASP code on a web page can validate the input collected from the querystring or form to make sure it contains only safe characters. Once the input is deemed safe, it can be stored in a new variable, inserted into the SQL string and sent to the database. For more details about validation, see my companion article in the resources section or at http://www.ehow.com/how_4434953_block-hackers-asp-validation.html .

The wash and rinse cycle.
Input validation should be a two-part process, like a wash and rinse cycle. We want to thoroughly clean all input by first checking for safe characters and second by checking for bad strings. See the resources at the end of this article for a more in-depth discussion on this method. The code for the good character function and the bad string function can be found in my companion article in the resources section or at http://www.ehow.com/how_4434953_block-hackers-asp-validation.html .

Filter characters.
Another method that can be used in conjunction with the above two functions, but is considered to be very weak when used alone, is to sanitize the input by filtering or escaping. A well-known threat is the single quote or apostrophe because it breaks the SQL statement. Following is an ASP example that renders the single quote harmless, by replacing it with two single quotes.
'double up single quotes
newSafeString = replace(searchInput, "'", "''")
Other variations for the replace function include stripping out the script tag and replacing it with a space. Or, filter out characters such as the dollar sign $, quotation mark ", semi-colon ;, apostrophe ', the left and right angle brackets < >, the left and right parentheses ( ), the pound sign # and the ampersand &. Or convert these characters to their HTML entities. Remember to use a solution that best fits your website or consult a professional.

Finally, there are a few other security measures that you can research and explore on your own. Remember that a hacker can easily save a copy of your webpage, then modify the HTML and javascript, then re-upload the page. Therefore, it is best to never use javascript alone for input validation since it can easily be removed, and instead duplicate any javascript validation with ASP validation. Also, hidden input fields are a threat in the same way since they can easily be altered to include bogus code. Other tips include: Never give away any clues about your database, including making your input field names the same as the database field names. Always set a max length for inputs and truncate the excess.

If you would like to pursue more advanced security techniques, please see the resources at the end of this article. Topics discussed include password policies, buffer overrun, creative table and column names, table name aliases, set and check data types, .bak files, stored procedures with parameters, and log files.


Tips & Warnings
As always, please remember that databases can be highly vulnerable to hackers. The number and frequency of SQL injection attacks and XSS (cross-site scripting) attacks are on the rise. So please ensure you have set up custom error pages and use server-side input validation like ASP as a precaution to ensure database security.
Read more: How to Protect Your Website from Hacker Attacks | eHow.com http://www.ehow.com/how_4434719_protect-website-hacker-attacks.html#ixzz1vmbjQaWH
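Added example, not code from the article or from eHow: the same advice written for ASP.NET in C#, which is what this profile covers. It pairs the article's vulnerable string-concatenation pattern with a hardened version that applies the two-pass "wash and rinse" check and then binds the values as typed ADO.NET parameters (parameters go beyond the article's replace-based escaping). The reports table, its columns and the search-term field are assumed for illustration.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Text.RegularExpressions;

public static class ReportSearch
{
    // Wash: letters, digits and spaces only, 1-50 characters. The quote, ";",
    // "--" and angle brackets the article warns about cannot pass this test.
    static readonly Regex SafeSearchChars = new Regex(@"^[A-Za-z0-9 ]{1,50}$");

    // Rinse: keyword fragments that survive the character test but have no
    // business in a search term ("shutdown" is one of the article's examples).
    static readonly string[] BadStrings = { "drop table", "shutdown", "union select" };

    public static bool IsSafeSearchTerm(string input)
    {
        if (string.IsNullOrEmpty(input) || !SafeSearchChars.IsMatch(input))
            return false;
        foreach (string bad in BadStrings)
            if (input.IndexOf(bad, StringComparison.OrdinalIgnoreCase) >= 0)
                return false;
        return true;
    }

    // VULNERABLE (the pattern the article attacks): the querystring value becomes
    // part of the SQL text, so "21'" breaks the statement and leaks table names
    // in the error, and "21'; drop table ..." runs as a second statement.
    public static string BuildUnsafeSql(string reportId, string term)
    {
        return "SELECT title FROM reports WHERE reportID = " + reportId
             + " AND title LIKE '%" + term + "%'";
    }

    // HARDENED: check the data type of reportID, validate the free-text term,
    // then bind both as typed parameters; SQL Server never sees them as SQL text.
    public static SqlCommand BuildSafeCommand(SqlConnection conn, string reportId, string term)
    {
        int id;
        if (!int.TryParse(reportId, out id) || id <= 0 || !IsSafeSearchTerm(term))
            throw new ArgumentException("Invalid request"); // generic text; details belong in the log, not the page

        var cmd = new SqlCommand(
            "SELECT title FROM reports WHERE reportID = @id AND title LIKE @pattern", conn);
        cmd.Parameters.Add("@id", SqlDbType.Int).Value = id;
        cmd.Parameters.Add("@pattern", SqlDbType.NVarChar, 52).Value = "%" + term + "%";
        return cmd;
    }
}
```

The article's custom-error-page advice maps to `<customErrors mode="RemoteOnly" defaultRedirect="~/error.htm" />` in web.config, so the ODBC error text shown above is never sent to a remote browser.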

asp.net Tutorial

Yikes. Venice is still sinking (if slowly.)

asp.net Tutorial

Comment from Sumit Khera:
Sir, I want a lecture session on the timeout property through the web.config file in ASP.NET. I mean I want to automatically sign out my page.

asp.net Tutorial

Google is trying to win over some new developers with the new +Google+ Developers page.

asp.net Tutorial

What says "I love you" more than a networking/storage device? +Dong Ngo has 5 gift ideas for that special someone.

asp.net Tutorial

Need to format an external drive that's compatible with both Windows and Mac? Here are your options.

asp.net Tutorial

Nomophobia (n): The fear of being without cell phone contact. Do you have it?

asp.net Tutorial

——————————————————————————————

HUD Google Glasses are Real and They are Coming Soon

They are in the late prototype stages of wearable glasses that look similar to the thick-rimmed glasses that “normal people” wear. However, these provide a display with a heads-up computer interface. There are a few buttons on the arms of the glasses. It has a transparent LCD or AMOLED display. According to the source, it communicates directly with the Cloud over IP. The “GG” could use a phone’s Internet connection, Wi-Fi or Bluetooth 4.0. A user can walk around with information popping up into the display "Terminator-style" based on preferences, location (GPS) and Google’s information. GG looks something like Oakley Thumps (below).

www.9to5google.com goo.gl/CZhTY
Terminator view

——————————————————————————————

asp.net Tutorial

Learn the Basics of ASP.NET here

asp.net Tutorial

Dynamically Changing MasterPage

In real time we may come across a scenario where, depending on the particular group of users, we need to show different layout, colors, themes, functionalities and so on. To achieve this there are various ways: maintain the settings for each user in a table, maintain cookies and so on. In .NET the best way to achieve this is to change the master page dynamically, where the master pages will have different layout, different look and feel for different users. This we can achieve by following the below mentioned steps.
1. All the web pages will be inherited from the System.Web.UI.Page base class.
2. In the page directive we have a property to set the master page file.
3. Once we attach any master page to any child, first all the controls of the master page are instantiated, then the child page controls are instantiated.
4. If we want to apply the master page in the code-behind file, the page’s master page property needs to be applied in the OnPreInit method only.
5. After instantiating controls, the child page load will be called first, then the master page will be loaded.
To change the master page dynamically we need to follow the below mentioned process/method:
1. Create one separate class file as public, which will inherit the System.Web.UI.Page base class.
2. Override the Page base class method OnPreInit(); in this method set the master page property of the page, giving the name of the master page file which you want to apply.
3. At the end of the OnPreInit() method call the base class OnPreInit method.
4. Inherit the newly created class in all of your web pages.
5. To provide the custom master page, we may use cookies, sessions or the values stored in the database; it depends on how we want to manage the customization.
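Added example, not code from the post above: a C# base page that carries out the post's steps (inherit System.Web.UI.Page, override OnPreInit, set MasterPageFile, call the base method last, inherit the class in every page). The cookie name "layout", the master page file names and the BookReports page are assumptions for illustration; the allow-list is added so a tampered cookie cannot name an arbitrary file.

```csharp
using System;
using System.Web;
using System.Web.UI;

// Base page that selects the master page in OnPreInit (steps 1-3 of the post).
public class DynamicMasterPage : Page
{
    // Allow-list of master pages this site actually ships. Resolving through it
    // means a tampered cookie or session value cannot point at an arbitrary file.
    static readonly string[] KnownLayouts = { "Default", "Admin", "Mobile" };

    protected override void OnPreInit(EventArgs e)
    {
        // Step 5: the choice may come from a cookie, Session or the database.
        // A cookie named "layout" is assumed here; Session["layout"] works the same way.
        HttpCookie cookie = Request.Cookies["layout"];
        string requested = cookie != null ? cookie.Value : "Default";

        // Step 2: MasterPageFile can only be set this early, before controls exist.
        MasterPageFile = ResolveMasterPageFile(requested);

        // Step 3: call the base implementation at the end.
        base.OnPreInit(e);
    }

    // Maps a requested layout name to a master page path, falling back to Default.
    public static string ResolveMasterPageFile(string requested)
    {
        foreach (string known in KnownLayouts)
            if (string.Equals(known, requested, StringComparison.OrdinalIgnoreCase))
                return "~/MasterPages/" + known + ".master";
        return "~/MasterPages/Default.master";
    }
}

// Step 4: content pages inherit the base class instead of System.Web.UI.Page.
public partial class BookReports : DynamicMasterPage
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // Normal page logic; the master page was already chosen in OnPreInit,
        // so Master and Master.FindControl(...) refer to the selected layout.
    }
}
```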