This is How They will Hack Your Web Site

23 בדצמבר 2006

9 תגובות

Forget Google Hacking, introducing Live Search Hacking.

First They will Download MSN Search SDK which includes sample app that looks like this:

They will also get the MSN search ID here

Then They will add some more functionality that will enable them to:

1. Directly navigate to the matching URL

2. Directly navigate to the matching URL while injecting, say, single quote – this should generate errors and hopefully expose implementation details that will help them further attack you

3. Do bullet 2 in batch so They can start it before They go to sleep and in the morning They will have all error pages cached for offline investigation

Like this:

 How to get protected?

The whole story is here and called Security Engineering

Specifically for our case, input validation and exception handling best practices are your friends at Security Guidelines: ASP.NET 2.0

Cheers

הוסף תגובה
facebook linkedin twitter email

להגיב על jon לבטל

האימייל לא יוצג באתר. שדות החובה מסומנים *

9 תגובות

  1. Mani24 בדצמבר 2006 ב 5:44

    Dude! you are using word hack as cracking or injecting but I think the meaning of the word hack in "Google hacks" is completely different, did you ever read : How to become hacker ? http://catb.org/~esr/faqs/hacker-howto.html

    hackers build things, crackers break them.

    הגב
  2. alikl24 בדצמבר 2006 ב 9:31

    Mani, so you say you do not need to do Exception Handling properly?
    All I wanted to point here is that he who does not do proper exception handling will be descovered soon and then hacked
    Makes sense?

    הגב
  3. Jay Flowers25 בדצמבר 2006 ב 0:44

    Alikl,
    You missed Mani's point. He had nothing to say about the content. His point was in you association of it to the book Google Hacks and to the word hack in general. You should consider his point. It is a good one. Your misuse of them degrades you main point.

    הגב
  4. alikl25 בדצמבר 2006 ב 6:44

    Jay, although I am not convinced about the misuse I can accept your and Mani's point. The major point was to show immplication of not implementing proper exception handling rather teach "how to hack using Google Hacking". To me it is semantics which of less importance. Hackers, spammers, crackers, cyber criminals – call it what ever you want. I turn to developers – "folks, do proper exception handling, ….please. You build applications that manage my bank account"

    הגב
  5. Mani29 בדצמבר 2006 ב 20:43

    aliki, We got the point. I am doing Exception Handling and parameter checking in my code to prevent injection. I am a ASP.net developer. from ASP.net and sql server points of view, we just need to use sql parameters in our code, and set value of CustomErrors in web.config Off, to avoid injection.

    הגב
  6. alikl29 בדצמבר 2006 ב 21:27

    🙂 I guess you meant . It is a good start. The whole story is here http://msdn.com/SecurityEngineering

    Enjoy

    הגב
  7. jon25 בינואר 2007 ב 22:09

    Interesting stuff on Web Site Hacking. I was searching online on Google on how to penetrate different websites. Is it possible to crack open Google, and modify other links on Search Engine Listings.

    regards
    jon
    http://www.seohawk.com

    הגב
  8. alikl26 בינואר 2007 ב 0:29

    Jon, this blog is about how to defend and not how to hack. Would love to comment accordingly
    thanks
    alik
    P.S. this blog is not popular that much so i do not think it will bring your site too much traffic 😉

    הגב
  9. SEO Hawk22 במאי 2007 ב 0:40

    Is there some online website on how to secure your website network?

    http://www.seohawk.com

    הגב