This is How They will Hack Your Web Site - Alik Levin

Alik Levin

The world of a Microsoft consultant

This is How They will Hack Your Web Site

Forget Google Hacking, introducing Live Search Hacking.

First, They will download the MSN Search SDK, which includes a sample app that looks like this:

They will also get the MSN search ID here

Then They will add some more functionality that will enable Them to:

1. Directly navigate to the matching URL

2. Directly navigate to the matching URL while injecting, say, a single quote. This should generate errors and hopefully expose implementation details that will help Them further attack you.

3. Do step 2 in batch, so They can start it before going to sleep and, in the morning, have all the error pages cached for offline investigation.

Like this:

How to get protected?

The whole story is here, and it is called Security Engineering.

Specifically for our case, the input validation and exception handling best practices in Security Guidelines: ASP.NET 2.0 are your friends.
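One way to apply the exception handling advice above, assuming ASP.NET 2.0 and a web.config whose customErrors element is set to mode="On" with defaultRedirect="GenericError.htm" (the setting discussed in the comments): an added Global.asax.cs example, not code from the original post, that records the full exception on the server and returns only a generic page to the client. The log path and the GenericError.htm page name are assumptions.

```csharp
// Global.asax.cs (added example). Assumes web.config carries
//   <customErrors mode="On" defaultRedirect="GenericError.htm" />
// so the detailed ASP.NET error page is never rendered to remote clients
// (mode="Off" sends the stack trace to everyone; RemoteOnly hides it
// only from remote callers and still shows it locally).
using System;
using System.IO;
using System.Web;

public class Global : HttpApplication
{
    // Hypothetical server-side log location, outside the web root so it is
    // not reachable through a URL.
    private const string LogPath = @"C:\Logs\app-errors.log";

    protected void Application_Error(object sender, EventArgs e)
    {
        Exception ex = Server.GetLastError();
        if (ex == null) return;

        // ASP.NET wraps the page's real exception in HttpUnhandledException.
        if (ex is HttpUnhandledException && ex.InnerException != null)
            ex = ex.InnerException;

        // Keep the details for the defender: type, message, stack trace and
        // the raw URL, so a batch of single-quote probes is visible in the log.
        string entry = string.Format("{0:u} {1} {2} {3}{4}{5}{4}",
            DateTime.UtcNow,
            Request.UserHostAddress,
            Request.HttpMethod,
            Request.RawUrl,
            Environment.NewLine,
            ex);
        try { File.AppendAllText(LogPath, entry); }
        catch (IOException) { /* a logging failure must not become a second unhandled error */ }

        // Drop the error so ASP.NET does not render its own detailed page,
        // then send the generic page: the client learns only that the request failed.
        Server.ClearError();
        Response.Clear();
        Response.Redirect("~/GenericError.htm", false);
        CompleteRequest();
    }
}
```

A quick check from a machine other than the web server is to request a page with a single quote in a query string parameter: only GenericError.htm should come back, and a new line with the exception details should appear in the log.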

Cheers

Comments

ISerializable - Roy Osherove's Blog wrote:

Forget Google Hacks, Try Live Hacks :) Alik is a security guy, and he knows what he's talking about.

# December 23, 2006 11:23 PM

Mani wrote:

Dude! You are using the word hack as cracking or injecting, but I think the meaning of the word hack in "Google hacks" is completely different. Did you ever read: How to become a hacker? http://catb.org/~esr/faqs/hacker-howto.html Hackers build things, crackers break them.

# December 24, 2006 5:44 AM

alikl wrote:

Mani, so you say you do not need to do Exception Handling properly?

All I wanted to point out here is that he who does not do proper exception handling will be discovered soon and then hacked.

Makes sense?

# December 24, 2006 9:31 AM

Jay Flowers wrote:

Alikl, you missed Mani's point. He had nothing to say about the content. His point was in your association of it to the book Google Hacks and to the word hack in general. You should consider his point. It is a good one. Your misuse of them degrades your main point.

# December 25, 2006 12:44 AM

alikl wrote:

Jay, although I am not convinced about the misuse, I can accept your and Mani's point. The major point was to show the implication of not implementing proper exception handling rather than to teach "how to hack using Google Hacking". To me it is semantics, which is of less importance. Hackers, spammers, crackers, cyber criminals - call it whatever you want. I turn to developers - "folks, do proper exception handling, ....please. You build applications that manage my bank account"

# December 25, 2006 6:44 AM

Mani wrote:

alikl, we got the point. I am doing exception handling and parameter checking in my code to prevent injection. I am an ASP.NET developer. From the ASP.NET and SQL Server points of view, we just need to use SQL parameters in our code, and set the value of CustomErrors in web.config to Off, to avoid injection.

# December 29, 2006 8:43 PM

alikl wrote:

:) I guess you meant <customErrors defaultRedirect="GenericError.htm" mode="On">. It is a good start. The whole story is here http://msdn.com/SecurityEngineering

Enjoy

# December 29, 2006 9:27 PM

alik levin's wrote:

In ASP.NET we have our beloved global.asax with its Application_Error to trap all the unhandled errors

# January 2, 2007 2:33 PM

jon wrote:

Interesting stuff on Web Site Hacking. I was searching online on Google on how to penetrate different websites. Is it possible to crack open Google, and modify other links on Search Engine Listings? Regards, jon http://www.seohawk.com

# January 25, 2007 10:09 PM

alikl wrote:

Jon, this blog is about how to defend and not how to hack. Would love to comment accordingly.

thanks

alik

P.S. This blog is not that popular, so I do not think it will bring your site too much traffic ;)

# January 26, 2007 12:29 AM

Practicing Software Engineering in the Field wrote:

It is not hacking Google but using Google to hack others Got practical guide? - Sure: Got some tooling?

# March 6, 2007 9:35 AM

RSS It All wrote:

It is not hacking Google but using Google to hack others Got practical guide? - Sure: Got some tooling

# March 6, 2007 11:19 AM

alik levin's wrote:

I've used a bit of a dirty technique to promote Exception Handling as a security countermeasure: This is How

# April 15, 2007 10:46 PM

Be Geek My Friend wrote:

Today in interesting things: Install IE on Ubuntu, Improve the performance of Outlook 2007, Another generator

# April 16, 2007 8:49 AM

SEO Hawk wrote:

Is there some online website on how to secure your website network?

http://www.seohawk.com

# May 22, 2007 12:40 AM

alik levin's wrote:

This session discusses common coding anti-patterns which usually lead to security vulnerabilities. Come

# September 2, 2007 10:55 PM

Noticias externas wrote:

This session discusses common coding anti-patterns which usually lead to security vulnerabilities. Come

# September 2, 2007 11:16 PM