Help protect my website

Discussion in 'C#' started by www.azvina.com, Apr 27, 2007.

  1. #1
    Hi,

    I am using ASP to design my website, so what should I do to protect my website from hackers? Could you give me some advice on this issue?

    Thanks,
    Azvina
     
    www.azvina.com, Apr 27, 2007 IP
  2. ccoonen

    ccoonen Well-Known Member

    Messages:
    1,606
    Likes Received:
    71
    Best Answers:
    0
    Trophy Points:
    160
    #2
    Well, first of all, protect against SQL injection (protect all your fields before SQL insertion), e.g. remove ticks and bad chars; it depends on the DB.

    Also, protect against email form hijackers - they use your email or contact forms to send their own emails. To protect against this, prior to sending the email, check for any text that looks like email headers, such as "multi-type" or To:, From:, etc...
     
    ccoonen, Apr 27, 2007 IP
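    The header-injection check ccoonen describes, as an added example that is not code from this thread. It is written in Python (an assumed stand-in for the ASP mail code; the field names, the destination mailbox and the form values are constructed for the example). The point it shows is that the dangerous characters are the carriage return and line feed, since a newline inside a Subject or From value is what lets a visitor append extra header lines such as Bcc:, and that the To: address should be fixed on the server rather than taken from the form at all.

```python
import re
from email.message import EmailMessage

# Form fields that end up in mail headers; the message body is free-form.
HEADER_FIELDS = ("name", "email", "subject")
SITE_MAILBOX = "contact@example.com"  # placeholder destination, never taken from the form

CRLF = re.compile(r"[\r\n]")
# Deliberately simple address shape: one '@', no whitespace, no header separators.
SIMPLE_ADDR = re.compile(r"^[^@\s<>,;]+@[^@\s<>,;]+\.[^@\s<>,;]+$")


def find_header_injection(form):
    """Return the names of form fields that are unsafe to put in a mail header."""
    bad = []
    for field in HEADER_FIELDS:
        value = form.get(field, "")
        if CRLF.search(value):
            # A line break would start a new header line (e.g. "Bcc: ...").
            bad.append(field)
        elif field == "email" and not SIMPLE_ADDR.match(value):
            bad.append(field)
    return bad


def build_contact_mail(form):
    """Build the outgoing message only after the header fields have been checked."""
    rejected = find_header_injection(form)
    if rejected:
        raise ValueError("rejected contact form fields: " + ", ".join(rejected))
    msg = EmailMessage()
    msg["To"] = SITE_MAILBOX           # fixed server-side
    msg["From"] = SITE_MAILBOX         # send as the site, reply to the visitor
    msg["Reply-To"] = form["email"]
    msg["Subject"] = "[Contact] " + form["subject"]
    # The visitor's name and text go in the body, where line breaks are harmless.
    msg.set_content("From: %s\n\n%s" % (form["name"], form.get("message", "")))
    return msg


if __name__ == "__main__":
    # Constructed sample submissions.
    clean = {"name": "Visitor", "email": "visitor@example.org",
             "subject": "Tour question", "message": "Hello\nsecond line"}
    spoofed = dict(clean, subject="Tour question\r\nBcc: everyone@example.net")
    print(find_header_injection(clean))    # []
    print(find_header_injection(spoofed))  # ['subject']
    print(build_contact_mail(clean))
```

    Rejecting the submission outright is preferable to stripping the newlines, because a silently "cleaned" value hides the fact that someone is probing the form.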
  3. WebGyver

    WebGyver Guest

    Messages:
    35
    Likes Received:
    0
    Best Answers:
    0
    Trophy Points:
    0
    #3
    When you're done making sure that all the potential database input has been "sanitized" before you actually store it in your database, take a moment to safeguard against "form spoofers" and cross-site-scripting (HTML and JavaScript, for example).

    To watch out for "form spoofers" I would use TamperData (a free and very easy-to-use extension for Firefox). Turning TamperData on when you're on your web site allows you to see what information gets posted by forms. You could then intercept and manipulate the data (just like anyone else out there can) and potentially damage your database (unless you use something like Stored Procedures).

    And then there is cross-site-scripting. Again, as mentioned previously by ccoonen, if you clean the end-user input for SQL Injection, you might as well take an additional step and watch out for embedded JavaScript. Some people could ultimately mess up your web site. If that is news to you, check out some very good basic information at: en.wikipedia.org/wiki/Cross_site_scripting

    Was there anything specific you wanted to protect on your web site? Or were you just interested in some general information?

    For what it's worth!
     
    WebGyver, Apr 27, 2007 IP
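    The two defences WebGyver recommends, as an added example that is not code from this thread. It is Python standing in for the ASP page (an assumption; the catalogue of tours and prices, the form field names and the sample values are constructed for the example). For cross-site scripting the reliable measure is to HTML-encode user text at the point where it is written into the page, so that tags and script end up displayed rather than executed; for "form spoofers" the server recomputes anything that matters (here the price) from its own data instead of trusting a posted value, and range-checks the rest.

```python
import html

# Constructed server-side catalogue: the authoritative prices live here, not in the form.
CATALOGUE = {"city-tour": 45.00, "river-cruise": 80.00}


def render_comment(author, text):
    """Encode untrusted text on output so any markup in it is shown, not run."""
    # html.escape also encodes quotes, so the text is safe inside attributes too.
    return "<p><b>%s</b>: %s</p>" % (html.escape(author), html.escape(text))


def validate_order(form):
    """Ignore any posted price; recompute the total from the server-side catalogue."""
    tour = form.get("tour", "")
    if tour not in CATALOGUE:
        raise ValueError("unknown tour")
    try:
        qty = int(form.get("qty", ""))
    except ValueError:
        raise ValueError("quantity must be a whole number")
    if not 1 <= qty <= 10:
        raise ValueError("quantity out of range")
    # A posted "price" or "total" field is simply never read.
    return {"tour": tour, "qty": qty, "total": round(CATALOGUE[tour] * qty, 2)}


if __name__ == "__main__":
    print(render_comment("Bob", "<script>alert(1)</script>"))
    print(validate_order({"tour": "city-tour", "qty": "2", "total": "0.01"}))
    for bad in ({"tour": "city-tour", "qty": "-1"}, {"tour": "free-trip", "qty": "1"}):
        try:
            validate_order(bad)
        except ValueError as e:
            print("rejected:", e)
```

    Encoding on output, rather than stripping "bad" characters on input, keeps the stored data intact and works regardless of which form the text came in through.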
  4. www.azvina.com

    www.azvina.com Guest

    Messages:
    49
    Likes Received:
    1
    Best Answers:
    0
    Trophy Points:
    0
    #4
    Thanks all for your helpful and worthwhile information. I want to protect my database and all information, but the most important thing I want to protect against is what I heard: that some hackers can destroy your website and take it down. How can they do that, and how do I prevent my website from being destroyed?

    I am using Access, not SQL, so I do not know about SQL injection. What should I do with Access?

    I am using IE, so I think that I cannot use TamperData to watch out for "form spoofers". What software should I use, and have you ever experienced that?

    Thanks for your kind help!
    Azvina
     
    www.azvina.com, Apr 27, 2007 IP
  5. ccoonen

    ccoonen Well-Known Member

    Messages:
    1,606
    Likes Received:
    71
    Best Answers:
    0
    Trophy Points:
    160
    #5
    Generally they will attack your site via DDoS (sending large ping packets from a massive number of computers) - eventually, your server will either die or open up for attackers... how to prevent it?... I wish I knew.
     
    ccoonen, Apr 27, 2007 IP
  6. www.azvina.com

    www.azvina.com Guest

    Messages:
    49
    Likes Received:
    1
    Best Answers:
    0
    Trophy Points:
    0
    #6
    So can my server recover when they stop sending them? How about my database and other information?
    I wish you knew how to prevent it.

    Thanks,
    Azvina
     
    www.azvina.com, Apr 28, 2007 IP
  7. WebGyver

    WebGyver Guest

    Messages:
    35
    Likes Received:
    0
    Best Answers:
    0
    Trophy Points:
    0
    #7
    >>I am using Access, not SQL so I do not know
    >>SQL injection. What should I do with Access?

    Check out this page for helpful information on SQL injection for MS Access:
    seclists.org/pen-test/2003/May/0074.html

    >>I am using IE so I think that I cannot use
    >>TamperData to watch out for "Form spoofers",
    >>what software should I use and have you ever
    >>experienced that?

    Well, why don't you download Firefox? It's free. By the way, you want to have at least two different browsers anyway (more would be better) to test your web site.

    If you're absolutely set on using IE only (IE6 or IE7?), there is a similar tool available, called Fiddler: fiddlertool.com/fiddler/

    >>So can my server recover when they stop sending them?

    As far as receiving denial of service (DoS) attacks, yes, once the malicious hacker stops sending them (and once the queue has been cleared), you should be good to go again.

    There are some web hosting firms that can help you defend against DoS, but you will have to check around and see which ones do and whether or not the rest of their services (and their price) work for you.

    Finally, I just want to mention that it's really not so bad out there. Sure, if you have important information (such as credit card numbers or social security numbers), all kinds of people will try to hack into your web site. However, if you don't have information that's worth stealing, then the risk of getting hacked — just for the sake of hacking — is much, much lower.

    Best of luck with everything!
     
    WebGyver, Apr 28, 2007 IP
  8. www.azvina.com

    www.azvina.com Guest

    Messages:
    49
    Likes Received:
    1
    Best Answers:
    0
    Trophy Points:
    0
    #8
    Thank you so much for your wonderful advice.
    Could you tell me what I should do with all the code from seclists.org/pen-test/2003/May/0074.html? I do not know what I have to do with it.

    I have just downloaded Fiddler and I will try it soon. I will also download Firefox to check my website.

    About my website, there is no credit card information and no social security numbers, as it is about travel information, but I still worry because if someone takes it down, it will not be good for me or for users, so I should be careful.

    Also, I am using web hosting from GoDaddy, so do you think that they can help me defend against DoS?

    Once again, thank you so much for your kind help.

    Have a nice weekend!
    Azvina
     
    www.azvina.com, Apr 28, 2007 IP
  9. WebGyver

    WebGyver Guest

    Messages:
    35
    Likes Received:
    0
    Best Answers:
    0
    Trophy Points:
    0
    #9
    >>Could you tell me what do I do with all codes from
    >>seclists.org/pen-test/2003/May/0074.html ? I do
    >>not know what I have to do with them.

    1. Those examples are basically there to help you test your web application (or web site) and to see whether inserting any of those commands would a) succeed and b) cause damage to your web server.

    2. If you don't know what those commands mean, or what they will do, please do not use them. Hire a security tester or Google around for "MS Access injection example OR tutorial" until you know what to do.

    You'll probably get a lot more accomplished a lot quicker if you pick up the phone and call your web hosting provider. They can answer all kinds of questions about security and will be able to tell you what you need to know.

    Best of luck with everything.
     
    WebGyver, May 1, 2007 IP
  10. MasterOfLogic

    MasterOfLogic Well-Known Member

    Messages:
    217
    Likes Received:
    2
    Best Answers:
    0
    Trophy Points:
    103
    #10
    Anywhere that you use textbox input from users in a SQL statement, be sure to validate the input for SQL injection attacks.

    string safeText = TextBox1.Text.Replace("'", "''"); // double any single quote before it goes into the SQL string

    Doing this will at least not allow users to close your SQL statement and drop your tables! There are lots of good articles on the net for preventing SQL injection and XSS attacks. Pretty simple actually; I'm used to coding it in right away and not waiting until later and adding it.
     
    MasterOfLogic, Jul 12, 2007 IP
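    The SQL injection point raised in posts #2 and #10, as an added example that is not code from this thread. It is Python with an in-memory SQLite table standing in for the Access database (an assumption; the table and its three rows are constructed for the example). It puts the vulnerable string-built query next to the quote-doubling fix MasterOfLogic suggests and next to a parameterized query, and goes one step beyond the thread: quote doubling only helps where the value sits inside quotes, so a numeric condition such as WHERE id = ... is still wide open, while the parameterized form closes both cases. In ADO.NET the equivalent is adding values through the command's Parameters collection instead of concatenating them.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the site's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)")
    conn.executemany("INSERT INTO users (id, username) VALUES (?, ?)",
                     [(1, "alice"), (2, "bob"), (3, "admin")])
    return conn


def quote_doubled(value):
    """The Replace("'", "''") idea from the thread, as a Python function."""
    return value.replace("'", "''")


def find_by_name_vulnerable(conn, name):
    # String-built query: a quote in `name` ends the literal and the rest is SQL.
    sql = "SELECT id, username FROM users WHERE username = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_by_name_escaped(conn, name):
    # Quote doubling keeps the value inside its quotes, so this lookup is safe.
    sql = "SELECT id, username FROM users WHERE username = '" + quote_doubled(name) + "'"
    return conn.execute(sql).fetchall()


def find_by_id_escaped(conn, id_text):
    # Numeric context: the value is not quoted, so doubling quotes changes nothing.
    sql = "SELECT id, username FROM users WHERE id = " + quote_doubled(id_text)
    return conn.execute(sql).fetchall()


def find_by_name_parameterized(conn, name):
    # The driver sends the value separately from the SQL text; it is never parsed as SQL.
    return conn.execute("SELECT id, username FROM users WHERE username = ?", (name,)).fetchall()


def find_by_id_parameterized(conn, id_text):
    return conn.execute("SELECT id, username FROM users WHERE id = ?", (id_text,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(find_by_name_vulnerable(db, "' OR '1'='1"))      # every row
    print(find_by_name_escaped(db, "' OR '1'='1"))         # []
    print(find_by_id_escaped(db, "1 OR 1=1"))              # every row again
    print(find_by_id_parameterized(db, "1 OR 1=1"))        # []
    print(find_by_id_parameterized(db, "2"))               # [(2, 'bob')]
```

    The escaped-string approach also has to be applied at every query by hand and is easy to forget once, which is why parameters are the better habit to code in "right away".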