  1. #1
    SitePoint Member

    Help me put the frighteners on hackers to my website!

    Hi all,

    I run a site for my brother's band that recently has had a SQL injection vulnerability come to light. Luckily, I patched it just in time, but I know of others who weren't so lucky, and all their hard work was wiped out in a matter of minutes by some (being very kind here!) mean-spirited sadists.
    Not looking to do anything drastic here, but should they enter the appropriate URL string that (would have) led to them attempting the SQL injection, a pop-up will appear telling them that their ISP has been alerted, IP has been noted, etc. etc...
    Since I suspect that the majority of people attempting this are script kiddies, I'm hoping that some good may come of this, and that they may see the error of their ways. Idealistic, I know...
    If anyone can even point me in the right direction as to how to code this I would be most grateful, as JS isn't my strong point unfortunately.

    Thanks,

    Davy

  2. #2
    paul_wilkins
    Because there are a vast number of ways for exploits to occur, many of which are not capable of being captured by scripting, your best bet is to notify everyone that their IP address has been recorded.
    Programming Group Advisor
    Reference: JavaScript, Quirksmode Validate: HTML Validation, JSLint
    Car is to Carpet as Java is to JavaScript

  3. #3
    Kalon
    Quote Originally Posted by pmw57
    ...your best bet is to notify everyone that their IP address has been recorded.
    and that you are sending someone around to re-adjust their attitudes

  4. #4
    paul_wilkins
    Getting a bit more detailed about things, all client-side scripting is freely available to be seen by your visitors.

    If you have clever scripting that's watching things like form values for potential exploits, it's possible that even though you'll catch some genuine attacks, there will also be the possibility of triggering on false positives. That gives unaware people the knowledge that you are actively checking, and some of those people will think to look at your script, which they have full access to, and will see your code that checks for all of the exploits that you know about. That then helps your visitor to know about exploits that they may not have previously known about.

    tl;dr: Do not provide public access to what you want to keep private.

  5. #5
    Kalon
    A wise person once told me:

    Prevention is better than cure.
    Bottom line: make sure all user inputs are validated and sanitised on the server before processing in any way, and make sure your file and directory permissions on your server will keep out prying eyes.

    I also put a default index.htm in each subdirectory below the site's root directory.

  6. #6
    paul_wilkins
    Quote Originally Posted by Kalon
    bottom line: make sure all user inputs are validated and sanitised on the server before processing in any way
    Getting off JavaScript but still on topic, here's how when using PHP:
    Handling Input and Output
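A concrete form of the server-side advice in the replies above (validate the input, then query through a prepared statement), added here as an example and not code from the thread or from the original poster's site; the "gigs" table, its rows, the validation pattern and the tampered query parameter are all constructed for the demonstration.

```php
<?php
// Added example, not code from the thread: the server-side check the replies
// recommend, using PDO against an in-memory SQLite table. The "gigs" table,
// its rows and the query parameter are all constructed for the demonstration.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE gigs (id INTEGER PRIMARY KEY, city TEXT, venue TEXT)');
$db->exec("INSERT INTO gigs (city, venue)
           VALUES ('Glasgow', 'Barrowland'), ('Leeds', 'Brudenell')");

// BEFORE: the value from the URL is pasted straight into the SQL text, so a
// quote in the input ends the string literal and rewrites the WHERE clause.
function venuesVulnerable(PDO $db, string $city): array
{
    $sql = "SELECT venue FROM gigs WHERE city = '" . $city . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// AFTER, step 1: validate the shape of the input before doing anything with
// it. The pattern is an example policy for this parameter, not a general rule.
function isPlausibleCity(string $city): bool
{
    return preg_match('/^[\p{L} .-]{1,64}$/u', $city) === 1;
}

// AFTER, step 2: a prepared statement sends the SQL and the value separately,
// so the database compares the input as plain text whatever it contains.
function venuesSafe(PDO $db, string $city): array
{
    $stmt = $db->prepare('SELECT venue FROM gigs WHERE city = :city');
    $stmt->execute([':city' => $city]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed request parameter of the kind a tampered ?city= link carries.
$untrusted = "Glasgow' OR '1'='1";

var_dump(venuesVulnerable($db, $untrusted)); // both venues: the filter was defeated

if (!isPlausibleCity($untrusted)) {
    // The quiet server-side equivalent of the pop-up in the original post:
    // record the address and the raw value where only the site owner can see it.
    error_log(sprintf('rejected city parameter from %s: %s',
        $_SERVER['REMOTE_ADDR'] ?? 'cli', $untrusted));
}
var_dump(venuesSafe($db, $untrusted)); // array(0) {}: no city has that literal name
```

Run from the command line with `php example.php`; the log line goes to stderr there, and to the web server's error log when the same code runs behind a site.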

  7. #7
    oddz (SitePoint Wizard)
    I'm not saying I have done it, but I think attempting to exploit a site is a great way to determine its level of security. For example, if one is able to exploit a site with something as simple as SQL injection, then who knows what other security holes exist. I don't want those types of sites storing my personal information, especially any credit card info. In my opinion the fault always lies with the person who built the software, not the person who attempted or succeeded with an exploit. Especially for something that is so simple to prevent – SQL injection. Other things are less preventable, perhaps, but SQL injection is a cake walk.

  8. #8
    Kalon
    Quote Originally Posted by oddz
    In my opinion the fault always lies with the person who built the software, not the person who attempted or succeeded with an exploit. Especially for something that is so simple to prevent – SQL injection. Other things are less preventable, perhaps, but SQL injection is a cake walk.
    Imho both are at fault.

    Something else a wise person once told me:

    Two wrongs don't make a right

  9. #9
    oddz (SitePoint Wizard)
    Bad software is normally cheap software, so it's good to see people get what they paid for. Next time around they may just think twice. I don't even believe SQL injection is directly punishable by law. It seems like there would have to be some theft involved. Removing data isn't really theft. Then again, who knows with how outdated the cyber crime laws are. Perhaps one of the only cases where it is punishable by law for a normal everyday site is stealing financial information. However, deleting it isn't really stealing it imo.

  10. #10
    paul_wilkins
    Quote Originally Posted by Kalon
    Imho both are at fault.
    Sometimes a first attack cannot be prevented. There is no crime in ignorance, but continued ignorance is to be avoided.

    Learning from an attack to help prevent similar ones from occurring is to be commended. That's what I see from the original poster.

    This is why I feel that it's beneficial for us to direct his efforts so that they will protect him in ways that will prove to be most fruitful.

  11. #11
    Kalon
    Quote Originally Posted by oddz
    However, deleting it isn't really stealing it imo.
    Yep, agree, deleting is not actually stealing, but where I live there are laws against deliberate and malicious damage to other people's property.

    I think of it this way.

    If I leave my house unattended with the front door open and someone comes in and trashes the place then, although I haven't done anything illegal (luckily you can't legislate against stupidity), I am still at fault for my lapse in security, and the person who trashed my place has committed a criminal offence even if he didn't steal anything.

  12. #12
    Kalon
    Quote Originally Posted by pmw57
    Sometimes a first attack cannot be prevented. There is no crime in ignorance, but continued ignorance is to be avoided.

    Learning from an attack to help prevent similar ones from occurring is to be commended. That's what I see from the original poster.
    Yep, totally agree, but whether through no fault of their own or not, the person who originally built the site is still "technically" at fault imo.

    But I agree that learning from that mistake and doing something about it is commendable.
