
An Easy Test For Web Site Security

By: David Strom

After my recent column on problems with SBC's Web hosting ("SBC Web Hosting Flunks Security Fundamentals"), I asked Caleb Sima of SPI Dynamics, a Web software and security assessment software company, to give me some insights into breaking into Web sites. Caleb has a pretty cool job: he gets paid to do this, in the process demonstrating the need for tools such as the ones his employer sells, as well as the various weaknesses of people's sites. When he visited me at CMP last fall, he was inside our own Web site and looking at things he shouldn't have had access to within a minute or so. Fortunately, our Web folks have since tightened things up, but you may not be so lucky.

I asked Caleb to give me an idea of how he manages to find these vulnerabilities so quickly, and he came up with a few suggestions. If you understand how Web servers work, and that they have directory structures and input forms just like the computer on your desktop, you can get pretty far, even without much other specialized knowledge. To give you a flavor of this, I present his prescription for finding a Web application attack vulnerability called cross-site scripting.

Cross-site scripting occurs when dynamically generated Web pages display input that is not properly validated. This allows an attacker to embed malicious JavaScript code into the generated page and have the script execute in the browser of any user who views that site. Cross-site scripting has some far-reaching implications, and can affect any site that allows users to enter data. You see this in search engines, in error message screens, in forms and Web message boards, among other places. You can read more about this at SPI Dynamics' website.

Here are the steps to see if your Web applications are vulnerable to this attack:

Step 1. Open any Web site in a browser, and look for areas on the site that accept user input, such as a search form or some sort of login page. Enter the word "test" in the search box and send this to the Web server.

Step 2. Look for the Web server to respond with a page similar to "Your search for 'test' did not find any items" or "Invalid login test." If the word 'test' appears in the results page, you are in luck: the server is reflecting your input back to you.

Step 3. To test for cross-site scripting, enter the string "<script>alert('hello')</script>" without the quotes in the same search or login box you used before and send this to your Web server.

Step 4. If the server responds with a popup box that says "hello", then the Web site or Web application is vulnerable to cross-site scripting.

Step 5. If Step 4 fails and the Web site does not show the popup, you still may be at risk. Click the 'View|Source' option in your browser so you can see the actual HTML code of the Web page. Now find the <script> string that you sent the server. If you see the complete "<script>alert('hello')</script>" text, unchanged, in this source code, then the Web server is vulnerable to cross-site scripting.
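To make the five steps concrete, here is an added example (not from the column, and not SPI Dynamics' code) that plays the role of the server. It shows the reflecting search page in the vulnerable form the steps describe and in a hardened form that HTML-escapes the input, and it runs the Step 2 and Step 5 checks as code. The render functions stand in for the Web server's search handler, and the page text and function names are constructed for the illustration.

```javascript
// Added example, not from the original column: a reflected-input search page
// in vulnerable and hardened form, plus the Step 2 / Step 5 checks as code.
// renderSearchVulnerable/renderSearchHardened are constructed stand-ins for the
// server's search handler; the page text is made up for this illustration.

const XSS_PROBE = "<script>alert('hello')</script>"; // the probe string from Step 3

// HTML-escape user input so the browser treats it as text rather than markup.
// '&' must be escaped first so already-escaped entities are not double-escaped.
function htmlEscape(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable handler: echoes the search term straight into the page, which is
// exactly the Step 2 behaviour the column says to look for.
function renderSearchVulnerable(term) {
  return `<html><body><p>Your search for '${term}' did not find any items</p></body></html>`;
}

// Hardened handler: same page, but the term is escaped before it is inserted,
// so a browser shows the probe as literal text instead of running it.
function renderSearchHardened(term) {
  return `<html><body><p>Your search for '${htmlEscape(term)}' did not find any items</p></body></html>`;
}

// Step 5 as code: does the page source contain the complete probe string unchanged?
function reflectsUnescaped(pageSource, probe = XSS_PROBE) {
  return pageSource.includes(probe);
}

// Run Steps 1-5 against a handler: first confirm ordinary input is reflected
// (Step 2), then check whether the probe comes back intact (Step 5).
function checkReflectedXss(render) {
  const inputReflected = render('test').includes('test');
  const probeIntact = reflectsUnescaped(render(XSS_PROBE));
  return { inputReflected, vulnerable: inputReflected && probeIntact };
}

console.log(checkReflectedXss(renderSearchVulnerable)); // { inputReflected: true, vulnerable: true }
console.log(checkReflectedXss(renderSearchHardened));   // { inputReflected: true, vulnerable: false }
```

Note that the hardened page still reflects the word "test" (Step 2 passes), which is normal for a search page; what changes is that the probe comes back as `&lt;script&gt;...` in the source, so Step 5 finds nothing. The plain string search in Step 5 is only a lower bound: escaping has to match where the input lands (HTML body, attribute value, or inside a script), so a page that passes this check in one spot can still be vulnerable in another.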

If these steps do not make much sense to you, not to worry. You can still get some mileage out of them, particularly when you are in the throes of picking a hosting provider. I suggest you mail them this column and see what kind of response you get before you give them your business. If you get no response or a canned response, then you probably need to go elsewhere. You could also mail this column to your IT department. If they do not understand what I am talking about here, then you may want to bring that to the attention of your CEO and find out why.

There are plenty of other Web site vulnerabilities, as I mentioned last week. Hopefully this will get you motivated to seek them out, either by using SPI Dynamics' product, called WebInspect, or someone else's, and by being more diligent about what applications you allow access to your Web content. Here is my article that I wrote earlier this year on this subject for VARBusiness.
