Chase Florell

Reputation: 47377

Detect URL Abuse and Hack Attempts

I have a website that seems to get more than its fair share of hacking attempts. It has not been broken yet, but I'd like to build into the system a good way to detect the attempt and block the IP.

Would the best way to detect this be to simply do a string search for phrases like "varchar" and "sysobjects"?

Offending URL: http://www.example.com/default.aspx?id=58 And char(124)+(Select Cast(Count(1) as varchar(8000))+char(124) From [sysobjects] Where 1=1)>0

Source: System.Web

Message: Exception of type 'System.Web.HttpUnhandledException' was thrown.

User IP: 187.13.142.33

User Browser: Unknown 0.0

User OS: Unknown

Stack trace: at System.Web.UI.Page.HandleError(Exception e) at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) at System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) at System.Web.UI.Page.ProcessRequest() at System.Web.UI.Page.ProcessRequestWithNoAssert(HttpContext context) at System.Web.UI.Page.ProcessRequest(HttpContext context) at ASP.default_aspx.ProcessRequest(HttpContext context) at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean completedSynchronously)

Upvotes: 4

Views: 2111

Answers (2)

Sune Rievers

Reputation: 2754

If you really want to detect (and eventually block) the intruders, perhaps going an alternate route and installing a firewall with an intrusion protection system would be helpful, especially if the firewall could block the offending host for a short while. AFAIK Astaro has such a system. This way, the application is physically isolated from the intrusion detection logic, and they cannot (easily) compromise each other.

On topic, I think the best way to handle SQL injection is to log the attempt, not block it. Of course, you should first let the system undergo a thorough code-inspection to find any loose ends. Be sure to sanitize all tainted data (from user input or otherwise), use parameterized queries and code defensively.

Upvotes: 0

bobince

Reputation: 536379

> Would the best way to detect this be to simply do a string search for phrases like "varchar" and "sysobjects"?

Not if you're going to immediately throw an exception when you see them... then you'd be breaking your application if the user decided they wanted to, e.g., search your site for information about varchars.

If your application is properly written, “XSS protection” hacks like this provide nothing except these occasional breakages. If your application isn't properly written, the ‘protection’ is at best an ineffective obfuscation.

You could certainly log requests that look like they might be attacks so you can go through and review attacker IPs later. Unfortunately this tends not to be as much use as you might think, as so many of the attack scripts are running on networks of compromised servers and botnet trojans, with a huge selection of IP addresses to choose from.

Upvotes: 1
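
The log-and-review approach both answers describe, as an added example that is not part of either answer: a scorer that decodes each query string, flags a non-integer `id` or a cluster of SQL keywords, and totals the scores per client IP without ever rejecting a request. The token list, the scores, the threshold, the `(ip, url)` log shape and the `search.aspx` path are assumptions made for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

# Assumption: parameters this application expects to be integers.
NUMERIC_PARAMS = {"id"}
# Assumption: short illustrative token list, not a complete signature set.
SQL_TOKENS = re.compile(
    r"\b(select|union|cast|char|varchar|sysobjects|from|where)\b", re.IGNORECASE)

def score_request(url):
    """Score one URL for review. Never raises on a match and never blocks."""
    score, reasons = 0, []
    # parse_qsl percent-decodes and turns '+' into a space before matching.
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if name.lower() in NUMERIC_PARAMS and not re.fullmatch(r"[0-9]+", value.strip()):
            score += 3  # strong signal: a legitimate id is always an integer
            reasons.append(f"{name}: non-integer value")
        tokens = sorted({t.lower() for t in SQL_TOKENS.findall(value)})
        if len(tokens) >= 3:  # one keyword alone is an ordinary search term
            score += 2
            reasons.append(f"{name}: SQL tokens {tokens}")
    return score, reasons

def review(entries, threshold=2):
    """Total the scores of flagged requests per client IP."""
    per_ip, findings = Counter(), []
    for ip, url in entries:
        score, reasons = score_request(url)
        if score >= threshold:
            per_ip[ip] += score
            findings.append((ip, score, reasons))
    return per_ip, findings

# Constructed log: the first entry is the request from the question; the
# other two are made-up benign requests from documentation address ranges.
SAMPLE_LOG = [
    ("187.13.142.33", "http://www.example.com/default.aspx?id=58 And char(124)"
     "+(Select Cast(Count(1) as varchar(8000))+char(124) From [sysobjects] "
     "Where 1=1)>0"),
    ("203.0.113.7", "http://www.example.com/search.aspx?q=varchar+vs+nvarchar"),
    ("198.51.100.20", "http://www.example.com/default.aspx?id=58"),
]

if __name__ == "__main__":
    totals, hits = review(SAMPLE_LOG)
    for ip, score, reasons in hits:
        print(ip, score, "; ".join(reasons))
```

Only the request from the question is flagged; the search for "varchar" and the normal `id=58` request score zero, so nothing a legitimate user does is broken.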
