
.NET Forum / ASP.NET / Security / April 2007


ASP.net { or any web application } security

Bashar Naffa - 18 Apr 2007 08:40 GMT
Hi all,

I'm wondering how I can prevent this scenario:

I have an ASP.NET application, not using any kind of ASP.NET security model
[neither Windows nor Forms Auth].
A client can save a complete copy of the web site locally, change any
JavaScript function, then change the Action attribute in the form tag to
point to the same page again, and it will submit.

My question is: I want my website to be accessed only through my own web site
links or requests; I don't want to accept the previous scenario, and I don't
want to accept any custom HTTP request coming from outside my web site.
I can't depend on the HTTP Referer, because it can easily be changed through
HTTP sniffing tools or packet editor tools.

Any advice???

Bashar
Dominick Baier - 18 Apr 2007 11:50 GMT
Well - you could generate one-time IDs that are only valid for a short period
of time - you could append these to links as a query string.

An HttpModule could check the appended IDs for validity...

-----
Dominick Baier (http://www.leastprivilege.com)

Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)

Bashar Naffa - 18 Apr 2007 12:26 GMT
Hi Dominick,

Thanks for your reply. I already thought of your idea, which produces a token and
expiry time, but I don't think this will solve the problem. For example, you
set the expiry as 1 min for every request; then the hacker can save the HTML,
replace whatever he wants within 1 min, and submit it back. You got me?
Also, think of big, huge forms to fill; the user may not finish filling the
form within that expiry time, so his submit will fail!

By the way, I have another question for you, as a security expert: can any
tool, application, technology, etc. change the "HTTP referrer" of any
HTTP request header??

Thanks in Advance
Bashar
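Dominick's suggestion (one-time IDs appended to links and checked by an HttpModule) and Bashar's two objections (a hacker can edit the saved HTML within the expiry window; a long form outruns a short expiry) can be worked through in code. The following is an added example, not code from either poster; it is Python rather than ASP.NET, and the names SERVER_KEY, TOKEN_PARAM, issue_token, TokenValidator, check_request and the session ids are constructed for the demonstration. It goes a little beyond the thread by binding each token to the session with an HMAC: the expiry can then be generous (half an hour here) because a saved copy only verifies for the session that received it, and a second submission is blocked by the spent nonce rather than by a short clock.

```python
"""Session-bound, time-limited, single-use request tokens (synchronizer
token pattern).  Constructed example; not code from the thread."""
import hashlib
import hmac
import secrets

# Assumption: a server-side secret that never reaches the client.
SERVER_KEY = b"constructed-demo-key-rotate-in-production"
# Assumption: the query-string parameter the module looks for.
TOKEN_PARAM = "ft"


def _mac(key, session_id, nonce, exp):
    """HMAC over session, nonce and expiry: editing any field breaks it."""
    msg = f"{session_id}|{nonce}|{exp}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def issue_token(session_id, now, ttl_seconds=1800, key=SERVER_KEY):
    """Mint a token for this session.  The nonce makes it single-use; the
    MAC binds it to the session so a copy used elsewhere does not verify."""
    nonce = secrets.token_hex(8)
    exp = int(now) + ttl_seconds
    return f"{nonce}.{exp}.{_mac(key, session_id, nonce, exp)}"


class TokenValidator:
    """The check an HttpModule would run before the page handles the request."""

    def __init__(self, key=SERVER_KEY):
        self.key = key
        self.used = {}  # nonce -> expiry, so the replay set can be pruned

    def validate(self, token, session_id, now):
        try:
            nonce, exp_text, mac = token.split(".")
            exp = int(exp_text)
        except ValueError:
            return "malformed"
        # Verify the MAC first, in constant time, before trusting any field.
        if not hmac.compare_digest(mac, _mac(self.key, session_id, nonce, exp)):
            return "bad-signature"  # edited, or minted for a different session
        if now > exp:
            return "expired"
        self._prune(now)
        if nonce in self.used:
            return "replayed"
        self.used[nonce] = exp
        return "ok"

    def _prune(self, now):
        """Drop spent nonces whose tokens could no longer validate anyway."""
        for n in [n for n, e in self.used.items() if e < now]:
            del self.used[n]


def check_request(validator, request, now):
    """Module-style entry point.  request is a dict with 'session' (the
    cookie value) and 'query' (parsed query string).  Referer is never read."""
    token = request.get("query", {}).get(TOKEN_PARAM, "")
    return validator.validate(token, request.get("session", ""), now)


def demo():
    """Walk through the scenarios raised in the thread; returns the verdicts."""
    v = TokenValidator()
    t0 = 1_000_000  # constructed clock, in seconds
    link = issue_token("sess-A", t0)  # token the server appended to a link/form
    results = {}
    # 1. The legitimate user takes 25 minutes on a long form: still accepted.
    results["long_form"] = check_request(v, {"session": "sess-A", "query": {"ft": link}}, t0 + 1500)
    # 2. The same saved HTML is submitted again: the nonce is already spent.
    results["replay"] = check_request(v, {"session": "sess-A", "query": {"ft": link}}, t0 + 1501)
    # 3. A copy saved from session A is submitted from a different session.
    link_b = issue_token("sess-A", t0)
    results["other_session"] = check_request(v, {"session": "sess-B", "query": {"ft": link_b}}, t0 + 10)
    # 4. The expiry inside the saved token is edited to buy more time.
    nonce, exp, mac = link_b.split(".")
    forged = f"{nonce}.{int(exp) + 3600}.{mac}"
    results["tampered"] = check_request(v, {"session": "sess-A", "query": {"ft": forged}}, t0 + 10)
    # 5. A request assembled without any token the server issued.
    results["no_token"] = check_request(v, {"session": "sess-A", "query": {}}, t0)
    # 6. A token that is genuine but past its expiry.
    short = issue_token("sess-A", t0, ttl_seconds=60)
    results["expired"] = check_request(v, {"session": "sess-A", "query": {"ft": short}}, t0 + 120)
    return results


if __name__ == "__main__":
    for scenario, verdict in demo().items():
        print(f"{scenario:14s} -> {verdict}")
```

What this check cannot do is stop the session holder from editing the form fields before submitting: scenario 1 passes precisely because the token is valid, so every posted value still needs server-side validation. The Referer header is not read at all, which is the answer to the later question in the thread; a check that rests on a signed token needs nothing the client can rewrite.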
Dominick Baier - 18 Apr 2007 14:21 GMT
> By the way, I have another question for you, as a security expert: can
> any tool, application, technology, etc. change the "HTTP
> referrer" of any HTTP request header??

What do you mean?

Bashar Naffa - 18 Apr 2007 14:42 GMT
What I mean is:
Do you know the "REFERRER" key in the HTTP header? It tells the server from
which URI the request was redirected.
For example:
you are in Page1.aspx and click on a link that navigates you to Page2.aspx.
Check Request.Headers["Referrer"] in the load event of Page2.aspx, and you
find the URI of Page1.aspx.

In that way, you can detect where your requests are coming from: from
inside your application, or from other sites or local copies.

My question is: can the attacker change this Referrer manually so he can
fake this validation? Like what happens in phishing, for example.

I hope this was clear.

Dominick Baier - 18 Apr 2007 16:46 GMT
Hi,

Yes, this is easily possible - have a look at www.fiddlertool.com


©2008 Advenet LLC