orange08
Posted October 4, 2009

Recently I found I'm really confused about some security concepts... I hope the experts here can help me clear up the confusion.

We always mention that hackers inject malicious code into websites, and say that it's important to validate or filter user input to prevent this type of code injection. From what I know, a hacker can inject malicious code through a website's text fields, form fields, and query string, so we can filter input from these sources to prevent the code injection or attack.

But can a hacker inject code in other ways? For example, can they inject code into a simple URL that has no query string (e.g. www.mysite.com/testpage.php)? Can they just put malicious code at the end of such a URL? This is my main confusion.

Also, I recently came across HTTP header injection and meta tag injection. I just can't understand how these injections are performed. Through a normal text field, form field, and query string? Or can they just put the malicious code at the end of a normal URL?

I really need the experts' clarification in this case! Thanks in advance!

cags
Posted October 4, 2009

I certainly wouldn't consider myself an expert, but here's my 2 pence worth. There are a lot of different types of attacks that can occur on a website; some are generalised things that all sites should be wary of, others are tailored more specifically to a single site. Some of the most widely used hacking/security terms are as follows...

SQL Injection Attacks - Where a hacker uses SQL to insert unwanted commands into a query. In its least dangerous form this may allow a user to authenticate without a valid username/password; in more complex forms it could give them complete access to your db structure etc.

XSS - Also called CSS sometimes, but that has an obvious confusion factor. Cross-site scripting attacks are where you allow a hacker to insert information into your site (whether it be db or flat file) that will be displayed back to other users. If this information isn't filtered there are all kinds of nasty tricks hackers can employ.

CSRF - Sometimes called session riding because it exploits the trust a website has in an authenticated user to cause damage.

In a more specific response to your question, can somebody damage your site by adding information to the end of a standard URL, the answer is no. Assuming that the page doesn't parse the URI in any way ($_GET, $_REQUEST) there's no way anything put on the end of a URL can cause damage.

The basic ethos of security: DON'T TRUST ANYTHING THE USER CAN DIRECTLY CONTROL.

- Never use a value from $_GET, $_POST, $_REQUEST or $_COOKIE without validating it.
- Validating with JavaScript is fine for user feedback, but not for security.
- Don't assume that a user cannot change a form variable just because it's not visible on the site. It's very easy for a user to change the value of an <input type="hidden" /> or any other type of form element.

Providing you do that and you do it well, you should be safe.

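
An added example, not from the thread, of the server-side check described in the post above: the posted fields are validated by type and range, and the form's hidden price is ignored in favour of a server-side lookup. The catalogue, the field names and validate_order() are hypothetical.

```php
<?php
// Constructed sample catalogue: prices live on the server, never in the form.
const CATALOGUE = [
    101 => ['name' => 'Widget', 'price_cents' => 1999],
    102 => ['name' => 'Gadget', 'price_cents' => 4950],
];

/**
 * Validate an order posted from a form that carried hidden fields
 * item_id and price_cents. Returns [order or null, list of errors].
 */
function validate_order(array $post): array
{
    $errors = [];

    // Accept only integers in range; filter_var() returns false for anything else.
    $itemId = filter_var($post['item_id'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    if ($itemId === false || !array_key_exists($itemId, CATALOGUE)) {
        $errors[] = 'Unknown item.';
    }

    $qty = filter_var($post['quantity'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 100]]);
    if ($qty === false) {
        $errors[] = 'Quantity must be a whole number from 1 to 100.';
    }

    if ($errors) {
        return [null, $errors];
    }

    // The hidden price_cents field is never read: the price comes from the server.
    $price = CATALOGUE[$itemId]['price_cents'];
    return [['item_id' => $itemId, 'quantity' => $qty, 'total_cents' => $price * $qty], []];
}

// Constructed request: the hidden price was edited to 1 cent in the browser.
$tampered = ['item_id' => '101', 'quantity' => '2', 'price_cents' => '1'];
[$order, $errors] = validate_order($tampered);
echo json_encode(['order' => $order, 'errors' => $errors]), "\n";
```
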
orange08
Posted October 4, 2009

> In a more specific response to your question, can somebody damage your site by adding information to the end of a standard URL, the answer is no. Assuming that the page doesn't parse the URI in any way ($_GET, $_REQUEST) there's no way anything put on the end of a URL can cause damage.

Thanks for the info... The reason I have such a worry is because I found these in a tutorial...

http://online.worldbank.com/<script>document.cookie="sessionid=1234";</script>.idc

http://online.worldbank.com/<meta%20http-equiv=Set-Cookie%20content="sessionid=1234;%20Expires=Friday,%201-Jan-2010%2000:00:00%20GMT">.idc

From the URL, I notice that there isn't any clue of $_GET, $_REQUEST... Why can that malicious code just be appended to the end of the link?

cags
Posted October 4, 2009

Hmm... I would assume that the site must be parsing the URL in some other way, like using mod_rewrite. To my knowledge it would be impossible to attack a site otherwise. It's possible I'm wrong, but I'd be surprised as I've never seen anything about it.

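
An added example, not from the thread, of the case discussed above where the server hands the whole request path to a script (a rewrite rule is assumed): the path is matched against a whitelist, and when it is echoed into an error page it is HTML-encoded first. The route table and function names are hypothetical; the sample paths are constructed from the URLs quoted in the thread.

```php
<?php
// Assumed setup: a rewrite rule sends every request to this script, so the
// raw path (no query string needed) arrives in $_SERVER['REQUEST_URI'].

/** Map a request URI to a known page name, or null if it is not whitelisted. */
function route(string $requestUri): ?string
{
    $pages = ['/' => 'home', '/testpage.php' => 'testpage']; // hypothetical routes
    $path = parse_url($requestUri, PHP_URL_PATH);
    if (!is_string($path)) {
        return null; // malformed URI: treat as not found
    }
    return $pages[rawurldecode($path)] ?? null;
}

/** Build the "not found" body; the path is encoded before it touches HTML. */
function not_found_body(string $requestUri): string
{
    $shown = htmlspecialchars(rawurldecode($requestUri),
        ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<p>No such page: ' . $shown . '</p>';
}

// Constructed sample requests, including a path like the one quoted from the tutorial.
$samples = [
    '/testpage.php',
    '/<script>document.cookie="sessionid=1234";</script>.idc',
];
foreach ($samples as $uri) {
    $page = route($uri);
    echo $page !== null ? "render: $page\n" : not_found_body($uri) . "\n";
}
```

With the encoding in place, the second sample is shown to the visitor as literal text rather than being interpreted as markup by the browser.
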
orange08
Posted October 4, 2009

> Hmm... I would assume that the site must be parsing the URL in some other way, like using mod_rewrite. To my knowledge it would be impossible to attack a site otherwise. It's possible I'm wrong, but I'd be surprised as I've never seen anything about it.

As a newbie, I just know some of the basics of web applications and PHP, so when I see such an example of a URL attack, it just makes me confused... Maybe you are right, mod_rewrite is used in that case...

Mchl
Posted October 4, 2009

This example comes from Session Fixation Vulnerability in Web-based Applications, where it states it can be used in Microsoft's IIS. I don't know IIS, but maybe it's something specific to this server.

orange08
Posted October 4, 2009

> This example comes from Session Fixation Vulnerability in Web-based Applications, where it states it can be used in Microsoft's IIS. I don't know IIS, but maybe it's something specific to this server.

Yup, I read it from there... As a newbie, I really don't know what that is... So, you mean that in the normal case, on a normal server, such things should not happen?

Mchl
Posted October 4, 2009

If by 'normal server' you mean Apache, then all I can say is: I don't know of any way this would work without some sort of URL rewriting. I am no expert on this though.

redarrow
Posted October 4, 2009

Don't worry about hackers hacking your web site, just make sure you validate all variables and user input from forms and URLs using the $_GET[''] method.

Trust me, if you continue to look for what hackers are trying to do or doing to get information from a web site, you won't even do computer programming. Forget it and continue programming with as much security as you can add to protect your code, as far as possible.

Don't drive yourself mad over hackers. There are thousands of tricks and tips; any programmer with the knowledge can tell you ways in and out of web sites, but it is not worth worrying about it.