Database being hacked [Resolved]

Posted by Modit under Sql Server on 1/5/2016 | Points: 10 | Views : 2384 | Status : [Member] | Replies : 4

Write New Post |

Search Forums | Answered

Resolved Posts |

Un Answered Posts |

Forums Home

i have created a website in asp.net, issue is my website is being hacked.

While checking the database the records are begin updated with css.

For eg i have a column imgLoc varchar(500) , the value was b50cf447-0technica.jpg , now the values are updated to

b50cf447-0technica.jpg</title><div style="display:block; text-indent:-3573px;"><a href="http://buy-cialis-onlineusa.com">cialis</a></div>

Any solutions why this is happening.

[Resolved]

Reply | Reply with Attachment

Alert Moderator

Responses

Posted by: Rajnilari2015 on: 1/5/2016 [Member] [Microsoft_MVP] [MVP] Platinum | Points: 50

1	Yes , there is indeed a solution. We also perform security testing in our project and the top 10 security vulnerabilities are listed by Open Web Application Security Project(OWASP) are ( http://www.troyhunt.com/2010/05/owasp-top-10-for-net-developers-part-1.html ) : 1. Injection 2. Cross-Site Scripting (XSS) 3. Broken Authentication and Session Management 4. Insecure Direct Object References 5. Cross-Site Request Forgery (CSRF) 6. Security Misconfiguration 7. Insecure Cryptographic Storage 8. Failure to Restrict URL Access 9. Insufficient Transport Layer Protection 10. Unvalidated Redirects and Forwards This is the industry practice that we must follow to secure our website. Specific to the question being asked, the security issue occurred most likely because of the violation of (1) and (2). For (1), the probable solution will be - Use parameterized query - Use ORM tools like EF - Use regular expression to discard input string e.g. Regex(@"^0[1-9][0-9]$") For (2), the probable solution will be - Use DataAnnotations to preform white-list validation using regular expression e.g. [RegularExpression(@"^[a-zA-Z''-'\s]{1,400}$", ErrorMessage = "Characters are not allowed.")] public string Message { get; set; } - Perform Output Encoding by using Server.HtmlEncode - Open Nuget and install AntiXSS package and then use the sanitizer for this. Hope that helps. Let us know if any concern. Thanks -- Thanks & Regards, RNA Team Modit, if this helps please login to Mark As Answer. \| Alert Moderator

Yes , there is indeed a solution.

We also perform security testing in our project and the top 10 security vulnerabilities are listed by Open Web Application Security Project(OWASP) are ( http://www.troyhunt.com/2010/05/owasp-top-10-for-net-developers-part-1.html ) :

1. Injection
2. Cross-Site Scripting (XSS)
3. Broken Authentication and Session Management
4. Insecure Direct Object References
5. Cross-Site Request Forgery (CSRF)
6. Security Misconfiguration
7. Insecure Cryptographic Storage
8. Failure to Restrict URL Access
9. Insufficient Transport Layer Protection
10. Unvalidated Redirects and Forwards

This is the industry practice that we must follow to secure our website.

Specific to the question being asked, the security issue occurred most likely because of the violation of (1) and (2).

For (1), the probable solution will be

- Use parameterized query
- Use ORM tools like EF
- Use regular expression to discard input string e.g. Regex(@"^0*[1-9][0-9]*$")

For (2), the probable solution will be

- Use DataAnnotations to preform white-list validation using regular expression e.g.

[RegularExpression(@"^[a-zA-Z''-'\s]{1,400}$", ErrorMessage = "Characters are not allowed.")]
public string Message { get; set; }

- Perform Output Encoding by using Server.HtmlEncode
- Open Nuget and install AntiXSS package and then use the sanitizer for this.

Hope that helps.

Let us know if any concern.

Thanks

--
Thanks & Regards,
RNA Team

Modit, if this helps please login to Mark As Answer. | Alert Moderator

Posted by: Sheonarayan on: 1/5/2016 [Administrator] HonoraryPlatinum | Points: 25

1	This specific issue seems to be Spammers trying to populate your database. The ideal solution to this problem is what Rajnilari2015 said. You can also do following to avoid this. 1. If the website is public, restrict it to be used by only logged in user. Get a confirmation email before allowing them to login (the way DotNetFunda.com does, you will have to confirm your registration) 2. Use parameterized statement to insert, update, delete records from the database. Read this http://www.dotnetfunda.com/articles/show/1524/how-to-insert-records-into-the-database. This is the most important step, your database is vulnerable if you are not using parameterized statement. Someone can even delete your entire records from the database or delete the table itself. 3. If the website is not public, restrict the access by using Windows Authentication or use role based authentication (article is there on DotNetFunda.com on how to create role based authentication). 4. To restrict html code being submitted to the server, use validateRequest="true" in Page directive for that specific page or do it in web.config file for entire website. 5. Get your code reviewed by some experienced person, a lot of other loop wholes may be there. 6. See that your passwords and other configuration information are not leaked out, change them. However whatever is suggested here, if you follow them then rest assured that you are safe. Hope this helps. Thanks Regards, Sheo Narayan http://www.dotnetfunda.com Modit, if this helps please login to Mark As Answer. \| Alert Moderator

This specific issue seems to be Spammers trying to populate your database. The ideal solution to this problem is what Rajnilari2015 said. You can also do following to avoid this.

1. If the website is public, restrict it to be used by only logged in user. Get a confirmation email before allowing them to login (the way DotNetFunda.com does, you will have to confirm your registration)

2. Use parameterized statement to insert, update, delete records from the database. Read this http://www.dotnetfunda.com/articles/show/1524/how-to-insert-records-into-the-database. This is the most important step, your database is vulnerable if you are not using parameterized statement. Someone can even delete your entire records from the database or delete the table itself.

3. If the website is not public, restrict the access by using Windows Authentication or use role based authentication (article is there on DotNetFunda.com on how to create role based authentication).

4. To restrict html code being submitted to the server, use validateRequest="true" in Page directive for that specific page or do it in web.config file for entire website.

5. Get your code reviewed by some experienced person, a lot of other loop wholes may be there.

6. See that your passwords and other configuration information are not leaked out, change them.

However whatever is suggested here, if you follow them then rest assured that you are safe.

Hope this helps.

Thanks

Regards,
Sheo Narayan
http://www.dotnetfunda.com

Modit, if this helps please login to Mark As Answer. | Alert Moderator

Posted by: Vuyiswamb on: 1/5/2016 [Member] [MVP] [Administrator] NotApplicable | Points: 25

0	i m sorry to hear that you have been hacked. but this means that you are not securing your Database. i dont think you were hacked from your ISP , i think you were hacked from your application. 1) Change the DB Server's password 2) Take down your Application 3) Re-strategize else you will loose data. 4) Plan for a Data Cleanup , from what i see a single SQL statement can clean that DB field to the way it was. also check with your ISP if they can give you the backup with data before this happened. if you need my assistance let me know , need need to scan through your application and see the code that has issues Thank you for posting at Dotnetfunda [Administrator] Modit, if this helps please login to Mark As Answer. \| Alert Moderator

i m sorry to hear that you have been hacked. but this means that you are not securing your Database. i dont think you were hacked from your ISP , i think you were hacked from your application.

1) Change the DB Server's password
2) Take down your Application
3) Re-strategize else you will loose data.
4) Plan for a Data Cleanup ,

from what i see a single SQL statement can clean that DB field to the way it was. also check with your ISP if they can give you the backup with data before this happened.

if you need my assistance let me know , need need to scan through your application and see the code that has issues

Thank you for posting at Dotnetfunda
[Administrator]

Modit, if this helps please login to Mark As Answer. | Alert Moderator

Posted by: Modit on: 1/5/2016 [Member] Starter | Points: 25

0	Thank you Rajnilari2015 i will try the procedures you have mentioned. Dear Vuyiswamb issue is all the tables are being effective , only fields that have nvarchar(max) are not being updated. Modit, if this helps please login to Mark As Answer. \| Alert Moderator

Latest Posts