davejose — 2010-11-23T20:33:30-05:00 — #1
I run a site for my brother's band that recently has had a SQL injection vulnerability come to light. Luckily, I patched it just in time, but I know of others who weren't so lucky, and that all their hard work was wiped out in a matter of minutes by some (being very kind here!) mean spirited sadists.
Not looking to do anything drastic here, but should they enter the appropriate URL string that (would have) led to them attempting the SQL injection, a pop up will appear telling them that their ISP has been alerted, IP has been noted, etc etc...
Since I suspect that the majority of people attempting this are script kiddies I'm hoping that some good may come of this, and that they may see the error of their ways. Idealistic I know...
If anyone can even point me in the right direction as to how to code this I would be most grateful, as JS isn't my strong point unfortunately.
paul_wilkins — 2010-11-23T20:37:13-05:00 — #2
Because there are a vast number of ways for exploits to occur, many of which are not capable of being captured by scripting, your best bet is to notify everyone that their IP address has been recorded.
system — 2010-11-23T20:41:58-05:00 — #3
and that you are sending someone around to re-adjust their attitudes :whip: :badpc:
paul_wilkins — 2010-11-23T21:53:30-05:00 — #4
Getting a bit more detailed about things, all client-side scripting is freely available to be seen by your visitors.
If you have clever scripting that's watching things like form values for potential exploits, it's possible that even though you'll catch some genuine attacks, there will also be the possibility of triggering on false positives. That gives unaware people the knowledge that you are actively checking, and some of those people will think to look at your script, which they have full access to, and will see your code that checks for all of the exploits that you know about. That then helps your visitor to know about exploits that they may not have previously known about.
tl;dr: Do not provide public access to what you want to keep private.
system — 2010-11-23T22:14:08-05:00 — #5
a wise person once told me
Prevention is better than to cure
bottom line: make sure all user inputs are validated and sanitised on the server before processing in any way and make sure your file and directory permissions on your server will keep out prying eyes
I also put a default index.htm in each subdirectory below the site's root directory.
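The server-side approach recommended in this thread, as an added example that is not part of any post: a Python/sqlite3 sketch in which the request value is validated and bound as a query parameter, and rejected input is logged with the client address on the server rather than detected in JavaScript. The table, function names, sample input and address are constructed for illustration.

```python
import logging
import sqlite3

log = logging.getLogger("band_site.security")  # hypothetical logger name


def make_db():
    """Constructed sample data: an in-memory table of gigs."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE gigs (id INTEGER PRIMARY KEY, venue TEXT)")
    db.executemany("INSERT INTO gigs (venue) VALUES (?)",
                   [("The Cellar",), ("Town Hall",)])
    return db


def get_gig_unsafe(db, raw_id):
    # Vulnerable pattern: request text is pasted into the SQL statement,
    # so the database parses whatever the visitor sent as SQL.
    return db.execute("SELECT venue FROM gigs WHERE id = " + raw_id).fetchall()


def get_gig(db, raw_id, remote_addr):
    """Validate on the server, log rejects there, and bind the value."""
    if not (raw_id.isascii() and raw_id.isdigit() and len(raw_id) <= 9):
        # Recorded server-side only; the visitor gets a generic error and
        # never sees which checks exist.
        log.warning("rejected id=%r from %s", raw_id, remote_addr)
        return None
    # The ? placeholder keeps the value out of the SQL text entirely.
    return db.execute("SELECT venue FROM gigs WHERE id = ?",
                      (int(raw_id),)).fetchall()


def demo():
    db = make_db()
    hostile = "1 OR 1=1"          # constructed sample input
    addr = "203.0.113.7"          # documentation-range address
    return (get_gig_unsafe(db, hostile),   # every row comes back
            get_gig(db, hostile, addr),    # rejected and logged
            get_gig(db, "2", addr))        # normal request still works


if __name__ == "__main__":
    print(demo())
```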
paul_wilkins — 2010-11-23T22:24:44-05:00 — #6
Handling Input and Output
oddz — 2010-11-23T22:31:35-05:00 — #7
I'm not saying I have done it, but I think attempting to exploit a site is a great way to determine its level of security. For example, if one is able to exploit a site with something as simple as SQL injection, then who knows what other security holes exist. I don't want those types of sites storing my personal information, especially any credit card info. In my opinion the fault always lies with the person who built the software, not the person who attempted or succeeded with an exploit. Especially for something that is so simple to prevent – SQL injection. Other things are less preventable, perhaps, but SQL injection is a cake walk.
system — 2010-11-23T22:35:32-05:00 — #8
Imho both are at fault.
something else a wise person once told me.
Two wrongs don't make a right
oddz — 2010-11-23T22:41:25-05:00 — #9
Bad software is normally cheap software, so it's good to see people get what they paid for. Next time around they may just think twice. I don't even believe SQL injection is directly punishable by law. It seems like there would have to be some sort of theft involved. Removing data isn't really theft. Then again, who knows with how outdated the cyber crime laws are. Perhaps one of the only cases where it is punishable by law for a normal everyday site is stealing financial information. However, deleting it isn't really stealing it imo.
paul_wilkins — 2010-11-23T22:42:28-05:00 — #10
Sometimes a first attack cannot be prevented. There is no crime in ignorance, but continued ignorance is to be avoided.
Learning from an attack to help prevent similar ones from occurring is to be commended. That's what I see from the original poster.
This is why I feel that it's beneficial for us to direct his efforts so that they will protect him in ways that will prove to be most fruitful.
system — 2010-11-23T22:47:55-05:00 — #11
yep agree :agree:, deleting is not actually stealing but where I live there are laws against deliberate and malicious damage to other people's property.
I think of it this way.
If I leave my house unattended with the front door open and someone comes in and trashes the place then, although I haven't done anything illegal (luckily you can't legislate against stupidity :lol:) I am still at fault for my lapse in security and the person who trashed my place has committed a criminal offence even if he didn't steal anything.
system — 2010-11-23T22:53:24-05:00 — #12
yep totally agree :agree: but whether through no fault of their own or not, the person who originally built the site is still "technically" at fault imo.
but I agree that learning from that mistake and doing something about it is commendable.