ExpressionEngine CMS

This is an archived forum and the content is probably no longer relevant, but is provided here for posterity.

Most vulnerable site I've ever seen

November 06, 2008 1:07am

  • #1 / Nov 06, 2008 1:07am

    Rick Jolly

    729 posts

    Recently I had to patch an old ASP site that had been victimized by an SQL injection attack. Here is a list of security holes:

    1. The database queries were not escaped/parameterized. That’s how the site was hacked.
    2. GET and POST data were not validated or filtered. No XSS cleaning libraries back then I guess.
    3. HTML output from the database or user inputs wasn’t escaped, leading to potential broken HTML or XSS attacks.
    4. The admin login form had fields for username and password, but only a hardcoded password within the script was checked.
    5. None of the admin pages checked for an authenticated user. The login page was only window dressing!
    6. Drum roll please. A public page took a file name directly from the URL, opened that file, and output the contents within the page!! Want the database connection info? Sure: example.com/hack_me?file=web.config
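
Added example, not part of the original post or the site's code: hole 6 above, sketched in Python rather than ASP. The `web.config` request contains no `../`, so stripping traversal sequences alone would not have stopped it; the hardened reader serves only regular files that resolve inside a dedicated content directory. The directory layout, function names and file contents are constructed for illustration.

```python
import os
import tempfile

def read_naive(web_root, file_param):
    """Hole 6 as described: open whatever file the URL parameter names."""
    with open(os.path.join(web_root, file_param), encoding="utf-8") as fh:
        return fh.read()

def read_contained(content_dir, file_param):
    """Serve only regular files that resolve inside a dedicated content directory."""
    if "\x00" in file_param:
        raise PermissionError("invalid file name")
    base = os.path.realpath(content_dir)
    target = os.path.realpath(os.path.join(base, file_param))
    # realpath collapses ".." and follows symlinks, so compare resolved paths.
    if os.path.commonpath([base, target]) != base or not os.path.isfile(target):
        raise PermissionError("not a servable document")
    with open(target, encoding="utf-8") as fh:
        return fh.read()

def build_demo_site():
    """Constructed sample site: a web root holding a config file and a content dir."""
    root = tempfile.mkdtemp()
    content = os.path.join(root, "content")
    os.mkdir(content)
    with open(os.path.join(root, "web.config"), "w", encoding="utf-8") as fh:
        fh.write("connectionString=PLACEHOLDER")
    with open(os.path.join(content, "about.txt"), "w", encoding="utf-8") as fh:
        fh.write("About us")
    return root, content

def demo():
    root, content = build_demo_site()
    results = {"naive": read_naive(root, "web.config"),
               "allowed": read_contained(content, "about.txt")}
    attempts = {"same-name": "web.config", "dot-dot": "../web.config",
                "absolute": os.path.join(root, "web.config")}
    for label, value in attempts.items():
        try:
            read_contained(content, value)
            results[label] = "served"
        except PermissionError:
            results[label] = "blocked"
    return results

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```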

  • #2 / Nov 06, 2008 1:25am

    Tom Schlick

    386 posts

    gotta love developer stupidity… but it’s things like that that keep us employed!

  • #3 / Nov 06, 2008 5:22am

    narkaT

    113 posts

    good to know that such “developers” exist in the asp-world too 😉

  • #4 / Nov 06, 2008 5:32am

    Crimp

    320 posts

    It’s just a different approach: security through obscurity. Who would have thought that login was not really required on the login page? You got to admit that’s pretty clever.

  • #5 / Nov 06, 2008 6:07am

    Bramme

    574 posts

    You’re actually going as far as calling that “clever”??? :p

  • #6 / Nov 06, 2008 6:35am

    manilodisan

    223 posts

    These things are happening today also, no matter what programming language is used. I think many of the newbies are hunting down freelance projects and charge money for their ridiculous works instead of extending their knowledge but again, as @trs21219 said, “gotta love developer stupidity… but it’s things like that that keep us employed!”

  • #7 / Nov 06, 2008 6:44am

    johnwbaxter

    651 posts

    That’s impressive. I bet they got their app built quickly though 😉

  • #8 / Nov 06, 2008 10:24am

    Tom Glover

    493 posts

    I was never that bad. 😛 Even when I started, I knew how important security is to all, but I can see how easy it would be to write a script without the security, taking half the time.

  • #9 / Nov 06, 2008 10:28am

    narkaT

    113 posts

    security through obscurity

    imo that’s the worst security concept ever designed.
    especially when it comes to securing a web application 😉

    although it’s pretty “clever” from the developer: less work to do :lol:

  • #10 / Nov 06, 2008 12:36pm

    drewbee

    480 posts

    security through obscurity

    imo that’s the worst security concept ever designed.
    especially when it comes to securing a web application 😉

    although it’s pretty “clever” from the developer: less work to do :lol:

    Sure. Obscurity is just a false sense of security.

  • #11 / Nov 06, 2008 3:19pm

    phantom-a

    77 posts

    5. None of the admin pages checked for an authenticated user. The login page was only window dressing!

    haha I guess so, hey this must have been a really old script? Before XSS/SQL injection was a known problem.
