constant malicious attacks on website

  • Question

  • User708123575 posted

    Hi All,

    I have a web application that is constantly being attacked with malicious web requests... mainly XSS scripts.

    I already have ASP.NET's default page level validations implemented with exceptions being thrown by default.

    Is this safe enough or should I consider looking at additional validation efforts?

    thanks

    Monday, May 19, 2014 7:53 AM

Answers

  • User281315223 posted

    I usually recommend developers to check out the Web Developer Checklist (which is great for all types of methods of improving your site and application) but in particular the Security section. There is never any "single" thing that you can do to help keep your site / server protected, but rather a series of steps that you can take to make things more difficult for any malicious activity to go on.

    Under there you will find several links and topics such as the following that will help you make your site more secure and help avoid some of the issues that you are mentioning:

    • Basic Security Best Practices for ASP.NET Applications contains a fairly large list of many of the different areas that you should consider regarding Security in ASP.NET Applications.
    • ASafaWeb ASP.NET Security Analyzer This tool will automatically analyze and notify you of any major security flaws that may exist within your site online.
    • Microsoft Code Analysis Tool You can run this tool to help analyze your code and determine areas that may be at risk for things like Cross-Site Scripting Attacks (XSS), SQL Injection and XPath Injections.
    • Many other tools specifically for helping prevent XSS attacks, SSL Information and Analysis and a few other areas.

    For some additional information on Web Security in general, you may want to check out the Open Web Applications Security Project (OWASP) which is a great resource that contains basically everything you would want to know with regards to security.

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Monday, May 19, 2014 5:16 PM

All replies

  • User-1353043493 posted

    You need to block this request using the request IP address.

    In Global.asax, in the Application_BeginRequest event.

    Monday, May 19, 2014 8:04 AM
  • User708123575 posted

    Yes, I do block the suspicious IPs but obviously only after the attack has happened.

    I need the app to be more proactive.

    I also block in IIS 

    Monday, May 19, 2014 8:32 AM
  • User-1416423428 posted

    A site I maintain for a client gets thousands of attacks per day... sometimes hundreds every minute. 

    Yes, it's hard and impossible to block each and every IP attack (and will be lots of work too). 

    So I'm real strict on checking the QueryString, because almost all XSS attacks are done via this vector.  On each page, I checked the contents of the querystring and if certain keywords are present, I assume the request is an attack and drop the connection. 

    For example: the following strings should never appear in the querystring of any valid request! They're favorites of hackers, SQL injectors, etc. 

    CAST(
    IFRAME
    <SCRIPT
    UPDATE
    SELECT%20
    CONCAT
    SCHEMA
    NULL
    VARCHAR
    DECLARE
    CONVERT
    -1

    Here's a typical kind of attack (just got this a few minutes ago). I wrote a script to email me when suspicious attacks are happening, so I can see what they're doing. It also gives me the chance to block these hackers' IP address if they're really persistent. 

    Time: hh:mm:ss
    IP Address:  109.163.234.13   <------ yup, actual address of that hacker/script kiddie 
    Server Name: www.*********.**

    Querystring: 
    ID=4603%2F%2A%2A%2FAND%2F%2A%2A%2F2216%2F%2A%2A%2FLIKE%2F%2A%2A%2FCONVERT%28INT%2C%28SELECT%2F%2A%2A%2FCHAR%28113%29%2BCHAR%28104%29%2BCHAR%28109%29%2BCHAR%28117%29%2BCHAR%28113%29%2B%28SELECT%2F%2A%2A%2F%28CASE%2F%2A%2A%2FWHEN%2F%2A%2A%2F%282216%2F%2A%2A%2FLIKE%2F%2A%2A%2F2216%29%2F%2A%2A%2FTHEN%2F%2A%2A%2FCHAR%2849%29%2F%2A%2A%2FELSE%2F%2A%2A%2FCHAR%2848%29%2F%2A%2A%2FEND%29%29%2BCHAR%28113%29%2BCHAR%28106%29%2BCHAR%28118%29%2BCHAR%28120%29%2BCHAR%28113%29%29%29--%2F%2A%2A%2FLEZR

    ... and the other usual practices, i.e. if you're expecting a numeric ID, then accept only if it's numeric, etc.

    Monday, May 19, 2014 3:54 PM
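An added example, not code from this thread: a Global.asax.cs handler that combines the Application_BeginRequest idea from the earlier reply with the decoded query-string keyword check and the numeric-ID check described in the reply above. FirstSuspiciousToken and TryParseId are names chosen here; the keyword filter is a detection and triage layer, while the actual fix for injection and XSS remains parameterized queries and output encoding.

```csharp
using System;
using System.Globalization;
using System.Linq;
using System.Web;

public class Global : HttpApplication
{
    // Tokens from the post above, matched case-insensitively after URL decoding.
    // "NULL" and "-1" from the post are omitted here: they appear in legitimate
    // requests far too often to block on.
    private static readonly string[] SuspiciousTokens =
    {
        "CAST(", "IFRAME", "<SCRIPT", "UPDATE", "SELECT ", "CONCAT",
        "SCHEMA", "VARCHAR", "DECLARE", "CONVERT"
    };

    // Decode before matching so %2F%2A%2A%2F (/**/) padding and %20 cannot hide a
    // token; the sample in the post encodes "SELECT/**/..." exactly this way.
    public static string FirstSuspiciousToken(string rawQuery)
    {
        if (string.IsNullOrEmpty(rawQuery)) return null;
        string decoded = (HttpUtility.UrlDecode(rawQuery) ?? string.Empty)
            .Replace("/**/", " ")
            .ToUpperInvariant();
        return SuspiciousTokens.FirstOrDefault(t => decoded.Contains(t));
    }

    // Per-page check from the post: accept an ID only when it is a plain positive integer.
    public static bool TryParseId(string value, out int id)
    {
        return int.TryParse(value, NumberStyles.None, CultureInfo.InvariantCulture, out id) && id > 0;
    }

    protected void Application_BeginRequest(object sender, EventArgs e)
    {
        string token = FirstSuspiciousToken(Request.Url.Query);
        if (token == null) return;

        // Record what you need to triage (time, client IP, token, raw URL) before
        // blocking. UserHostAddress is the connecting IP; behind a load balancer
        // or proxy, use the forwarded address your edge sets instead.
        System.Diagnostics.Trace.TraceWarning("{0:u} ip={1} token={2} url={3}",
            DateTime.UtcNow, Request.UserHostAddress, token, Request.RawUrl);

        Response.StatusCode = 403;
        Response.SuppressContent = true;
        CompleteRequest();
    }
}
```

Run against the query string quoted in the post, FirstSuspiciousToken returns "UPDATE"? No: the decoded text contains "CONVERT(" and "SELECT ", and the first array entry found is "SELECT ", which is what the warning line will report.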