[thelist] Website Hacked?

Chris Anderson Chris at activeide.com
Sat May 24 17:36:22 CDT 2008

> Thanks Anthony.  I am checking so that when someone requests a store -
> ie.
> Store.asp?id=300 - if it's not a numeric value then they will get
> redirected
> to the home page.  However, I'm raw on how they could actually get

How do you check it's numeric?
In the past, I've seen library routines that check for numerics just
check for the possibility of it being converted to an integer - and
would consider "300;DROP DATABASE foo" as being numeric, because it can
be converted to a number by just ignoring the right-hand side.

Also - if the hack is using the querystring, check the IIS logs as the
URL used will probably be in there

However, as they are injecting <script> tags, might they be sending
<script> into fields that they have access to? (eg anything in their
account profile if that's relevant, or perhaps when they send in an
order, might it be in the quantity required field, or similar?
(basically anything they can type into)
And remember that even if there is client script to stop such entries,
you only need to disable JavaScript or use a hackers proxy (that allows
you to alter the POST data after the browser has sent it, but before it
leaves there machine, etc))

More information about the thelist mailing list