Hacking of asp post info

Status
Not open for further replies.

pwinstanley

IS-IT--Management
Nov 23, 2000
22
GB
Hi there.

I have a web site that has a game on there. The top score wins a prize and it seems that people are changing the top scores and putting in what they want.

Can people capture post data as it is sent from the page to the server and then resend their own data afterwards?

If so what method would they use as this is really annoying me now.

Cheers
Paul
 
What you need to do to stop this is to check the HTTP_REFERER from every post on your site.

What's happening is that someone's looking at your form action and writing their own little page with their own values and posting it from their own domain.

request.serverVariables("HTTP_REFERER") will return to you the IP address for where the request came from. Just match that against your IP, and only accept the ones that match. Otherwise, just redirect them out of your site, while disabling their account at the same time. ;-)
 
Without seeing your pgms, I couldn't say. Some thoughts.

If you are on a free ASP hosting website, your code and pgms are generally available for other members to view.

A common method that allows alteration of data between post & server is utilizing querystrings, by altering data on the address line (it is hit and miss though).

Alteration of Cookie data is another method (also hit and miss). A database string is a more secure option than either cookies or querystrings.

The list goes on and on. Try utilizing a .txt log file to find out how it happens (if it happens between post & server). Good luck.


 
It is very easy, and quite helpful, to do exactly what they are doing. Just use the WebBrowser Control in VB and a lot or a little DHTML knowledge depending on the web pages. It is so helpful to me at work because I have provided my company with automated access to Credit Reports, Zip Code look up, State Department OFAC (Office of "Frozen" er... Office of Foreign Assets Control) listings, etc. to be sure we don't get flim-flammed easily; make them work at it.
 
Sample High-level code.
mobjDHTML is my own DHTML VB wrapper object.
Code:
Private Sub GoZipCode(Optional ByVal strZipCode As String = "")
    Dim strURL As Variant  'MUST BE VARIANT (WebBrowser.Navigate takes a Variant)
    strURL = "http://www.xxxxx.com/find_zip_code_results.pl?zip=!!!!!&type=lookup_by_zip&x=&y="
    strURL = Replace(strURL, "!!!!!", strZipCode)
    On Error Resume Next        'Don't stop execution, continue on next line
        ClearOutput
        mobjWeb.Visible = True
        mobjWeb.Stop
        mstrDownload = "HandleGotZipCode"   'Handler to run once the page has finished loading
        mobjWeb.Navigate strURL
    On Error GoTo 0
End Sub

Public Sub HandleGotZipCode()
    '*****
    '* ZIP Code - Got: parse city/state out of the downloaded HTML (mstrHTML)
    '*****
    Dim I           As Long
    Dim J           As Long
    Dim strOutput   As String
    Dim blnOK       As Boolean
    Dim lngErr      As Long
    Dim strState    As String
    Dim strCity     As String
    Do  'Single-pass loop: Exit Do acts as a "break" on any parse failure
        blnOK = False
        I = InStr(1, mstrHTML, "found no match", vbTextCompare)
        If I > 0 Then
            mstrErrDescription = "Not Found"
            Exit Do
        End If

        I = InStr(1, mstrHTML, "city:", vbTextCompare)
        If I = 0 Then Exit Do
        J = InStr(I, mstrHTML, "state:", vbTextCompare)
        If J = 0 Then Exit Do
        J = InStr(J, mstrHTML, "<")   'End of the text run that holds the state
        If J = 0 Then Exit Do
        strOutput = mobjDHTML.StripTags(Mid$(mstrHTML, I, J - I))
        strOutput = Replace(strOutput, "city:", "", , , vbTextCompare)
        strOutput = Replace(strOutput, "state:", "", , , vbTextCompare)
        I = InStrRev(strOutput, " ")  'Last space separates city from state
        If I = 0 Then Exit Do
        strState = Trim$(Mid$(strOutput, I + 1))
        strCity = Trim$(Mid$(strOutput, 1, I - 1))
        blnOK = True
    Exit Do: Loop

    If blnOK Then
        mstrCity = strCity
        mstrState = strState
        mblnOutputAvailable = True
    End If
    mblnFound = blnOK
    mblnBusy = False
    mform.ZOrder 1
End Sub
 
Also, to touch on an issue that wasn't brought up by any previous replies...

"Hacking" form posts is as simple as pie.

All you need is netcat or a telnet command line.

Basically, all that someone has to do is manually build the request to your page by opening a connection to port 80 and passing it the expected request data, something like:

GET /directory/pageToGet.asp\ HTTP/1.0
Host: 192.68.0.10
User-Agent: Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0;+Q312461)
Content-Type: application/x-

Which will send the page back to the user.

Then all you do is change the form variables to what you want, change the request method to POST and voila, you have just handcrafted the data being posted.

HTH,

- J
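An added example, not code from any post in this thread, written in Python rather than the thread's ASP: the score-post check a defender would want given the two replies above. It keeps the HTTP_REFERER check the first reply suggests as a log signal, but because a handcrafted request of the kind shown above can carry any Referer and any score, the decision rests on a server-signed round token (HMAC), a replay guard and a plausibility bound. The host name, points ceiling, field names and key are constructed assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed per-deployment secret; load it from config in practice, never send it to the browser.
SERVER_KEY = secrets.token_bytes(32)
OWN_HOST = "www.example-game.test"   # hypothetical host name of the game site
MAX_POINTS_PER_SEC = 10              # hypothetical ceiling for this game
_seen_nonces: set[str] = set()       # in-memory replay guard; a database table in production


def _sign(body: str) -> str:
    return hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()


def issue_game_token(player: str, started_at: int) -> str:
    """Server hands this hidden field to the game page when a round starts."""
    nonce = secrets.token_hex(8)
    body = f"{player}|{started_at}|{nonce}"
    return f"{body}|{_sign(body)}"


def referer_matches(headers: dict) -> bool:
    """The classic HTTP_REFERER check: a useful log signal, but the header is client-supplied."""
    return OWN_HOST in headers.get("Referer", "")


def validate_score_post(form: dict, headers: dict, now: int) -> tuple[bool, str]:
    """Decide whether a posted score may reach the leaderboard. Returns (accepted, reason)."""
    if not referer_matches(headers):
        return False, "referer mismatch"
    try:
        player, started_at, nonce, tag = form["token"].split("|")
        score = int(form["score"])
    except (KeyError, ValueError):
        return False, "malformed post"
    body = f"{player}|{started_at}|{nonce}"
    if not hmac.compare_digest(tag, _sign(body)):
        return False, "token forged"          # token was never issued by this server
    if nonce in _seen_nonces:
        return False, "token replayed"        # same round submitted twice
    elapsed = now - int(started_at)
    if elapsed <= 0 or score > elapsed * MAX_POINTS_PER_SEC:
        return False, "score implausible"     # more points than the round could have produced
    _seen_nonces.add(nonce)
    return True, f"accepted {score} for {player}"
```

The handcrafted POST passes the Referer check as soon as the attacker types the header, so it is only ever a reason to log, not to trust; the forged-token and implausible-score rejections are what actually protect the leaderboard.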
 