initial_a
Member
2 Points
2 Posts
Someone insert a malicious JS to my web.. how can?
Nov 05, 2011 02:08 AM
Sir, can someone explain this to me? My website is ASP.NET 3.5. I am trying to learn ASP self-taught, without lectures or anything. I made an ASP website while working at an IT company, where they told me to build the company website. Finally the website was finished and hosted on a web host. Three months later we were attacked: someone inserted malicious JavaScript (the script was detected by Google), which affected these pages of mine:
1. default page,
2. dynamic asp css,
3. view page...
How can someone insert a malicious script? What is wrong with my ASP security? I am a little blank about ASP security (my background is PHP development).
Topspy
Contributor
3785 Points
806 Posts
Re: Someone insert a malicious JS to my web.. how can?
Nov 05, 2011 08:56 AM
Probably a file permission issue on your website folder, you should remove the write access if it's not necessary.
Asp.net Hosting | Windows Hosting | SQL Server Hosting
ignatandrei
All-Star
135047 Points
21654 Posts
Moderator
MVP
Re: Someone insert a malicious JS to my web.. how can?
Nov 05, 2011 08:57 AM
Talk with your hosting provider. If they put it in the CSS, that is their fault.
initial_a
Member
2 Points
2 Posts
Re: Someone insert a malicious JS to my web.. how can?
Nov 06, 2011 03:25 AM
Thank you, sir.
I just tried:
1. Changed my ASP header: enableEventValidate -> true and validationRequest -> true.
2. Re-checked file permissions.
3. Changed my hosting account password or FTP...
ignatandrei
All-Star
135047 Points
21654 Posts
Moderator
MVP
Re: Someone insert a malicious JS to my web.. how can?
Nov 06, 2011 07:19 AM
Delete the whole site and re-deploy.
deepakaitr
Member
85 Points
41 Posts
Re: Someone insert a malicious JS to my web.. how can?
Nov 17, 2011 09:08 AM
Hi...
This is generally known as a cross-site scripting attack.
It can be removed by using the AntiXSS library or SRE (Security Runtime Engine) in .NET.
Using this, no JavaScript injection is possible; it will directly expire your web session.
Thanks
lbriner
Participant
795 Points
135 Posts
Re: Someone insert a malicious JS to my web.. how can?
Nov 21, 2011 06:31 PM
Well although I applaud the fact that you have taught yourself, when it comes to security, really you need to take some formal training. There are in fact many ways to attack a web site, some by obtaining login credentials, sometimes just by weaknesses in the application itself. However good you are, you will never spot all of these weaknesses yourself, which is why proper training is so important. If you want to spend some time reading up on it then look at owasp.org who have many articles and checklists about securing your site.
The easiest way to keep it secure is to check all user input at the server (even if you also check on the client) and make sure that it is very hard therefore to inject anything like SQL or scripts. Remove any unused methods in the code behind, and DO NOT use a system admin type login between the web application and the database.
*Please mark the thread as Resolved if this answers your question*
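
The advice in the reply above (check input at the server, keep values out of the SQL text), together with encoding on output, as an added example that is not code from any poster in this thread. The `CommentInput` class, the `Comments` table and its columns, and the sample strings are assumptions made for illustration; it compiles against .NET 3.5 with a reference to System.Web.dll.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Text.RegularExpressions;
using System.Web; // HttpUtility; needs a reference to System.Web.dll

// Hypothetical helper for a page that stores and displays visitor comments.
public static class CommentInput
{
    // Allow-list: word characters, space and basic punctuation, 1-200 chars.
    static readonly Regex Allowed = new Regex(@"^[\w .,!?'-]{1,200}$");

    // Server-side check; it still runs when client-side validation is bypassed.
    public static bool IsValid(string comment)
    {
        return comment != null && Allowed.IsMatch(comment);
    }

    // Values travel as parameters and are never concatenated into the SQL text.
    // Table and column names are assumptions.
    public static SqlCommand BuildInsert(int pageId, string comment)
    {
        SqlCommand cmd = new SqlCommand(
            "INSERT INTO Comments (PageId, Body) VALUES (@pageId, @body)");
        cmd.Parameters.Add("@pageId", SqlDbType.Int).Value = pageId;
        cmd.Parameters.Add("@body", SqlDbType.NVarChar, 200).Value = comment;
        return cmd;
    }

    // Encode when writing to the page so stored text renders as text, not markup.
    public static string ForHtml(string stored)
    {
        return HttpUtility.HtmlEncode(stored);
    }

    public static void Main()
    {
        // Constructed sample inputs: one ordinary comment, one script tag.
        string[] samples = {
            "Nice site, thanks!",
            "<script src=//x.example/a.js></script>"
        };
        foreach (string s in samples)
        {
            Console.WriteLine("valid={0} encoded={1}", IsValid(s), ForHtml(s));
            if (IsValid(s))
                using (SqlCommand cmd = BuildInsert(1, s))
                    Console.WriteLine("  would run: " + cmd.CommandText);
        }
    }
}
```

The command should be executed over a connection whose database login has only the rights the page needs, in line with the reply's point about not using a system admin type login.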