ASP password protected application
Page 1 of 2 12 LastLast
Results 1 to 10 of 12

Thread: ASP password protected application

  1. #1
    Junior Member
    Join Date
    May 2004
    Posts
    7

    ASP password protected application

    How well are protected the files
    in my ASP application?

    Can anybody break in to http://www.cma-slp.com?

    I need to test if the files stored in this application
    are well protected?

  2. #2
    Senior Member
    Join Date
    Apr 2004
    Posts
    1,130
    change your message from "user not found" to "user/password invalid". Change at password invalid too. "user not found" is an invitation for trying.
    Meu sítio

    FORMAT C: Yes ...Yes??? ...Nooooo!!! ^C ^C ^C ^C ^C
    If I die before I sleep, I pray the Lord my soul to encrypt.
    If I die before I wake, I pray the Lord my soul to brake.

  3. #3
    Ninja Code Monkey
    Join Date
    Nov 2001
    Location
    Washington State
    Posts
    1,027
    erm....I wouldn't attempt breaking into the site he posted. Not without some kind of written legal agreement and proof that he owns it. It would be, stupid.

    If you need to test it you need to get the skills to do it yourself or go hire a contractor for it.
    "When I get a little money I buy books; and if any is left I buy food and clothes." - Erasmus
    "There is no programming language, no matter how structured, that will prevent programmers from writing bad programs." - L. Flon
    "Mischief my ass, you are an unethical moron." - chsh
    Blog of X

  4. #4
    Junior Member
    Join Date
    May 2004
    Posts
    7

    USER NOT FOUND

    Why "USER NOT FOUND"
    is an invitation?

    What real difference does it make
    with "INVALID USERNAME/LOGIN"?

  5. #5
    Senior Member
    Join Date
    Apr 2004
    Posts
    1,130
    "user not found" - userid invalid
    "invalid password" - userid is ok, password is invalid.
    I can try until find a valid userid
    after a valid one is valid, i can try all passwords
    but
    "userid/password invalid"
    where is the error?
    harder to guess

    just best pratices when ask for userid / password


    as our senior member said, i cant go further. It will be a violation of that website.
    Meu sítio

    FORMAT C: Yes ...Yes??? ...Nooooo!!! ^C ^C ^C ^C ^C
    If I die before I sleep, I pray the Lord my soul to encrypt.
    If I die before I wake, I pray the Lord my soul to brake.

  6. #6
    Junior Member
    Join Date
    May 2004
    Posts
    7

    How to test website security?

    Juridian,

    We just had a situation when
    the document stored in our website
    was posted on www.essaycrawler.com
    and now the managemenet wants me
    to prove that the content can not be stolen
    from the site.

    What are those skills if you need to test
    how secure your website is?

    I mean I followed the best practices
    in terms of ASP coding - protected
    db connection strings,hiding extensions,etc.

    But maybe there is something else
    I can do to make sure website is
    completely protected?

  7. #7
    Ninja Code Monkey
    Join Date
    Nov 2001
    Location
    Washington State
    Posts
    1,027
    Cacosapo is quite correct.

    I would recommend taking a look at www.owasp.org .

    For a quick run through you could take a look at this old paper of mine - http://www.giac.org/practical/GSEC/E...elson_GSEC.pdf

    Those two could give you ideas on what to do and where to do further research. You might also go to amazon.com and pick up microsofts book on writing secure web applications or the book 'innocent code'.

    I didn't make the post above to make trouble, it is better for auditors if they go through the process the right way and cover their a**. Otherwise they just open themselves up to liability and the possibility of getting a nice policeman at their door.
    "When I get a little money I buy books; and if any is left I buy food and clothes." - Erasmus
    "There is no programming language, no matter how structured, that will prevent programmers from writing bad programs." - L. Flon
    "Mischief my ass, you are an unethical moron." - chsh
    Blog of X

  8. #8
    Junior Member
    Join Date
    May 2004
    Posts
    7

    Thanks Juridian!

    Thank you very much, Juridian!

    I am reading your PDF document.
    It is quite interesting and very detailed.

    I'm glad I opened this thread.
    I got something.

  9. #9
    Senior Member
    Join Date
    Mar 2004
    Posts
    139

    I know nothing about ASP and very little about securing a web-site. Password protection is
    all fine, but have you considered protecting the documents within the site, such as copyrights and a warning that posting these documents without the authors/owners permission may have legal consequences? Since you have found yourself in such a situation, wouldn't it stand to reason that you would have legal recourse if the documents had been protected?

    I think that should be your first line of defense. In this day and age of cut, copy and paste,
    you have to cover all bases.

  10. #10
    Junior Member
    Join Date
    May 2004
    Posts
    7

    Copyright,etc.

    The document that was stolen
    is not ander any Copyright protection
    or anything.

    Yhis site is an Online Accounting Certification Program.
    The students simply submit their assignments in Word,
    Excel,PDF formats.

    We don't have control over the content of the
    assignment.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •