ASP password protected application

**riga** · May 26th, 2004, 03:22 PM

How well are protected the files
in my ASP application?

Can anybody break in to http://www.cma-slp.com?

I need to test if the files stored in this application
are well protected?

***cacosapo*** · May 26th, 2004, 03:26 PM

change your message from "user not found" to "user/password invalid". Change at password invalid too. "user not found" is an invitation for trying.

***Juridian*** · May 26th, 2004, 03:29 PM

erm....I wouldn't attempt breaking into the site he posted. Not without some kind of written legal agreement and proof that he owns it. It would be, stupid.

If you need to test it you need to get the skills to do it yourself or go hire a contractor for it.

**riga** · May 26th, 2004, 03:30 PM

Why "USER NOT FOUND"
is an invitation?

What real difference does it make
with "INVALID USERNAME/LOGIN"?

***cacosapo*** · May 26th, 2004, 03:31 PM

"user not found" - userid invalid
"invalid password" - userid is ok, password is invalid.
I can try until find a valid userid
after a valid one is valid, i can try all passwords
but
"userid/password invalid"
where is the error?
harder to guess

just best pratices when ask for userid / password

as our senior member said, i cant go further. It will be a violation of that website.

**riga** · May 26th, 2004, 03:40 PM

Juridian,

We just had a situation when
the document stored in our website
was posted on www.essaycrawler.com
and now the managemenet wants me
to prove that the content can not be stolen
from the site.

What are those skills if you need to test
how secure your website is?

I mean I followed the best practices
in terms of ASP coding - protected
db connection strings,hiding extensions,etc.

But maybe there is something else
I can do to make sure website is
completely protected?

***Juridian*** · May 26th, 2004, 03:49 PM

Cacosapo is quite correct.

I would recommend taking a look at www.owasp.org .

For a quick run through you could take a look at this old paper of mine - http://www.giac.org/practical/GSEC/E...elson_GSEC.pdf

Those two could give you ideas on what to do and where to do further research. You might also go to amazon.com and pick up microsofts book on writing secure web applications or the book 'innocent code'.

I didn't make the post above to make trouble, it is better for auditors if they go through the process the right way and cover their a**. Otherwise they just open themselves up to liability and the possibility of getting a nice policeman at their door.

**riga** · May 26th, 2004, 03:58 PM

Thank you very much, Juridian!

I am reading your PDF document.
It is quite interesting and very detailed.

I'm glad I opened this thread.
I got something.

**bluthund** · May 26th, 2004, 04:03 PM

I know nothing about ASP and very little about securing a web-site. Password protection is
all fine, but have you considered protecting the documents within the site, such as copyrights and a warning that posting these documents without the authors/owners permission may have legal consequences? Since you have found yourself in such a situation, wouldn't it stand to reason that you would have legal recourse if the documents had been protected?

I think that should be your first line of defense. In this day and age of cut, copy and paste,
you have to cover all bases.

**riga** · May 26th, 2004, 04:15 PM

The document that was stolen
is not ander any Copyright protection
or anything.

Yhis site is an Online Accounting Certification Program.
The students simply submit their assignments in Word,
Excel,PDF formats.

We don't have control over the content of the
assignment.

Thread: ASP password protected application

Thread Tools

Display

ASP password protected application

USER NOT FOUND

How to test website security?

Thanks Juridian!

Copyright,etc.

Posting Permissions