-
May 26th, 2004, 03:22 PM
#1
Junior Member
ASP password protected application
How well are the files
in my ASP application protected?
Can anybody break in to http://www.cma-slp.com?
I need to test if the files stored in this application
are well protected.
-
May 26th, 2004, 03:26 PM
#2
Change your message from "user not found" to "user/password invalid". Change it at "password invalid" too. "User not found" is an invitation for trying.
My site
FORMAT C: Yes ...Yes??? ...Nooooo!!! ^C ^C ^C ^C ^C
If I die before I sleep, I pray the Lord my soul to encrypt. If I die before I wake, I pray the Lord my soul to brake.
-
May 26th, 2004, 03:29 PM
#3
erm....I wouldn't attempt breaking into the site he posted. Not without some kind of written legal agreement and proof that he owns it. It would be stupid.
If you need to test it you need to get the skills to do it yourself or go hire a contractor for it.
"When I get a little money I buy books; and if any is left I buy food and clothes." - Erasmus
"There is no programming language, no matter how structured, that will prevent programmers from writing bad programs." - L. Flon
"Mischief my ass, you are an unethical moron." - chsh
Blog of X
-
May 26th, 2004, 03:30 PM
#4
Junior Member
USER NOT FOUND
Why "USER NOT FOUND"
is an invitation?
What real difference does it make
with "INVALID USERNAME/LOGIN"?
-
May 26th, 2004, 03:31 PM
#5
"user not found" - userid invalid
"invalid password" - userid is ok, password is invalid.
I can try until I find a valid userid
after a valid one is found, I can try all passwords
but
"userid/password invalid"
where is the error?
harder to guess
just best practices when asking for userid / password
As our senior member said, I can't go further. It will be a violation of that website.
My site
FORMAT C: Yes ...Yes??? ...Nooooo!!! ^C ^C ^C ^C ^C
If I die before I sleep, I pray the Lord my soul to encrypt. If I die before I wake, I pray the Lord my soul to brake.
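The difference described in post #5, as an added example that is not part of any post in this thread: a login check with two distinct failure messages beside one with a single message, plus a regression check that reports whether a login function reveals valid userids. It goes slightly beyond the thread by also doing the same hashing work for unknown userids so response time does not give the answer away; the account store, names and messages are constructed for illustration.

```python
import hashlib
import hmac
import os

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_user(password: str):
    salt = os.urandom(16)
    return salt, _hash(password, salt)

# Constructed sample account store (hypothetical, not from the thread).
USERS = {"alice": make_user("correct horse")}
# Stand-in record so an unknown userid still costs one hash computation.
_DUMMY = make_user("placeholder")

def login_leaky(userid: str, password: str) -> str:
    """The behaviour criticised in the thread: the message says which field was wrong."""
    rec = USERS.get(userid)
    if rec is None:
        return "user not found"
    salt, stored = rec
    if not hmac.compare_digest(_hash(password, salt), stored):
        return "invalid password"
    return "ok"

def login_uniform(userid: str, password: str) -> str:
    """One message for both failures, same work whether or not the userid exists."""
    salt, stored = USERS.get(userid, _DUMMY)
    match = hmac.compare_digest(_hash(password, salt), stored)
    if userid in USERS and match:
        return "ok"
    return "userid/password invalid"

def leaks_userid(login, known_user: str, unknown_user: str) -> bool:
    """True if a failed login answers differently for a real userid than for a made-up one."""
    wrong = "definitely-not-the-password"
    return login(known_user, wrong) != login(unknown_user, wrong)

if __name__ == "__main__":
    print("leaky form reveals userids:  ", leaks_userid(login_leaky, "alice", "nobody"))
    print("uniform form reveals userids:", leaks_userid(login_uniform, "alice", "nobody"))
```

A uniform message only helps if every other path that takes a userid (password reset, registration) answers the same way for existing and non-existing accounts.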
-
May 26th, 2004, 03:40 PM
#6
Junior Member
How to test website security?
Juridian,
We just had a situation when
the document stored in our website
was posted on www.essaycrawler.com
and now the management wants me
to prove that the content can not be stolen
from the site.
What are those skills if you need to test
how secure your website is?
I mean I followed the best practices
in terms of ASP coding - protected
db connection strings, hiding extensions, etc.
But maybe there is something else
I can do to make sure website is
completely protected?
-
May 26th, 2004, 03:49 PM
#7
Cacosapo is quite correct.
I would recommend taking a look at www.owasp.org .
For a quick run through you could take a look at this old paper of mine - http://www.giac.org/practical/GSEC/E...elson_GSEC.pdf
Those two could give you ideas on what to do and where to do further research. You might also go to Amazon.com and pick up Microsoft's book on writing secure web applications or the book 'Innocent Code'.
I didn't make the post above to make trouble, it is better for auditors if they go through the process the right way and cover their a**. Otherwise they just open themselves up to liability and the possibility of getting a nice policeman at their door.
"When I get a little money I buy books; and if any is left I buy food and clothes." - Erasmus
"There is no programming language, no matter how structured, that will prevent programmers from writing bad programs." - L. Flon
"Mischief my ass, you are an unethical moron." - chsh
Blog of X
-
May 26th, 2004, 03:58 PM
#8
Junior Member
Thanks Juridian!
Thank you very much, Juridian!
I am reading your PDF document.
It is quite interesting and very detailed.
I'm glad I opened this thread.
I got something.
-
May 26th, 2004, 04:03 PM
#9
I know nothing about ASP and very little about securing a web-site. Password protection is all fine, but have you considered protecting the documents within the site, such as copyrights and a warning that posting these documents without the author's/owner's permission may have legal consequences? Since you have found yourself in such a situation, wouldn't it stand to reason that you would have legal recourse if the documents had been protected?
I think that should be your first line of defense. In this day and age of cut, copy and paste, you have to cover all bases.
-
May 26th, 2004, 04:15 PM
#10
Junior Member
Copyright, etc.
The document that was stolen
is not under any Copyright protection
or anything.
This site is an Online Accounting Certification Program.
The students simply submit their assignments in Word,
Excel, PDF formats.
We don't have control over the content of the
assignment.