View Full Version : How secure is ASP??
04-03-2003, 06:49 PM
I just want to know if anyone knows? Here is the scenario: if I check for username and password inside the code instead of against a DB, can that be cracked? i.e.
player = Request.Form("username")
If player = "Mike" Then
    ' ... do something
End If
How secure is this?
04-03-2003, 07:22 PM
That is as secure as anything on the web can get. Can it be found by a determined hacker? Of course! However, a determined hacker can get into anything. That leaves us with like 99.5% of the population left, and they will not be able to find your password.
04-03-2003, 07:33 PM
I know a magician never tells, but how would a hacker get into your files? It is something I often think about when choosing passwords and considering using internet banking etc... but I have no idea how they even go about it, let alone what you can do to protect yourself against it. Any tips?
04-03-2003, 08:40 PM
LOL! If you know, please don't tell. I am hoping that the only way to get to the code in my ASP file is to hack the server. I guess my next question cannot even be asked, to protect the innocent.
04-03-2003, 09:12 PM
A hacker can only get into your computer if your computer is able to execute a file they put onto it.
If I made a server in VB that allows people to connect to your computer with a client I made, and allows them to do whatever they wanted, then that would be considered a "HACK" if they did this without your knowing or your permission.
So, as long as a "trojan" isn't put on your computer for you to run it (or something else to run it), then you should be fine from hackers.
Also, the fact remains, it's easier for anyone to find and steal your username and password (guess it, even!) than it is for them to hack into a computer and steal an ASP file or a database, which SHOULD be placed outside of the wwwroot folder...
So, if you are making accounts for your little friends to log in and type a message on your forum, then using a database or having their name in a string in a page is fine.
If you really want to protect yourself from those big bad hackers out there that are working 24/7 trying to get into your computer, learning new languages, following what you do on a computer just so they can find a vulnerable spot, or have a file sent to you so you can download it and run it... then you will have to find out what banks do... and they use a lot more expensive methods than you can ever find out...
04-03-2003, 09:43 PM
04-04-2003, 07:38 AM
Hacking in the true sense of the word is to learn a programming language really quickly.
Why do you even ask? So many secrets?
Personally, I would never go with a hardcoded password, because you'll (probably) need to share it with others and this creates some additional risks (either it won't be so easy for them to remember as it was for you and they'll write it down, or they think it's not that big of a secret since you told them). You probably won't change it as often as if it were a password that's stored in a DB (again, you'd have to inform all the others!!). You might have a copy of your code on your own machine? (Maybe there are even some copies of it in your recycle bin or /temp directory.) Plus you won't know who logs on (which could ;) be valuable information).
--> As a technique, it's quite safe, but it'll have some consequences.
I always go for validation against the DB. (So hackers have to get into my DB as well to get their hands on the data. If the login process has not been performed exactly right, none of the pages will be executed.) If it really needs to be safe, I check the IP number and have a counter that blocks off an IP if it had 3 unsuccessful trials (be sure to disable it on your development machine!! :)). I then also (in addition to the password and IP checking) work with an automatically generated key that's stored in a cookie. The user only has access on a computer where a key was generated and stored. To generate the key, he/she needs a disk I sent him/her. The disk can only be used in the first ten days.
My bank uses sort of a similar system (I think) (never used it, for lack of money :D). They sell (!!) you a 'digipass' (10 $ or so), and each time you want to log on, you see a number on the screen (after typing in the usual password and username). You need to type that number into your digipass, and this then computes your access code. So there must be some sort of communicating algorithms running on both their servers and your digipass. (Must have something to do with a Unix counter or date or whatever time variable.)
I'm not sure, but it should be possible to set up the same thing with a regular disk. So instead of computing a key once and storing it on the PC, you'd then be generating it each time they log in.
And of course there always remain retina scans and fingerprinting pads. Maybe in the future, if everybody had some sort of card reader...
If your users run serious risks (money, very personal or valuable info), then make sure they sign a contract before they get access to your app. Include specifications like "provide the best possible security", "more info at this address", "client agrees that the security measures taken are sufficient"... doesn't look impressive, but they were included in the contract my bank made me sign before allowing me to use their service. What's more, I even signed it without actually knowing the security measures taken!! But that's how people work. They sign everything if they want the service... Maybe some of you guys signed a similar agreement with your host... (Just make sure that you're safe and make it real difficult to get sued... and for hackers to get in.)
04-04-2003, 02:19 PM
Yeah, we all have our own tricks..
I do what Raf does, but unfortunately, if a person is trying to crack into an account, I let them... I don't think they should be banned or whatnot because they failed to type in their own password 3 times...
I know I have screwed up trying to type my password "P.A.S.S.W.P.R.D".... "P.S.S.W.O.R.D".... "P.W.o"....
Well, at least give them a warning that you ban them like that...
Banning them has a purpose.
I only implement that if I need tight security. Else, I just have the counter in a session variable and after 3 trials I redirect (but keep the session alive), so they need to close all windows and get back to the logon page.
But when security needs to be tight, I don't allow that IP to try again for 24 hours.
On the internet, most common users have dynamic or bogus IPs... (you'll know what I mean), otherwise I would even keep a blacklist to permanently deny access. On an intranet I would go even further, and three wrong trials means the user is disabled.
This way, you're sure they'll contact the admin or helpdesk, and this gives you quite a good view of what sort of users you've got.
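As an added example (not code from this thread, and written in Python rather than the classic ASP/VBScript being discussed), here is the login policy described in the two posts above: credentials checked against a stored salted hash instead of a string in the page, a per-IP counter of wrong tries, and a 24-hour block for that IP after the third failure. The user table, the IP addresses and the password "s3cret" are constructed for the example.

```python
import hashlib
import hmac
import os
import time

LOCKOUT_THRESHOLD = 3        # three wrong tries, as in the thread
LOCKOUT_SECONDS = 24 * 3600  # then that IP is refused for 24 hours

def hash_password(password, salt=None):
    """Salted PBKDF2 digest; store (salt, digest) instead of the plaintext."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest

# Constructed user table standing in for the DB; the dummy record makes an
# unknown username cost the same hashing work as a known one.
USERS = {"mike": hash_password("s3cret")}
_DUMMY = hash_password("unused")

class LoginGuard:
    def __init__(self, users=USERS, now=time.time):
        self.users = users
        self.now = now              # injectable clock so the policy is testable
        self.failures = {}          # ip -> consecutive failed attempts
        self.blocked_until = {}     # ip -> timestamp when the block expires

    def is_blocked(self, ip):
        until = self.blocked_until.get(ip)
        if until is None:
            return False
        if self.now() >= until:     # block expired: forget the IP's history
            del self.blocked_until[ip]
            self.failures.pop(ip, None)
            return False
        return True

    def attempt(self, ip, username, password):
        if self.is_blocked(ip):
            return "blocked"
        salt, digest = self.users.get(username, _DUMMY)
        candidate = hash_password(password, salt)[1]
        ok = hmac.compare_digest(candidate, digest) and username in self.users
        if ok:
            self.failures.pop(ip, None)   # a good login clears the counter
            return "ok"
        self.failures[ip] = self.failures.get(ip, 0) + 1
        if self.failures[ip] >= LOCKOUT_THRESHOLD:
            self.blocked_until[ip] = self.now() + LOCKOUT_SECONDS
            return "blocked"
        return "denied"
```

A real deployment would keep the counters in the database rather than in process memory, and, as the post notes, dynamic addresses mean an IP block can affect other users behind the same address.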
04-04-2003, 04:09 PM
Thanks fellas, I use an encryption algo for all information going to and from a DB, so only the computer knows. Hell, if I look inside the DB I wouldn't know what info is in there. If there is more to know, please let me know, and I disagree that hacking is learning quickly. Hacking is using your resources to be resourceful, in an unconventional way.
That's just my opinion I could be wrong. :thumbsup:
04-04-2003, 10:02 PM
"Hacking is using your resources to be resourceful, in an unconventional way." I very much agree with this statement.
Calling someone a hacker should imply they are playing around with code that they do not understand enough of, trying to get it to work in their eyes. But, of course, there is the term hacking, which is now used as a name for doing something illegal or wrong: breaking into another computer, applying cheats to a game, making programs to do damage.
i 4|v| $uc|-| 4 L33t |-|4><><0r...