Tuesday, 8 May 2012

The Basics Of Avoiding MySQL Injection Attacks In ASP.NET Web Forms

Received in my email today:

Hi

Saw your blog and thought you might help.

strsql = "SELECT StaffID, DesignationID, StaffName, Password, ShopID from staffT where StaffName =" & UserName.Text & " AND Password =" & Password.Text & ""

From the string, the UserName.Text and Password.Text are form controls. What is happening is they are passing null values regardless of what you input in the text boxes, resulting in a system error:

"System Error Object reference not set to an instance of an object"

I am using MySQL as the database.

I’m always glad to answer such questions, especially when the questioner is flirting with disaster, as much as this questioner is.

A trained eye can immediately spot the problem with the SQL statement above, aside from the NULL values throwing errors: it’s wide open to SQL injection, because the user’s input is concatenated straight into the statement text. (And an even keener eye will note that the values for user name and password aren’t delimited with single quotes, so even well-meaning input will not parse as string literals.)

So here’s my reply email to the questioner:
Continue reading: The Basics Of Avoiding MySQL Injection Attacks In ASP.NET Web Forms »
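The author’s actual reply is behind the link above. As an added illustration of the fix the post’s title promises (my example, not the author’s reply or the questioner’s code), here is the same lookup written with a parameterized query using MySQL Connector/NET. It assumes a connection string named "StaffDb" in web.config, a project reference to System.Configuration, and the staffT table exactly as the questioner described it; it also guards against the null input that produced the questioner’s NullReferenceException.

```vb
' Added example (not the blog author's reply): a parameterized login query for
' ASP.NET Web Forms with MySQL Connector/NET (MySql.Data.MySqlClient).
' Assumes a connection string named "StaffDb" in web.config and the same
' staffT table the questioner described. Both are assumptions for this example.
Imports System.Configuration
Imports MySql.Data.MySqlClient

Public Class StaffLogin

    ' Returns the StaffID of the matching row, or Nothing if no row matches.
    ' User input never becomes part of the SQL text, so the driver handles
    ' quoting, and an injected quote or comment marker is just data.
    Public Shared Function Authenticate(userName As String, password As String) As Integer?
        ' Guard against the NullReferenceException the questioner saw: a
        ' control's .Text is Nothing only when the control itself was not
        ' found, so treat missing or blank input as a failed login, not a crash.
        If String.IsNullOrWhiteSpace(userName) OrElse String.IsNullOrWhiteSpace(password) Then
            Return Nothing
        End If

        Dim connStr As String = ConfigurationManager.ConnectionStrings("StaffDb").ConnectionString

        ' Placeholders (@name, @pwd) stand in for the values; no concatenation.
        Const sql As String = "SELECT StaffID FROM staffT WHERE StaffName = @name AND Password = @pwd LIMIT 1"

        Using conn As New MySqlConnection(connStr)
            Using cmd As New MySqlCommand(sql, conn)
                ' Parameters travel separately from the statement text.
                cmd.Parameters.Add("@name", MySqlDbType.VarChar).Value = userName
                cmd.Parameters.Add("@pwd", MySqlDbType.VarChar).Value = password

                conn.Open()
                Dim result As Object = cmd.ExecuteScalar()

                ' ExecuteScalar returns Nothing when no row matched.
                If result Is Nothing OrElse result Is DBNull.Value Then
                    Return Nothing
                End If
                Return Convert.ToInt32(result)
            End Using
        End Using
    End Function

End Class
```

In the code-behind for the login page, the button handler becomes a single call, Dim staffId As Integer? = StaffLogin.Authenticate(UserName.Text, Password.Text), with staffId.HasValue deciding whether the login succeeded. The query still compares a plaintext Password column because that is the schema the questioner has; storing and comparing a salted hash instead is the usual next hardening step, but it is a separate change from the injection fix shown here.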

Monday, 27 February 2012

Working With authorize.net Server Integration Method (SIM) Payment Gateway, Part 2: Proper Form Design

The most important step in using the authorize.net Server Integration Method (SIM) payment gateway is properly designing your ordering system / shopping cart, well before you ever request payment.

Let me repeat that: If you want a secure, sensible and error-free checkout experience, you need to design a storefront that makes those things possible. Just as it is with building a house, if the foundation is crap, it won’t stand up to a storm.

I promised in a recent post to show how to properly send transaction requests to SIM. So, here’s the first step: An overview of best practices, and a sample order form that follows them.

Let me offer this, right up front: If your Web sales are casual — say, you want to let people buy annual banquet tickets online, or you sell a couple coffee mugs / T-shirts each week — you should seriously consider using a third-party turnkey solution.

The legal, practical and technical requirements of running your own ecommerce solution generally aren’t worth the hassle if you’re not doing a significant volume of sales.

I like EventBrite for handling ticket sales and CafePress for selling merchandise. There are other storefront options out there, but those are ones I have used and found reliable.

That said, there are circumstances where low-volume sellers still need custom ecommerce solutions. So, with that in mind, let’s cover the basics of making a secure, simple ordering system.
Continue reading: Working With authorize.net Server Integration Method (SIM) Payment Gateway, Part 2: Proper Form Design »

Thursday, 23 February 2012

Working With The authorize.net Server Integration Method (SIM) Payment Gateway, Part 1: Don’t Use JavaScript

I got an email a few days ago from a reader seeking help with the authorize.net Server Integration Method (SIM) credit card payment gateway.

Specifically, he was asking how he could use JavaScript to pass a calculated total to a PHP page that contains the SIM code.

  • a customer chooses a series of options from some select lists, radio buttons and the like;
  • the page calculates an order total;
  • the end user hits a submit button;
  • the results are posted to the SIM processing page, which acts as a “confirmation page”; and
  • the customer presses another button, which takes him to authorize.net to provide payment info and actually charge the card.

You can see an approximation of what I’m talking about here: http://www.dougv.com/demo/js_form_values. The questioner’s form is similar to this approximation in function.

I will show how to properly customize a SIM form, and submit payment requests to authorize.net via SIM, in an upcoming post. This post explores why it’s a terrible idea to process order forms with JavaScript. That is, it’s about the wrong way to use SIM. Stay tuned for the right way.

Continue reading: Working With The authorize.net Server Integration Method (SIM) Payment Gateway, Part 1: Don’t Use JavaScript »

Monday, 10 October 2011

Book Review: The Art of Deception: Controlling the Human Element of Security

The problem with “The Art of Deception” is its age and the limited scope of the exploits Kevin Mitnick discusses.

Almost every (usually fictional) exploit that Mitnick describes involves large organizations: places where there are clear hierarchies, overlapping departmental responsibilities and integrated networks.

Also, a significant amount of what he discusses involves phone phreaking; given that was how he cut his teeth in the social engineering game, it’s not surprising.

But when you read an example that involves dialing in to a Nortel DMS-100, you know you’re reading dated material. Sure, some companies still use 30-year-old telephone switches, and PBX is still a highly exploitable technology. But an update to 21st century tech is sorely wanted here.

Generally speaking, every example Mitnick provides for a successful social engineering attack comes down to three basic steps:

  • Get the name and title of someone in a large company.
  • Call a low-level employee on the telephone, masquerading as that person, and ask for some information that sets up the target.
  • Call the target, repeat the information given by the low-level employee, and get the target to compromise the system.

Sure, this can work, if you target a large enough operation. But what about small companies? Or individuals? Or non-corporate espionage? They go largely unaddressed.

Continue reading: Book Review: The Art of Deception: Controlling the Human Element of Security »

Friday, 8 July 2011

News Of The World Wasn’t ‘Hacking’ Voicemail, It Was Blagging

[Image: Cell Phones (photo: flickr / compujeramey)]

This is nitpicky, and I certainly don’t mean to take lightly the seriousness of the matter. But I do want to clarify that the News of the World wasn’t technically “hacking” voicemail in its scandal. It was engaged in social engineering.

For those of you who missed the headlines (and for the benefit of posterity): News of the World was (until July 10, 2011) a Sunday tabloid; like most British tabs, it’s best known for printing racy pictures of women and sleazy stories.

News of the World hired a private investigator to help it research stories. That contractor gained access to a number of voicemail accounts, including those of a murdered 13-year-old girl, several soldiers killed in the Middle East conflicts, and royal family members.

All the shoes involved here haven’t yet dropped, but as of this writing the scandal has closed the paper after 168 years of publication; threatens to bring down Prime Minister David Cameron; has led to several arrests and may well result in additional restrictions on Great Britain’s press. (Even overwhelmingly reasonable pundits, such as The Economist, are calling for a mucking out of British journalism’s stables.)

The entire affair is loathsome, no question about that, even for the British press, nefarious for its “chew people up and spit them out” appetite. It’s also caused other world press outlets to term what News of the World did “phone hacking,” needlessly worrying people who have taken reasonable steps to secure their voicemail that they, too, might be targeted.

So I want to clear things up. If you’ve changed your voicemail password (PIN), you almost certainly can’t be violated in the way News of the World violated its victims.

Continue reading: News Of The World Wasn’t ‘Hacking’ Voicemail, It Was Blagging »