Asp – Detect URL Abuse and Hack Attempts

asp.net

I have a website that seems to get more than it's fair share of hacking attempts. It has not been broken yet, but I'd like to build into the system a good way to detect the attempt and block the IP.

Would the best way to detect this be to simply do a string search for phrases like "varchar" and "sysobjects"?

Offending URL: http://www.example.com/default.aspx?id=58 And char(124)+(Select Cast(Count(1) as varchar(8000))+char(124) From [sysobjects] Where 1=1)>0

Source: System.Web

Message: Exception of type 'System.Web.HttpUnhandledException' was thrown.

User IP: 187.13.142.33

User Browser: Unknown 0.0

User OS: Unknown

Stack trace: at System.Web.UI.Page.HandleError(Exception e) at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) at System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) at System.Web.UI.Page.ProcessRequest() at System.Web.UI.Page.ProcessRequestWithNoAssert(HttpContext context) at System.Web.UI.Page.ProcessRequest(HttpContext context) at ASP.default_aspx.ProcessRequest(HttpContext context) at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean completedSynchronously)

Best Solution

Would the best way to detect this be to simply do a string search for phrases like "varchar" and "sysobjects"?

Not if you're going to immediately throw an exception when you see them... then you'd be breaking your application if the user decided they wanted to eg. search your site for information about varchars.

If your application is properly written, “XSS protection” hacks like this provide nothing except these occasional breakages. If your application isn't properly written, the ‘protection’ is at best an ineffective obfuscation.

You could certainly log requests that look like they might be attacks so you can go through and review attacker IPs later. Unfortunately this tends not to be as much use as you might think, as so many of the attack scripts are running on networks of compromised servers and botnet trojans, with a huge selection of IP addresses to choose from.

Related Question