Is this a Bot modifying my URLs for some tracking purpose? - sql-server

I don't know if this is bad code on our part, or a bot/spider doing something for tracking purposes. What I'm seeing is our URLs are getting modified, and it's generating site errors and error emails that I'm set up to get when it seems like my site is being hacked.
For example, a URL that should read/load like this
http://site.com/page.asp?pid=915411&order=Date
gets loaded like this
http://site.com/page.asp?pid=-1'&order=Date
the email I get shows
query string = pid=-1%27&order=Date
The IP address that comes up in the error emails always change, but many point to Kiev or Minsk, but are so varied I don't see how I can stop this from happening easily. My site is on an IIS 7.5 server, win2008.

Someone is trying to hack your application. They are testing if your application uses values from the forms or URL directly into SQL statements.
This hacking attempt is easy and called "SQL injection". Check your application if it is vulnerable, fix it immediately if required.
Additionally, try to track the attackers and if you see them coming from a set of IP addresses, block them.

Using HTTP_REEFER we are able to control the URL Modifying on directly.
Try the below code
if Request.ServerVariables("HTTP_REFERER") = "" Then
RESPONSE.WRITE " <b><h1><font color=blue></font><font color=red>UNSECURED MENU ACCESS</font><font color=blue></font><h1></b> "
response.end
End if

Related

mail clients stripping part of angular url

I am sending a signup activation email containing a signup confirmation url with a confirmation token that points to an angular front end app:
...
Activate
...
Note that the token is a JWT and is fairly long.
This works find for most users, but for some clicking on the link takes them to https://domain/com only without the confirm-signup?token=...
It seems as though the mail client may be stripping off everything after the #, but I can't find any evidence of others having this problem, nor can I reproduce it.
My best guess so far is that some mail clients are seeing the # and somehow treating the trailing part as an internal anchor and stripping it...?
Has anyone else encountered this sort of problem? If so, have you found any solution short of replacing the whole mechanism with something else?
Some clients treat the hash-link just fine. Others don't. There's a conversation about Outlook being dirty about this here: Outlook strips URL hash from email
What we did to resolve this at our company is simply create a handler on our server that redirects. Your email link would become http://domain.com/email-link?url=https%3A%2F%2Fdomain.com%2F%23%2Fconfirm-signup%3Ftoken%3D1234 and your server side script would grab the query param url and immediately trigger a redirect.
You'd need to make sure that you find all links in your emails and replace them. Here's a PHP function for that, but you could do this in whatever backend language you're using. Regex here may be helpful at least.
function replaceLinks($html,$hash) {
return preg_replace_callback('/<a [^>]*href=[\"\']{1}(.+?)[\"\\\']{1}/', function($matches) use ($hash) {
return str_replace($matches[1],"http://domain.com/email-link?url=".rawurlencode($matches[1]),$matches[0]);
}, $html);
}
Yes I have encountered this issue before because of the #, I was trying to link to a anchor on a landingpage.. My solution ended up using a short.url service to "hide" the # from the html e.g. https://goo.gl/
Looks like you need percent encoding!
A lot of times when your href gets parsed (by angular in this case) it doesn't handle the special characters right, or strips them. Find your problem characters and replace them with %3F for ?, %26 for &, and %23 for #. The rest are in a chart in the link.
Once the encoded address hits the browser the url will be decoded in your url bar.

Getting $http.put() to send correctly formatted data, instead of JSON object

So, I spent some time and built a quick API for a project that I'm doing for myself.
I used the Postman add-on for Chrome to mimic PUT and DELETE quests to make sure everything worked correctly. Really happy I did that, as I learned a lot about PHP's shortcomings with PUT and DELETE requests.
Using the API I've had working with Postman, I started moving everything over to AngularJs controllers and such.
I'm trying to get a user to claim a row in a database as the login information for the users is different than this particular information. I couldn't figure out why the put requests to claim the row in my database wasn't working. Lo and behold, the data being parsed from my parsestr(file_get_contents('php://input')) had 1 array key, which was a JSON string.
I've looked, and I can't seem to find a solid answer either through Stackoverflow or Google (maybe I missed it somewhere in the config options), So my question is this: is there any way I can get the $http.put call send the data to the server correctly?
Thanks to user Chandermani for pointing me to the link at this URL which answered the base of my question.
From the above link, I found myself on This Blog post submitted by another user. In the end, what I ended up doing was the following:
taking param() function from the above link, as well as implementing these lines of code:
var app = angular.module('ucpData', [] , function($httpProvider){
$httpProvider.defaults.transformRequest = [function(data) {
return angular.isObject(data) && String(data) !== '[object File]' ? param(data) : data;
}];
});
Is how I worked around the problem. For some developers, you may actually want to keep the default transformRequest settings, but for the project I am doing I know that I will end up forgetting to call param() at some point, and my server doesn't naturally accept json data anyway. I would caution future developers to consider what they are attempting to do before they alter the transformRequest array directly.

Controller fails if passed parm is "sys"

I am using a form in my index view to "GET" a query string for filtering my table. I end up with a URL like this, "/teams?company=sun".
This one works OK I use "$this->request->query('company');" to get the value. But if I change the parameter value to "sys" (e.g. company=sys) then I get a "404 - File or directory not found" error. I presume sys or system is a reserved word which is causing a problem somewhere.
Is this a bug or is it behaviour that I could catch and override?
IIS was doing SQLInjection attack prevention. I deleted the "SQLInjection" Rule from Request Filtering and it is working now.

ZK - running on google app engine gives a timeout

I have a test page with a list of 100 items.
When I scroll the list down every time this timeout error pops up.
Is there a fix for this in ZK?
There is nothing else special just a list with 100 test rows.
I'll make an educated guess that this is because you're storing some state (maybe "what page is this user on") in memory and expecting it to be around on the next request. In App Engine, it won't be. There are at least 3 ways around this:
Use memcache
If the data's important, put it in the datastore
If the data's small and non-confidential, send it down to the client and have the client send it back to the server on the next request. In this case, that seems like the correct solution.
UPDATE:
On zk docs it says to use:
<zk>
<!-- clustering environment -->
<system-config>
<disable-event-thread/>
<ui-factory-class>org.zkoss.zk.ui.http.SerializableUiFactory</ui-factory-class>
</system-config>
<!-- GAE doesn't allow user's thread -->
<client-config>
<resend-delay>-1</resend-delay>
</client-config>
</zk>
But when I comment this line out:
<disable-event-thread/>
The error goes away!

DotNetNuke Event Logging format

Using DotNetNuke 5.
I am using the EventLogController along with LogInfo to add custom messages to the event logs in dot net nuke.
Within LogInfo we have a method to Add a Property/Value. I am under the assumption that the Controller.AddLog(logInfo) converts the properties & vlaues into XML using the LogInfo->Serialize method for DNN to store it.
My problem is that I want linebreaks in my message. Is there anyway I can add a newline. "\r\n" wouldn't work, wouldn't work, CDATA escaped wouldn't work. Everything gets escaped through the Log function.
How do I pretty print the log message myself?
Regards, V
Sadly, due to the HTML encoding that is done on all messages, you are going to be out of luck trying to do this in the DNN event Log.
Depending on what/where you are, you have a few options.
You can add them as individual detail lines using properties, see my example below.
You could report on something yourself, using a custom log table or something similar
If you are in the context of a Scheduled Job, you can log to that history, which is NOT escaped.
Examples
Log Properties
objLog = new DotNetNuke.Services.Log.EventLog.LogInfo();
objLog.AddProperty("SecureMyInstall", "Phase 2 Error Processing User Accounts");
objLog.LogTypeKey = DotNetNuke.Services.Log.EventLog.EventLogController.EventLogType.HOST_ALERT.ToString();
objLogger.AddLog(objLog);
The content of the logs is displayed as HTML, so you should be able to put <br /> to add line breaks.

Resources