Life is like Code, you never know what you will create next

Can ASP.NET be hacked?

13. March 2008 21:00 by Scott

I just viewed a video today that CNN put out, in which Chinese hackers are interviewed. Let me know if this is old news, but the hackers are from an island off of China. The hackers own a couple of hacking sites, as seen in the video on CNN. The links are hard to find but are noticeable in the video supplied if you look closely. The sites are and noticeable through the screen shots taken by the dark visitor.

hack4  xiaochen4
The two sites here are shown in links of the video.

These sites proclaim they have close to 10,000 members and over 50,000 page loads a day, while the members of this community claim to have hacked into the Pentagon and various other organizations throughout the world. The US government states that hackers have come from China and are paid for by the Chinese government. China does ask the US to prove the allegations, but they know that, due to the top secret content produced at the Pentagon, China will never be supplied with proof.

Hackers use such approaches as XSS, SQL Injection, Google Hacking, Security Engineering and Microsoft Live Search Hacking (Live Search hacking is dead). The question is, can ASP.NET be hacked? Yes, without a doubt.

XSS - Cross Site Scripting - Used when you have IDs in your URL such as  The ID ShowNum can be modified to be and we will create an error on their site. If they didn't have custom errors set to remote only, we would then be able to dive into their code and play around with the ID number. Other XSS strategies are to inject JavaScript into the site by using some techniques listed here. The prevention for this kind of attack would be to store your IDs in sessions and hidden fields. Disclaimer: I only pointed this site out because I have played with this site's ID numbers before. I pointed it out to them, but they still decided not to change it. Let's hope they read this blog some day.

SQL Injection - These attacks work when user input is used to create a SQL statement in the code-behind file. Let's say we have a query:

    select * from customers where customerID = 'sdfa'

The vulnerable query would be

    select * from customers where customerID = 'asdf'
    union
    SELECT table

This kind of injection happens in a user-entered textbox or field which is then used to complete some kind of SQL statement. So let's say I was filling out a form that had the customer ID number on it. I would inject the SQL by writing

    ' union
    SELECT table

This kind of injection works and could even be used to delete entire tables of information. But why delete the User table and credit card numbers when you can gain access to the and get them to be displayed and copied? To prevent this kind of attack, you will need to start using stored procedures, or a new way of querying databases using LINQ. LINQ is Microsoft's new technology and looks to be the end-all be-all of stored procedures, which makes the headaches and problems with coding a lot easier to manage.

Microsoft does have preventive measures put in place for this kind of attack, but you have to be sure to use them. Stored procedures in SQL Server are one, and the other is request validation, used in applications.
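The concatenated customer lookup described above beside its parameterized form, as an added example that is not code from the original post. It uses Python with an in-memory SQLite database in place of SQL Server, and the table contents, function names and injected input are constructed for illustration.

```python
import sqlite3

# Constructed input in the shape the post describes: a quote that closes the
# literal, then a UNION that pulls rows from another table.
INJECTED = "' union select owner, number from cards --"


def make_db():
    """In-memory database with constructed sample rows (not real data)."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        """
        create table customers (customerID text, name text);
        create table cards (owner text, number text);
        insert into customers values ('C100', 'Alice'), ('C200', 'Bob');
        insert into cards values ('Alice', '0000-TEST-0001');
        """
    )
    return db


def lookup_concatenated(db, customer_id):
    # Vulnerable: the input becomes part of the SQL text, so a quote in it
    # ends the string literal and the rest is parsed as SQL.
    sql = "select * from customers where customerID = '" + customer_id + "'"
    return db.execute(sql).fetchall()


def lookup_parameterized(db, customer_id):
    # Hardened: the statement text is fixed and the input is bound as a value,
    # so it is only ever compared against customerID.
    sql = "select * from customers where customerID = ?"
    return db.execute(sql, (customer_id,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    for value in ("C100", INJECTED):
        print(repr(value))
        print("  concatenated: ", lookup_concatenated(db, value))
        print("  parameterized:", lookup_parameterized(db, value))
```

In ADO.NET the equivalent of the second function is a `SqlCommand` with parameters. A stored procedure gives the same protection only when it binds its arguments rather than concatenating them into dynamic SQL.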

I hope you enjoyed the information supplied to you. I had a good time writing it, with a bit of research that had to be done. Thanks for visiting.

Scott Pio


Comments (4) -

Chris Pietschmann
3/14/2008 9:51:04 AM #

This isn't really an article about how ASP.NET can be hacked. You are just describing different ways that websites in general can be hacked; this article has nothing to specifically do with ASP.NET.

It is good for devs to know this stuff though.

3/14/2008 4:56:07 PM #

This is not about

JS injection - impossible because by default ASP.NET blocks such requests.

SQL injection - possible only if you are a piece of shit and append strings without any escaping inside your code.

URL parameters - nothing, always no debug on server and custom error pages on.

3/14/2008 5:40:19 PM #

I wasn't trying to point out how ASP.NET can be hacked, just asking the question of could it and giving the possible ways it could. I will be writing more detailed information on how later in the blog.

8/30/2010 7:17:23 AM #

It's a shit method, not possible in ....
