Today I viewed a video that CNN put out, in which Chinese hackers are interviewed. Let me know if this is old news, but the hackers are from an island off of China. The hackers own a couple of hacking sites, as seen in the CNN video. The links are hard to find but are noticeable in the video if you look closely. The sites are www.hack4.com and www.hackbase.com, noticeable in the screenshots taken by The Dark Visitor.
The two sites here are shown in links of the video.
These sites proclaim they have close to 10,000 members and over 50,000 page loads a day, while the members of this community claim to have hacked into the Pentagon and various other organizations throughout the world. The US government states that hackers have come from China and are paid for by the Chinese government. China does ask the US to prove the allegations, but they know that, due to the top secret content produced at the Pentagon, China will never be supplied with proof.
Hackers use such approaches as XSS, SQL Injection, Google Hacking, Security Engineering and Microsoft Live Search Hacking (Live Search hacking is dead). The question is, can ASP.NET be hacked? Yes, without a doubt.
SQL Injection - These attacks work when user input is used to create a SQL statement in the code-behind file. Let's say we have a query:
    select * from customers where customerID = 'sdfa'
With injected input, the query would become:
    select * from customers where customerID = 'asdf'
    union
    SELECT table
    FROM INFORMATION_SCHEMA.TABLES --'
This kind of injection happens in a user-entered textbox or field whose value is then used to complete some kind of SQL statement. So let's say I was filling out a form that had the customer ID number on it. I would inject the SQL by writing:
    ' union
    SELECT table
    FROM INFORMATION_SCHEMA.TABLES --
This kind of injection works and could even be used to delete entire tables of information. But why delete the User table and credit card numbers when you can gain access to them and get them displayed and copied? To prevent this kind of attack, you will need to start using stored procedures, or a new way of querying databases using LINQ. LINQ is Microsoft's new technology and looks to be the end-all, be-all of stored procedures, which makes the headaches and problems with coding a lot easier to manage.
Microsoft does have preventive measures in place for this kind of attack, but you have to be sure to use them. One is stored procedures in SQL Server; the other is request validation in ASP.NET applications.
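The concatenated lookup described above beside a parameterized one, as an added example that is not code from the original post. It uses Python's built-in sqlite3 as an offline stand-in for ASP.NET and SQL Server (where the equivalent is a SqlCommand with SqlParameter values); the tables, rows and the input string are constructed for the demonstration.

```python
import sqlite3


def make_db():
    """Build a throwaway in-memory database with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE customers (customerID TEXT, name TEXT);
        CREATE TABLE cards (owner TEXT, number TEXT);
        INSERT INTO customers VALUES ('c100', 'Alice'), ('c200', 'Bob');
        INSERT INTO cards VALUES ('Alice', '0000-TEST-0001');
    """)
    return db


def lookup_concatenated(db, customer_id):
    # Vulnerable pattern from the post: the form value is pasted into the
    # SQL text, so quotes in the value change the structure of the statement.
    sql = "select * from customers where customerID = '" + customer_id + "'"
    return db.execute(sql).fetchall()


def lookup_parameterized(db, customer_id):
    # Hardened pattern: the statement text is fixed and the value is bound
    # separately, so the database only ever treats it as data.
    sql = "select * from customers where customerID = ?"
    return db.execute(sql, (customer_id,)).fetchall()


# Constructed form input in the same shape as the post's "' union ... --".
INJECTED = "' union SELECT owner, number FROM cards --"


def compare(customer_id):
    """Run both lookups against a fresh database and return both results."""
    db = make_db()
    try:
        return {
            "concatenated": lookup_concatenated(db, customer_id),
            "parameterized": lookup_parameterized(db, customer_id),
        }
    finally:
        db.close()


if __name__ == "__main__":
    for value in ("c100", INJECTED):
        print(repr(value), compare(value))
```

A stored procedure gives the same protection only when it binds its arguments like this; one that builds a SQL string from its arguments and executes it is as exposed as the concatenated lookup.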
I hope you enjoyed the information supplied to you. I had a good time writing it, with a bit of research that had to be done. Thanks for visiting.