March 22, 2013

Being attacked – What's that?

Question by Ariel

Seems like my website is being attacked.
I looked at the Apache logs and I saw thousands of lines like these:
Some random folders which don’t even exist. Looks like some brute force for websites…
Any ideas on what it is?

84.220.206.177 - - [22/Mar/2013:19:45:28 +0100] "GET /files/console HTTP/1.1" 404 211
84.220.206.177 - - [22/Mar/2013:19:45:28 +0100] "GET /account/Admin/config.php HTTP/1.1" 404 222
84.220.206.177 - - [22/Mar/2013:19:45:28 +0100] "GET /Images/ini HTTP/1.1" 404 208
84.220.206.177 - - [22/Mar/2013:19:45:28 +0100] "GET /etc/wp-includes HTTP/1.1" 404 213
84.220.206.177 - - [22/Mar/2013:19:45:28 +0100] "GET /changelog/test.php" 200 58
84.220.206.177 - - [22/Mar/2013:19:45:28 +0100] "GET /Images/readme.txt HTTP/1.1" 404 215
84.220.206.177 - - [22/Mar/2013:19:45:28 +0100] "GET /changelog/logs//..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252fwindows/win.ini HTTP/1.1" 404 269
84.220.206.177 - - [22/Mar/2013:19:45:28 +0100] "GET /jscripts/tiny_mce HTTP/1.1" 404 215
84.220.206.177 - - [22/Mar/2013:19:45:28 +0100] "GET /files/addons HTTP/1.1" 404 210
84.220.206.177 - - [22/Mar/2013:19:45:28 +0100] "POST /account/logs/logs_process.php?adm=1&JsygZ81Q=1 HTTP/1.1" 302 23349
84.220.206.177 - - [22/Mar/2013:19:45:28 +0100] "GET /etc/iishelp HTTP/1.1" 404 209
84.220.206.177 - - [22/Mar/2013:19:45:28 +0100] "GET /Images/_include HTTP/1.1" 404 213
84.220.206.177 - - [22/Mar/2013:19:45:28 +0100] "GET /account/Admin/config.inc.php HTTP/1.1" 404 226
84.220.206.177 - - [22/Mar/2013:19:45:28 +0100] "GET /changelog/test.php%2f HTTP/1.1" 404 217
84.220.206.177 - - [22/Mar/2013:19:45:28 +0100] "GET /Images/README HTTP/1.1" 404 211
84.220.206.177 - - [22/Mar/2013:19:45:28 +0100] "GET /changelog/logs//%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/etc/passwd HTTP/1.1" 404 280
84.220.206.177 - - [22/Mar/2013:19:45:28 +0100] "OPTIONS / HTTP/1.1" 200 3405
84.220.206.177 - - [22/Mar/2013:19:45:28 +0100] "GET /Images/pass HTTP/1.1" 404 209
84.220.206.177 - - [22/Mar/2013:19:45:28 +0100] "GET /jscripts/tinymce HTTP/1.1" 404 214
84.220.206.177 - - [22/Mar/2013:19:45:28 +0100] "GET /files/invoker HTTP/1.1" 404 211
84.220.206.177 - - [22/Mar/2013:19:45:28 +0100] "GET /etc/iisadmin HTTP/1.1" 404 210
84.220.206.177 - - [22/Mar/2013:19:45:28 +0100] "GET /changelog/test.php%5c HTTP/1.1" 404 217
84.220.206.177 - - [22/Mar/2013:19:45:28 +0100] "GET /Images/config.php HTTP/1.1" 404 215
84.220.206.177 - - [22/Mar/2013:19:45:28 +0100] "GET /changelog/logs//%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/windows/win.ini HTTP/1.1" 404 285
84.220.206.177 - - [22/Mar/2013:19:45:28 +0100] "GET /account/Admin/localconfig.php HTTP/1.1" 404 227
84.220.206.177 - - [22/Mar/2013:19:45:28 +0100] "GET /etc/tsweb HTTP/1.1" 404 207
84.220.206.177 - - [22/Mar/2013:19:45:28 +0100] "GET /files/cp HTTP/1.1" 404 206

Answer by Starx

Those are requests made on your domains to access resources. They may or may not be related to threats.

But looking at it briefly, it seems like vulnerability scanning to find loopholes in your application.
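To make "looks like vulnerability scanning" something you can check rather than eyeball, here is an added example (not part of the answer above) that parses Apache Common Log Format lines, fully URL-decodes each request target, and tallies per-IP indicators: traversal sequences that only appear after double decoding (`%252e%252e` becomes `%2e%2e` and then `..`), probes for credential and config files, the 404 ratio, and how many requests arrived in the same second. The first seven log lines are copied from the question; the two `203.0.113.9` lines are constructed as a normal visitor for contrast, and the thresholds are assumptions, not Apache defaults.

```javascript
// Added example: first-pass triage of Apache access-log lines to separate a
// vulnerability scan from ordinary traffic. Not the answer's own code.

// First seven lines copied from the question; last two constructed for contrast.
const SAMPLE_LOG = [
  '84.220.206.177 - - [22/Mar/2013:19:45:28 +0100] "GET /account/Admin/config.php HTTP/1.1" 404 222',
  '84.220.206.177 - - [22/Mar/2013:19:45:28 +0100] "GET /changelog/test.php" 200 58',
  '84.220.206.177 - - [22/Mar/2013:19:45:28 +0100] "GET /changelog/logs//..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252fwindows/win.ini HTTP/1.1" 404 269',
  '84.220.206.177 - - [22/Mar/2013:19:45:28 +0100] "POST /account/logs/logs_process.php?adm=1&JsygZ81Q=1 HTTP/1.1" 302 23349',
  '84.220.206.177 - - [22/Mar/2013:19:45:28 +0100] "GET /changelog/logs//%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/etc/passwd HTTP/1.1" 404 280',
  '84.220.206.177 - - [22/Mar/2013:19:45:28 +0100] "OPTIONS / HTTP/1.1" 200 3405',
  '84.220.206.177 - - [22/Mar/2013:19:45:28 +0100] "GET /Images/config.php HTTP/1.1" 404 215',
  '203.0.113.9 - - [22/Mar/2013:19:46:02 +0100] "GET / HTTP/1.1" 200 5120',
  '203.0.113.9 - - [22/Mar/2013:19:46:03 +0100] "GET /style.css HTTP/1.1" 200 811',
];

// Common Log Format. The protocol token is optional because one line in the
// question ("GET /changelog/test.php") was logged without it.
const CLF = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)(?: (HTTP\/[\d.]+))?" (\d{3}) (\S+)$/;

function parseLine(line) {
  const m = CLF.exec(line);
  if (!m) return null;
  return { ip: m[1], time: m[2], method: m[3], target: m[4],
           proto: m[5] || null, status: Number(m[6]), bytes: m[7] };
}

// Decode until the string stops changing (bounded) and report how many rounds
// it took: "%252e" -> "%2e" -> "." needs two, which is the double-encoding
// trick used to slip "../" past filters that decode only once.
function fullyDecode(s) {
  let cur = s;
  let rounds = 0;
  while (rounds < 3) {
    let next;
    try { next = decodeURIComponent(cur); } catch (e) { break; }  // malformed %xx: stop
    if (next === cur) break;
    cur = next;
    rounds += 1;
  }
  return { value: cur, rounds };
}

function indicators(target) {
  const { value, rounds } = fullyDecode(target);
  const path = value.split("?")[0].replace(/\\/g, "/").toLowerCase();
  return {
    traversal: /(^|\/)\.\.(\/|$)/.test(path),                            // a "../" segment after decoding
    doubleEncoded: rounds >= 2,
    sensitive: /(etc\/passwd|win\.ini|config(\.inc)?\.php)/.test(path),  // files the scan in the question asked for
  };
}

// Thresholds are assumptions chosen for this sample, not Apache or tool defaults.
function triage(lines, { minRequests = 5, notFoundRatio = 0.5 } = {}) {
  const byIp = new Map();
  for (const line of lines) {
    const rec = parseLine(line);
    if (!rec) continue;  // unparsable line: skip rather than abort the sweep
    let s = byIp.get(rec.ip);
    if (!s) {
      s = { requests: 0, notFound: 0, traversal: 0, doubleEncoded: 0, sensitiveProbes: 0, seconds: new Set() };
      byIp.set(rec.ip, s);
    }
    s.requests += 1;
    if (rec.status === 404) s.notFound += 1;
    const ind = indicators(rec.target);
    if (ind.traversal) s.traversal += 1;
    if (ind.doubleEncoded) s.doubleEncoded += 1;
    if (ind.sensitive) s.sensitiveProbes += 1;
    s.seconds.add(rec.time);
  }
  const report = {};
  for (const [ip, s] of byIp) {
    const reasons = [];
    if (s.traversal > 0) reasons.push("path traversal payloads");
    if (s.doubleEncoded > 0) reasons.push("double URL-encoding");
    if (s.sensitiveProbes > 0) reasons.push("probes for config/credential files");
    if (s.requests >= minRequests && s.notFound / s.requests >= notFoundRatio) reasons.push("high 404 ratio");
    report[ip] = {
      requests: s.requests, notFound: s.notFound, traversal: s.traversal,
      doubleEncoded: s.doubleEncoded, sensitiveProbes: s.sensitiveProbes,
      distinctSeconds: s.seconds.size,  // seven requests inside one second is itself a tell
      reasons,
      verdict: reasons.length ? "likely scanner" : "no indicator",
    };
  }
  return report;
}

console.log(JSON.stringify(triage(SAMPLE_LOG), null, 2));
```

Run it with `node` and the scanner IP comes back as "likely scanner" on four independent grounds, while the constructed visitor has none. The decoded view is the useful part for a practitioner: the two `%252e`/`%252f` lines are the same `../../../../etc/passwd` and `../../../../windows/win.ini` probes you would expect from an off-the-shelf scanner, and the double encoding tells you the tool is also testing whether your server or framework decodes twice.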

September 28, 2012

Difference between typing and pasting in a field

Question by Ferenc Dajka

If I use XSS, what's the difference between typing ALERT('DSSA'); into a search text field and just pasting it? On a site, typing works and makes the alert, but if I just paste it, then it doesn't. To pre-empt the question: I don't want to hack any site, I'm just interested in network security.

Thanks for the answer.

Answer by Starx

I may not have understood the question properly.

Typing triggers keyUp, keyDown and keyPress events on the element. If the code is written to capture only those, then only those events will be captured.

Pasting can be done using the keyboard, the mouse and browser options. So this depends on which events you are listening to. There is a separate event called onpaste which will ease everything.

What I mean is, let's say my code is written to capture pasting by pressing "Ctrl" + "V" only; if the mouse or browser options are used to paste into the element, then unless it is also configured to capture mouse events, it cannot be captured.
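The event ordering the answer describes is easy to check without a browser. The following is an added example, not code from the answer: a tiny `Field` class stands in for an `<input>` and replays the DOM event sequence for three input methods (typing, Ctrl+V, and a context-menu paste), then records which handler binding sees the full probe string. The probe string and the `Field` model are constructed for this illustration; in a page the same handlers would be attached to the real element with `addEventListener`.

```javascript
// Added example: model of the DOM event order for typing vs. pasting, showing why
// a "search as you type" handler bound only to keyup never sees a mouse paste.
// Not from the original answer; Field is a stand-in for an <input> element.
class Field {
  constructor() { this.value = ""; this.listeners = new Map(); }
  addEventListener(type, fn) {
    if (!this.listeners.has(type)) this.listeners.set(type, []);
    this.listeners.get(type).push(fn);
  }
  dispatch(type) {
    for (const fn of this.listeners.get(type) || []) fn({ type, target: this });
  }
}

// Typing one character: keydown, keypress, value changes, input, keyup.
function typeText(field, text) {
  for (const ch of text) {
    field.dispatch("keydown");
    field.dispatch("keypress");
    field.value += ch;
    field.dispatch("input");
    field.dispatch("keyup");
  }
}

// Ctrl+V: key events for the chord, then paste (fired BEFORE the value changes), then input.
function pasteWithKeyboard(field, text) {
  field.dispatch("keydown");   // Control
  field.dispatch("keydown");   // V
  field.dispatch("paste");
  field.value += text;
  field.dispatch("input");
  field.dispatch("keyup");
  field.dispatch("keyup");
}

// Context-menu or Edit-menu paste: no key events at all.
function pasteWithMouse(field, text) {
  field.dispatch("paste");
  field.value += text;
  field.dispatch("input");
}

// Constructed probe, standing in for the ALERT('DSSA') string in the question.
const PROBE = "<script>alert('DSSA')</script>";

// Bind a handler to one event type, perform the action, and return the field
// value the handler saw last (null if the handler never ran).
function observe(eventType, action) {
  const field = new Field();
  let lastSeen = null;
  field.addEventListener(eventType, (ev) => { lastSeen = ev.target.value; });
  action(field, PROBE);
  return lastSeen;
}

// For each binding and input method: did the handler ever see the complete probe?
function coverage() {
  const events = ["keyup", "paste", "input"];
  const methods = { typed: typeText, ctrlV: pasteWithKeyboard, mousePaste: pasteWithMouse };
  const table = {};
  for (const ev of events) {
    table[ev] = {};
    for (const [name, action] of Object.entries(methods)) {
      table[ev][name] = observe(ev, action) === PROBE;
    }
  }
  return table;
}

console.table(coverage());
```

Two things fall out of the table. A `keyup` binding sees typed text and Ctrl+V but nothing from a mouse paste, which is exactly the asymmetry the question describes; an `input` binding sees all three. A `paste` handler runs before the field value is updated, so in a real browser it has to read `event.clipboardData.getData("text")` rather than the field. None of this is a defence: anyone testing for XSS submits the request directly, with no key or paste events at all, so the reflected value has to be encoded on the server regardless of what the client-side handlers do.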

April 10, 2012

Is htmlspecialchars required if you are not outputting html?

Question by user1278496

I have a script that registers users based on their user input. This uses prepared statements plus whitelists to prevent sql injection. But I am struggling to understand the prevention of XSS.

From what I understand, you only need to prevent XSS if you are outputting HTML onto the page? What does this mean?

I'm guessing that with this register page it doesn't apply because I am not outputting HTML to the web page? Is that right?

If I was to prevent XSS, do I use htmlspecialchars?

Answer by JT Smith

Generally correct. If you have any returned values show up on the page, or if you are inserting information into the database for later retrieval and display (like user profile information), you will want to use htmlspecialchars.

For me, when I do my user registration, if they fail to enter a correct value in an input field, I redisplay the page with the values they entered. In this case, I have it encoded with htmlspecialchars.

If at any point ever, you plan on redisplaying the information from the DB into a webpage (as mentioned with profiles and the like) you should use htmlspecialchars.

Better safe than sorry I always say – never trust user input

Answer by Starx

Basically, XSS happens when you take the user's input unsanitized and display it in your webpage.

For example: A user inputs

<script>alert('hello you are hacked');</script>

In a text box, and you show this in your webpage after it is registered like

Hello, $username

This suddenly gets turned into

Hello, <script>alert('hello you are hacked');</script>

This is one form of XSS.


One efficient way to prevent XSS is like this:

echo htmlspecialchars($varname, ENT_QUOTES, 'UTF-8');
...
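To see the answer's `htmlspecialchars($varname, ENT_QUOTES, 'UTF-8')` call do its work, and to see the one case where calling it is still not enough, here is an added example (not code from either answer) in JavaScript: `escapeHtml` rewrites the same five characters as `htmlspecialchars` with `ENT_QUOTES`, `greetUnsafe`/`greetSafe` reproduce the "Hello, $username" case from the answer, and the two `searchBox` templates show that encoding does nothing for an unquoted attribute. The `attributeNames` tokenizer is a deliberately minimal stand-in for the browser's tag parser, used only to show where attribute boundaries fall; the `PAYLOAD_ATTR` string is constructed for the illustration.

```javascript
// Added example: htmlspecialchars(..., ENT_QUOTES, 'UTF-8') re-implemented in
// JavaScript, with the vulnerable and encoded "Hello, $username" side by side and
// an unquoted-attribute case that encoding alone does not fix. Not from the answer.

// Same five characters htmlspecialchars() rewrites when ENT_QUOTES is set.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#039;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// The answer's example: the username is copied raw into the page.
function greetUnsafe(username) { return `Hello, ${username}`; }
function greetSafe(username)   { return `Hello, ${escapeHtml(username)}`; }

// Inside an attribute, encoding only helps if the attribute is quoted: a value
// with no &<>"' characters passes through escapeHtml untouched.
function searchBoxUnquoted(q) { return `<input value=${escapeHtml(q)}>`; }
function searchBoxQuoted(q)   { return `<input value="${escapeHtml(q)}">`; }

// Minimal start-tag tokenizer (respects quoted values) returning attribute names
// the way a browser would split them. Illustration only, not a real HTML parser.
function attributeNames(tag) {
  const inner = tag.replace(/^<\w+\s*/, "").replace(/>$/, "");
  const re = /([^\s=]+)(?:=(?:"[^"]*"|'[^']*'|[^\s"']*))?/g;
  const names = [];
  let m;
  while ((m = re.exec(inner)) !== null) names.push(m[1].toLowerCase());
  return names;
}

// True when the rendered tag grew an attribute the template never declared.
function injectedAttribute(tag) {
  return attributeNames(tag).some((n) => n !== "value");
}

const PAYLOAD_SCRIPT = "<script>alert('hello you are hacked');</script>";  // from the answer
const PAYLOAD_ATTR = "x onmouseover=alert(1)";                            // constructed: no special chars at all

console.log(greetUnsafe(PAYLOAD_SCRIPT));
console.log(greetSafe(PAYLOAD_SCRIPT));
console.log(searchBoxUnquoted(PAYLOAD_ATTR), "injected:", injectedAttribute(searchBoxUnquoted(PAYLOAD_ATTR)));
console.log(searchBoxQuoted(PAYLOAD_ATTR), "injected:", injectedAttribute(searchBoxQuoted(PAYLOAD_ATTR)));
```

The greeting case is the one the thread discusses: raw output carries the `<script>` tag into the page, encoded output turns it into text. The attribute case is the check worth adding to the "just use htmlspecialchars" rule: `x onmouseover=alert(1)` contains none of the five encoded characters, so in `<input value=...>` it becomes a second attribute and runs; in `<input value="...">` it stays inside the quoted value, and a payload that tries to close the quote is neutralised because `"` becomes `&quot;`. Encoding for the HTML body plus always quoting attributes covers these two contexts; JavaScript, URL and CSS contexts each need their own encoder.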
