
ASP hack challenge..

Printed From: Web Wiz Forums
Category: General Discussion
Forum Name: Classic ASP Discussion
Forum Description: Discussion on Active Server Pages (Classic ASP).
URL: https://forums.webwiz.net/forum_posts.asp?TID=9430
Printed Date: 01 April 2026 at 1:00am
Software Version: Web Wiz Forums 12.08 - https://www.webwizforums.com


Topic: ASP hack challenge..
Posted By: jimidy
Subject: ASP hack challenge..
Date Posted: 31 January 2004 at 10:08pm

I've made an admin part of my site secure.. was wondering if anyone was bored to see if they could hack my site and retrieve my password.. Obviously I don't expect you to give me the whole password for moral reasons (it could be anyone's site!) But if you can get the password, post the first 2 characters here, and also proposed solutions to making it more secure..

Thanks, and good luck white hats..

http://cms-stu-iis.gre.ac.uk/wn008/project/site/admin/



-------------
www.srp.me.uk



Replies:
Posted By: fernan82
Date Posted: 31 January 2004 at 10:59pm
Why don't you say where/how you're storing the password and we'll tell you if it's safe or not. If it's on a database server like MSSQL then it should be safe. If it's hardcoded on your source code or a file database then depending on the server setup somebody might be able to get it if it's a shared server.

-------------
FeRnAN
http://www.danasoft.com/


Posted By: jimidy
Date Posted: 01 February 2004 at 6:21am

I felt if it was unsecure you would be able to tell me.. I'll leave it a couple of days, and if no one gets it, tell you how the security is done to see if it can be broken then..



-------------
www.srp.me.uk


Posted By: pmormr
Date Posted: 01 February 2004 at 5:42pm
You would probably want to write some type of script to limit the incorrect password to like 3 tries... I could write a script right now to go through all the possible passwords (a.k.a. brute force attack)

-------------
Paul A Morgan

http://www.pmorganphoto.com/


Posted By: pmormr
Date Posted: 01 February 2004 at 5:48pm
Otherwise your admin screen's well secured... I can't download the processing file with a download manager, and I'm not getting a directory listing or ftp options

-------------
Paul A Morgan

http://www.pmorganphoto.com/


Posted By: Necronom
Date Posted: 02 February 2004 at 10:25am

How does a DL man get around the restrictions of ASP? Are you saying that something like DAP can save the source ASP file?

. necronom .



Posted By: pmormr
Date Posted: 02 February 2004 at 6:03pm
A directory listing shows you all the files in the directory (I'll stop acting like you guys are two now...). Sometimes you can use other files that aren't asp to use as an indirect download source (hence, downloading the raw ASP file)

-------------
Paul A Morgan

http://www.pmorganphoto.com/


Posted By: WebWiz-Bruce
Date Posted: 03 February 2004 at 3:47am
You might want to pass across something like the ASP session ID in a hidden field and then check it matches before processing the password, this would prevent a hacker using a password cracking tool from a remote site.

Having a username field as well will also help as the hackers would also need to crack the username field as well as the password.


-------------
Web Wiz Forums Hosting - https://www.webwiz.net/web-wiz-forums/forum-hosting.htm
ASP.NET Web Hosting - https://www.webwiz.net/web-hosting/windows-web-hosting.htm
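
The suggestions in the replies above (pmormr's limit of 3 tries, WebWiz-Bruce's hidden session ID field and username field) combined in one Classic ASP login page. This is an added example, not code posted by anyone in the thread or taken from Web Wiz. The file name login.asp, the redirect target, the 15-minute lockout and the CredentialsValid placeholder are assumptions.

```asp
<%@ Language="VBScript" %>
<%
Option Explicit
Const MAX_TRIES = 3        ' failed attempts allowed, as suggested in the thread
Const LOCK_MINUTES = 15    ' assumed lockout window
' Hypothetical placeholder: replace the body with a lookup of the stored credentials.
Function CredentialsValid(user, pass)
    CredentialsValid = False
End Function

Dim key, lockedUntil, fails, msg
' Count failures per client address in Application state. A counter kept in
' Session would be reset by any client that simply discards its cookie.
key = "login_" & Request.ServerVariables("REMOTE_ADDR")
lockedUntil = Application(key & "_until")
If IsEmpty(lockedUntil) Then lockedUntil = CDate(0)

If Request.ServerVariables("REQUEST_METHOD") = "POST" Then
    If Now() < lockedUntil Then
        msg = "Too many failed attempts. Try again later."
    ElseIf Request.Form("sid") <> CStr(Session.SessionID) Then
        ' The post did not come from a form this session was served.
        msg = "Form expired. Reload the page and try again."
    ElseIf CredentialsValid(Request.Form("username"), Request.Form("password")) Then
        Application.Lock
        Application(key & "_fails") = 0
        Application.Unlock
        Session("isAdmin") = True
        Response.Redirect "default.asp"   ' assumed admin start page
    Else
        Application.Lock                  ' read-modify-write under the lock
        fails = Application(key & "_fails") + 1
        If fails >= MAX_TRIES Then
            Application(key & "_until") = DateAdd("n", LOCK_MINUTES, Now())
            fails = 0
        End If
        Application(key & "_fails") = fails
        Application.Unlock
        msg = "Login failed."             ' same text for bad username or password
    End If
End If
Session("formIssued") = True              ' store a value so the session is kept
%>
<form method="post" action="login.asp">
  <input type="hidden" name="sid" value="<%= Session.SessionID %>">
  Username: <input type="text" name="username">
  Password: <input type="password" name="password">
  <input type="submit" value="Log in">
</form>
<p><%= Server.HTMLEncode(msg & "") %></p>
```

The lockout is checked before the credentials, so a correct password sent during the lockout window is also refused. Application state is lost when the application restarts, and clients behind one proxy share a counter.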


