Archive for October, 2009

Define – SQL Injection And Javascript Injections

What is it?

Malicious code, usually JavaScript, is submitted through an input form and stored in a database table. Whatever the site later reads back from that table is sent to the browser of every user who views the page, so one injected record can reach all of them. This stored form of script injection is also called persistent cross-site scripting; SQL injection proper is the related case in which the input alters the database query itself instead of being stored by it.
Sample: when an innocent user visits a URL whose page is built from data in that table, the stored JavaScript is executed in the user's browser. It can redirect the user to the hacker's home page, and it can capture and send out sensitive information such as credit card numbers, date of birth and so on.

How does it occur?

A programmer writes code to take input from the user, store it in the database and display it on the next page. The input must be properly validated before it is submitted to the database, and it must be encoded again when it is written back into a page. If neither is done, JavaScript can be submitted in place of the expected input, inserted into the table and executed later in other users' browsers.

For example:

Enter your name: Ritesh Kumar

Display in browser-:

Your name is: Ritesh Kumar

The programmer must validate the input so that only alphabetic characters and spaces are accepted in a name field; characters such as ; , < > / \ etc. [refer to the input validation document] must not be allowed in a name.

Assuming the careless programmer did not validate the input, and the end user enters the following:

Enter your name: Ritesh Kumar;<script>alert('Your site is hacked')</script>

Display in browser-:

Your name is: Ritesh Kumar, followed by a JavaScript pop-up [Your site is hacked]

Thanks to the programmer's missing checks, the hacker can insert any JavaScript he likes in the same way, and use it to pull out whatever details he wants from the users who view the page.

How to prevent it?

This incident occurs due to improper input validation. The programmer MUST review all validations properly and must not allow unexpected special characters into the database. Validation alone is not enough: everything read back from the database must also be HTML-encoded when it is written into a page, so that stored text is displayed rather than executed.

Net4India provides a service called http://net4secure.com which helps your programmer to identify all such vulnerabilities inside the site.

Any query built by pasting user input directly into the SQL text is prone to SQL injection. All such direct SQL should be converted to parameterized (prepared) statements, or to stored procedures called with bound parameters. Note that a stored procedure which itself concatenates its arguments into dynamic SQL is just as vulnerable as the original query.

Server side: at the web-server layer, a request filter such as ModSecurity for Apache or UrlScan for IIS can detect and block requests that carry injection patterns. The disadvantage is that such filters may also block genuine requests, and they do not replace fixing the application code.
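As an added example (not code from the original post), the vulnerable and fixed versions of the name form discussed above, written in Python against the standard-library sqlite3 module: the name is stored, looked up and rendered back into HTML. The table, the sample names and the two payloads are constructed for this example; the lookup shows the SQL injection case from the prevention notes, the rendering shows the stored JavaScript case.

```python
import html
import sqlite3

# Constructed sample inputs for this example (they are not from the original post).
HONEST_NAME = "Ritesh Kumar"
XSS_NAME = "Ritesh Kumar<script>alert('Your site is hacked')</script>"
SQLI_NAME = "nobody' OR '1'='1"


def new_db():
    """In-memory table standing in for the application's user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    return conn


def save_name(conn, name):
    """Store whatever the user typed, using a bound parameter.

    The value travels separately from the SQL text, so quotes or semicolons
    in it cannot change the statement. This closes the SQL injection hole,
    but it says nothing about what the stored text will do in a browser.
    """
    conn.execute("INSERT INTO users (name) VALUES (?)", (name,))
    conn.commit()


def find_user_vulnerable(conn, name):
    """SQL injection: user input is pasted into the query text."""
    sql = "SELECT id, name FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, name):
    """The same lookup with a bound parameter: the input is only ever data."""
    return conn.execute(
        "SELECT id, name FROM users WHERE name = ?", (name,)
    ).fetchall()


def render_vulnerable(conn):
    """Stored XSS: rows are written into the HTML page exactly as stored."""
    rows = conn.execute("SELECT name FROM users ORDER BY id").fetchall()
    return "".join("<p>Your name is: %s</p>\n" % name for (name,) in rows)


def render_safe(conn):
    """Encode at output time: < > & " ' become entities, so a stored
    script tag is displayed as text instead of being executed."""
    rows = conn.execute("SELECT name FROM users ORDER BY id").fetchall()
    return "".join(
        "<p>Your name is: %s</p>\n" % html.escape(name, quote=True)
        for (name,) in rows
    )


def demo():
    """Run both attacks against the vulnerable and the fixed code paths."""
    conn = new_db()
    save_name(conn, HONEST_NAME)
    save_name(conn, XSS_NAME)
    return {
        "rows_stored": conn.execute("SELECT count(*) FROM users").fetchone()[0],
        # ' OR '1'='1 turns the WHERE clause into a tautology when concatenated,
        # and matches nobody when bound (no row has that literal name).
        "sqli_vulnerable_hits": len(find_user_vulnerable(conn, SQLI_NAME)),
        "sqli_safe_hits": len(find_user_safe(conn, SQLI_NAME)),
        "script_tag_in_vulnerable_page": "<script>" in render_vulnerable(conn),
        "script_tag_in_safe_page": "<script>" in render_safe(conn),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The two fixes are independent: the bound parameter in save_name stops the input from changing the INSERT, yet the script tag is still stored faithfully, and only html.escape at render time keeps it from running. A filter that strips a few characters at input time would protect neither path reliably.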

Further Reading: http://msdn.microsoft.com/en-us/library/ms161953.aspx


Net4India BizmailPlus and SMTP AUTH with Outlook Setup

Outlook Express Configuration

Step 1: First configure your email account in Outlook Express.

Step 2: Set the POP3 and SMTP server details as given below.

Step 3: POP3: pop.yourdomain.com

SMTP: smtpauth.yourdomain.com

Enter your email ID and password.

Step 4: In the outgoing mail server settings, enter the user name and password for outgoing mail, or select the check box to use the same user name and password as the incoming mail server. The outgoing server smtpauth.yourdomain.com requires this authentication before it will relay mail.

Step 5: Click OK Button

Microsoft Outlook Configuration

Step 1: First configure your email account in Microsoft Outlook.

Step 2: Select "View or change existing e-mail accounts" and click the "Next" button.

Step 3: Change the settings of existing Email account.

Step 4: Configure your email account as shown below

POP3: pop.yourdomain.com

SMTP: smtpauth.yourdomain.com

Enter User Name and Password

Step 5: Click on the "More Settings" button to enter the details for the outgoing server.

Step 6: Enter the details as shown below.

Step 7: Enter the user name and password for outgoing mail, or select the check box to use the same user name and password as the incoming mail server.

Step 8: Click “Ok” button to finish the configuration.


I am receiving spam mails from my own email ID. Is there any security lapse?

What you describe is known as email spoofing. The basic email protocols provide no protection against it: the sender address in a message can be set to anything, and it is very difficult for the receiving side to verify who is really at the other end and whether the claimed sender is genuine.

When receiving mail from the Internet, the SMTP protocol does not verify the sender beyond the connecting IP address being valid and the sender's domain existing. The reason is that a mail server cannot know who is going to send it mail next, or from where:
you may be expecting a message from anywhere in the world connected via the Internet.

Please note that spammers, often through virus-infected machines, use this technique deliberately: they put the sender address equal to the recipient so that the message appears to come from your own domain, which the anti-spam server trusts and whitelists, and so the message bypasses the filter.

http://www.cert.org/tech_tips/email_spoofing.html

What are the measures to STOP this ?

1. Identify the source and take legal action:

By checking the mail headers (the Received: lines) we can find the IP address from which the message was delivered, and we can inform the owner of that IP address to stop the activity (quite possibly their server is infected with a virus).

2. Remove the whitelist for your own domain:

Most mail servers are configured not to scan mail from their own domain for spam, to reduce false positives and anti-spam load. This exception is exactly what the spoofer relies on, so it should be removed.

3. SPF (Sender Policy Framework):

This is a DNS record stating that mail from YOUR OWN domain may only come from specific IP addresses, so that receivers can reject or flag mail claiming your domain from any other source. To publish such a rule you need to declare every IP address you will use for outgoing mail. The main drawback is MAIL FORWARDING, i.e.:

If any user forwards mail from hotmail/yahoo/gmail to your server, the forwarded messages arrive from the forwarder's IP address, not from the sending domain's declared addresses, so a strict policy rejects all of them. Another disadvantage is that a wrong record or a failed SPF lookup risks bouncing legitimate mail, which no user finds acceptable.
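An added example (not code from the original post) of the two checks described in points 1 and 3 above: reading the connecting IP address from the Received: header that our own server added, and evaluating a minimal SPF record against it. The messages, IP addresses, domain names and SPF records are all constructed for this example; the SPF_RECORDS dictionary stands in for the DNS TXT lookup a real receiver performs, and only the ip4/ip6 mechanisms and the "all" catch-all are implemented, not include, a, mx or redirect. The last scenario reproduces the forwarding drawback.

```python
import email
import ipaddress
import re
from email.utils import parseaddr

# Constructed SPF records standing in for the DNS TXT lookup a real receiver
# would perform (domains and addresses are example values, not real ones).
SPF_RECORDS = {
    "owndomain.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "bigmail.example": "v=spf1 ip4:198.51.100.0/24 -all",
}

IPV4_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def build_message(from_addr, connecting_ip):
    """Constructed raw message as it looks after our MX (mx.owndomain.example)
    prepended its own Received: line. Only that topmost line is trustworthy;
    anything below it was written by the sending side and may be forged."""
    return (
        "Received: from relay.example (relay.example [%s])\n"
        "\tby mx.owndomain.example (Postfix) with ESMTP id 1A2B3C\n"
        "\tfor <user@owndomain.example>; Thu, 1 Oct 2009 10:00:00 +0530\n"
        "From: %s\n"
        "To: user@owndomain.example\n"
        "Subject: test\n"
        "\n"
        "hello\n" % (connecting_ip, from_addr)
    ).encode()


def connecting_ip(raw):
    """Point 1: the IP that delivered the mail to us, from our own Received: header."""
    msg = email.message_from_bytes(raw)
    received = msg.get_all("Received") or []
    if not received:
        return None
    match = IPV4_IN_BRACKETS.search(received[0])
    return match.group(1) if match else None


def spf_result(record, ip):
    """Point 3: evaluate a minimal SPF record (ip4/ip6 mechanisms and the
    'all' catch-all only) for the given connecting IP."""
    qualifiers = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    addr = ipaddress.ip_address(ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in qualifiers:
            qualifier, term = term[0], term[1:]
        if term.lower() == "all":
            return qualifiers[qualifier]
        mechanism, _, argument = term.partition(":")
        if mechanism.lower() in ("ip4", "ip6"):
            # An address of the other family never matches a network, so
            # mixing ip4 and ip6 terms is safe here.
            if addr in ipaddress.ip_network(argument, strict=False):
                return qualifiers[qualifier]
    return "neutral"  # record exhausted with no match and no 'all' term


def check_message(raw):
    """Look up the From: domain's policy and test the connecting IP against it."""
    msg = email.message_from_bytes(raw)
    domain = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    ip = connecting_ip(raw)
    record = SPF_RECORDS.get(domain)
    if record is None or ip is None:
        return "none"
    return spf_result(record, ip)


def demo():
    return {
        # spoofed: From: is our own address but the mail came from an unrelated host
        "spoofed_own_domain": check_message(
            build_message("user@owndomain.example", "203.0.113.10")),
        # genuine: sent through one of the IPs declared in our record
        "genuine_own_domain": check_message(
            build_message("user@owndomain.example", "192.0.2.25")),
        # direct mail from bigmail.example's declared sender
        "direct_from_bigmail": check_message(
            build_message("friend@bigmail.example", "198.51.100.5")),
        # the forwarding drawback: same From:, but relayed via a forwarder's IP
        "forwarded_from_bigmail": check_message(
            build_message("friend@bigmail.example", "203.0.113.10")),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

A real SPF check uses the envelope sender (MAIL FROM) rather than the From: header, and the receiver must only trust the Received: line it wrote itself; the example reads the topmost line for that reason. The forwarded case fails for exactly the reason given above: the forwarder's IP is not in bigmail.example's record, even though the message is genuine.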

4. DomainKeys / DKIM

DomainKeys Identified Mail (DKIM) is a domain-level authentication framework for email that uses public-key cryptography and key publication in DNS to permit verification of the source and contents of messages at the SMTP level. The framework permits a signing domain to assert responsibility for a message, thus protecting the identity of the message signer and the integrity of the messages it conveys, while retaining the functionality of Internet email as it is known today.

Protection of the email identity in this way may assist in the global control of spam, phishing and spoofing.

So there is as yet no standard protocol that stops spoofing entirely while retaining the functionality of Internet email as it is known today. DomainKeys looks very handy, but it is of limited use until service providers worldwide implement it.