SSL just isn't good enough anymore.
The more informed one is, the more secure they can make their website. If one realizes the numerous ways a hacker can gain entry into a server, they'd be amazed. The number of ways to gain unauthorized entry is always changing and increasing as technology progresses. A merchant with this information can better combat these nuisances and potentially dangerous entries.
The simple benign example I gave above on how to inject code into the CCP5 search form (and other text entries) is just the beginning to demonstrate to you that it's possible. Hackers know that they can't do much damage with JavaScript. However, they know that . And when they do, they promote your site to their hacker friends around the world.
There are numerous forums and blogs that discuss injection attacks. Here are some.
http://www.owasp.org/index.php/Main_Page
http://en.wikipedia.org/wiki/Cross-site_scripting
http://ha.ckers.org/xss.html
http://en.wikipedia.org/wiki/SQL_injection
This one explains why you should filter out the single quote.
http://www.securiteam.com/securityrevie … 1P76E.html
Just peruse the Net and find many discussions on these attacks. Then do something to keep your website secure.
Last edited by Blitzen (12-30-2008 13:04:33)
Some very useful information there, thank you. Although I'm still not convinced the stock form of CCP5 is actually vulnerable to any of those methods... I certainly couldn't make them work. In any case, if you want to really lock it down, the CGI wrapper technique used by the official Kryptronic update looks much more secure to me and will still allow use of punctuation in your customer data.
I always like to keep a couple of things in mind when dealing with security.
If it's connected to the internet it WILL be attacked. Know it, plan for it and be prepared to deal with it.
There is no such thing as hacker proof.
rachaelseven wrote:
I would like to point out that Kryptronic did release an official update that addressed this issue. It would appear to be more secure than the method discussed here and is the preferred method.
Unfortunately, there were problems with the update and the last entry (#16) suggested to purchase v.6. "Kryptronic released ClickCartPro 6 in January 2007 which uses totally new code to combat cross-site-scripting. That release is not vulnerable and can be upgraded to from ClickCartPro 5.1."
As indicated above, the fix here passed the PCI test and I'll keep it because I have no reason to upgrade. The patches described here will work just dandy.
Last edited by Blitzen (12-30-2008 16:34:28)
That update did have an issue with the # character appearing as HTML entity code in emails, but that was the only reported problem after the final release of the update, as best I recall. Considering that this approach completely disallows a whole bunch of punctuation characters, an ugly # character in emails would seem to be a comparatively minor issue and a far better compromise. In addition, the CGI wrapper approach used in the official update has the advantage of protecting every variable, including things like hidden form fields, which are still entirely vulnerable with this approach. This approach does seem to get us past the automated PCI inspections, but let there be no doubt that the mod I've posted here leaves a LOT of security holes and the official update is MUCH more secure in terms of actually stopping hacking attempts, SQL injection and XSS attacks.
The issue with this post was securing the form input, not cookies and not URLs, not servers. I'm certain my security scan tested cookies and URLs and found nothing critical in my CCP5 website.
I filtered out all characters recommended by OWASP and my site passed. I applied it to only where a third party enters input, not everywhere. Admin is secured and all those inputs don't need filtering (PCI compliance understands that there is some base level of trust in your employees and server technicians.). Ditto for the software itself, not absolutely everything needs filtering for a well-written program, which CCP strives to accomplish. CCP5 has taken care of many attacks that were omitted by other software that we've reviewed.
Rachel chose to omit some recommended characters, and her mod as presented does pose some sort of risk. Consult the experts who study this (e.g., OWASP, http://www.cert.org/cert/information/developers.html, http://httpd.apache.org/info/css-security/) for their recommendations on what and how to filter user input.
As Dave pointed out, all sites are hackable. The Department of Defense, Yahoo!, banks and other big companies have been hacked. That's why security scans are routine. Next time, there may be something new to discuss and maybe one day, using the ASCII equivalent won't work anymore. Thus, I chose to remove the characters altogether instead of replacing with the ASCII equivalent.
Now, take on the day! I'm out of here getting ready for a profitable new year!
HAPPY NEW YEAR!
Last edited by Blitzen (12-30-2008 18:20:03)
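An added example, not code from this thread or from ClickCartPro, and written in Python rather than the product's own language, contrasting the two points debated above: removing risky characters versus encoding them as entities, and filtering only the visible fields versus wrapping every parameter as the official update does. The character set and the sample form submission are constructed for illustration and are not the sets any poster actually used.

```python
# Constructed character set for illustration; OWASP's recommended list and the
# set Blitzen filtered are not reproduced on this page.
RISKY = set("<>\"'&;#%()\\")

def strip_filter(value):
    """'Remove the characters altogether': delete every risky character.
    Nothing dangerous survives, but legitimate punctuation is lost too."""
    return "".join(ch for ch in value if ch not in RISKY)

def encode_filter(value):
    """'Replace with the ASCII equivalent': rewrite each risky character as a
    numeric HTML entity so a browser renders it literally. The data survives,
    but the entity appears verbatim in non-HTML sinks such as plain-text
    e-mail (the '#' -> '&#35;' symptom reported in the thread)."""
    return "".join(f"&#{ord(ch)};" if ch in RISKY else ch for ch in value)

def sanitize_fields(params, sanitizer, only=None):
    """Apply `sanitizer` to a dict of submitted form parameters.
    only=None  -> wrapper style: every parameter, hidden fields included.
    only={...} -> visible-fields-only style: just the named fields; anything
                  else (hidden inputs, extra parameters) passes through as-is."""
    return {k: sanitizer(v) if only is None or k in only else v
            for k, v in params.items()}

def unfiltered_fields(params, only):
    """List the parameters a visible-fields-only filter leaves untouched."""
    return sorted(k for k in params if k not in only)

# Constructed sample submission: a search term, a surname with an apostrophe,
# and a hidden field that a customer never types into but can still tamper with.
SAMPLE = {
    "search": "<script>x</script>",
    "lastname": "O'Brien",
    "cart_id": "42\" onmouseover=\"x",   # hidden <input>, tampered with
}
VISIBLE = {"search", "lastname"}

if __name__ == "__main__":
    for name, fn in (("strip", strip_filter), ("encode", encode_filter)):
        print(name, "visible only:", sanitize_fields(SAMPLE, fn, only=VISIBLE))
        print(name, "every field: ", sanitize_fields(SAMPLE, fn))
    print("left unfiltered by visible-only filtering:",
          unfiltered_fields(SAMPLE, VISIBLE))
```

Running it shows the trade-off directly: stripping turns O'Brien into OBrien, encoding keeps the name but emits `&#39;`, and the visible-only variant leaves the tampered hidden field exactly as submitted.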