Welcome to BARMAGY Sign in | Join | Help

Catch hackers red handed using http modules

      Here is a nice trick to help you to detect hackers in action while trying to hack your web applications. The idea is very simple, we want to set a layer there between your application and the internet to watch the web traffic for anything suspicious. These suspicious things might be a query string that contains a XSS script or a SQL injection query. So we will monitor the web traffic that is passing through that layer for well known and common patterns of attack methods that most hackers use to scan your web applications for vulnerabilities. We will use http modules to implement that layer, here is some dirty code to demonstrate the idea.

using System;

using System.Data;

using System.Configuration;

using System.Web;

using System.Web.Security;

using System.Web.UI;

using System.Web.UI.WebControls;

using System.Web.UI.WebControls.WebParts;

using System.Web.UI.HtmlControls;

using System.Collections.Generic;

 

/// <summary>

/// Summary description for ICanSeeYouHttpModule

/// </summary>

public class ICanSeeYouHttpModule : IHttpModule

{

    private List<string> suspicious = new List<string>();

      public ICanSeeYouHttpModule()

      {

        //we fill our suspicious list with every string or character

        //we find it not normal to use in our application web requests

        suspicious.Add("select"); //for sql injection

        suspicious.Add("update");

        suspicious.Add("insert");

        suspicious.Add("delete");

        suspicious.Add("drop");

        suspicious.Add("<script"); //for xss

        suspicious.Add("'"); //for sql injection too

        suspicious.Add(";"); //might be used in both xss java scripts or sql injections

        //use your imagination for the rest :)

      }

    public String ModuleName

    {

        get { return "ICanSeeYouHttpModule"; }

    }

    public void Init(HttpApplication application)

    {

        application.BeginRequest += new EventHandler(application_BeginRequest);

    }

 

    void application_BeginRequest(object sender, EventArgs e)

    {

        HttpApplication application = (HttpApplication)sender;

        HttpContext context = application.Context;

        if (!Check(context.Request.RawUrl))

        {

            LogAndAlertTheAdmin(context.Request);

            //you can also put some intimidating message here ;)

            context.Response.Write("i can see u");

            //or you can fake a decoy error message to

            //let the attacker continue his scan while

            //not aware that you already know about it,

            //so you can know more about her/him and

            //her/his attack techniques

        }

    }

    private bool Check(string url)

    {

        //we will check our url for the suspicious stuff

        foreach (string keyword in suspicious)

            if (url.ToLower().Contains(keyword))

                return false;

        return true;

    }

    private void LogAndAlertTheAdmin(HttpRequest request)

    {

        //fill here your favorite logging method

        //you can use any available info about

        //the attacker in the request object

    }

    public void Dispose()

    {

    }

 

}

 

Ofcourse the previous code is just for demonostration sake and not intended to be perfect, to use this http module for your web application all what you have to do is to add this in your configuration file under <system.web>

 

  <httpModules>

      <add name="ICanSeeYouHttpModule" type="ICanSeeYouHttpModule"/>

  </httpModules>

 

Enjoy ;)

 

kick it on DotNetKicks.com
Published Monday, December 17, 2007 12:18 AM by Fady

Comment Notification

If you would like to receive an email when updates are made to this post, please register here

Subscribe to this post's comments using RSS

Comments

# Catch hackers red handed using http modules

You've been kicked (a good thing) - Trackback from DotNetKicks.com
Monday, December 17, 2007 12:23 AM by DotNetKicks.com

# re: Catch hackers red handed using http modules

gr8 job Fady, could I use it in my applications ??
Monday, December 17, 2007 1:01 AM by Hany Galal

# re: Catch hackers red handed using http modules

sure man, i would be flattered
thats why i published the idea her in the 1st place, so ppl know it and use it
Monday, December 17, 2007 1:05 AM by Fady

# re: Catch hackers red handed using http modules

that's is great, you just put a gate keeper :D

I call IHttpModule gate control, you are free to do what ever you want to do,

I saw sample from MSDN talking about Session Hijacking and how did solve it same way you did

Great work
Monday, December 31, 2007 8:48 PM by Ahmed Essam

# re: Catch hackers red handed using http modules

that's is great, you just put a gate keeper :D

I call IHttpModule gate control, you are free to do what ever you want to do,

I saw sample from MSDN talking about Session Hijacking and how did solve it same way you did

Great work
Monday, December 31, 2007 8:48 PM by Ahmed Essam

# re: Catch hackers red handed using http modules

very nice
Wednesday, January 02, 2008 3:51 PM by Amir Magdy

# re: Catch hackers red handed using http modules

@Ahmed
Thanks man, it's exactly what u call it, a gate keeper :D
@Amir
Thanks man for passing by and commenting, i hope you enjoyed the article
Wednesday, January 02, 2008 7:13 PM by Fady

# samanta

bGyGv3 http://fh6whUq3NnsPfj8g3vr0gQO4Yyzf.com
Monday, April 12, 2010 4:00 AM by samanta

# Cmshoxdl

this post is fantastic <a href=" https://www.stanford.edu/group/smsa/cgi-bin/public/forum/viewtopic.php?id=307 ">great lolita bbs</a>  jhdlsg
Monday, June 14, 2010 7:49 PM by Cmshoxdl

# megalolita

*** lolita https://www.stanford.edu/group/smsa/cgi-bin/public/forum/viewtopic.php?id=307 lolita bbs
Monday, June 14, 2010 9:09 PM by megalolita

# superlolita

*** Lolitas Nude HERE!>>
Monday, June 14, 2010 10:32 PM by superlolita

# superlolita

*** Lolitas Nude HERE!>>
Monday, June 14, 2010 10:33 PM by superlolita

# mark

Best Lolitas BBS here >>
http://premedforum.stanford.edu/viewtopic.php?p=462
Wednesday, June 16, 2010 7:38 PM by mark

# dobson

Best *** lolitas portal
Wednesday, June 16, 2010 8:57 PM by dobson

# Pulpmwnd

Best Site good looking <a href=" http://premedforum.stanford.edu/viewtopic.php?p=462 ">lolita incest</a>  uoztl
Wednesday, June 16, 2010 10:16 PM by Pulpmwnd

# Akvupcft

Hello good day <a href=" http://students.washington.edu/pnpga/forum/profile.php?id=231 ">young lolitas</a>  auy
Wednesday, June 16, 2010 11:38 PM by Akvupcft

# sandra

Best top 100 lolita toplist
Thursday, June 17, 2010 12:56 AM by sandra

# sosa

*** lolita models tgp  http://students.washington.edu/pnpga/forum/profile.php?id=231   Here!>>
Thursday, June 17, 2010 2:14 AM by sosa

# sandra

Lolita bbs http://rhodes.uthsc.edu/bin/view/Main/JoseffSmithz welcome
Saturday, June 19, 2010 10:24 AM by sandra

# merlo

*** lolita models
Saturday, June 19, 2010 11:43 AM by merlo

# Dlceufyu

Punk not dead  
Friday, July 02, 2010 10:10 AM by Dlceufyu

# Dlceufyu

Punk not dead  
Friday, July 02, 2010 10:10 AM by Dlceufyu

# Kwghqqku

I'm happy very good site
Friday, July 02, 2010 10:10 AM by Kwghqqku

# Iwoqgpmn

Very Good Site
Friday, July 02, 2010 10:10 AM by Iwoqgpmn

# Nllotypl

this is be cool 8)
Friday, July 02, 2010 10:10 AM by Nllotypl

# Ihvagyhw

i'm fine good work
Friday, July 02, 2010 10:10 AM by Ihvagyhw

# Ccbwpyrf

very best job
Friday, July 02, 2010 10:11 AM by Ccbwpyrf

# Ablpwnau

Wonderfull great site
Friday, July 02, 2010 10:11 AM by Ablpwnau

# Toafyzwv

This site is crazy :)
Friday, July 02, 2010 10:11 AM by Toafyzwv

# Btfumgxd

It's funny goodluck
Friday, July 02, 2010 10:11 AM by Btfumgxd

# Dikqazil

This site is crazy :)
Friday, July 02, 2010 10:11 AM by Dikqazil

# Jgeugtlv

this is be cool 8)
Saturday, July 03, 2010 9:31 AM by Jgeugtlv

# Qmuyzweq

I love this site
Saturday, July 03, 2010 9:31 AM by Qmuyzweq

# Zrnddkys

real beauty page
Saturday, July 03, 2010 9:31 AM by Zrnddkys

# Atpeatvm

I love this site <a href=" http://www.asianave.com/gulafuapik732 ">little girls *** farm animals</a>  8-O <a href=" http://www.asianave.com/aepykucoquk992 ">adult animal movies</a>  qiit
Saturday, July 03, 2010 11:11 AM by Atpeatvm

# Good info

Hello! beecfek interesting beecfek site!
Wednesday, August 04, 2010 6:06 AM by Pharmf937

# web catalogue registering

When you need to populate  web site, you can get many offers from everywhere, but you have to know, that  exists seo tool, that automatically and thoroughly  submit mass posting on forums and blogs it's [url=http://web-promotion-services.net]professional [b]SEO[/b] and web promotion[/url]!
Is it not a dream? and how to try it? come to web-promotion-sevices.net
Sunday, August 15, 2010 10:04 AM by Seotoolkits

# I tried this program and can say it works...

I just tried this program and would say that it really works as promised. I got the purchase and sell [url=http://smartforexsignal.com]forex trading signals[/url] that are appropriate to my invest needs. I could be anywhere close a PC, log in quickly to check the signals. To start it  was really simple - i didn't need much money to become and just after a few days I fulfilled a few great transactions.
Tuesday, August 24, 2010 12:07 PM by fishkaforex

# Раскрутка сайтов и вирусный маркетинг и прочая хрень о поисковом продвижении на barmagy.com

[url=http://auslander.ru]Поисковое продвижение по любым ключевым словам за 9999 руб[/url]? - ТАКОГО НЕ БЫВАЕТ! готовы взять таких на субподряд :)  Естественно, если вас интересует ключевой запрос "выращивание птеродактилей в неволе" - то, вы всегда можете расчитывать на то что написано выше. А если вас интересует конкурентная тематика - то на таких условиях вам нужно искать [url=http://auslander.ru]SEO[/url] альтруистов ;) Однозначно...
Wednesday, August 25, 2010 8:32 PM by promodiva

# Good info

Hello! cacddee interesting cacddee site!
Saturday, August 28, 2010 7:10 AM by Pharmk598

What do you think?

(required) 
required 
(required)