Catch hackers red handed using http modules
Here is a nice trick to help you detect hackers in action while they try to attack your web applications. The idea is very simple: we add a layer between your application and the internet that watches the web traffic for anything suspicious. Suspicious things might be a query string that contains an XSS script or a SQL injection payload. So we will monitor the web traffic passing through that layer for the well-known, common attack patterns that most hackers use to scan web applications for vulnerabilities. We will use HTTP modules to implement that layer; here is some quick-and-dirty code to demonstrate the idea.
using System;
using System.Data;
using System.Configuration;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Web.UI.WebControls.WebParts;
using System.Web.UI.HtmlControls;
using System.Collections.Generic;
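/// <summary>
/// HTTP module that inspects each request's raw URL for a small list of
/// tokens commonly seen in SQL-injection and XSS probes. A match is logged
/// and the request is short-circuited so it never reaches the application.
/// Only <see cref="HttpRequest.RawUrl"/> is inspected: POST bodies, headers
/// and cookies are not examined by this module.
/// </summary>
public class ICanSeeYouHttpModule : IHttpModule
{
    // Substrings that this application does not expect in a normal request.
    // Matching is case-insensitive and is applied to both the raw and the
    // URL-decoded form of the URL, so "%27" is caught as well as "'".
    // Beware of false positives: "delete" also matches "/deleted-items" and
    // "select" matches "/selection" - tune this list for your own routes.
    private static readonly string[] Suspicious = new string[]
    {
        "select", "update", "insert", "delete", "drop", // SQL keywords
        "<script",                                       // script injection
        "'",                                             // SQL string delimiter
        ";"                                              // statement separator (SQL or JavaScript)
    };

    /// <summary>Human-readable module name.</summary>
    public String ModuleName
    {
        get { return "ICanSeeYouHttpModule"; }
    }

    /// <summary>
    /// Subscribes to <see cref="HttpApplication.BeginRequest"/> so the URL
    /// is inspected before any handler runs.
    /// </summary>
    /// <param name="application">The hosting application.</param>
    /// <exception cref="ArgumentNullException"><paramref name="application"/> is null.</exception>
    public void Init(HttpApplication application)
    {
        if (application == null)
        {
            throw new ArgumentNullException("application");
        }
        application.BeginRequest += new EventHandler(application_BeginRequest);
    }

    /// <summary>
    /// BeginRequest handler: logs a suspicious request, answers it with a short
    /// message and completes the pipeline so the request never reaches the
    /// application's own handlers.
    /// </summary>
    private void application_BeginRequest(object sender, EventArgs e)
    {
        HttpApplication application = (HttpApplication)sender;
        HttpContext context = application.Context;
        if (Check(context.Request.RawUrl))
        {
            return;
        }

        LogAndAlertTheAdmin(context.Request);
        // A decoy error page can be written here instead of this message, but in
        // either case the pipeline must be completed: without CompleteRequest()
        // the request would still be handed to the application after the
        // response is written, so the probe would run against the real handler.
        context.Response.StatusCode = 403;
        context.Response.Write("i can see u");
        application.CompleteRequest();
    }

    /// <summary>
    /// Returns true when <paramref name="url"/> looks clean, false when it
    /// contains one of the <see cref="Suspicious"/> tokens.
    /// </summary>
    /// <param name="url">Raw request URL; null or empty is treated as clean.</param>
    /// <returns>true if no suspicious token was found; otherwise false.</returns>
    private bool Check(string url)
    {
        if (String.IsNullOrEmpty(url))
        {
            return true;
        }
        // Also inspect the decoded form, otherwise a percent-encoded probe
        // ("%27" for "'", "%3Cscript" for "<script") slips past the raw check.
        // This is a single decode pass; double-encoded input is not unwrapped.
        string decoded = HttpUtility.UrlDecode(url);
        foreach (string keyword in Suspicious)
        {
            if (url.IndexOf(keyword, StringComparison.OrdinalIgnoreCase) >= 0 ||
                decoded.IndexOf(keyword, StringComparison.OrdinalIgnoreCase) >= 0)
            {
                return false;
            }
        }
        return true;
    }

    /// <summary>
    /// Hook for the site's own logging and alerting; intentionally left empty.
    /// </summary>
    /// <param name="request">The offending request. Its values (URL, headers,
    /// user agent, client address) are attacker-controlled, so encode or
    /// truncate them before writing them to a log that is viewed in a browser
    /// or parsed by other tools.</param>
    private void LogAndAlertTheAdmin(HttpRequest request)
    {
        // Fill in your preferred logging method here.
    }

    /// <summary>Nothing to release; the event subscription lives as long as the application.</summary>
    public void Dispose()
    {
    }
}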
Of course the previous code is just for demonstration's sake and not intended to be perfect. To use this HTTP module in your web application, all you have to do is add the following to your configuration file under <system.web>:
<httpModules>
<add name="ICanSeeYouHttpModule" type="ICanSeeYouHttpModule"/>
</httpModules>
Enjoy ;)