
How to not do websites

Hello. Here I will describe and show the vulnerabilities of one web resource. What is the big deal, you say, there are plenty of such sites on the Internet. True, this would be nothing special if it were not the site of a state institution.

Browsing the regional forum, I found a thread with a link to this resource. For fun, I went over and decided to look around. The first thing that caught my eye were links like http://********************.aspx?id=xxx. Apparently id determines what is shown. Without hesitation, we add letters to the numbers, and wonders happen ...
On the first pages of any book about web application development they write about such errors and how to avoid them.
The site holds all sorts of documents. I wonder where they are stored? I would call the folder "files", quite logical. Well, we type in the expected address, and ...
Yes, the guess is correct, and it is obvious that this folder is writable. It remains to find out how the files get there. That also lies on the surface, but I will deliberately not describe how the shell script was uploaded; I will just say that it is possible. Moving on, we see the form for asking the minister a question. First of all, we enter invalid data, and ...
The call stack sometimes shows many interesting things. We find the mailbox in the contacts and check the guess. The guess is correct.
I do not read other people's mail, and I will not do so here either. But in the folders one can see the interesting name "MinFin". Mail from the regional Ministry of Finance arrives here; mostly they send updates to various programs, but I know from experience that they sometimes send passwords and other access details. Yes, an interesting specimen, the quintessence of how things should never be done.

The conclusions suggest themselves.
For developers:
  1. Read books. Many good programmers before you have already gone through many mistakes and wrote books to share their experience. Do not repeat the mistakes of others.
  2. Always check the data submitted from the browser. Pass variables into the query through parameters, in a secure way.
  3. Use try ... catch blocks. An error can always occur, and the call stack will contain a lot of interesting things. Wrap unsafe code and handle the errors.
  4. Never store passwords in code. A password can and should be changed; keep the configuration in separate files to which outside access is closed.
  5. Do not develop sites in a vacuum; remember that there are plenty of inquisitive minds around. Check everything for correctness, and do not assume the incoming data is obviously correct.
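As an added illustration of conclusions 2 to 4 (this is not code from the original post or from the audited site), here is an ASP.NET WebForms code-behind in the style of the site's .aspx?id= pages, showing the pattern described above beside a hardened version; the table, column, control and connection-string names are assumed:

```csharp
using System;
using System.Configuration;
using System.Data.SqlClient;
using System.Web.UI;

// Hypothetical code-behind for a page like Document.aspx?id=123 (illustration only, not the
// audited site's code). TitleLabel and ErrorLabel are assumed Label controls on the page.
public partial class Document : Page
{
    // BEFORE: the pattern the article describes. The id goes straight into the query, any
    // failure throws out to the error page with the call stack, and the password is in code.
    private static string TitleUnsafe(string id)
    {
        var conn = new SqlConnection("Server=db;Database=site;User Id=sa;Password=secret");
        var cmd = new SqlCommand("SELECT Title FROM Documents WHERE Id = " + id, conn);
        conn.Open();
        return (string)cmd.ExecuteScalar();
    }
    // AFTER: validate, parameterize, and read secrets from configuration.
    private static string TitleSafe(string rawId)
    {
        int id;
        if (!int.TryParse(rawId, out id) || id <= 0)
            return null;                                  // (2) check what the browser sent
        // (4) connection string, password included, lives in Web.config rather than in code
        string cs = ConfigurationManager.ConnectionStrings["Site"].ConnectionString;
        using (var conn = new SqlConnection(cs))
        using (var cmd = new SqlCommand("SELECT Title FROM Documents WHERE Id = @id", conn))
        {
            cmd.Parameters.AddWithValue("@id", id);       // (2) parameter, not concatenation
            conn.Open();
            return cmd.ExecuteScalar() as string;
        }
    }
    protected void Page_Load(object sender, EventArgs e)
    {
        try
        {
            string title = TitleSafe(Request.QueryString["id"]);
            if (title == null) { Response.StatusCode = 404; return; }
            TitleLabel.Text = Server.HtmlEncode(title);
        }
        catch (SqlException ex)
        {
            // (3) details go to the server log; the visitor never sees the call stack
            System.Diagnostics.Trace.TraceError(ex.ToString());
            ErrorLabel.Text = "Temporary error, please try again later.";
        }
    }
}
```

Pair this with `<customErrors mode="RemoteOnly" />` in Web.config so that even an unhandled exception shows remote visitors a generic page rather than the stack trace.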

For administrators:
  1. Read the documentation for the products you use.
  2. Do not grant "everyone may do everything" permissions. In this example, that rule allowed free roaming through the server directories.
  3. Always make time for security.
  4. One mailbox for the whole "ministry" is harsh. Register a domain and attach mail to it; it is not expensive, and the budget of any government institution can afford it.
  5. Make it a rule to change the password once a month.

It is very disappointing that websites in the public sector are built this way, by hiring unqualified programmers. It is bad that there is no single platform for the public sector that allows web resources to be created quickly and safely. It is bad that they cannot even choose a normal e-mail provider. It is possible that this is a regional example and everything is much better elsewhere. Such websites are frightening; it is good that this was the regional ministry of culture, because with this approach there may be more serious sites from which more valuable information could be "leaked". I hope that this regional ministry of culture will now also learn about the "culture" of programming.
PS The addresses are deliberately removed and the region is not named, but I am sure an experienced reader will find everything.
UPD. Thanks to himik for his attentiveness.
UPD. Thanks also to Keyten for his attentiveness.


Source: https://habr.com/ru/post/144776/

