Click here to Skip to main content
15,867,686 members
Articles / Web Development / ASP.NET
Article

Prevent attacks on your website

Rate me:
Please Sign up or sign in to vote.
3.21/5 (26 votes)
6 Jul 2005CPOL2 min read 80.6K   905   44   15
Using a simple example, I'll explain how to prevent a program that can register thousands of dummy users to your database and play with your database and application performance.

Introduction

There are many ways of attacking a website like SQL injection, by injecting script, Session hacking etc. And you'll get lot of articles at CodeProject about this. In this article, I am trying to explain the use of CAPTCHA (I am not going to explain what CAPTCHA is ... search it on CodeProject or Google if you have not implemented it.) to avoid registration of dummy users to your database by a computer program. Using a simple example, I'll explain how any program can register thousands of dummy users to your database and play with your database and application performance.

A sample application which can spoil your website:

Here we are going to create a Windows application and execute out a test. We'll use classic COM AxSHDocVw.AxWebBrowser control, along with MSHTML which provides Internet Explorer with complete HTML Document Object Model parsing.

In this example, we are using the following Windows ActiveX objects.

  • mshtml.tlb
  • SHDocVw.dll

You can find them in your “windows/system32” directory.

Steps we are going to perform:

  • Step 1 - Grab the registration page using the WebBrowser Control.
  • Step 2 - Using MSHTML we can locate various form fields of the registration page.
  • Step 3 - Generate random fields.
  • Step 4 - Submit the field values to the website for registration.

and we are going to repeat step 3 and 4 infinite times :)

Let us assume that a website is having a registration form with the following text fields.

  • UserId
  • First Name
  • Last Name
  • Password
  • Confirm Password

And a Submit button. Find the IDs of each field. Open the registration page in your normal browser and using View Source find the ID of each field.

Now let us go to the coding part of this application.

Load the registration page to the WebBrowser at the form load.

C#
private void Form1_Load(object sender, System.EventArgs e)
{
    //get the registrations page URL
    string url="http://localhost:8181/TestApplication1/Registration.aspx";

    Object o = null;

    //fetch the page to your web browser.
    WebBrowser1.Navigate(url, ref o, ref o, ref o, ref o);
}

Now execute the code to register infinite users.

C#
private void btnRegisterClick_Click(object sender, System.EventArgs e)
{
    // use the HTMLDocument interface of mshtml to simulate the registration process
    mshtml.HTMLDocument obj;
    string tempGuid,userId,firstName,LastName,password=string.Empty;
    //execute an infinite loop
    while(true)
    {
        try
        {
            //get the random values for this user
            tempGuid=System.Guid.NewGuid().ToString();
            userId=tempGuid.Substring(0,9);
            firstName=tempGuid.Substring(3,12);
            LastName=tempGuid.Substring(11,10);
            password=tempGuid.Substring(10,8);
            // assign the values to the form fields.
            obj=(mshtml.HTMLDocument)WebBrowser1.Document;
            obj.getElementById("txtUserId").innerText=userId;
            obj.getElementById("txtFirstName").innerText=firstName;
            obj.getElementById("txtLastName").innerText=LastName;
            obj.getElementById("txtPassword").innerText=password;
            obj.getElementById("txtConfirmPassword").innerText=password;

            // find the submit button to post the information to the website
            // execute the click of the submit button to post the information
            obj.getElementById("btnSubmit").click();
            // Note if you can't find the submit button
            // by id then use the following approach
            // find it by index in the entire HTMLDocument
            /*
               mshtml.HTMLInputElement objbut;
               objbut=(mshtml.HTMLInputElement)obj.all.item("submit",0);
               objbut.click();
            */
        }
        catch
        {
            // failed :(
            // no problem we'll try again( try try until the site die ..)
        }
    }

I think the code above is self explanatory.

Let’s come to the solution part

To avoid this type of attacks on our website we need to allow only human users for registration not a computer program. The best approach for this is to write distorted text on the fly to an image and let the registrant identify the text written on the image so that every human can read that text. It’s very hard to read a distorted text written on an image by a computer application as explained above.

Sample screenshot

A vulnerable registration form.

Sample screenshot

More secured registration form.

To know more about CAPTCHA, you can browse The CAPTCHA Project. And to implement CAPTCHA in your web application, you can take the help of various articles published at CodeProject about CAPTCHA.

Conclusion

By this article, I just want to show that we should consider such small things to avoid big disasters later.

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


Written By
Architect
India India
Its me Smile | :)

Comments and Discussions

 
GeneralWebBrowser Auto Confirm dialog Pin
SolitonAU20-Feb-09 2:10
SolitonAU20-Feb-09 2:10 
Hi Prakash,

By chance, do you know how to automatically click "Ok" button on javascript confirmation dialog using MSHTML.HTMLDocument?

I am using WebBrowser control to parse a web page, submit the forms, but now stuck with confirm dialog which I want to bypass
QuestionSolution is CAPTCHA , but where to find it? Pin
aschip28-Sep-08 22:51
aschip28-Sep-08 22:51 
Generalok Pin
Naga Rajendra Kumar21-Jun-06 2:13
Naga Rajendra Kumar21-Jun-06 2:13 
Questionhow to implement Pin
vjedlicka7-Jul-05 2:42
vjedlicka7-Jul-05 2:42 
AnswerRe: how to implement Pin
PSK_7-Jul-05 2:59
PSK_7-Jul-05 2:59 
GeneralRe: how to implement Pin
vjedlicka7-Jul-05 4:29
vjedlicka7-Jul-05 4:29 
GeneralRe: how to implement Pin
vjedlicka7-Jul-05 21:26
vjedlicka7-Jul-05 21:26 
GeneralRe: how to implement Pin
PSK_10-Jul-05 20:27
PSK_10-Jul-05 20:27 
GeneralGood Article Pin
Who else its Me7-Jul-05 0:56
Who else its Me7-Jul-05 0:56 
GeneralRe: Good Article Pin
PSK_7-Jul-05 3:11
PSK_7-Jul-05 3:11 
GeneralCAPTCHA is very useful for Blogs Too Pin
Vasudevan Deepak Kumar6-Jul-05 23:38
Vasudevan Deepak Kumar6-Jul-05 23:38 
GeneralDisapointing article Pin
jumacabo6-Jul-05 23:36
jumacabo6-Jul-05 23:36 
GeneralRe: Disapointing article Pin
WillemM7-Jul-05 2:11
WillemM7-Jul-05 2:11 
GeneralRe: Disapointing article Pin
PSK_7-Jul-05 3:06
PSK_7-Jul-05 3:06 
GeneralNice Idea :) Pin
ThatsAlok6-Jul-05 22:44
ThatsAlok6-Jul-05 22:44 

General General    News News    Suggestion Suggestion    Question Question    Bug Bug    Answer Answer    Joke Joke    Praise Praise    Rant Rant    Admin Admin   

Use Ctrl+Left/Right to switch messages, Ctrl+Up/Down to switch threads, Ctrl+Shift+Left/Right to switch pages.