Posts Tagged ‘Security’

Using Asirra in ASP.Net MVC

Tuesday, January 13th, 2009

A simple helper to integrate and validate Asirra in ASP.Net MVC.

People use CAPTCHAs (Completely Automated Public Turing tests to tell Computers and Humans Apart) to protect their websites from automated posting. Asirra is one such technique.

What is Asirra

Asirra is a human interactive proof that asks users to identify photos of cats and dogs. It’s powered by over three million photos from Petfinder.com.

Asirra (Animal Species Image Recognition for Restricting Access) is an HIP that works by asking users to identify photographs of cats and dogs. This task is difficult for computers, but people can accomplish it quickly and accurately. You can learn more about Asirra here: MSR Asirra: A Human Interactive Proof.

How to use it

You can easily use it in your website. Installation details are in MSR Asirra Project – Installation.

I have prepared a helper for using it in an ASP.Net MVC application, and I will show how to use this helper in your website. First, look at the following sample pictures of a user registration form.

Integrate Asirra challenge

Import the namespace at the top of your view (.aspx) page.

<%@ Import Namespace="Valentica.Helpers" %>

Then call the GenerateAsirra() method of the helper wherever you would like to place the Asirra challenge. For example:

<%= AsirraHelper.GenerateAsirra() %>

<%-- Or: control where the enlarged version of the photos appears by
     passing EnlargedPosition.Top, Bottom, Left, or Right --%>
<%= AsirraHelper.GenerateAsirra(EnlargedPosition.Right) %>

<%-- Or: control the aspect ratio of the box with the rowsPerCell value --%>
<%= AsirraHelper.GenerateAsirra(4) %>

<%-- Or: both at once --%>
<%= AsirraHelper.GenerateAsirra(EnlargedPosition.Right, 4) %>

Perform client side validation

To validate Asirra on the client side, use the following steps.

Step 1:

Call the MySubmitForm() method in the onsubmit attribute of your form. For example:

<form id="mainForm" action="/Account/Register" method="post"
         onsubmit="return MySubmitForm();">

Step 2:

Then simply use the following JavaScript code.

<script type="text/javascript">
    // Set once Asirra has confirmed a human, so the second submit passes through.
    var passThroughFormSubmit = false;

    function MySubmitForm()
    {
        if (passThroughFormSubmit) {
            return true;
        }
        // Do site-specific form validation here, then ask Asirra to verify
        // the challenge; the callback decides whether the form is submitted.
        Asirra_CheckIfHuman(HumanCheckComplete);
        return false;
    }

    function HumanCheckComplete(isHuman)
    {
        if (!isHuman)
        {
            alert("Please correctly identify the cats.");
        }
        else
        {
            passThroughFormSubmit = true;
            var formElt = document.getElementById("mainForm");
            formElt.submit();
        }
    }
</script>

Server side validation

In your action method, alongside your other validation, call the IsValidAsirra() method of AsirraHelper with the ticket posted by the challenge. The client-side check only improves the user experience; this server-side check is the one that actually rejects automated submissions.

// Validate Asirra here: reject the request when the ticket is not valid
if (!AsirraHelper.IsValidAsirra(Request.Form["Asirra_Ticket"]))
{
    ModelState.AddModelError("Asirra_Ticket", "Asirra Invalid");
}

Try it now!

References

1. MSR Asirra: A Human Interactive Proof
2. MSR Asirra Project – Installation

Source Code

You can download the full source code here: Asirra Sample


Recovered My Hacked Site

Wednesday, October 8th, 2008

I was in my village for the Eid vacation, without internet access. After a one-week leave, I came to the capital and found that my site had been hacked. I was surprised to see that. Below is a picture of my hacked site.

MyHackedSite


At first I thought my .htaccess file had been changed, but I noticed that only the index file was changed. I opened a support ticket with my hosting provider and got the following reply, which I think may be helpful for others:

Here’s some information you can use to help to identify what may have happened and how to rectify it and possibly prevent it from happening again.

The two most common entry points for a compromised website are (1) vulnerable, typically out-of-date web scripts (blogs, forums, CMS, etc.) or (2) a compromised FTP/SSH user password.
1) All web scripts you have installed under your domain should always be kept up-to-date with the most recent version available from the vendors’ website, as these often contain security patches for known issues. Older versions of well-known and popular web software (including Wordpress, phpBB, PHPNuke, PostNuke, etc.) are known to have vulnerabilities that can allow injection and execution of arbitrary code. Also make sure not to store ‘archive’ versions of old software in an open web directory — if you intend to keep these they should be stored under your FTP user’s home directory, not under a domain directory. Finally, some plugins for popular software (such as Expose for Joomla) have been found to introduce similar vulnerabilities. It’s a good idea to search the internet for information about a plugin and ensure it doesn’t have any known issues before installing.

After updating your software, it is imperative that you go through all files under all directories for the user which has been compromised and ensure that any files which have been written to / modified have been removed. It is common for ‘hackers’ that exploit web scripts to upload innocuously-named scripts which they can use to further compromise the site more easily, even after the initial vulnerability is closed — including scripts to send spam mail or execute arbitrary shell commands under your account via a simple web page interface. A helpful tip for finding files of this nature is to look for files or directories that have timestamps that occurred since you last modified your site, or that occurred around the time that the ‘hack’ took place; still it is best to examine all files as even a single missed file can allow the site to be re-compromised.

2) A bit less frequently, an FTP password can be compromised and used to modify files. The most important part of securing your account in this case is to change your FTP user’s password via the (USERS > MANAGE USERS) -> “Edit” area of the control panel. Passwords should not contain dictionary words and should be a string of at least 8 mixed-case alpha characters, numbers, and symbols. The best option for selecting a new password is to use our “Pick a password for me” feature. Check that box near the bottom of the page then click on the “Save Changes” button. The system will generate a very strong random password for this account. It will be displayed on the next page. It is recommended to always use Secure FTP (SFTP) or SSH rather than regular FTP, which sends passwords over the internet in plaintext. You should not use any passwords that you’ve used with other services, and ideally you should never use the same password for email, control panel, and FTP/SSH. Finally, you should always ensure that you’ve got up-to-date virus/malware screening on your computer to ensure that it is not compromised itself.

I updated my web scripts to the latest versions and got my site back. I still don’t know how my site was hacked. Do you have any idea? :)
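As an added example (not from the post or the hosting provider’s reply), this POSIX shell script implements the tip in the reply above: list files changed after your last legitimate update, and look for scripts dropped into a directory that should only hold uploads. The web root layout, the .last_deploy marker file and the sample files are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the post or the hosting provider: implements the
# reply's advice to look for files changed after your last legitimate update
# and for scripts dropped into directories that should hold only uploads.
# Assumes POSIX sh, find(1) and touch(1); the sample site below is constructed.

# List regular files under WEBROOT modified after REFERENCE (a file whose
# mtime marks your last known-good deploy), sorted for stable review.
list_modified_since() {
    webroot=$1
    reference=$2
    find "$webroot" -type f -newer "$reference" | sort
}

# Count PHP scripts inside an uploads directory; any non-zero result is a
# file that should not be there and needs a look (and very likely removal).
count_scripts_in_uploads() {
    find "$1" -type f \( -name '*.php' -o -name '*.phtml' \) | wc -l | tr -d ' '
}

# Build a constructed sample site: two files from the last legitimate
# deploy, then a defaced index and a script placed in the uploads
# directory after the deploy marker (the situation the post describes).
build_sample_site() {
    site=$(mktemp -d)
    mkdir -p "$site/wp-content/uploads" "$site/wp-admin"
    printf '<?php // legitimate front page\n' > "$site/index.php"
    printf '<?php // admin script\n' > "$site/wp-admin/admin.php"
    touch -t 200809200000 "$site/index.php" "$site/wp-admin/admin.php"
    touch -t 200809210000 "$site/.last_deploy"     # last known-good deploy
    printf '<?php // defaced\n' > "$site/index.php"
    touch -t 200810010000 "$site/index.php"
    printf '<?php // script uploaded after the compromise\n' > "$site/wp-content/uploads/image.jpg.php"
    touch -t 200810010100 "$site/wp-content/uploads/image.jpg.php"
    echo "$site"
}

# Stand-alone run: print what a review after the incident would show.
site=$(build_sample_site)
echo "Files changed after last deploy:"
list_modified_since "$site" "$site/.last_deploy"
echo "Scripts in uploads: $(count_scripts_in_uploads "$site/wp-content/uploads")"
```

Timestamps can be reset by whoever modified the files, which is why the reply still says to examine every file rather than relying on mtimes alone.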
