
Site hacked and IPS didn't detect a thing

josephium
Level 1

Hi

One of our websites was hacked. The attacker used a weakness in the scripting: what he did was add to the address "http://www.xxx.com/details.asp?id=xxx+update+textnews+..." and by this he changed the main page.

My question is why the IPS did not detect it? Isn't this some known form of SQL injection?

Is there some good explanation of these types of attacks and what should be done to further prevent this type of attack?

Thanks a lot

2 Replies 2

josephium
Level 1

NB: xxx is not our website; I used it as a fill-in-the-blanks instead of the original website.

mhellman
Level 7

I assume the application is custom, not purchased "off the shelf"? It looks like your custom application is vulnerable to some form of URL tampering, but without more details it's hard to be sure. IDS is a signature-based technology and as such doesn't do such a good job of detecting flaws in custom applications. If you allow HTTPS, it has no chance. There is something called an application firewall that is generally more effective for securing custom applications.

"Isn't this some known form of SQL injection"

Based on what you provided, I would say no. It looks like simple URL tampering.

"is there some good explanation about these types of attacks and what should be done to further prevent this type of attacks"

See [variable manipulation]:

http://www.owasp.org/index.php/OWASP_AppSec_FAQ

Fix your application. Knowing how to do that is beyond the scope of this forum. Hopefully the OWASP guide and site can help you.
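
An added example, not part of either post and not the site's own code, of an application-side fix for a page like `details.asp?id=...`: accept `id` only as a single short decimal integer and bind it as a query parameter. The table name `textnews` comes from the question; the columns, sample rows, `example.com` host and function names are assumptions, and Python with `sqlite3` stands in for the ASP application.

```python
import sqlite3
from urllib.parse import urlsplit, parse_qs


def make_db():
    # Constructed sample data; only the table name comes from the question.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE textnews (id INTEGER PRIMARY KEY, body TEXT)")
    db.executemany(
        "INSERT INTO textnews VALUES (?, ?)",
        [(1, "Welcome"), (2, "Launch notes")],
    )
    return db


def parse_id(url):
    """Return the id query parameter as an int, or None if it is anything else."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    values = params.get("id", [])
    if len(values) != 1:          # missing or repeated parameter
        return None
    raw = values[0]               # '+' has already been decoded to a space
    if not (raw.isascii() and raw.isdigit()) or len(raw) > 9:
        return None               # allow-list: ASCII digits only, bounded length
    return int(raw)


def get_details(db, url):
    """Look up one news item; a rejected id never reaches the SQL layer."""
    item_id = parse_id(url)
    if item_id is None:
        return None               # the web layer would answer 400 and log the request
    # The value is bound as a parameter, never concatenated into the statement.
    row = db.execute(
        "SELECT body FROM textnews WHERE id = ?", (item_id,)
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    base = "http://www.example.com/details.asp?id="
    # Constructed requests: one normal, one shaped like the URL in the question.
    for value in ("2", "1+update+textnews+..."):
        print(value, "->", get_details(db, base + value))
```

Rejected requests are worth logging with the raw query string, since a non-numeric `id` on this page is never legitimate traffic.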
