
I have HealthMonitoring on for my website. 90% of my pages are accessed in the format

http://www.itsmywebsite.com/showproduct.aspx?id=somenumber

I was checking the WebEvents_events table and saw that it is full of primarily two errors:

ERROR 1

0002609ad8vdf45f8daffc7de8716e32    2013-11-25 17:01:18.153 2013-11-25 11:01:18.153 System.Web.Management.WebViewStateFailureAuditEvent 9877    1455    4009    50204   Viewstate verification failed. Reason: Viewstate was invalid.   C:\HostingSpaces\parthak\itsmywebsite.com\wwwroot\  /   C15472-132183   http://www.itsmywebsite.com/showproduct.aspx    NULL    Event code: 4009
    Event message: Viewstate verification failed. Reason: Viewstate was invalid.
    Event time: 11/25/2013 11:01:18 AM
    Event time (UTC): 11/25/2013 5:01:18 PM
    Event ID: 0002609ad8vdf45f8daffc7de8716e32
    Event sequence: 9877
    Event occurrence: 1455
    Event detail code: 50204

    Application information:
        Application domain: /LM/W3SVC/94/ROOT-1-1302342423433586
        Trust level: Full
        Application Virtual Path: /
        Application Path: C:\HostingSpaces\parthak\itsmywebsite.com\wwwroot\
        Machine name: C15472-132183

    Process information:
        Process ID: 28796
        Process name: w3wp.exe
        Account name: C15472-132183\itsmywebsitecom_web

    Request information:
        Request URL: http://www.itsmywebsite.com/showproduct.aspx
        Request path: /showproduct.aspx
        User host address: 186.xx.xxx.xx
        User: 
        Is authenticated: False
        Authentication Type: 
        Thread account name: C15472-132183\itsmywebsitecom_web

    ViewStateException information:
        Exception message: Invalid viewstate. 
        Client IP: 186.xx.xxx.xx
        Port: 29991
        Referer: 
        Path: /showproduct.aspx
        User-Agent: Mozilla/4.0 (compatible; Synapse)

ERROR 2

0034c75464ecdd32dee41996bfe 2013-11-24 13:19:52.360 2013-11-24 07:19:52.360 System.Web.Management.WebRequestErrorEvent  8727    1313    3005    0   An unhandled exception has occurred.    C:\HostingSpaces\parthak\itsmywebsite.com\wwwroot\  /   C15472-132183   http://www.itsmywebsite.com/showproduct.aspx?id=-1%27   System.FormatException  Event code: 3005
Event message: An unhandled exception has occurred.
Event time: 11/24/2013 7:19:52 AM
Event time (UTC): 11/24/2013 1:19:52 PM
Event ID: 0034c75464ecdd32dee41996bfe
Event sequence: 8727
Event occurrence: 1313
Event detail code: 0

Application information:
    Application domain: /LM/W3SVC/94/ROOT-1-1302342423433586
    Trust level: Full
    Application Virtual Path: /
    Application Path: C:\HostingSpaces\parthak\itsmywebsite.com\wwwroot\
    Machine name: C15472-132183

Process information:
    Process ID: 14932
    Process name: w3wp.exe
    Account name: C15472-132183\itsmywebsitecom_web

Exception information:
    Exception type: System.FormatException
    Exception message: Input string was not in a correct format.

Request information:
    Request URL: http://www.itsmywebsite.com/showproduct.aspx?id=-1%27
    Request path: /showproduct.aspx
    User host address: 178.xxx.xxx.xxx
    User: 
    Is authenticated: False
    Authentication Type: 
    Thread account name: C15472-132183\itsmywebsitecom_web

Thread information:
    Thread ID: 31
    Thread account name: C15472-132183\itsmywebsitecom_web
    Is impersonating: False
    Stack trace:    at System.Number.StringToNumber(String str, NumberStyles options, NumberBuffer& number, NumberFormatInfo info, Boolean parseDecimal)
   at System.Number.ParseInt32(String s, NumberStyles style, NumberFormatInfo info)
   at System.String.System.IConvertible.ToInt32(IFormatProvider provider)
   at System.Convert.ChangeType(Object value, TypeCode typeCode, IFormatProvider provider)
   at System.Web.UI.WebControls.Parameter.GetValue(Object value, String defaultValue, TypeCode type, Boolean convertEmptyStringToNull, Boolean ignoreNullableTypeChanges)
   at System.Web.UI.WebControls.Parameter.GetValue(Object value, Boolean ignoreNullableTypeChanges)
   at System.Web.UI.WebControls.Parameter.get_ParameterValue()
   at System.Web.UI.WebControls.ParameterCollection.GetValues(HttpContext context, Control control)
   at System.Web.UI.WebControls.ObjectDataSourceView.ExecuteSelect(DataSourceSelectArguments arguments)
   at System.Web.UI.WebControls.BaseDataList.GetData()
   at System.Web.UI.WebControls.DataList.CreateControlHierarchy(Boolean useDataSource)
   at System.Web.UI.WebControls.BaseDataList.OnDataBinding(EventArgs e)
   at System.Web.UI.WebControls.BaseDataList.DataBind()
   at System.Web.UI.WebControls.BaseDataList.EnsureDataBound()
   at System.Web.UI.WebControls.BaseDataList.CreateChildControls()
   at System.Web.UI.Control.EnsureChildControls()
   at System.Web.UI.WebControls.BaseDataList.get_Controls()
   at MB.TheBeerHouse.Helpers.SetInputControlsHighlight(Control container, String className, Boolean onlyTextBoxes)
   at MB.TheBeerHouse.Helpers.SetInputControlsHighlight(Control container, String className, Boolean onlyTextBoxes)
   at MB.TheBeerHouse.Helpers.SetInputControlsHighlight(Control container, String className, Boolean onlyTextBoxes)
   at MB.TheBeerHouse.Helpers.SetInputControlsHighlight(Control container, String className, Boolean onlyTextBoxes)
   at MB.TheBeerHouse.Helpers.SetInputControlsHighlight(Control container, String className, Boolean onlyTextBoxes)
   at MB.TheBeerHouse.UI.BasePage.OnLoad(EventArgs e)
   at System.Web.UI.Control.LoadRecursive()
   at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)

Please guide me how to prevent these errors from occurring.

Update:

The worst part is the -1%27 appended to URLs. Now that I check again, it's used in the following URLs:

http://www.itsmywebsite.com/showproduct.aspx?id=-1%27 [invalid]
http://www.itsmywebsite.com/browseproduct.aspx?id=-1%27 [invalid]

and so on. None of these URLs exist and my Health Monitoring is logging all these errors. I have around 100K of those now in my table.

A valid url is http://www.itsmywebsite.com/showproduct.aspx?id=127

If there's no way to prevent them, can I handle them in my code by redirection or any other best practice so that it does not generate an error and fill up my table?

CuriousDev

3 Answers


You have been targeted with an SQL Injection attack, either by a bot or by some random hacker looking for credit cards in shops. Online shops are constantly attacked and you will have more attacks than you can imagine.

In order to prevent this kind of attack you could install a Web Application Firewall such as mod_security (available for IIS and Apache). The plugin will check the provided request, analyze it and stop every attack attempt before it's passed to your application.

Web Application Firewalls are just one more mitigation measure; the real solution is to have secure code. In this particular case you could implement Stacked Queries, limit permissions, validate input (in this case your app should catch the error first and handle it properly when it's not receiving an integer parameter) and handle errors properly (such as showing a custom page and not default errors, which could expose internal information), just to name a few.

In case you need to know anything in particular, just let me know.

Igarr
  • I was able to solve the -1 problem by using . However, how do I block requests which do not contain any parameter, say URLs of this kind http://www.itsmywebsite.com/showproduct.aspx which does not contain a query string like an ID? The correct format is http://www.itsmywebsite.com/showproduct.aspx?ID=xx. Btw, thanks for the mod_security info. – CuriousDev Dec 03 '13 at 09:02
  • This is what is happening right here. We get these at our work a few times a month. It's an automated attack. – Darren Kopp Dec 04 '13 at 21:53
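The following is an added example, not code from the question or from any of the answers. It is a code-behind for a hypothetical ShowProduct page (the class name, the "Products" connection string name, the Products table with ProductId and Name columns, and the ProductName label are all assumptions) that applies the input validation and error handling discussed above: the id query string parameter is checked before any control data-binds, so a request such as /showproduct.aspx?id=-1%27, or /showproduct.aspx with no id at all, is answered with a 404 instead of raising the unhandled FormatException that Health Monitoring records as a WebRequestErrorEvent. The lookup itself uses a parameterized SqlCommand so the id reaches the database as an integer, never as text spliced into the statement.

```csharp
// Added example, not the asker's or answerers' code. Code-behind for a
// hypothetical showproduct.aspx. Assumed: a "Products" connection string,
// a Products table with ProductId and Name columns, and a Label named
// ProductName on the page.
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Web.UI;

public partial class ShowProduct : Page
{
    private int _productId;

    // Parse the raw id. Returns null for a missing, non-numeric or
    // non-positive value; the caller decides how to answer the request.
    public static int? ParseProductId(string rawId)
    {
        int id;
        if (string.IsNullOrEmpty(rawId)) return null;      // /showproduct.aspx with no id
        if (!int.TryParse(rawId, out id)) return null;     // "-1'" is rejected here
        if (id <= 0) return null;                          // "-1" is rejected here
        return id;
    }

    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);
        int? productId = ParseProductId(Request.QueryString["id"]);
        if (!productId.HasValue)
        {
            // A 404 tells a well-behaved crawler the URL is dead. Response.End
            // stops the page lifecycle here, so OnLoad never walks the control
            // tree and the DataList never data-binds: nothing is thrown, so
            // nothing is logged as an unhandled exception.
            Response.StatusCode = 404;
            Response.End();
            return;
        }
        _productId = productId.Value;
    }

    // Look the product up with a parameterized query. The id is bound as an
    // SqlDbType.Int parameter, so it can never change the SQL text.
    public static string LoadProductName(int productId)
    {
        string connectionString =
            ConfigurationManager.ConnectionStrings["Products"].ConnectionString;
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(
            "SELECT Name FROM Products WHERE ProductId = @id", conn))
        {
            cmd.Parameters.Add("@id", SqlDbType.Int).Value = productId;
            conn.Open();
            object name = cmd.ExecuteScalar();   // null when no row matches
            return name == null ? null : (string)name;
        }
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        if (IsPostBack) return;
        string name = LoadProductName(_productId);
        if (name == null)
        {
            // Numeric but unknown id: also a 404, not an exception.
            Response.StatusCode = 404;
            Response.End();
            return;
        }
        ProductName.Text = name;
    }
}
```

Doing the check in OnInit rather than Page_Load matters here: the stack trace in the question shows the DataList being data-bound from a helper called in BasePage.OnLoad, so a check placed in Page_Load of the derived page would run too late. Response.End raises a ThreadAbortException internally that the page framework swallows; it is not recorded by Health Monitoring, unlike the HttpException a `throw` would produce.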

Error 1: see here: Invalid viewstate error

Error 2: it appears that -1' was passed in as a query string parameter, which can't be parsed as a number. If you are sure that this URL didn't originate from your application, then it probably is an automated bot probing your website for vulnerabilities. There is not much you can do about this.

SilverlightFox
  • Thanks for answering. But in that case, how is it that with every new error, it contains a new User host address? I have at least 100,000 errors logged on my site and I randomly checked 500 of them and all had different IP addresses. – CuriousDev Nov 27 '13 at 12:41
  • It could be a reference in your code, unintentionally passing that query parameter. Can you log the `referer` header to see which page it originates from? – SilverlightFox Nov 27 '13 at 12:44
  • I am pretty sure it originates from http://www.itsmywebsite.com/showproduct.aspx although that's not really a page. An ideal page is http://www.itsmywebsite.com/showproduct.aspx?id=[somenumber]. How do I log referer header? – CuriousDev Nov 27 '13 at 12:55
  • For Error 1, I have tried both the solutions, i.e. installed the .browser definitions that were breaking IE10 on ASP.NET 4 as well as generated a machineKey manually. – CuriousDev Nov 27 '13 at 12:56
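As an added example (not code from the answer or the comments) of how the Referer header asked about above can be logged: an Application_Error handler in Global.asax.cs that writes one tab-separated line per unhandled exception with the referer, the raw request URL, the client address and the user agent. The log path under ~/App_Data is an assumption, as is the site being allowed to write there. The handler reads the raw Referer header rather than Request.UrlReferrer, because UrlReferrer throws on a malformed header, which is exactly the kind of input a probing bot sends.

```csharp
// Added example, not code from the question or the answers. Global.asax.cs
// handler that records the Referer header for every unhandled exception.
// Assumed: the application can write to ~/App_Data/request-errors.log.
using System;
using System.IO;
using System.Web;

public class Global : HttpApplication
{
    // Build one log line. Kept separate from the handler so the format is
    // easy to read and to change.
    public static string FormatErrorLine(DateTime utcNow, HttpRequest request, Exception error)
    {
        // Raw header text: Request.UrlReferrer would throw UriFormatException
        // on a malformed value, which is common in bot traffic.
        string referer = request.Headers["Referer"] ?? "(none)";
        string userAgent = request.UserAgent ?? "(none)";
        return string.Format("{0:o}\t{1}\t{2}\t{3}\t{4}\t{5}",
            utcNow,
            request.UserHostAddress,
            request.RawUrl,            // keeps ?id=-1%27 exactly as sent
            referer,
            userAgent,
            error.GetType().FullName);
    }

    protected void Application_Error(object sender, EventArgs e)
    {
        Exception error = Server.GetLastError();
        if (error == null) return;

        // ASP.NET wraps page exceptions in HttpUnhandledException; unwrap it
        // so the logged type is the FormatException seen in Health Monitoring.
        Exception root = error.GetBaseException();

        string path = Server.MapPath("~/App_Data/request-errors.log");
        File.AppendAllText(path, FormatErrorLine(DateTime.UtcNow, Request, root) + Environment.NewLine);

        // Server.ClearError() is deliberately not called: the event still
        // reaches Health Monitoring and the customErrors page. This handler
        // only adds the referer that the WebRequestErrorEvent does not record.
    }
}
```

Once a few hundred lines are collected, grouping by the referer column shows whether the bad URLs come from a page on the site itself (which would point at a template bug) or arrive with no referer at all, which is what direct bot probing looks like.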

If there's no way to prevent them, can I handle them in my code by redirection or any other best practice so that it does not generate an error and fill up my table?

Assuming it is a 'good' bot, like a search engine, then you just need to make sure the returned HTTP status is a 404. That is, not found. Alternatively a 50x status would do.

That means you are telling the potential search engine that whatever URL they tried to access is really invalid. Now, if there really are multiple similar URLs, there is nothing to stop a 'good' search engine from checking all linked content.

On the other hand, if it's a 'bad' bot crawling your site, then you can't really prevent it. You can only make sure the endpoints you are exposing are safe. In ASP.NET you don't want to disable the default settings that check the viewstate, which are on by default, so you want to make sure that everything works as is.

eglasius