Is there a way to prevent ad networks from creating pop-ups in my site. I am using OpenX to manage my ads. I explicitly told the networks not to show any pop-ups. As I have many ad networks I cannot be sure which one is invoking the pop-ups.
I would imagine the ads are being generated by javascript which is run when a webbrowser opens the page.
Thus you can't do any processing or filtering on the server side to determine this, and stop it. Client side scripting to determine this would also be very hard to produce.
To expand on the client side scripting issue, if you really want to solve this problem consistently, you could create a program which mimics a user, this could then trap any popup's which are created, and log them.
You could use this to test results from referring pages, by changing your IP address, or other tests.
It really depends how much time you want to spend on this.
Incidently, your ad providor's might not like this at all, as you are possibly commiting fraud by doing this. (If they pay you for each ad view.)
My advise would be to test your webpage, and determine which ad provider is the problem.
Once you know that you can either remove them, or discuss it with them.
Related
We have an internal CRM system which is currently a website that can only be accessed inside our intranet. The boss is now wanting to have it exposed to the outside world so that people can use it from home and on the road. My concern is security based in the fact we will be exposing our Customer base to the outside world. I have implemented 3 layers of security as follows:
User Name and Strong password combination to login
SSL on all data being pushed across the line
Once the user is logged in and authenticated the server passes them a token which must be used in all communication with the server from than on.
Basically Im a bit of newb in the respect of web security. Can anyone give me advice on whether I am missing anything? Or something should be changed?
There's a whole world of stuff you should consider, and it'll be really hard to quickly answer this - so I'll point you at a range of resources that should help you out / get you started.
First, I'll plug http://security.stackexchange.com, for any specific questions you have - they could be a great help.
Now, on to more immediate things you should check:
Are your systems behind a firewall? I'd recommend at least your DB is placed on a server that is not directly available to the outside world.
Explore and run a range of (free) security tools against your site to try and find any problems. e.g.:
https://asafaweb.com
http://sectools.org/
Read up on common exploits (e.g. SQL injection) and make sure you are guarding against them:
https://www.owasp.org/index.php/Top_10_2010-Main
https://www.owasp.org/index.php/Category:Vulnerability
How is your token being passed around, and what happens to it if another user gets hold of it (e.g. after it being cached on another machine)?
Make sure you have a decent password protection policy (decent complexity, protects against brute force attacks by locking accounts after 3 attempts).
If this is a massive concern for you (consider the risk to your business in a worst case scenario) consider getting an expert in, or someone to run a security test against your systems?
Or, as mrunion excellently points out in the comments above (+1), have you considered other more secure ways of opening this up, so that you don't need to publish this on the web?
Hope that gets you started.
The reason I'm asking is because, right now we already have it setup to prompt users to share things if they're connected. But the biggest problem we have is that without the user being connected, it tries to make a popup window — which is blocked in most browsers. (vs. the iframe inline)
So, I'm trying to see what the benefit or difference in us implementing the new changes if we're already doing "timeline-like" sharing. I don't get it? Do we have to recode everything?
Last, off topic, but I'm confused about the way the referral API works actually, because the same code doesn't seem to invoke the API at all. Just display the user's name
You need to get the users "publish_actions" permission to add things to timeline. So in that sense, yes, they do need to be connected. But the advantage of that is that once you get "publish_actions" permission, the user never needs to be prompted... you just automatically share the actions they've taken by making api calls.
We have a security problem here and we really need your help and inputs. We have a website with a backend system where admins can login and update the frontend. Our good friends tried to hack into the backend using SQL injection onto our login page and they succeeded and could create a users with admin access. The website is written in ASP.NET in C#.
We are thinking to remove the login page from public IP or add 2 layers protection ( IIS ip restriction and IP access list by program).
How can we do this in IIS and in the program? Please help since I am new to all these security things.
We distribute this website on a web garden consists of 3 servers so they share local/private ips of xx.xxx.x.x
How do I implement this in my code to grand access to just a list of IPs or a group of IPs?
Thanks so much in advance,
Simplecode
Just to go a little further down this rabbit hole.
First, sanitize your inputs and use parameterized queries. Just fix your code. This is the most important thing you should be working on right now.
Second, moving the login page doesn't fix the problem. If there are other pages within your site that are accessible, then I'm sure you have other sql injection issues. See #1 above.
Third, I bet you are exposed to all manner of other things like XSS. Take a little bit and learn what they are. Then spend some time retraining yourself to code in a defensive way. A hint: validate EVERYTHING. If you expect a number, only accept a number. If you expect a short string, don't allow javascript to be embedded in it.
One mantra to keep in mind is to only trust the browser, the users, and even the system admins as far as you absolutely have to. Which is to say build your site in such a way that you don't have to trust them at all.
Most companies have no idea what threats they are faced with. A hint: external threats or only part of it. Internal threats are usually far worse. I say this simply because you are asking a question which attempts to paste over exactly one part of the problem and ignores everything else.
I recently spoke with a company that claimed they had security down pat. Prior to the meeting I went to their website and noticed that they had a document id in all of their URLs. The id was a simple int. In a few minutes of spare time I wrote an app that started at doc id 1 and iterated until the server stopped giving data. There was a fair number of documents I should never have been able to see. Being a good samaritan, I told them about this.
The point of that tale is that sql injection, xss, etc isn't everything. Security through obscurity is another fail entirely.
I build ASP.NET websites (hosted under IIS 6 usually, often with SQL Server backends and forms authentication).
Clients sometimes ask if I can check whether there are people currently browsing (and/or whether there are users currently logged in to) their website at a given moment, usually so the can safely do a deployment (they want a hotfix, for example).
I know the web is basically stateless so I can't be sure whether someone has closed the browser window, but I imagine there'd be some count of not-yet-timed-out sessions or something, and surely logged-in-users...
Is there a standard and/or easy way to check this?
Jakob's answer is correct but does rely on installing and configuring the Membership features.
A crude but simple way of tracking users online would be to store a counter in the Application object. This counter could be incremented/decremented upon their sessions starting and ending. There's an example of this on the MSDN website:
Session-State Events (MSDN Library)
Because the default Session Timeout is 20 minutes the accuracy of this method isn't guaranteed (but then that applies to any web application due to the stateless and disconnected nature of HTTP).
I know this is a pretty old question, but I figured I'd chime in. Why not use Google Analytics and view their real time dashboard? It will require minor code modifications (i.e. a single script import) and will do everything you're looking for...
You may be looking for the Membership.GetNumberOfUsersOnline method, although I'm not sure how reliable it is.
Sessions, suggested by other users, are a basic way of doing things, but are not too reliable. They can also work well in some circumstances, but not in others.
For example, if users are downloading large files or watching videos or listening to the podcasts, they may stay on the same page for hours (unless the requests to the binary data are tracked by ASP.NET too), but are still using your website.
Thus, my suggestion is to use the server logs to detect if the website is currently used by many people. It gives you the ability to:
See what sort of requests are done. It's quite easy to detect humans and crawlers, and with some experience, it's also possible to see if the human is currently doing something critical (such as writing a comment on a website, editing a document, or typing her credit card number and ordering something) or not (such as browsing).
See who is doing those requests. For example, if Google is crawling your website, it is a very bad idea to go offline, unless the search rating doesn't matter for you. On the other hand, if a bot is trying for two hours to crack your website by doing requests to different pages, you can go offline for sure.
Note: if a website has some critical areas (for example, writing this long answer, I would be angry if Stack Overflow goes offline in a few seconds just before I submit my answer), you can also send regular AJAX requests to the server while the user stays on the page. Of course, you must be careful when implementing such feature, and take in account that it will increase the bandwidth used, and will not work if the user has JavaScript disabled).
You can run command netstat and see how many active connection exist to your website ports.
Default port for http is *:80.
Default port for https is *:443.
I was wondering if it is even possible to interact with other websites using my own.
Here is the scenario:
Lets say I have a Lockerz account, which is a place where you do daily tasks to earn points. Once a month you can redeem those points to get prizes such as an ipod, macbook, or other items. I know that sounds rediculous, but stay with me.
For someone to gain membership to this website they must be invited by a member. So I get your email address then log in to my account, then send you an invite from there.
What I want to do is create a website where a user enters their email into a textbox and presses a submit button. From there the program, behind the scenes, sends my login information, and the users email address to lockerz and sends the invite. All without ever leaving my site.
I have worked with ASP.NET with VB codebehind for a while now, so I understand the basics of that. I am just wondering if what i want to do is even possible. If so, can someone redirect me to a tutorial or guide of some kind that will give me a basic knowledge on this.
Thanks
You'll have to work down at the HTTP level, sending POST and GET requests.
Fortunately, .NET has the WebRequest and WebClient classes to help you.
WebClient would probably be your best starting point... But I would hang on a second.
Websites like this tend to employ some pretty intense fraud-protection. Banning, blocking or at least ignoring actions when multiple accounts use one IP, or otherwise do things in a predictable pattern.
WebClient isn't going to load up the JavaScript either so you might you can't access required parts of the page.
Either way, you don't need to do this on your webserver - I'd start off by writing it initial connect code locally as a simple script. It'll make testing it a lot faster.