https://community.cisco.com/t5/network-security/site-hacked-and-ips-didn-t-detect-a-thing/m-p/899271#M84972 <HTML><HEAD></HEAD><BODY><P>I assume the application is custom, not purchased "off the shelf"? It looks like your custom application is vulnerability to some form of URL tampering, but without more details it's hard to be sure. IDS is a signature based technology and as such doesn't do such a good job of detecting flaws in custom applications. If you allow HTTPS, it has no chance. There is something called an application firewall that is generally more effective for securing custom applications.</P><P></P><P>"isn'this some known form of SQL injection"</P><P></P><P>based on what you provided, I would say no. It looks like simple URL tampering. </P><P></P><P>"is there some good explanation about these types of attacks and what should be done to further prevent this type of attacks"</P><P></P><P>see [variable manipulation]: </P><P><A class="jive-link-custom" href="http://www.owasp.org/index.php/OWASP_AppSec_FAQ" target="_blank">http://www.owasp.org/index.php/OWASP_AppSec_FAQ</A></P><P></P><P>fix your application. knowing how to do that is beyond the scope of this forum. hopefully the owasp guide and site can help you.</P></BODY></HTML> Tue, 08 Jan 2008 13:51:31 GMT mhellman 2008-01-08T13:51:31Z https://community.cisco.com/t5/network-security/site-hacked-and-ips-didn-t-detect-a-thing/m-p/899269#M84968 <P>hi</P><P>one of our websites was hacked, the attacker used weakness in the scripting, what he did was added to the address "<A class="jive-link-custom" href="http://www.xxx.com/details.asp?id=xxx+update+textnews" target="_blank">http://www.xxx.com/details.asp?id=xxx+update+textnews</A>+..." and by this he changed the main page.</P><P>My question is why the IPS did not detect it ? isn'this some known form of SQL injection ?</P><P></P><P>is there some good explanation about these types of attacks and what should be done to further prevent this type of attacks </P><P>Thanks a lot</P><P></P> Sun, 10 Mar 2019 10:55:57 GMT https://community.cisco.com/t5/network-security/site-hacked-and-ips-didn-t-detect-a-thing/m-p/899269#M84968 josephium 2019-03-10T10:55:57Z https://community.cisco.com/t5/network-security/site-hacked-and-ips-didn-t-detect-a-thing/m-p/899270#M84970 <HTML><HEAD></HEAD><BODY><P>NB: xxx is not our website i used it as a fill in the blanks instead of the original website</P></BODY></HTML> Tue, 08 Jan 2008 06:22:03 GMT https://community.cisco.com/t5/network-security/site-hacked-and-ips-didn-t-detect-a-thing/m-p/899270#M84970 josephium 2008-01-08T06:22:03Z https://community.cisco.com/t5/network-security/site-hacked-and-ips-didn-t-detect-a-thing/m-p/899271#M84972 <HTML><HEAD></HEAD><BODY><P>I assume the application is custom, not purchased "off the shelf"? It looks like your custom application is vulnerability to some form of URL tampering, but without more details it's hard to be sure. IDS is a signature based technology and as such doesn't do such a good job of detecting flaws in custom applications. If you allow HTTPS, it has no chance. There is something called an application firewall that is generally more effective for securing custom applications.</P><P></P><P>"isn'this some known form of SQL injection"</P><P></P><P>based on what you provided, I would say no. It looks like simple URL tampering. </P><P></P><P>"is there some good explanation about these types of attacks and what should be done to further prevent this type of attacks"</P><P></P><P>see [variable manipulation]: </P><P><A class="jive-link-custom" href="http://www.owasp.org/index.php/OWASP_AppSec_FAQ" target="_blank">http://www.owasp.org/index.php/OWASP_AppSec_FAQ</A></P><P></P><P>fix your application. knowing how to do that is beyond the scope of this forum. hopefully the owasp guide and site can help you.</P></BODY></HTML> Tue, 08 Jan 2008 13:51:31 GMT https://community.cisco.com/t5/network-security/site-hacked-and-ips-didn-t-detect-a-thing/m-p/899271#M84972 mhellman 2008-01-08T13:51:31Z