Netsparker identified that password data is sent over HTTP.
Impact
If an attacker can intercept network traffic, they can steal users' credentials.
Actions to Take
See the remedy for the solution.
Move all of your critical forms and pages to HTTPS and do not serve them over HTTP.
Remedy
All sensitive data should be transferred over HTTPS rather than HTTP. Forms should be served over HTTPS. All aspects of the application that accept user input starting from the login process should only be served over HTTPS.
Netsparker identified that the target web application does not use MAC validation in ViewState data.
Impact
An attacker can tamper with the application's state variables located in the ViewState data structure.
Remedy
ASP.NET uses a hash-code-based integrity solution called "ViewStateMac" to protect ViewState parameters against tampering attacks. You can implement this solution at page or application level.
For page-based protection, place the following directive at the top of the affected page.
<%@Page EnableViewStateMAC=true %>
You can also set this option for the whole application by using web.config files. Apply the following configuration for your application's web.config file.
XSS (Cross-site Scripting) allows an attacker to execute a dynamic script (Javascript, VbScript) in the context of the application. This allows several different attack opportunities, mostly hijacking the current session of the user or changing the look of the page by changing the HTML on the fly to steal the user's credentials. This happens because the input entered by a user has been interpreted as HTML/Javascript/VbScript by the browser.
Netsparker believes that there is an XSS (Cross-site Scripting) vulnerability here but could not confirm it. We strongly recommend investigating the issue manually to ensure that it is an XSS (Cross-site Scripting) vulnerability and needs to be addressed.
XSS targets the users of the application instead of the server. Although this is a limitation, since it allows attackers to hijack other users' sessions, an attacker might attack an administrator to gain full control over the application.
Impact
There are many different attacks that can be leveraged through the use of XSS, including:
Hijacking users' active sessions.
Changing the look of the page within the victim's browser.
Mounting a successful phishing attack.
Intercepting data and performing man-in-the-middle attacks.
Remedy
The issue occurs because the browser interprets the input as active HTML, Javascript or VbScript. To avoid this, all input to and output from the application should be filtered / encoded. Output should be filtered / encoded according to the output format and location.
There are a number of pre-defined, well-structured white-list libraries available for many different environments; OWASP Reform and the Microsoft Anti-Cross-site Scripting library are good examples.
This page responds with an HTTP redirect status, so the detected XSS vulnerability might not be exploitable in many conditions; however, it still indicates a lack of correct filtering and should be addressed.
Request
GET /ib1/?'"--></style></script><script>netsparker(0x000A9D)</script> HTTP/1.1
Referer: http://www.ip2location.com/sitemap.xml
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: www.ip2location.com
Cookie: ASP.NET_SessionId=xsedntjlq0hssu45r03ill55; firstvisit=firstvisit=2011-03-21 9:44:6; ip2locationshoppingcart=91=1&88=1&90=20; ASPSESSIONIDCCCSTRCB=GKOODNEDCMMAHMENGLCOFLEF
Accept-Encoding: gzip, deflate
Response
HTTP/1.1 302 Found
Date: Mon, 21 Mar 2011 01:46:42 GMT
Server: Microsoft-IIS/6.0
Location: http://tools.ip2location.com/ib1?'"--></style></script><script>netsparker(0x000A9D)</script>
Content-Length: 278
Content-type: text/html
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1><p>The document has moved <a href="http://tools.ip2location.com/ib1?'"--></style></script><script>netsparker(0x000A9D)</script>">here</a>.</p></body></html>
This page responds with an HTTP redirect status, so the detected XSS vulnerability might not be exploitable in many conditions; however, it still indicates a lack of correct filtering and should be addressed.
Request
GET /ib2/?'"--></style></script><script>netsparker(0x000AA5)</script> HTTP/1.1
Referer: http://www.ip2location.com/sitemap.xml
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: www.ip2location.com
Cookie: ASP.NET_SessionId=xsedntjlq0hssu45r03ill55; firstvisit=firstvisit=2011-03-21 9:44:6; ip2locationshoppingcart=91=1&88=1&90=20; ASPSESSIONIDCCCSTRCB=GKOODNEDCMMAHMENGLCOFLEF
Accept-Encoding: gzip, deflate
Response
HTTP/1.1 302 Found
Date: Mon, 21 Mar 2011 01:46:42 GMT
Server: Microsoft-IIS/6.0
Location: http://tools.ip2location.com/ib2?'"--></style></script><script>netsparker(0x000AA5)</script>
Content-Length: 278
Content-type: text/html
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1><p>The document has moved <a href="http://tools.ip2location.com/ib2?'"--></style></script><script>netsparker(0x000AA5)</script>">here</a>.</p></body></html>
Internal Server Error (1 total, severity LOW, 1 confirmed)
The server responded with an HTTP status 500. This indicates a server-side error; the reasons may vary, and the behaviour should be analysed carefully. If Netsparker is able to find a security issue in the same resource, it will report it as a separate vulnerability.
Impact
The impact may vary depending on the condition. Generally this indicates poor coding practices: not enough error checking, sanitization and whitelisting. However, there might be a bigger issue such as SQL Injection; if that is the case, Netsparker will check for other possible issues and report them separately.
Remedy
Analyse this issue and review the application code in order to handle unexpected errors. This should be a generic practice that does not disclose further information upon an error. All errors should be handled server-side only.
<html> <head> <title>A potentially dangerous Request.QueryString value was detected from the client (btnLogin="'"--></style></script><sc...").</title> <style> body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;} p {font-family:"Verdana";font-weight:normal;color:black;margin-top: -5px} b {font-family:"Verdana";font-weight:bold;color:black;margin-top: -5px} H1 { font-family:"Verdana";font-weight:normal;font-size:18pt;color:red } H2 { font-family:"Verdana";font-weight:normal;font-size:14pt;color:maroon } pre {font-family:"Lucida Console";font-size: .9em} .marker {font-weight: bold; color: black;text-decoration: none;} .version {color: gray;} .error {margin-bottom: 10px;} .expandable { text-decoration:underline; font-weight:bold; color:navy; cursor:hand; } </style> </head>
<body bgcolor="white">
<span><H1>Server Error in '/' Application.<hr width=100% size=1 color=silver></H1>
<h2> <i>A potentially dangerous Request.QueryString value was detected from the client (btnLogin="'"--></style></script><sc...").</i> </h2></span>
<b> Description: </b>Request Validation has detected a potentially dangerous client input value, and processing of the request has been aborted. This value may indicate an attempt to compromise the security of your application, such as a cross-site scripting attack. You can disable request validation by setting validateRequest=false in the Page directive or in the <pages> configuration section. However, it is strongly recommended that your application explicitly check all inputs in this case. <br><br>
<b> Exception Details: </b>System.Web.HttpRequestValidationException: A potentially dangerous Request.QueryString value was detected from the client (btnLogin="'"--></style></script><sc...").<br><br>
An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.</code>
[HttpRequestValidationException (0x80004005): A potentially dangerous Request.QueryString value was detected from the client (btnLogin="'"--></style></script><sc...").] System.Web.HttpRequest.ValidateString(String s, String valueName, String collectionName) +240 System.Web.HttpRequest.ValidateNameValueCollection(NameValueCollection nvc, String collectionName) +99 System.Web.HttpRequest.get_QueryString() +122 System.Web.UI.Page.GetCollectionBasedOnMethod() +85 System.Web.UI.Page.DeterminePostBackMode() +128 System.Web.UI.Page.ProcessRequestMain() +2112 System.Web.UI.Page.ProcessRequest() +218 System.Web.UI.Page.ProcessRequest(HttpContext context) +18 System.Web.CallHandlerExecutionStep.System.Web.HttpApplication+IExecutionStep.Execute() +179 System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +87 </pre></code>
</td> </tr> </table>
<br>
<hr width=100% size=1 color=silver>
<b>Version Information:</b> Microsoft .NET Framework Version:1.1.4322.2443; ASP.NET Version:1.1.4322.2470
</font>
</body> </html> <!-- [HttpRequestValidationException]: A potentially dangerous Request.QueryString value was detected from the client (btnLogin="'"--></style></script><sc..."). at System.Web.HttpRequest.ValidateString(String s, String valueName, String collectionName) at System.Web.HttpRequest.ValidateNameValueCollection(NameValueCollection nvc, String collectionName) at System.Web.HttpRequest.get_QueryString() at System.Web.UI.Page.GetCollectionBasedOnMethod() at System.Web.UI.Page.DeterminePostBackMode() at System.Web.UI.Page.ProcessRequestMain() at System.Web.UI.Page.ProcessRequest() at System.Web.UI.Page.ProcessRequest(HttpContext context) at System.Web.CallHandlerExecutionStep.System.Web.HttpApplication+IExecutionStep.Execute() at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) --><!-- This error page might contain sensitive information because ASP.NET is configured to show verbose error messages using <customErrors mode="Off"/>. Consider using <customErrors mode="On"/> or <customErrors mode="RemoteOnly"/> in production environments.-->
Auto Complete Enabled (1 total, severity LOW, 1 confirmed)
"Auto Complete" was enabled in one or more of the form fields. These were either "password" fields or important fields such as "Credit Card".
Impact
Data entered in these fields will be cached by the browser. An attacker who can access the victim's browser could steal this information. This is especially important if the application is commonly used in shared computers such as cyber cafes or airport terminals.
Remedy
Add the attribute autocomplete="off" to the form tag or to individual "input" fields.
Actions to Take
See the remedy for the solution.
Find all instances of inputs which store private data and disable autocomplete. Fields which contain data such as "Credit Card" or "CCV" type data should not be cached. You can allow the application to cache usernames and remember passwords, however, in most cases this is not recommended.
Re-scan the application after addressing the identified issues to ensure that all of the fixes have been applied properly.
Required Skills for Successful Exploitation
Dumping all data from a browser can be fairly easy, and there exist a number of automated tools to undertake this. Where the attacker cannot dump the data, they could still browse the recently visited websites and activate the auto-complete feature to see previously entered values.
Cookie was not marked as HTTPOnly. HTTPOnly cookies cannot be read by client-side scripts, so marking a cookie as HTTPOnly can provide an additional layer of protection against Cross-site Scripting attacks.
Impact
During a Cross-site Scripting attack an attacker might easily access cookies and hijack the victim's session.
Actions to Take
See the remedy for the solution.
Consider marking all of the cookies used by the application as HTTPOnly (after this change, Javascript code will not be able to read the cookies).
Remedy
Mark the cookie as HTTPOnly. This will be an extra layer of defence against XSS. However this is not a silver bullet and will not protect the system against Cross-site Scripting attacks. An attacker can use a tool such as XSS Tunnel to bypass HTTPOnly protection.
Netsparker identified that the target web server is disclosing the ASP.NET version in the HTTP response. This information can help an attacker to develop further attacks, and the system can also become an easier target for automated attacks. The version was leaked from the X-AspNet-Version header of the HTTP response or from the default ASP.NET error page.
Impact
An attacker can use the disclosed information to look up security vulnerabilities specific to the identified version. The attacker can also use this information in conjunction with other vulnerabilities in the application or web server.
Remedy
Apply the following changes to your web.config file to prevent information leakage by using custom error pages and removing X-AspNet-Version from HTTP responses.
ViewState is not Encrypted (1 total, severity LOW)
Netsparker identified that the target web application doesn't use encryption on ViewState data.
Impact
An attacker can study the application's state management logic for possible vulnerabilities, and if your application stores application-critical information in the ViewState, that information will also be revealed.
Remedy
ASP.NET provides encryption for ViewState parameters.
For page-based protection, place the following directive at the top of the affected page.
<%@Page ViewStateEncryptionMode="Always" %>
You can also set this option for the whole application by using web.config files. Apply the following configuration for your application's web.config file.
Netsparker discovered an internal IP address in the page. It was not determined if the IP address was that of the system itself or that of an internal network.
Impact
This kind of information can be useful for an attacker when combined with other vulnerabilities.
Remedy
First ensure that this is not a false positive. Due to the nature of the issue, Netsparker could not confirm that this IP address was actually the real internal IP address of the target web server or internal network. If it is, consider removing it.
E-mail Address Disclosure (1 total, severity INFORMATION)
Netsparker found e-mail addresses on the web site.
Impact
E-mail addresses discovered within the application can be used by both spam email engines and brute-force tools. Furthermore, valid email addresses may lead to social engineering attacks.
Remedy
Use generic email addresses such as contact@ or info@ for general communications and remove user- or people-specific e-mail addresses from the web site; where contact with specific people is required, use submission forms for this purpose.
Netsparker identified that the target web server is disclosing the web server's version in the HTTP response. This information can help an attacker to gain a greater understanding of the system in use and potentially develop further attacks targeted at the specific web server version.
Impact
An attacker can look for specific security vulnerabilities for the version identified through the SERVER header information.
Remedy
Configure your web server to prevent information leakage from the SERVER header of its HTTP response.
Netsparker identified a Robots.txt file with potentially sensitive content.
Impact
Depending on the content of the file, an attacker might discover hidden directories. Ensure that nothing sensitive, such as the path of the administration panel, is exposed within this file.
Remedy
If disallowed paths are sensitive, do not write them in the robots.txt file and ensure that they are correctly protected by means of authentication.
Request
GET /robots.txt HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: www.ip2location.com
Cookie: ASP.NET_SessionId=hvn3ghec0iybbw45uquc4s3c; firstvisit=firstvisit=2011-03-21 9:39:35
Accept-Encoding: gzip, deflate
Response
HTTP/1.1 200 OK
Content-Length: 61
Content-Type: text/plain
Content-Encoding:
Last-Modified: Mon, 20 Dec 2010 08:16:58 GMT
Accept-Ranges: bytes
ETag: "07929451ea0cb1:8c4"
Vary: Accept-Encoding
Server: Microsoft-IIS/6.0
Date: Mon, 21 Mar 2011 01:39:37 GMT

User-agent: *
Disallow:
ASP.NET Debugging Enabled
Total: 1
Severity: Information
Netsparker identified that ASP.NET Debugging is enabled.
Impact
This indicates that the debugging flag was left enabled in the production system. There is no direct impact of this issue and it is presented here only for information.
Remedy
Apply the following changes to your web.config file to disable ASP.NET debugging.
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <HTML> <HEAD> <title>Apache Module</title> <meta name="description" content="IP2Location™ Apache Module enables the user to identify the country, region, city, latitude, longitude, zip code, time zone, ISP, domain name, connection type, area code and weather by IP address."> <meta name="keywords" content="apache, apache module, ip location, ip locator, ip search, ip lookup location, ip address locator, ip locate, ip to country"> <LINK href="style.css" type="text/css" rel="stylesheet"> </HEAD> <body> <form name="Form1" method="post" action="apache.aspx" id="Form1"> <input type="hidden" name="__VIEWSTATE" value="dDwtMTczNjE0OTQ3Nzt0PDtsPGk8MT47PjtsPHQ8O2w8aTwxPjs+O2w8dDw7bDxpPDE+O2k8Mz47aTw1PjtpPDc+Oz47bDx0PHA8bDxWaXNpYmxlOz47bDxvPGY+Oz4+Ozs+O3Q8cDxwPGw8VmlzaWJsZTs+O2w8bzxmPjs+Pjs+Ozs+O3Q8cDxsPFZpc2libGU7PjtsPG88Zj47Pj47Oz47dDxwPGw8c3JjOz47bDxpbWFnZXMvbG9naW4uZ2lmOz4+Ozs+Oz4+Oz4+Oz4+O2w8UmlnaHRCbG9jazE6YnRuRmluZExvY2F0aW9uOz4+sBp0Y3Ooa4BUEN0gp6EyM1UzSOk=" />
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <HTML> <HEAD> <title>C Language API Library</title> <meta name="description" content="IP2Location™ C Library enables the user to find the country, region, city, coordinates, zip code, time zone, ISP, domain name, connection type, area code and weather that any IP address or hostname originates from."> <meta name="keywords" content="c, c language, c library, ip geolocation, ip lookup location, ip address locator, search ip address, ip country, ip locate, ip to country"> <LINK href="style.css" type="text/css" rel="stylesheet"> </HEAD> <body> <form name="Form1" method="post" action="c.aspx" id="Form1"> <input type="hidden" name="__VIEWSTATE" value="dDwtMTczNjE0OTQ3Nzt0PDtsPGk8MT47PjtsPHQ8O2w8aTwxPjs+O2w8dDw7bDxpPDE+O2k8Mz47aTw1PjtpPDc+Oz47bDx0PHA8bDxWaXNpYmxlOz47bDxvPGY+Oz4+Ozs+O3Q8cDxwPGw8VmlzaWJsZTs+O2w8bzxmPjs+Pjs+Ozs+O3Q8cDxsPFZpc2libGU7PjtsPG88Zj47Pj47Oz47dDxwPGw8c3JjOz47bDxpbWFnZXMvbG9naW4uZ2lmOz4+Ozs+Oz4+Oz4+Oz4+O2w8UmlnaHRCbG9jazE6YnRuRmluZExvY2F0aW9uOz4+sEie7uTYU5fYYOzOLKTbgF+fdSM=" />
Netsparker identified an internal path in the document.
Impact
There is no direct impact however this information can help an attacker either to identify other vulnerabilities or during the exploitation of other identified vulnerabilities.
Remedy
First, ensure that this is not a false positive: due to the nature of the issue, Netsparker could not confirm that this file path is actually the real file path on the target web server.
Error messages should be disabled.
Remove this kind of sensitive data from the output.
<HEAD> <TITLE>Article - Redirect Web Visitors By Country Using .NET Framework in C# or VB.NET</TITLE></HEAD> <link rel="stylesheet" href="location.css" type="text/css"> <style type="text/css"> <!-- .style1 {font-family: "Courier New", Courier, monospace} --></style>
<p><b> <CENTER>Redirect Web Visitors By Country Using .NET Framework in C# or VB.NET<BR> </CENTER> <CENTER> </CENTER> <CENTER><BR> Hexasoft Development Sdn. Bhd. (645996-K)</b><br> 1-2-15 Mayang Mall Complex,<br> Jalan Mayang Pasir 1,<br> 11950 Bandar Bayan Baru,<br> Penang, Malaysia.<br> URL: <a class="black" href="http://www.ip2location.com">http://www.ip2location.com </a> <br> <br> { <a class="black" href="mailto:sales@ip2location.com">sales@ip2location.com</a> }<BR> </CENTER><p> </p> <P align="left"> There are times when it is useful to redirect a visitor to different default web page based on the visitor's country of origin. One practical usage is to redirect visitor to web page with the language recognized by the visitor.</P>This article shows you how by using .NET component, it can be done. <P></P> <p>Let us take a simple case study. Company XYZ is multi-national company with major customers from United States and Japan. The company official website is developed in both English and Japanese languages. The default page is in English language and visitor can switch to Japanese by changing the default language option. There exists a potential problem when a Japanese visitor does not understand English and it could not navigate the web site. So let us develop a simple solution to help Company XYZ redirecting all Internet traffic from country Japan to the Japanese language site. Meanwhile it drives the rest traffic to English site. <p style="Z-INDEX: 0">In this example, we use a fully functional IP2Location™ .NET component available at <a class="black" href="http://www.ip2location.net/download/IP2LocationDotNetComponent.ZIP" target="_blank">http://www.ip2location.net/download/IP2LocationDotNetComponent.ZIP </a>to query country by visitor's IP address. Firstly, install the IP2Location™ .NET component. The IP2Location™ .NET component will be installed in your local drive. Next, get the IP2Location.DLL .NET component and sample database from the directory, ie. 
c:\Program Files\IP2Location by default. You need to add a reference to this component from your Visual Studio web project. A copy of this component will be copied into /bin directory under the project. For unregistered component, there is a random 5-second delay in one out of ten queries.</p> <p>Let's assume the English web page as index_en.htm and Japanese web page as index_jp.htm. We implement a simple script default.asp to detect visitor's country of origin. If the visitor is from Japan, then redirect him/her to index_jp.htm, otherwise index_en.htm. Simple? Here is the code and the comments serve as explanation default.asp.</p> <p><b>Sample Codes in VB.NET Webform</b><br> ------------------------------</p> <p align="left"> <span class="style1">Imports IP2Location<br> Private Sub Query(ByVal strIPAddress As String)<br> Dim oIPResult As New IP2Location.IPResult<br> Try<br> If strIPAddress <> "" Then<br> IP2Location.Component.IPDatabasePath = "C:\\Program Files\\IP2Location\\Database\\IP-COUNTRY.SAMPLE.BIN"<br> oIPResult = IP2Location.Component.IPQuery(strIPAddress)<br> Select Case oIPResult.Status<br> Case "OK"<br> If oIPResult.CountryShort = "JP" Then<br> ' Visitor is from Japan<br> ' Redirect the URL to index_jp.htm<br> Response.Redirect("index_jp.htm")<br> Else<br> ' Visitor is not from Japan<br> ' Redirect the URL to index_en.htm<br> Response.Redirect("index_en.htm")<br> End If <br> Case "EMPTY_IP_ADDRESS"<br> Response.Write("IP Address cannot be blank.")<br> Case "INVALID_IP_ADDRESS"<br> Response.Write("Invalid IP Address.")<br> Case "MISSING_FILE"<br> Response.Write("Invalid Database Path.")<br> End Select<br> Else<br> Response.Write("IP Address cannot be blank.")<br> End If<br> Catch ex As Exception<br> Response.Write(ex.Message)<br> Finally<br> oIPResult = Nothing<br> End Try<br> End Sub</span></p>
<p><b>Sample Codes in C# Webform<br> </b>--------------------------</p> <span class="style1">using IP2Location;<br> private void Query(string strIPAddress)<br> {<br> IPResult oIPResult = new IP2Location.IPResult();<br> try<br> {<br> if (strIPAddress != "")<br> {<br> IP2Location.Component.IPDatabasePath = "C:\\Program Files\\IP2Location\\Database\\IP-COUNTRY.SAMPLE.BIN";<br> oIPResult = IP2Location.Component.IPQuery(strIPAddress);<br> switch(oIPResult.Status.ToString())<br> {<br> case "OK":<br> if (oIPResult.CountryShort == "JP") {<br> // Visitor is from Japan: redirect to the Japanese page<br> Response.Redirect("index_jp.htm");<br> } else {<br> // Visitor is not from Japan: redirect to the English page<br> Response.Redirect("index_en.htm");<br> }<br> break;<br> case "EMPTY_IP_ADDRESS":<br> Response.Write("IP Address cannot be blank.");<br> break;<br> case "INVALID_IP_ADDRESS":<br> Response.Write("Invalid IP Address.");<br> break;<br> case "MISSING_FILE":<br> Response.Write("Invalid Database Path.");<br> break;<br> }<br> }<br> else<br> {<br> Response.Write("IP Address cannot be blank.");<br> }<br> }<br> catch(Exception ex)<br> {<br> Response.Write(ex.Message);<br> }<br> finally<br> {<br> oIPResult = null;<br> }<br> } <P></P> </span> <p>Compile and upload this project to the web site. All visitors will go through this screening before redirect to an appropriate web page.<br> </p>
<p><center>Hexasoft Development Sdn. Bhd. © 2001-2011 All Rights Reserved</center> <P></P> <p><center>To obtain permission to reuse or republish this article, please write to <a class="black" href="mailto:sales@ip2location.com"> sales@ip2location.com</a>. Republication is welcome for no charge.</center> <P></P>
<HEAD> <TITLE>Article - Display Advertisement by Country Using .NET Framework in C# or VB.NET</TITLE></HEAD> <link rel="stylesheet" href="location.css" type="text/css"> <style type="text/css"> <!-- .style1 {font-family: "Courier New", Courier, monospace} --></style> <p><center> <strong>Display Advertisement by Country Using .NET Framework in C# or VB.NET<br> </strong> <br> <br> <STRONG>Hexasoft Development Sdn. Bhd. (645996-K)</B><br> </STRONG>1-2-15 Mayang Mall Complex,<br> Jalan Mayang Pasir 1,<br> 11950 Bandar Bayan Baru,<br> Penang, Malaysia.<br> <CENTER>URL: <a href="http://www.ip2location.com" class="black"><strong>http://www.ip2location.com</strong></a><br> <br> { <a class="black" href="mailto:sales@ip2location.com">sales@ip2location.com</a> }<br> </CENTER> <P></P> <p>Online advertising is another way to promote company products. It's very important to show the right advertisements to the right consumers to have an optimum response. A company selling their products in Japan showing their advertisement to visitors from United States is totally ineffective. On the other hand, localized advertisements catch visitor attention and improve sales.<br> </p> <p><br> In this example, we use a fully functional IP2Location™ .NET component available at <a href="http://www.ip2location.net/download/IP2LocationDotNetComponent.ZIP" class="black"> http://www.ip2location.net/download/IP2LocationDotNetComponent.ZIP</a> to query country by visitor's IP address. Firstly, install the IP2Location™ .NET component. The IP2Location™ .NET component will be installed in your local drive. Next, get the IP2Location.DLL .NET component and sample database from the directory, ie. c:\Program Files\IP2Location by default. You need to add a reference to this component from your Visual Studio web project. A copy of this component will be copied into /bin directory under the project. 
For unregistered component, there is a random 5-second delay in one out of ten queries.</p> <p><b>Sample Codes in VB.NET Webform</b><br> ------------------------------</p> <p><span class="style1">Imports IP2Location<br> Private Sub Query(ByVal strIPAddress As String)<br> Dim oIPResult As New IP2Location.IPResult<br> Try<br> If strIPAddress <> "" Then<br> IP2Location.Component.IPDatabasePath = "C:\\Program Files\\IP2Location\\Database\\IP-COUNTRY.SAMPLE.BIN"<br> oIPResult = IP2Location.Component.IPQuery(strIPAddress)<br> Select Case oIPResult.Status<br> Case "OK"<br> If oIPResult.CountryShort = "JP" Then<br> ' Visitor is from Japan<br> ' Show advertisement from JP<br> Response.Write("<img src=""Japan.jpg"" border=""0"" width=""100"" height=""200"">")<br> Else<br> ' Visitor is not from Japan<br> ' Show other advertisement<br> Response.Write("<img src=""US.jpg"" border=""0"" width=""100"" height=""200"">")<br> End If <br> Case "EMPTY_IP_ADDRESS"<br> Response.Write("IP Address cannot be blank.")<br> Case "INVALID_IP_ADDRESS"<br> Response.Write("Invalid IP Address.")<br> Case "MISSING_FILE"<br> Response.Write("Invalid Database Path.")<br> End Select<br> Else<br> Response.Write("IP Address cannot be blank.")<br> End If<br> Catch ex As Exception<br> ' The exception is swallowed here; log it rather than echoing it to the client<br> Finally<br> oIPResult = Nothing<br> End Try<br> End Sub</span><br> <br> <p><b>Sample Codes in C# Webform</b><br> --------------------------</p> <p><span class="style1">using IP2Location;<br> private void Query(string strIPAddress)<br> {<br> IPResult oIPResult = new IP2Location.IPResult();<br> try<br> {<br> if (strIPAddress != "")<br> {<br> IP2Location.Component.IPDatabasePath = "C:\\Program Files\\IP2Location\\Database\\IP-COUNTRY.SAMPLE.BIN";<br> oIPResult = IP2Location.Component.IPQuery(strIPAddress);<br> switch(oIPResult.Status.ToString())<br> {<br> case "OK":<br> if (oIPResult.CountryShort == "JP") {<br> Response.Write("<img src=\"Japan.jpg\" border=\"0\" width=\"100\" height=\"200\">");<br> }<br> else {<br> 
Response.Write("<img src=\"US.jpg\" border=\"0\" width=\"100\" height=\"200\">");<br> }<br> break;<br> case "EMPTY_IP_ADDRESS":<br> Response.Write("IP Address cannot be blank.");<br> break;<br> case "INVALID_IP_ADDRESS":<br> Response.Write("Invalid IP Address.");<br> break;<br> case "MISSING_FILE":<br> Response.Write("Invalid Database Path.");<br> break;<br> }<br> }<br> else<br> {<br> Response.Write("IP Address cannot be blank.");<br> }<br> }<br> catch(Exception ex)<br> {<br> // The exception is swallowed here; log it rather than echoing it to the client<br> }<br> finally<br> {<br> oIPResult = null;<br> }<br> }</span></p> <p align="left"> </p> <p align="left"> </p> <p><center>Hexasoft Development Sdn. Bhd. © 2001-2011 All Rights Reserved</center> <P></P> <p><center>To obtain permission to reuse or republish this article, please write to <a class="black" href="mailto:sales@ip2location.com"> sales@ip2location.com</a>. Republication is welcome for no charge.</center> <P></P> </center>
<HEAD> <TITLE>Article - Credit Card Fraud Prevention Using .NET Framework in C# or VB.NET</TITLE></HEAD> <link rel="stylesheet" href="location.css" type="text/css"> <style type="text/css"> <!-- .style1 {font-family: "Courier New", Courier, monospace} --></style> <p><b> <CENTER>Credit Card Fraud Prevention Using .NET Framework in C# or VB.NET<BR> </CENTER> <CENTER><BR> <BR> Hexasoft Development Sdn. Bhd. (645996-K)</b><br> 1-2-15 Mayang Mall Complex,<br> Jalan Mayang Pasir 1,<br> 11950 Bandar Bayan Baru,<br> Penang, Malaysia.<br> URL: <a class="black" href="http://www.ip2location.com">http://www.ip2location.com </a> </A><br> <br> { <a class="black" href="mailto:sales@ip2location.com">sales@ip2location.com</a> }<br></CENTER> <P></P> <p align="left"> Credit card fraud has become pervasive on the Internet. According to MasterCard International, account takeover fraud has increased by 369% since 1995. It has become one of the fastest growing types of fraud, and one of the more difficult to combat. More than $700 million in online sales were lost to fraud in 2001, representing 1.14 percent of total annual online sales of $61.8 billion, according to GartnerG2. Even if the credit card company has given the authorization as to the validity of the card, there are several ways fraudulent cards can be used on your site. The card may have been lost or stolen, but the card owner is yet to report its loss. Or the number on the card (and not the card itself) may have been lifted without the knowledge of the owner. There is also a scam called identity theft, where the card has been issued under false pretenses using someone else's identity and data.<br> <br> As an online merchant, you need to have a system to check the authenticity of orders placed to safeguard your business. While the effort may require additional time and money, it can save you the cost and stress caused by charge-backs for fraudulent orders. 
You lost your physical products; you lose the sale price; you lose another business opportunity; and you will be fined an additional $15-$50 charge-back fee. If you have a high percentage of charge-backs, your card services company can even blacklist you and cancel your merchant account. You will also spend time looking up the order and provide the requested information to your card services company. All of these hassles are things you can surely do without.<br> <br> How can you protect your business from credit card frauds? Here are a few steps that can be taken to ensure that the transaction is being requested by the real cardholder.<br> <br> <b>Suspect shipping address.</b><br> According to ClearCommerce Corporation, a provider of payment processing and fraud protection software for e-commerce, orders from Ukraine, Indonesia, Yugoslavia, Lithuania, Egypt, Romania, Bulgaria, Turkey, Russia and Pakistan have a very high incidence of fraud, and often have unverifiable addresses.<br> <br> <b>Untraceable email address.</b><br> In many fraudulent orders, the customer's email address is often at one of the free email services, like hotmail.com and yahoo.com, which are relatively untraceable.<br> <br> <b>Expensive items.</b><br> Be wary of expensive orders, especially for expensive brand-name items.<br> <br> <b>Multiple items.</b><br> It can be a bad sign, for example, if someone orders three X-Box or three DVD players at once, especially where the items have a high resale value.<br> <br> <b>Express shipping.</b><br> Most fraudulent orders specify overnight or 1-day shipping without hesitation.<br> <br> <b>Shipping address differs from billing address.</b><br> Receiving point and billing address are different in fraud orders. If you are selling valuable items, it can be a good policy only to ship to the billing address of the card's holder.<br> <br> <b>Suspicious billing address.</b><br> The address looks too simple or invalid. 
If the billing address is 123 Main St, New York, the order is probably fraud. You can use our online location tool to see if the address can be verified.<br> <br> <b>Leave at door or post office box.</b><br> If the courier service cannot guarantee delivery of goods, the risk of fraud is very high.<br> <br> The advancement of geo-targeting in the Internet allows us to pinpoint the geographical region for an order. The information can be used to reduce the fraud by verifying it with the billing address and delivery address. This method can identify the scenario where someone from country X has stolen the credit card data from country Y. The IP address lookup service will reveal the real country instead of relying on the country filled in the order form.<br> <br> IP2Location™ provides technology to translate IP address to country origin. The lookup table is available in several formats such as database and COM. It is the perfect solution to automate the fraud detection using client side programming languages like C++ & Visual Basic; or server side programming languages like ASP, PHP, JSP and CFML.<br> <br> For example, company XYZ received a credit-card order from IP address 161.139.12.3. The order details are as following:<br> <b>Name:</b> John Ma<br> <b>Address:</b> 123 Main St<br> <b>City:</b> New York<br> <b>ZIP Code:</b> 11111<br> <b>Country:</b> United States<br> <b>Tel:</b> (503) 111-1111<br> <b>Credit Card No:</b> 1234 5678 9012 3456<br> <b>Expired Date:</b> December 2010<br> <br> Credit card merchant processor will authorize this order if the billing address matches the order details. Unluckily, the credit card data has been stolen earlier by Mr. ABC from another country through the Internet. Later, he made a purchase of digital products from company XYZ using the information. His order was approved by the merchant because all the details matched John's record in the bank's database. 
IP2Location™ technology can filter the difference between order's country and record's country upfront to protect your business. You can classify this kind of order for manual inspection before delivering the goods. You will be surprised how much this method will help in identifying fraud orders.<br> <br> In this example, we use a fully functional IP2Location™ .NET component available at <a class="black" href="http://www.ip2location.net/download/IP2LocationDotNetComponent.ZIP" target="_blank">http://www.ip2location.net/download/IP2LocationDotNetComponent.ZIP </a>to query country by visitor's IP address. Firstly, install the IP2Location™ .NET component. The IP2Location™ .NET component will be installed in your local drive. Next, get the IP2Location.DLL .NET component and sample database from the directory, ie. c:\Program Files\IP2Location by default. You need to add a reference to this component from your Visual Studio web project. A copy of this component will be copied into /bin directory under the project. 
For unregistered component, there is a random 5-second delay in one out of ten queries.</p> <p><b>Sample Codes in VB.NET Webform</b><br> ------------------------------</p> <p align="left"> <span class="style1">Imports IP2Location<br> Private Sub Query(ByVal strIPAddress As String, ByVal billingCountry As String)<br> Dim oIPResult As New IP2Location.IPResult<br> Try<br> If strIPAddress <> "" Then<br> IP2Location.Component.IPDatabasePath = "C:\\Program Files\\IP2Location\\Database\\IP-COUNTRY.SAMPLE.BIN"<br> oIPResult = IP2Location.Component.IPQuery(strIPAddress)<br> Select Case oIPResult.Status<br> Case "OK"<br> If oIPResult.CountryShort = billingCountry Then<br> ' buyer is from the same country by IP address<br> Else<br> ' buyer is from the different country by IP address<br> End If <br> Case "EMPTY_IP_ADDRESS"<br> Response.Write("IP Address cannot be blank.")<br> Case "INVALID_IP_ADDRESS"<br> Response.Write("Invalid IP Address.")<br> Case "MISSING_FILE"<br> Response.Write("Invalid Database Path.")<br> End Select<br> Else<br> Response.Write("IP Address cannot be blank.")<br> End If<br> Catch ex As Exception<br> Response.Write(ex.Message)<br> Finally<br> oIPResult = Nothing<br> End Try<br> End Sub</span> </p> <br> <b>Sample Codes in C# Webform</b><br> --------------------------<br> <p align="left"><span class="style1">using IP2Location;<br> private void Query(string strIPAddress, string billingCountry)<br> {<br> IPResult oIPResult = new IP2Location.IPResult();<br> try<br> {<br> if (strIPAddress != "")<br> {<br> IP2Location.Component.IPDatabasePath = "C:\\Program Files\\IP2Location\\Database\\IP-COUNTRY.SAMPLE.BIN";<br> oIPResult = IP2Location.Component.IPQuery(strIPAddress);<br> switch(oIPResult.Status.ToString())<br> {<br> case "OK":<br> if (oIPResult.CountryShort == billingCountry) {<br> // buyer is from the same country by IP address<br> } else {<br> // buyer is from the different country by IP address<br> }<br> break;<br> case "EMPTY_IP_ADDRESS":<br> 
Response.Write("IP Address cannot be blank.");<br> break;<br> case "INVALID_IP_ADDRESS":<br> Response.Write("Invalid IP Address.");<br> break;<br> case "MISSING_FILE":<br> Response.Write("Invalid Database Path.");<br> break;<br> }<br> }<br> else<br> {<br> Response.Write("IP Address cannot be blank.");<br> }<br> }<br> catch(Exception ex)<br> {<br> Response.Write(ex.Message);<br> }<br> finally<br> {<br> oIPResult = null;<br> }<br> }</span></p> <p>Compile and upload this project to the web site. All visitors will go through this screening before redirect to an appropriate web page.<br> </p> <p><center>Hexa Software Development Center © 2001-2011 All Rights Reserved</center> <P></P> <p><center>To obtain permission to reuse or republish this article, please write to <a class="black" href="mailto:sales@ip2location.com"> sales@ip2location.com</a>. Republication is welcome for no charge.</center> <P></P>
<HEAD> <TITLE>Article - Determine Web Visitors Country of Origin in the Drop Down List using .NET Framework in C# or VB.NET</TITLE></HEAD> <link rel="stylesheet" href="location.css" type="text/css"> <style type="text/css"> <!-- .style1 {font-family: "Courier New", Courier, monospace} --></style> <p> <CENTER> <strong>Determine Web Visitors Country of Origin in the Drop Down List using .NET Framework in C# or VB.NET</strong> <br> <br> <br> <STRONG>Hexasoft Development Sdn. Bhd. (645996-K)</B><br> </STRONG>1-2-15 Mayang Mall Complex,<br> Jalan Mayang Pasir 1,<br> 11950 Bandar Bayan Baru,<br> Penang, Malaysia.</CENTER> <CENTER>URL: <a href="http://www.ip2location.com" class="black"><strong>http://www.ip2location.com</strong></a></CENTER> <CENTER><br> { <a class="black" href="mailto:sales@ip2location.com">sales@ip2location.com</a> }<br> </CENTER> <P></P> <p> With the emergence of online technologies such as the Internet, people and businesses have increased their reliance and use of these mediums as an avenue for commerce as it can be more convenient. During the transaction online, there are times when it is important to preset the web visitor's country of origin, ZIP code, ISP and domain name at the drop down list to prevent fraud and to ease the complexity of registration task. This article shows you how by using .NET Framework, it can be done.</p> <p>Let us take a simple example of a user login from Canada and he needs to fill up a shopping cart. The form may be quite complex as some businesses need more information to prevent fraud. In this case, there are needs to preset certain info in the drop down list such as country of origin, ZIP code, ip and domain name of where the users login. 
As a result, the drop down list in this example will preset to Canada, with the correct zip code and ip address.</p> <p> <br> In this example, we use a fully functional IP2Location™ .NET component available at <a class="black" href="http://www.ip2location.net/download/IP2LocationDotNetComponent.ZIP" target="_blank">http://www.ip2location.net/download/IP2LocationDotNetComponent.ZIP </a>to query country by visitor's IP address. Firstly, install the IP2Location™ .NET component. The IP2Location™ .NET component will be installed in your local drive. Next, get the IP2Location.DLL .NET component and sample database from the directory, ie. c:\Program Files\IP2Location by default. You need to add a reference to this component from your Visual Studio web project. A copy of this component will be copied into /bin directory under the project. For unregistered component, there is a random 5-second delay in one out of ten queries.</p> <p><b>Sample Codes in VB.NET Webform</b><br> ------------------------------</p> <p><span class="style1">Imports IP2Location<br> Private Sub Query(ByVal strIPAddress As String)<br> Dim oIPResult As New IP2Location.IPResult<br> Try<br> If strIPAddress <> "" Then<br> IP2Location.Component.IPDatabasePath = "C:\\Program Files\\IP2Location\\Database\\IP-COUNTRY.SAMPLE.BIN"<br> oIPResult = IP2Location.Component.IPQuery(strIPAddress)<br> Select Case oIPResult.Status<br> Case "OK"<br> If oIPResult.CountryShort <> "-" Then<br> Response.Write("<select name=country>")<br> ' Preselect the visitor's own country as the first option<br> Response.Write("<option value=" & oIPResult.CountryShort & ">" & oIPResult.CountryLong & "</option>")<br> Response.Write("<option value=AF>AFGHANISTAN</option>")<br> Response.Write("<option value=AL>ALBANIA</option>")<br> Response.Write("<option value=DZ>ALGERIA</option>")<br> Response.Write("<option value=AS>AMERICAN SAMOA</option>")<br> Response.Write("<option value=AD>ANDORRA</option>")<br> Response.Write("<option value=AO>ANGOLA</option>")<br> Response.Write("<option 
value=AI>ANGUILLA</option>")<br> Response.Write("<option value=AQ>ANTARCTICA</option>")<br> Response.Write("<option value=AG>ANTIGUA AND BARBUDA</option>")<br> Response.Write("<option value=AR>ARGENTINA</option>")<br> Response.Write("<option value=AM>ARMENIA</option>")<br> Response.Write("<option value=AW>ARUBA</option>")<br> Response.Write("<option value=AP>ASIA PACIFIC</option>")<br> Response.Write("<option value=AU>AUSTRALIA</option>")<br> Response.Write("<option value=AT>AUSTRIA</option>")<br> Response.Write("<option value=AZ>AZERBAIJAN</option>")<br> Response.Write("<option value=BS>BAHAMAS</option>")<br> Response.Write("<option value=BH>BAHRAIN</option>")<br> Response.Write("<option value=BD>BANGLADESH</option>")<br> Response.Write("<option value=BB>BARBADOS</option>")<br> Response.Write("<option value=BY>BELARUS</option>")<br> Response.Write("<option value=BE>BELGIUM</option>")<br> Response.Write("<option value=BZ>BELIZE</option>")<br> Response.Write("<option value=BJ>BENIN</option>")<br> Response.Write("<option value=BM>BERMUDA</option>")<br> Response.Write("<option value=BT>BHUTAN</option>")<br> Response.Write("<option value=BO>BOLIVIA</option>")<br> Response.Write("<option value=BA>BOSNIA AND HERZEGOWINA</option>")<br> Response.Write("<option value=BW>BOTSWANA</option>")<br> Response.Write("<option value=BV>BOUVET ISLAND</option>")<br> Response.Write("<option value=BR>BRAZIL</option>")<br> Response.Write("<option value=IO>BRITISH INDIAN OCEAN TERRITORY</option>")<br> Response.Write("<option value=BN>BRUNEI DARUSSALAM</option>")<br> Response.Write("<option value=BG>BULGARIA</option>")<br> Response.Write("<option value=BF>BURKINA FASO</option>")<br> Response.Write("<option value=BI>BURUNDI</option>")<br> Response.Write("<option value=KH>CAMBODIA</option>")<br> Response.Write("<option value=CM>CAMEROON</option>")<br> Response.Write("<option value=CA>CANADA</option>")<br> Response.Write("<option value=CV>CAPE VERDE</option>")<br> Response.Write("<option 
value=KY>CAYMAN ISLANDS</option>")<br> Response.Write("<option value=CF>CENTRAL AFRICAN REPUBLIC</option>")<br> Response.Write("<option value=TD>CHAD</option>")<br> Response.Write("<option value=CL>CHILE</option>")<br> Response.Write("<option value=CN>CHINA</option>")<br> Response.Write("<option value=CX>CHRISTMAS ISLAND</option>")<br> Response.Write("<option value=CC>COCOS (KEELING) ISLANDS</option>")<br> Response.Write("<option value=CO>COLOMBIA</option>")<br> Response.Write("<option value=KM>COMOROS</option>")<br> Response.Write("<option value=CG>CONGO</option>")<br> Response.Write("<option value=CD>CONGO, THE DEMOCRATIC REPUBLIC OF THE</option>")<br> Response.Write("<option value=CK>COOK ISLANDS</option>")<br> Response.Write("<option value=CR>COSTA RICA</option>")<br> Response.Write("<option value=CI>COTE D'IVOIRE</option>")<br> Response.Write("<option value=HR>CROATIA</option>")<br> Response.Write("<option value=CU>CUBA</option>")<br> Response.Write("<option value=CY>CYPRUS</option>")<br> Response.Write("<option value=CZ>CZECH REPUBLIC</option>")<br> Response.Write("<option value=CS>CZECHOSLOVAKIA (FORMER)</option>")<br> Response.Write("<option value=DK>DENMARK</option>")<br> Res..