Who else wants to prevent click fraud and track PPC clicks?


aaahh… adsense. Everyone’s favourite advertising program. Almost everyone who owns a blog/website has it. After all, anything that generates cash is most welcome.

For those who aren’t so sure, you might ask, what is adsense?

AdSense is an advertising program run by Google. Website owners enroll in this program to enable text and image advertisements on their sites. These ads are administered by Google and generate revenue on a per-click basis, matched to the website’s content. Though it’s pretty amazing how certain people can earn a 4-figure income in a day through adsense, there are 2 BIG issues that come with it.

  • Click Fraud
    If you are hated by certain groups for something controversial that you’ve said, you’re dead. There are certain groups of people out there who pick out websites that they disagree with and destroy the webmaster’s adsense income. All that has to be done is to click on the ads multiple times, say for example 100 clicks per person. A group of 3 is already enough to get your site’s adsense suspended.

  • Tracking Visitor Clicks
    Of course it’s all great when you get clicks, at first. As time goes on, you’d want to improve the content and layout of your site. However, you can’t see who clicked what, where that visitor came from, how many clicks that particular visitor makes, or even which advertisement he clicked on. The only thing that you and I can do in the adsense dashboard is to see the clickthrough rate and how much you’ve earned.

However, the world of adsense publishing became a better place thanks to Trevor Fitzgerald, a 20-year-old student studying Business Administration at Michigan State University, who developed this amazing nifty tool called ‘Adlogger’. The only catch is that you gotta be able to use FTP to upload the folder to your website.

screenshot

Guys, if you’re an adsense / YPN freak, you’re gonna love the 16 benefits that come with using the super cool, free, open source, amazing Adlogger.

  1. Track and log when a visitor clicks on one of your AdSense ads
  2. Optionally receive an email after every reported click
  3. Receive an email after every reported multiple click
  4. Secure administrative backend
  5. Know the total number of clicks and the total number of unique visitors that clicked
  6. Know the IP address, hostname, user agent, browser information, operating system of the visitor who clicked on the ad
  7. Determine which advertisement was clicked
  8. Get past click performance for a specific date or range of dates
  9. Find your best performing pages
  10. Custom channels help you monitor which pages are receiving clicks
  11. Block ads for a specific IP address or range of IPs
  12. Automatically block ads for visitors who are clicking too many within a certain time period
  13. Know exactly when, why, and for whom ads were successfully blocked
  14. If AdSense ads are blocked, you can display an alternate advertisement
  15. Code generator page to make installation and setup easy
  16. Synchronize all of the reporting to Google AdSense server time
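To show what benefits 3 and 12 boil down to on the server side, here is an added Python example (not Adlogger’s own code) that replays a constructed click log, flags repeat clicks from the same IP inside a sliding window, and stops serving ads once an assumed limit is exceeded. The limit, window and block duration are made-up policy values.

```python
from collections import defaultdict, deque

# Constructed sample click log (ip, unix timestamp, ad slot); not real Adlogger data.
SAMPLE_CLICKS = [
    ("203.0.113.5", 1000, "top"),
    ("203.0.113.5", 1010, "top"),
    ("198.51.100.9", 1020, "side"),
    ("203.0.113.5", 1025, "side"),
    ("203.0.113.5", 1030, "top"),   # 4th click inside 60 s: over the limit of 3
    ("203.0.113.5", 5000, "top"),   # block has expired and the window is empty again
]

class ClickMonitor:
    """Sliding-window click counter per IP. Limits and block duration are
    assumed policy values, not Adlogger's real settings."""

    def __init__(self, max_clicks=3, window_seconds=60, block_seconds=3600):
        self.max_clicks = max_clicks
        self.window = window_seconds
        self.block_seconds = block_seconds
        self.recent = defaultdict(deque)  # ip -> click timestamps inside the window
        self.blocked_at = {}              # ip -> time the ad block started
        self.events = []                  # what the admin notification emails would carry

    def record_click(self, ip, ts, ad_slot):
        """Log one click and return True if ads may still be served to this IP."""
        if ip in self.blocked_at:
            if ts - self.blocked_at[ip] < self.block_seconds:
                self.events.append(("blocked_repeat", ip, ts, ad_slot))
                return False
            del self.blocked_at[ip]       # block expired, start counting afresh
        q = self.recent[ip]
        while q and ts - q[0] > self.window:  # forget clicks outside the window
            q.popleft()
        q.append(ts)
        self.events.append(("click", ip, ts, ad_slot))
        if len(q) > 1:                    # the "multiple click" email case
            self.events.append(("multiple_click", ip, ts, ad_slot))
        if len(q) > self.max_clicks:      # too many clicks in the window: block ads
            self.blocked_at[ip] = ts
            self.events.append(("ads_blocked", ip, ts, ad_slot))
            return False
        return True

def replay(clicks, **policy):
    """Run a click log through the monitor; returns (monitor, per-click serve decisions)."""
    monitor = ClickMonitor(**policy)
    served = [monitor.record_click(ip, ts, slot) for ip, ts, slot in clicks]
    return monitor, served
```

Feeding the blocked visitor an alternate advertisement (benefit 14) is simply what you do when record_click() returns False.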

You gotta start using it, man. Actually, everyone should. =)

Adlogger
Prevent click fraud & track clicks

6 Ways On How To Prevent SQL Injections


Basically, SQL injection happens when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements, or is not strongly typed and is therefore unexpectedly executed as SQL. Any webmaster creating web applications that involve database manipulation will have to take these measures to prevent SQL injections.

According to WhiteHat Security’s statistics, there is a 20% likelihood that 8 out of 10 websites have a vulnerability in the area of SQL Injections.

  1. Keeping It Clean
     Whitelist the characters each field may contain. For example, make sure that users can only submit an email address made up of these characters:

     • abcdefghijklmnopqrstuvwxyz
       ABCDEFGHIJKLMNOPQRSTUVWXYZ
       0123456789
       @.-_+

  2. Quotes Quotes Quotes
     Many database interface languages cater to the need for safe quoting of text. For example, the MySQL interface in PHP offers 2 functions to ‘string quote’ and to ‘string parse’:

     • mysql_real_escape_string() adds backslashes in front of all the quotation marks.
     • stripslashes() removes backslashes in front of the quotation marks.

  3. Bounding Parameters

     Insecure:
       Statement s = connection.createStatement();
       ResultSet rs = s.executeQuery("SELECT email FROM member WHERE name = " + formField); // *boom*

     Secure:
       PreparedStatement ps = connection.prepareStatement("SELECT email FROM member WHERE name = ?");
       ps.setString(1, formField);
       ResultSet rs = ps.executeQuery();

     Above is an example of bound parameters in Java. Neither quotes, semicolons, backslashes nor SQL comment notations are able to corrupt the query, because the input is passed as data rather than as SQL text. Bound parameters are one of the most important steps anyone can take to truly secure the database from injection attacks.

  4. Rights Management
     Web applications should use connections to the database with as few rights as possible. Start with only one type of access: query access to the members table. This eliminates the possibility of using an ‘UPDATE’ statement to taint the database. Let access rights be progressive, granting more flexibility only after a successful user validation.

  5. Making Use Of Stored Procedures
     As long as the interface of the stored procedure stays the same, the table structure can change with no consequence to the application that is using the database. This layer of abstraction is like an extra barrier because table permissions are implicitly set. By only allowing database modifications through stored procedures, tables are never exposed directly to external applications.

  6. Separating TRUSTED and UNTRUSTED networks
     A DMZ is a computer network that is accessible from two other computer networks that have no direct contact with each other. Often, one of these networks is the Internet and the other is a local, internal network. Having a web server with very, very little access in a DMZ prevents total control of all networks, even if someone manages to take full control of the machine.
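The first and third tips side by side, as an added Python example (not from the post, which shows Java) against a constructed in-memory SQLite table standing in for the member table: a whitelist check using exactly the character set above, and the same lookup written once with string concatenation and once with a bound parameter. A perfectly honest name containing an apostrophe is enough to break the concatenated version while the bound one just works.

```python
import re
import sqlite3

# The post's whitelist for the email field: letters, digits and @ . - _ + only.
EMAIL_ALLOWED = re.compile(r"^[A-Za-z0-9@.\-_+]+$")

def is_clean_email(value):
    """'Keeping it clean': reject input containing any character outside the whitelist."""
    return bool(EMAIL_ALLOWED.match(value))

def make_db():
    """Constructed sample data; the member table mirrors the one in the post's snippet."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE member (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO member VALUES (?, ?)",
                     [("alice", "alice@example.com"), ("O'Brien", "ob@example.com")])
    return conn

def lookup_insecure(conn, form_field):
    """String concatenation, like the post's 'Insecure' snippet: the input becomes SQL."""
    sql = "SELECT email FROM member WHERE name = '" + form_field + "'"
    return [row[0] for row in conn.execute(sql)]

def lookup_secure(conn, form_field):
    """Bound parameter: the driver passes the value as data, never as SQL text."""
    sql = "SELECT email FROM member WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (form_field,))]

def demo():
    """Run both lookups against the sample table and report what happened."""
    conn = make_db()
    results = {
        "secure_plain": lookup_secure(conn, "alice"),
        "secure_quote": lookup_secure(conn, "O'Brien"),
    }
    try:
        results["insecure_quote"] = lookup_insecure(conn, "O'Brien")
    except sqlite3.OperationalError:
        # the apostrophe ended the string literal early and the statement no longer parses
        results["insecure_quote"] = "syntax error"
    return results
```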

SQL Injection Attacks
Useful tips on SQL injection attacks

How To Know If My Website Is Secure


Hi guys. Here’s a neat, FREE piece of software called Wikto by Sensepost which allows you and me to quickly perform web server assessments. Wikto will

  • find interesting directories and files on the web site
  • look for sample scripts that can be abused
  • find known vulnerabilities in the web server implementation itself

So I tested it out on rangit.com and found around 30 light vulnerabilities. I was a bit shocked to find such a list. Really. There were a few requests that hackers can use to execute SQL Injections. Scary but REAL. Remember, with this tool you can scan any website for its vulnerabilities. Here’s a screenshot of mine.

wikto scan

To use Wikto you need to get 2 other things.

  1. WinHTTrack
  2. HTTprint

After successfully installing all 3 programs, go to Wikto’s ‘SystemConfig’ tab. There are 4 important things to configure for Wikto to work.

wikto sysconfig

  1. HTTrack
     Locate the HTTrack folder and point to the file ‘httrack.exe’ in your program files.

  2. Cache
     Create a new folder for storing data. I created one in C: and named it ‘Temp’. After creating it, point to it.

  3. HTTPrint
     Locate the HTTPrint folder and point to the file called ‘win32’.

  4. NiktoDB
     Click on the button and download the latest database for scanning. This is essential for first timers.

After that, go to the ‘Wikto’ tab and enter a website. Click ‘Start Wikto’. Basic test commands from NiktoDB will be carried out. Watch the scanned vulnerabilities appear one by one.

The solution would be to talk to your web host about the scan results. Show what you’ve found and see what your web host says.

Sensepost Wikto
Web server assessment tool