by   February 15 2011   
XCtM Project API Developers information. XCtM API for developers. Here you should find most of the common API parameters needed to setup your API call.

Older ASP Classic Version but still kicking!

The API is still valid and 100% not for public use. This is code you would have to host or seriously need me to monitor your IIS server. Its bandwidth isn't for home lite DSL, but any shared hosting and cable speeds will do. It is heavier on the server than on the actual bandwidth, but it requires checks to 2 and 3 resources for every page load. Like I said, this isn't for everyone, just those that need 100% monitoring of every connection to every ASP page 24/7. I've run this code since 99 and have updated it more than you see here, but this is a starting point to the new version XCtM 10.x.

Request parameters

| Parameter | Value | Description |
|---|---|---|
| ip | string | The IP address of your visitor, passed to the XCtM API. Host IP if client IP is empty. |
| sh | string | Your Website Domain Name, Registered Hostname. ( Request.ServerVariables("HTTP_HOST") ) |
| srp | string | Request Server Script Page. ( Request.ServerVariables("SCRIPT_NAME") ) |
| kapi | string | API Key assigned by Xtreme Computer. |
| mode | numeric | Response Field Mode. 0 = Live, 1 = HTML Debug, 2 = XML Debug. Default is 0. |
| sub | numeric | Special Features and Sub Routines Call. Default = 0. (Feature for Commercial eCommerce Sites.) |

Response fields

| Field | Description |
|---|---|
| pageid | Page ID index number and page tracking identification number. |
| score | Score: SideWiki Comment Total for Page. |
| uri | URL: Full URL tested, includes query string. |
| status | Status: Page Response Header Code. |
| time | Time: Date / Time page was tested. |
| hit | Hit: Number of times page was viewed. |
| email | Email: Notification Email address on file. |
| ip | IP Address: IP address of visitor used to prevent spam and graffiti. (Optional) |
| ipdec | IP Address Decimal: Used for Indexing IP address. (Optional) |
| pgid | Short Link: Reduced to Twitter Size URL for Quick Linking via Notification. |
| spam | Spam Score: Numeric Value returned if recorded as Spam in the XCtM system. 0 = Normal, 1 = Spam. (Optional) |
| hack | Hack Score: SQL and Malformed URL Injection attempts: 0 = Normal, 1 or Higher = Hack attempt. |
| ban | Ban Score: IP address deemed to be hostile, returns score of 1+, recommend ban IP connection. 0 = Normal. |

Terms of use

This project will be heading up to SourceForge soon enough. I'll be doing the main development and testing here and as I roll out the updates you'll be able to pick them up.

The old and new versions should help new programmers or those that inherited ASP Classic and need a little inside look at SQL injection prevention.


XCtM Project API Code for ASP Classic                                                                                

XCtM Project API Code for ASP Classic. .NET, HTML and PHP will be updated soon enough. This is for our developers to start updating this code. Please only use this as a design guide. Our live code has changed since version Beta 1.0; the current version is 1.7.

XCtM Project API Code for ASP will be updated here before the download page. Be sure to check for Version Revisions and Feature Additions from time to time.

The Functions of the Client Side Code API:
The XCtM API has changed and is very much different than the first version that I submitted a few weeks back.

After testing every possible query string you could think of, and even testing query strings and URL length (2500 characters), I thought it would be better to encode things before you send them, to cut down on the bandwidth required to send a single byte.

Function Line:

ASP/SQL

    Call XCtMv1_2(SWIPCheck(),Request.ServerVariables("HTTP_HOST"),Request.ServerVariables("SCRIPT_NAME"),QueryString,FormItem,"api_key","0","0")

First we need to pass the visitors IP address:

    Function SWIPCheck '# Test shortened version of IP lookup
        Dim strSWIPCheck

        ' Start with the proxy-supplied header; it can hold a list of addresses.
        strSWIPCheck = Request.ServerVariables("HTTP_X_FORWARDED_FOR")
        If Len(strSWIPCheck) <> 0 Then
            If Len(strSWIPCheck) >= 15 Then
                ' Keep only the text before the first separator.
                If InStr(strSWIPCheck, ",") > 0 Then
                    strSWIPCheck = Left(strSWIPCheck, InStr(strSWIPCheck, ",")-1)
                ElseIf InStr(strSWIPCheck, ";") > 0 Then
                    strSWIPCheck = Left(strSWIPCheck, InStr(strSWIPCheck, ";")-1)
                ElseIf InStr(strSWIPCheck, ":") > 0 Then
                    strSWIPCheck = Left(strSWIPCheck, InStr(strSWIPCheck, ":")-1)
                End If
            End If
        End If

        ' Fall back to the connection address when the value is empty or looks
        ' private or loopback. The "172." and "192." tests match the whole first
        ' octet, not only 172.16.0.0/12 and 192.168.0.0/16.
        If Len(strSWIPCheck) = 0 Or Left(strSWIPCheck,3) = "10." Or Left(strSWIPCheck,4) = "172." Or Left(strSWIPCheck,4) = "192." Or Left(strSWIPCheck,4) = "127." Then
            strSWIPCheck = Request.ServerVariables("REMOTE_ADDR")
        End If

        ' Last fallback: the Client-IP request header.
        If Len(strSWIPCheck) = 0 Or Left(strSWIPCheck,3) = "10." Or Left(strSWIPCheck,4) = "172." Or Left(strSWIPCheck,4) = "192." Or Left(strSWIPCheck,4) = "127." Then
            strSWIPCheck = Request.ServerVariables("HTTP_CLIENT_IP")
        End If

        ' Trim a list again in case a fallback value carried one.
        If Len(strSWIPCheck) <> 0 Then
            If Len(strSWIPCheck) >= 15 Then
                If InStr(strSWIPCheck, ",") > 0 Then
                    strSWIPCheck = Left(strSWIPCheck, InStr(strSWIPCheck, ",")-1)
                ElseIf InStr(strSWIPCheck, ";") > 0 Then
                    strSWIPCheck = Left(strSWIPCheck, InStr(strSWIPCheck, ";")-1)
                ElseIf InStr(strSWIPCheck, ":") > 0 Then
                    strSWIPCheck = Left(strSWIPCheck, InStr(strSWIPCheck, ":")-1)
                End If
            End If
        End If

        ' Nothing usable: report the "Unknown" address.
        If Len(strSWIPCheck) = 0 Then
            strSWIPCheck = "0.0.0.0"
        End If
        SWIPCheck = strSWIPCheck
    End Function

The idea here is to get the same connection IP address and not the "Unknown" 0.0.0.0. Reports come in when that happens so I can debug things and look at what was going on when it stopped pulling the same IP. I've only seen this happen in a forum where an IP was included with the API. But that will be corrected if it actually is a way to spoof the API. (Not really but sounded good.)
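A stricter way to resolve the visitor address, as an added example that is not part of the XCtM code: it consults X-Forwarded-For only when REMOTE_ADDR is a proxy you operate, validates every entry, and tests the exact private ranges instead of first-octet prefixes. `TRUSTED_PROXIES`, `IsIPv4`, `IsPrivateIPv4` and `ResolveClientIP` are hypothetical names, the proxy addresses are constructed sample values, and only IPv4 is handled.

```vbscript
' Added example, not XCtM project code. TRUSTED_PROXIES is a hypothetical list
' of reverse proxies you operate; the addresses are constructed sample values.
Const TRUSTED_PROXIES = "|192.0.2.10|192.0.2.11|"

' True only for a well-formed dotted-quad IPv4 address (octets 0-255, no padding).
Function IsIPv4(s)
    Dim re
    Set re = New RegExp
    re.Pattern = "^(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}$"
    IsIPv4 = re.Test(s & "")
End Function

' Exact loopback / RFC 1918 test: 127/8, 10/8, 172.16/12 and 192.168/16.
' A bare "172." or "192." prefix test would also match public addresses.
' Call only after IsIPv4 has accepted the value.
Function IsPrivateIPv4(ip)
    Dim o
    o = Split(ip, ".")
    IsPrivateIPv4 = (o(0) = "127") Or (o(0) = "10") Or _
        (o(0) = "192" And o(1) = "168") Or _
        (o(0) = "172" And CInt(o(1)) >= 16 And CInt(o(1)) <= 31)
End Function

' REMOTE_ADDR comes from the TCP connection, not from a request header.
' X-Forwarded-For is consulted only when that connection is one of our own
' proxies, and is read right to left so that entries a client prepended are
' never reached.
Function ResolveClientIP()
    Dim remote, xff, hops, i, candidate
    remote = Trim(Request.ServerVariables("REMOTE_ADDR") & "")
    ResolveClientIP = remote
    If InStr(TRUSTED_PROXIES, "|" & remote & "|") = 0 Then Exit Function

    xff = Request.ServerVariables("HTTP_X_FORWARDED_FOR") & ""
    If Len(xff) = 0 Or Len(xff) > 256 Then Exit Function   ' absent or oversized
    hops = Split(xff, ",")
    For i = UBound(hops) To 0 Step -1
        candidate = Trim(hops(i))
        If Not IsIPv4(candidate) Then Exit Function         ' malformed: keep REMOTE_ADDR
        If InStr(TRUSTED_PROXIES, "|" & candidate & "|") = 0 Then
            ' First hop that is not ours: use it unless it is private.
            If Not IsPrivateIPv4(candidate) Then ResolveClientIP = candidate
            Exit Function
        End If
    Next
End Function
```

When the site is not behind a proxy, leave `TRUSTED_PROXIES` as `"|"` so the function always returns REMOTE_ADDR and request headers never influence the address that ban and spam decisions are keyed on.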

Now that we have the IP of our visitor, we need to identify which site this information is coming from.
The XCtM Project isn't just Spam defense but much more, so every connection to the host server requires the Remote Host Name and API Key, or the connection is dropped and the function ends.

You'll be assigned an API key after you register with the site and the forums making sure your profile lists the site you will be using the API on. Each Key is assigned to a single host but you can be grouped by your single membership account.

    Call XCtMv1_2(SWIPCheck(),"www.xtremecomputer.com",Request.ServerVariables("SCRIPT_NAME"),QueryString,FormItem,"api_key","0","0")

Script_Name / Page File Name / URL
We now need to know what page your visitor is on.
This can be anything and everything after the host name.
www.xtremecomputer.com/ "Script_Name"
Example: /test/one/two/default.asp or just /test/one/two/
This applies to standard .htm, .html, .php, .cgi, .aspx etc.
It will read what you send from the ServerVariables("SCRIPT_NAME").

    Call XCtMv1_2(SWIPCheck(),"www.xtremecomputer.com",Request.ServerVariables("SCRIPT_NAME"),QueryString,FormItem,"api_key","0","0")



So we should now have something ready to send.
www.xtremecomputer.com /default.asp

Next we want to read the QueryString if any and the Form Information if any.

You do not have to send this information if you are only using the API to monitor static or rewrite pages.
But if SQL injection comes around you'll never know. Or if someone posts a=1'a=1 in your login fields you'll never know.

But it's all good whatever you want to use the API for as long as it is for good.

Now we face the biggest issue of all.
How do you send your Query Strings when using a Query String?

I'll tell you this much. It was nearly impossible to explain to a person how it's done but it works and that's on the server side.
I offer two ways of sending query strings from the Client Side API.
You can send it as one string which is just with the Request.QueryString or you can encode it.

Now what benefits do you have using the encoded string?
Lots!
Let's say you start testing and you start making URLs 2,500 characters in length. That's one big string to mess with, but if I told you some of the best Hack strings are just short of 1,450 characters you might start thinking that's a lot of information to be sending on every page load.

So what I've included for the client side is a simple method of encoding these long strings.
You don't have to use it because the Server Side API will take unencoded or encoded information.

 
