Index_D


D

dangerous permissions, 627
data. See also DNS
caching, 625
constraining options, 264
flow, 53
privacy and integrity on the network, 399
session, 290
source names, 448, 649
tampering described, 32, 35–36
type validation, 631
validation, 78
data access. See also data access code
ASP.NET application and Web services, 579–580
assemblies, 167, 375
authentication, 379
authorization, 381–382
checklists, 717–719
code access security, 209–210
components, 393–395
configuration management, 384
configuration to ASP.NET application, 579–580
data access assemblies, 375
deployment considerations, 397–399
design considerations, 372–375
DPAPI, 374
exception management, 389–393
input validation, 376
overview, 367–368
sensitive data, 386–388
SQL injection, 376
threats and countermeasures, 368–369
validating input used for, 270
Windows authentication, 379
data access code
code review, 640–642
threats and attacks to, 369
data protection API. See DPAPI
data streams
classes, 619
validating, 170–171
data-bound controls for cross-site scripting, 273
database connections
closing, 642
code review, 640–641
data access, 391
pooling, 85
strings, 109
database servers
checklists, 729–733
configuration, 670–677
how to secure, lxix
installing certificates on, 536
methodology, 506–508
overview, 501–502
remote administration, 539–540
restricting communication, 783
security categories, 506
snapshot of ideal security for, 533–535
SQL Server installation considerations, 509–510
staying secure, 536–538
steps for securing, 511
threats and countermeasures, 502–503
databases
authenticating, 109–110
objects, 532–533
permissions, 531, 676
restricting applications in, 383
schemas and connection details, 371
securing sensitive data in, 641
date fields, 267
db_datareader, 531
db_datawriter, 531
DCOM
impersonation levels, 497
static endpoints, 492
debug compiles, 463–464
debugging ASP.NET application and Web services, 571
declarative security, 135–136
declarative security attribute, 624
DecryptionkeyProvider class, 338
default ASP.NET process account, 578
default credentials, 356
default ports, 568
DefaultCredentials, 250
delay signing, 157–158
delegates
checklists, 737
code access security, 217–218
code review, 622
described, 169–170
permission issues, 217–218
delegation, unconstrained, 301, 306–307
demand / assert pattern, 204
demands, 625
code access security, 184
denial of service attacks
ASP.NET application and Web services, 583
described, 17, 20, 22, 41
how to secure against, lxxi
network security, 407–408
remoted objects, 364
Web servers, 424
deny methods, 185
deployment
checklists, 689, 710, 719
considerations, 72
core elements of reviewing, 644
data access considerations, 397–399
Enterprise Services configurations, 314
and infrastructure of applications, 100
overview of reviewing, 643–644
problems of, xlviii
remoting, 348
secure Web services considerations, 343
serviced components considerations, 314–316
Web server configuration review, 644–651
design
checklist of considerations, 715
checklists, 690, 695, 705
data access considerations, 372–375
guidelines for applications, 97–99
remoted components considerations, 352
secure Web services considerations, 324–325
serviced components considerations, 302–303
Web application vulnerabilities issues, 71–72
Web pages and controls considerations, 260–263
design review. See architecture
detection of patch management, 748–750
developer workstations, how to secure, lxv, 765–775
development solutions, lxiv–lxviii
DFD, 53
dictionary attacks described, 30
digital signature algorithms, 179
directed broadcast traffic, 411
directory services, 210
directories
checklists, 725, 730
data server configuration, 673
vulnerabilities, 428
Web server configuration, 648–649
Web servers, 446
directory access control, 284
directory service, 210
DirectoryServicesPermission, 142, 210
requesting, 211
DirectoryServicesPermissionAttribute, 210, 211
disclosure of confidential data, 32
disclosure of configuration data
data access, 370
secure Web services, 323
DisplayCustomerInfo method, 382
dispose methods synchronization, 172, 618
distributed transaction coordinator, 102
distributed transactions, 671
Dllhost.exe, 303, 666
DLLs, 498
DNS
code access security, 213
names, 249–250
servers, 414
DnsPermission, 142, 213–214
documentation protocol, 664
domain name restrictions, 654
Domain Name System. See DNS
do's and don'ts, 728
Dotfuscator, 173
DPAPI
in AppSettings, 547
ASP.NET application and Web services, 584
to avoid key management, 288
calling from a medium trust Web application, 819–822
and CRYPTPROTECT_LOCAL_MACHINE flag, 374
data access, 374
and key management, 93
and storing secrets, 306
storing sensitive data in, 88
updating managed wrapper code, 817–819
DREAD, 63–65
DSA. See digital signature algorithm
DTC
application server, 490
application server requirements, 483–484
firewalls, 303, 318, 523
serviced components requirements, 316
dynamic port allocation, 483
dynamic SQL, 378
dynamic Web server, 457
dynamically compiled assemblies, 230



Improving Web Application Security: Threats and Countermeasures
ISBN: 0735618429
Year: 2003
Pages: 613
