Where the Threats Come From


The concept of security implies the presence of an enemy we're protecting ourselves against. Table 15-1 summarizes the most common types of Web attacks.

Table 15-1: Common Web Attacks

Attack                      Description
--------------------------  --------------------------------------------------------------------------------------------------------
Cross-site scripting (XSS)  Untrusted user input is echoed to the page.
Denial of service (DoS)     The attacker floods the network with fake requests, overloading the system and blocking regular traffic.
Eavesdropping               The attacker uses a sniffer to read unencrypted network packets as they are transported on the network.
Hidden-field tampering      The attacker compromises unchecked (and trusted) hidden fields stuffed with sensitive data.
One-click                   Malicious HTTP posts are sent via script.
Session hijacking           The attacker guesses or steals a valid session ID and connects over another user's session.
SQL injection               The attacker inserts malicious input that the code blissfully concatenates to form dangerous SQL commands.

The bottom line is that whenever you insert any sort of user input into the browser's markup, you potentially expose yourself to a code-injection attack (any variant of SQL injection or XSS). In addition, sensitive data should never be sent across the wire (let alone as clear text) and must be stored safely on the server.

If there is a way to write a bulletproof, tamper-resistant application, it can only be the combination of the following measures:

  • Coding practices: data validation, type and buffer length checking, and anti-tampering measures

  • Data access strategies: using roles to ensure the weakest possible account, and using stored procedures or at least parameterized commands

  • Effective storage and administration: no sending of critical data down to the client, using hash codes to detect manipulation, authenticating users and protecting identities, and applying rigorous policies for passwords
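As an added C# example (not the book's code), here are the coding-practice and data-access measures above applied to a customer search: an unsafe concatenated command beside its length-checked, parameterized replacement, plus HTML encoding when the same input is echoed back to the page. The Customers table, its columns, and the connection string are assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Web;

public static class CustomerSearch
{
    // Placeholder (assumption): in a real site the connection string lives in web.config.
    private const string ConnectionString =
        "Data Source=(local);Initial Catalog=Shop;Integrated Security=SSPI";

    // VULNERABLE (the pattern Table 15-1 calls SQL injection): the raw user value is
    // concatenated into the command text, so a quote character in the input ends the
    // string literal and whatever follows is interpreted as SQL by the server.
    public static string BuildQueryUnsafe(string nameFromUser)
    {
        return "SELECT CustomerID, CompanyName FROM Customers WHERE CompanyName = '"
            + nameFromUser + "'";
    }

    // HARDENED: validate type and length first, then send the value as a typed parameter.
    // The command text is constant; the database never parses user data as SQL.
    public static DataTable FindCustomers(string nameFromUser)
    {
        if (string.IsNullOrEmpty(nameFromUser) || nameFromUser.Length > 40)
            throw new ArgumentException("Company name must be 1 to 40 characters.", "nameFromUser");
        const string sql =
            "SELECT CustomerID, CompanyName FROM Customers WHERE CompanyName = @name";
        using (SqlConnection conn = new SqlConnection(ConnectionString))
        using (SqlCommand cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@name", SqlDbType.NVarChar, 40).Value = nameFromUser;
            DataTable result = new DataTable();
            using (SqlDataAdapter adapter = new SqlDataAdapter(cmd))
            {
                adapter.Fill(result);   // opens and closes the connection itself
            }
            return result;
        }
    }

    // Echoing input back to the page (the XSS row): HTML-encode it so any markup the
    // user typed is displayed as literal text instead of being interpreted by the browser.
    public static string RenderSearchHeading(string nameFromUser)
    {
        return "<h2>Results for " + HttpUtility.HtmlEncode(nameFromUser) + "</h2>";
    }
}
```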

As you can see, a secure application can result only from the combined efforts of developers, architects, and administrators. Don't imagine that you can get it right otherwise.

Programming Microsoft ASP.NET 2.0 Core Reference
ISBN: 0735621764
Year: 2004
Pages: 112
Authors: Dino Esposito
