Coding secure applications.

Networking/Security Forums -> Programming and More

Author: ToddK | Location: Ottawa, Canada | Posted: Fri Nov 29, 2002 3:33 pm | Post subject: Coding secure applications.
    ----
Okay, I'm a programmer who creates web applications. I'm looking for some info on how to make these apps secure. Any links or ideas?

Author: ShaolinTiger | Location: Kuala Lumpur, Malaysia | Posted: Fri Nov 29, 2002 4:26 pm | Post subject:
    ----
http://www.security-forums.com/forum/viewtopic.php?t=602 is a great start, obviously it's aimed at ASP but it carries a lot of general rules for web development.

The biggest thing to watch out for is XSS, cross site scripting vulnerabilities.

If you have any more technical questions feel free to ask, the majority of people here are more on the network side of security though.

There is an application for testing code security (buffer overflows etc) but its name slips my mind, I think there is a post on here regarding it if you have a search.

Author: Jason | Posted: Fri Nov 29, 2002 6:03 pm | Post subject:
    ----
Hello Toddk!

The most important stuff is input checking. Never assume that providing a user with an input box with maxchars set at 20 will mean that more than 20 characters could not be entered.

Eg, a malicious user could construct their own form on a local machine, but submit it to your form's "action" field, with bad data.

Whenever you are going to be displaying a user's entry on other users' screens, ie, a public comments area, make sure you turn the < and > into &lt; and &gt; respectively.

Another example is drop down boxes. You provide a set of options, but don't assume those options will be passed back to your script. CF users can do the following:

<!--- Whitelist check: accept only the values the drop-down actually offered --->
<cfif (form.example NEQ "option1") and (form.example NEQ "option2")>
    <!--- Anything else did not come from our form: reject it --->
    error message
<cfelse>
    <!--- form.example is known to be one of the expected values --->
    do actions with data
</cfif>

Sorry, I don't know PHP, but you should get the idea.

J


Last edited by Jason on Fri Nov 29, 2002 7:50 pm; edited 1 time in total
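The three checks Jason describes (server-side length limit regardless of the form's maxchars, a whitelist for drop-down values, and escaping < and > before echoing a user's text to other users) in one place, as an added Python example that is not from the thread or any project it mentions. The form field names, the allowed option values and the 20-character limit are assumptions taken from the discussion; the posted form dictionaries are constructed sample input.

```python
import html

# Assumption: the drop-down offers exactly these two values (from the CF snippet above).
ALLOWED_OPTIONS = frozenset({"option1", "option2"})
# Assumption: the input box was rendered with maxchars=20; enforce it server-side too.
MAX_COMMENT_LEN = 20


def validate_option(value):
    """Whitelist check: return the value only if it is one the form actually offered."""
    if value not in ALLOWED_OPTIONS:
        return None
    return value


def validate_comment(text):
    """Length check done on the server; the browser-side limit is not trusted."""
    if not isinstance(text, str) or not (0 < len(text) <= MAX_COMMENT_LEN):
        return None
    return text


def escape_for_html(text):
    """Turn <, >, &, and quotes into entities before displaying text on another user's page.
    html.escape also covers & and quotes, which the thread's < and > advice leaves out."""
    return html.escape(text, quote=True)


def handle_submission(form):
    """Validate a posted form (a dict of field name -> value) and prepare safe output.

    Returns {"ok": False, "errors": [...]} when a field fails, otherwise
    {"ok": True, "option": <validated option>, "comment_html": <escaped comment>}.
    """
    errors = []
    option = validate_option(form.get("example", ""))
    if option is None:
        errors.append("example: not one of the offered options")
    comment = validate_comment(form.get("comment", ""))
    if comment is None:
        errors.append("comment: missing or longer than %d characters" % MAX_COMMENT_LEN)
    if errors:
        return {"ok": False, "errors": errors}
    return {"ok": True, "option": option, "comment_html": escape_for_html(comment)}


if __name__ == "__main__":
    # Constructed sample submissions: one well-formed, one hand-built with a bad option,
    # one that ignores the browser-side length limit.
    samples = [
        {"example": "option1", "comment": "hi <b>there</b>"},
        {"example": "option9", "comment": "x"},
        {"example": "option2", "comment": "a" * 21},
    ]
    for form in samples:
        print(form, "->", handle_submission(form))
```

The escaped comment is what gets written into the page for other users; the raw text can still be stored as-is in the database, since the escaping belongs at the point of output, not of storage.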

Author: ToddK | Location: Ottawa, Canada | Posted: Fri Nov 29, 2002 6:07 pm | Post subject:
    ----
Thanks Jason.

I use Stored Procedures for everything. I think that this will keep me safe from SQL Injector attacks. Does anyone know for sure?

Author: ShaolinTiger | Location: Kuala Lumpur, Malaysia | Posted: Fri Nov 29, 2002 6:12 pm | Post subject:
    ----
I can't see how using a stored procedure over a view or anything else keeps you any safer?

It's generally just faster and more efficient, stored procedures don't intrinsically provide any protection against SQL injection.

Please correct me if I'm wrong, I'm no DBA.

Author: ToddK | Location: Ottawa, Canada | Posted: Sat Nov 30, 2002 2:21 am | Post subject:
    ----
Actually, when you call a stored procedure you have to use parameters instead of just straight text. Parameters will not allow apostrophes and hyphens to cause the SQL Injector attacks.

At least that's what I've heard. I've never really tested it.

Author: AverageJoeUser | Location: US | Posted: Wed Dec 18, 2002 9:25 pm | Post subject:
    ----
Hmmm...I would say that regardless of stored procedure use or not, you should always screen for invalid meta-characters or use the ADODB.Command.Parameter.Append as best practice...in addition to securing your base DB build and limiting user privileges, of course.

-AJ
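The point ToddK and AverageJoe are circling (it is the parameter binding, not the stored procedure as such, that keeps an apostrophe in user input from changing the SQL statement) shown side by side, as an added Python example that is not from the thread. It uses Python's built-in sqlite3 module, which has no stored procedures but does bind parameters with ? placeholders the same way ADODB parameters do; the users table and its rows are constructed for the demonstration.

```python
import sqlite3


def make_demo_db():
    """Constructed in-memory table for the example; not a real application schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("O'Brien", "user"), ("bob", "user")],
    )
    conn.commit()
    return conn


def find_user_concatenated(conn, name):
    """Vulnerable pattern: the value is pasted into the SQL text, so any quote
    character in it becomes part of the statement's syntax rather than data."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_parameterized(conn, name):
    """Safe pattern: the driver sends the value separately from the statement,
    so quotes and hyphens in it are just characters of the string being compared."""
    sql = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def compare(name):
    """Run both lookups on the same input and return (concatenated_result, parameterized_result).
    The concatenated version returns an error string when the input breaks the statement."""
    conn = make_demo_db()
    try:
        concat = find_user_concatenated(conn, name)
    except sqlite3.OperationalError as exc:
        concat = "error: %s" % exc
    param = find_user_parameterized(conn, name)
    conn.close()
    return concat, param


if __name__ == "__main__":
    # A plain name works either way; a legitimate name containing an apostrophe already
    # breaks the concatenated statement, which is the same mechanism an attacker abuses.
    for name in ("alice", "O'Brien"):
        print(repr(name), "->", compare(name))
```

A stored procedure called with concatenated text is no safer than the first function; a plain query called with bound parameters is as safe as the second. AverageJoe's other point stands independently: bind parameters and also run the application under a database account with the least privileges it needs.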


