Wednesday, October 6, 2010

Securing websites from penetration tests

  1. SQL injection
    1. Use stored procedures, or parameterized dynamic SQL queries
    2. Sanitize input parameters coming from the UI before feeding them into stored procedures or dynamic SQL statements
      1. Use stored procedures wherever you can
      2. Use parameterized in-line SQL queries
      3. Make string values SQL-safe with: Replace("'","''").Replace(";","")
  2. Cross site scripting
    1. Secure cookies
    2. Set the HttpOnly flag on cookies so they are not exposed to cross site scripting
    3. HTML-encode all user input before storing it in the database
  3. Prevent file system traversal
    1. Allowing filenames containing "../.." could let an attacker traverse the file system
  4. IIS 6 vulnerabilities on file extensions
    1. Filename.asp.jpg is run as an ASP page!
    2. Keep your web servers up to date with OS patches
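As an added example (not code from the original post), the Replace-based quote-doubling rule from the SQL injection item beside the parameterized query the same item recommends, using Python's sqlite3 against a constructed in-memory table; .NET's SqlCommand parameters give the same separation of SQL text from data.

```python
import sqlite3

# Constructed in-memory sample data (not from the original post).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (name, role) VALUES (?, ?)",
                     [("alice", "admin"), ("O'Brien", "user"), ("bob", "user")])
    return conn

def sql_safe(value):
    # The post's rule: double single quotes and drop semicolons.
    # This only protects a value placed inside a quoted string literal.
    return value.replace("'", "''").replace(";", "")

def find_by_name_escaped(conn, name):
    # Dynamic SQL kept "safe" with sql_safe(); fine for a quoted string.
    sql = "SELECT name, role FROM users WHERE name = '" + sql_safe(name) + "'"
    return conn.execute(sql).fetchall()

def find_by_id_escaped(conn, user_id):
    # Numeric context: there are no quotes around the value, so sql_safe()
    # has nothing to escape and the input still becomes part of the SQL text.
    sql = "SELECT name, role FROM users WHERE id = " + sql_safe(user_id)
    return conn.execute(sql).fetchall()

def find_by_name_param(conn, name):
    # Parameterized query: the value travels as data, never as SQL text.
    return conn.execute("SELECT name, role FROM users WHERE name = ?",
                        (name,)).fetchall()

def find_by_id_param(conn, user_id):
    # Sanitize the parameter (validate its type) and then bind it.
    try:
        uid = int(user_id)
    except (TypeError, ValueError):
        return []
    return conn.execute("SELECT name, role FROM users WHERE id = ?",
                        (uid,)).fetchall()
```

Run the lookups with a name containing an apostrophe and with a non-numeric id to see that only the parameterized path behaves correctly in both contexts.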

Related Links:
  1. http://www.owasp.org/index.php/Main_Page
  2. http://msdn.microsoft.com/en-us/library/ff649310.aspx
