I'm jumping a little late into this discussion, but I see a couple of
things which haven't been discussed.

I think you need to do protection against XSS and SQL Injection in
multiple layers.

1.) Web Server / Application Server Layer
2.) Pre-Application Execution
3.) Post User Input / Pre Query

1:

On IIS you can use the Microsoft tool URLScan for this, or the Aqtronix
Web Knight.  I believe this capability is built into IIS 6 on Win2K3,
but I haven't used it yet to know for sure.

For Apache, you should check into mod_security.  I was pretty happy when
this was released, and use it on my site.

2:

I essentially wrote a custom app which checks various scopes for various
RegExes related to XSS and SQL Injection, which are run from
Application.cfm, as well as detecting buffer overflow
attempts, etc.  If something is violated, we get an e-mail with the
details about it, and the user is redirected gracefully.

3:

Make sure you scrub all user input, including checking the Len(Trim()) of
each parameter to make sure it's not too long.  Never trust anything which
is coming in via form, url, cookie, or client variables (such as
CGI.HTTP_USER_AGENT).  And as others have mentioned, proper granular
security on databases.

This is a bit on the anal side, but the software I work with requires it.

Note that pretty much all of these solutions assume you have a decent
grasp of writing RegExes, as well as knowing how the various exploits can be
performed.

Thanks,

- Brandon

http://devnulled.com
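Added example, not code from Brandon's post or from his Application.cfm: a stand-alone Python sketch of what his layers 2 and 3 amount to. It walks every request scope (form, url, cookie, cgi), applies a small constructed set of XSS and SQL injection RegExes plus a Len(Trim())-style length ceiling, builds the alert text an e-mail would carry, and signals a graceful redirect. The second half shows the pre-query step with a bound parameter, which is what cfqueryparam does in ColdFusion. The rule set, the 255-character limit, the sample requests and the in-memory users table are all assumptions made up for the example.

```python
import re
import sqlite3
from urllib.parse import unquote_plus

# Constructed rule set (assumption). A blacklist like this is a tripwire
# that tells you someone is probing; it is not a substitute for binding
# query parameters and encoding output.
RULES = [
    ("xss", re.compile(
        r"<\s*script\b|javascript\s*:|\bon[a-z]+\s*=|<\s*iframe\b", re.I)),
    ("sqli", re.compile(
        r"('|\")\s*(or|and)\s+[\w'\"]+\s*=\s*[\w'\"]+"   # ' OR 1=1
        r"|\bunion\b[\s\S]+\bselect\b"                  # UNION ... SELECT
        r"|;\s*(drop|delete|insert|update|exec|xp_)\b"  # stacked statement
        r"|--\s*$", re.I)),                             # trailing comment
]
MAX_LEN = 255  # assumed per-parameter ceiling, the Len(Trim()) check


def scan_request(scopes, max_len=MAX_LEN):
    """Layer 2: check every parameter in every scope before the app runs.

    `scopes` maps a scope name (form, url, cookie, cgi) to its parameters.
    Returns a list of violation records; an empty list means clean.
    """
    violations = []
    for scope, params in scopes.items():
        for name, raw in params.items():
            # Decode once so %3Cscript%3E is seen as <script>, then trim.
            value = unquote_plus(str(raw)).strip()
            if len(value) > max_len:
                violations.append({"scope": scope, "param": name,
                                   "rule": "overlong",
                                   "detail": f"{len(value)} chars > {max_len}"})
            for rule, pattern in RULES:
                m = pattern.search(value)
                if m:
                    violations.append({"scope": scope, "param": name,
                                       "rule": rule,
                                       "detail": m.group(0)[:40]})
    return violations


def alert_message(violations, client_ip):
    """Body of the e-mail the admin receives when a rule fires."""
    lines = [f"Input check violation from {client_ip}:"]
    for v in violations:
        lines.append(f"  [{v['rule']}] {v['scope']}.{v['param']}: {v['detail']}")
    return "\n".join(lines)


def handle_request(scopes, client_ip, redirect_to="/index.cfm"):
    """Return ('redirect', url, alert) on a violation, else ('continue', None, None)."""
    found = scan_request(scopes)
    if found:
        return ("redirect", redirect_to, alert_message(found, client_ip))
    return ("continue", None, None)


def demo_db():
    """Constructed in-memory users table for the pre-query example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(1, "brandon"), (2, "alice")])
    return conn


def lookup_user(conn, user_id):
    """Layer 3: the value is bound, never concatenated into the SQL text,
    so a scope the scanner missed still cannot change the query."""
    row = conn.execute("SELECT name FROM users WHERE id = ?",
                       (user_id,)).fetchone()
    return row[0] if row else None


# Constructed sample requests.
CLEAN = {
    "form": {"username": "brandon", "comment": "Nice site -- see you later"},
    "cgi": {"HTTP_USER_AGENT": "Mozilla/5.0"},
}
HOSTILE = {
    "url": {"id": "7' OR 1=1 --"},
    "form": {"comment": "<script>alert(document.cookie)</script>"},
    "cookie": {"session": "A" * 3000},
    "cgi": {"HTTP_USER_AGENT": "Mozilla/4.0%3Cimg%20src=x%20onerror=alert(1)%3E"},
}

if __name__ == "__main__":
    print(handle_request(HOSTILE, "10.0.0.1")[2])
    print(lookup_user(demo_db(), "7' OR 1=1 --"))  # None: the payload is just a string
```

Two things worth noticing when you run it: the user-agent is caught only because the value is URL-decoded before matching, which is the kind of detail a RegEx-only filter silently misses, and the bound lookup returns nothing for the injected id even though no scanner was involved. The scanner earns its keep as an alarm; the bound parameter is what keeps the database honest.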