[Apachebenchmark-sans-t4] Microsoft Tips on Avoiding Web App Intrusions
From: <mic...@us...> - 2003-11-19 05:08:18
Asp.net has slides from the "Whidbey/ASP.NET v 2.0" presentations given at the 2003 Microsoft Professional Developer Conference.
http://asp.net/whidbey/pdc.aspx?tabindex=0&tabid=1

Among the presentations is one that is related to our course materials. Here's the write up from asp.net:

*****
ASP.NET: Security Best Practices to Protect Against Hacker Attacks
Drill down on techniques used by hackers to attack web applications, and how developers can protect against them with existing ASP.NET web applications. Leave with a checklist of security best practices to follow that will help bullet-proof your applications.
Download Slides
Download Demos
http://asp.net/whidbey/downloads/WSV400_olson_Slides.zip
http://asp.net/whidbey/downloads/wsv400_olson_Demos.zip
*****

One of the hints not in the course materials for preventing SQL injection is to use parameterized stored procedures and/or queries. We use them, and the attack mentioned in the course example using fred'; drop table xxxx; -- failed to work on a test server. Slide 8 gives a good example of a SQL injection that is a lot different than the course materials. Also gives an example of using salted hashes (MS thinking like Unix).

Lots of good nuggets in this MS presentation and some good links to additional resources.

*****

More emphasis on security and better programming this time around. Still, I suspect that some of the new features being promoted will be watched closely for future exploit potential. Out-of-band data callbacks and bi-directional databinding look like interesting areas for study.

Mike
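The point Mike makes about parameterized queries, shown as an added example that is not part of the original post or of the Microsoft slides: the same `fred'; drop table ...; --` input is run once through a query built by string concatenation and once through a parameterized query. The example uses Python's standard `sqlite3` module and an in-memory database with a constructed `users` table standing in for the post's placeholder `xxxx`; stored procedures are not demonstrated because SQLite has none, but the parameter-binding behaviour is the same one a parameterized stored procedure gives you.

```python
import sqlite3

# The input from the post, with the placeholder table name replaced by the
# constructed table used here. It closes the string literal, appends a second
# statement, and comments out the rest of the original query.
MALICIOUS_NAME = "fred'; drop table users; --"


def make_db() -> sqlite3.Connection:
    """Constructed in-memory database with a small users table (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("fred", "user"), ("alice", "admin")],
    )
    conn.commit()
    return conn


def table_exists(conn: sqlite3.Connection) -> bool:
    """Report whether the users table survived the query that was just run."""
    row = conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name = 'users'"
    ).fetchone()
    return row is not None


def lookup_concat(conn: sqlite3.Connection, name: str) -> bool:
    """Vulnerable form: the user-supplied name is pasted into the SQL text.

    executescript() is used deliberately so that SQLite behaves like a driver
    that accepts a batch of statements in one call (as SQL Server does, which is
    what the post's attack string relies on); sqlite3's execute() only accepts a
    single statement and would otherwise hide the problem by raising an error.
    Returns whether the users table still exists afterwards.
    """
    sql = "SELECT name, role FROM users WHERE name = '" + name + "';"
    conn.executescript(sql)
    return table_exists(conn)


def lookup_param(conn: sqlite3.Connection, name: str) -> list:
    """Safe form: the name is bound as a parameter, never parsed as SQL.

    The whole attack string is compared, as one literal value, against the name
    column. No row matches, and the DROP TABLE is never executed.
    """
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


def demo() -> dict:
    """Run both forms against fresh databases and collect the outcomes."""
    vulnerable = make_db()
    survived_concat = lookup_concat(vulnerable, MALICIOUS_NAME)

    safe = make_db()
    rows_for_attack = lookup_param(safe, MALICIOUS_NAME)
    survived_param = table_exists(safe)
    rows_for_fred = lookup_param(safe, "fred")

    return {
        "table_survived_concat": survived_concat,   # False: table was dropped
        "table_survived_param": survived_param,     # True: parameter was inert
        "rows_for_attack": rows_for_attack,         # []: no name equals the string
        "rows_for_fred": rows_for_fred,             # [("fred", "user")]
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The contrast to look for is in the two `table_survived_*` values: concatenation lets the input change the shape of the statement, while binding fixes the statement shape before any user data is seen, so the input can only ever be a value. The same property is what makes parameterized stored procedures effective; a stored procedure that itself builds dynamic SQL from its arguments (for example via `EXEC` of a concatenated string) loses that property and is no safer than the concatenated query.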