Cross-Site Scripting
Normal execution
Cross-Site Scripting
Persistent attack:
1. C posts a message with a malicious payload to a social network.
2. When B (host) reads the message, C's XSS steals B's cookie.
3. C can now hijack B's session and impersonate B.
- Check that ASP.NET request validation is enabled
- Review ASP.NET code that generates HTML output
- Review potentially dangerous HTML tags and attributes
- Use trusted and proven standard algorithms for encryption
- Do not store secrets (passwords/keys) in code
- Use the aspnet_regiis tool to encrypt configuration settings
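The slides describe the attack and list ASP.NET countermeasures but show no code. The following is an added example, not from the original slides: it uses Python rather than ASP.NET to show the language-independent part of the "review code that generates HTML output" item, namely output encoding. The stored message, the `render_*` helpers, the `review_findings` reviewer aid and the `session_cookie_header` helper are all constructed for this illustration.

```python
import html
import re

# Constructed sample: the kind of message C would post in the persistent
# (stored) XSS scenario above. Hypothetical payload, not taken from the page.
STORED_MESSAGE = (
    "Hi all! <script>alert(document.cookie)</script> "
    "<b onmouseover=\"alert(1)\">hover</b>"
)


def render_unsafe(message: str) -> str:
    """'Before' form: untrusted text is concatenated straight into HTML,
    so any tags in the message are emitted as live markup."""
    return f"<div class='post'>{message}</div>"


def render_safe(message: str) -> str:
    """Hardened form: encode for the HTML body context before output.

    quote=True also encodes ' and ", so the same encoder is safe when the
    value is placed inside a quoted attribute value.
    """
    return f"<div class='post'>{html.escape(message, quote=True)}</div>"


# Reviewer aid for the "review potentially dangerous HTML tags and
# attributes" item: flags executable tags and on* event handlers that appear
# as real markup in the HTML a page is about to emit. It is a review helper,
# not a sanitizer; the fix is encoding, as in render_safe().
DANGEROUS_TAG = re.compile(r"<\s*/?\s*(script|iframe|object|embed|svg)\b", re.I)
EVENT_HANDLER = re.compile(r"<[^>]*?\s(on[a-z]+)\s*=", re.I)


def review_findings(rendered_html: str) -> list:
    findings = []
    for m in DANGEROUS_TAG.finditer(rendered_html):
        findings.append(f"tag:{m.group(1).lower()}")
    for m in EVENT_HANDLER.finditer(rendered_html):
        findings.append(f"attr:{m.group(1).lower()}")
    return findings


def session_cookie_header(session_id: str) -> str:
    """Defence in depth for step 2 of the attack: HttpOnly keeps the session
    cookie out of document.cookie even if a script does run; Secure restricts
    it to HTTPS. Cookie name and attributes are illustrative."""
    return f"Set-Cookie: session={session_id}; HttpOnly; Secure; SameSite=Lax; Path=/"


if __name__ == "__main__":
    print(render_unsafe(STORED_MESSAGE))
    print(review_findings(render_unsafe(STORED_MESSAGE)))
    print(render_safe(STORED_MESSAGE))
    print(review_findings(render_safe(STORED_MESSAGE)))
    print(session_cookie_header("constructed-session-id"))
```

Run as a script, the unsafe rendering shows the script tag and the event handler as live markup and the reviewer aid flags both; the safe rendering contains only `&lt;script&gt;` text and produces no findings.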
Authorization Issues
SQL Injection
User input without sufficient validation is used to build and execute a dynamic SQL statement, so the user can manipulate the SQL statement that gets executed.
SQL Injection
Normal execution
SQL Injection
If you use a parameters collection, input is treated as a literal value, and SQL Server does not treat it as executable code.
* Use an account that has restricted permissions in the database: ideally, grant execute permissions only on selected stored procedures and provide no direct table access.
* Avoid disclosing database error information: in the event of database errors, make sure you do not disclose detailed error messages to the user.
A database error otherwise leads to a crash whose verbose message is displayed to the user. You can display a different message in the case of an exception or in a particular scenario, instead of the verbose message shown by the crash.
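The three SQL injection points above (dynamic SQL built from raw input, the parameters collection, and not leaking database errors) in one added example. It is not code from the original slides and uses Python's `sqlite3` in place of SQL Server so that it runs offline; the `users` table, the sample rows, the function names and the `PRAGMA query_only` stand-in for a restricted database account are all constructed for this illustration.

```python
import logging
import sqlite3

logging.basicConfig(level=logging.WARNING)
log = logging.getLogger("db")


def make_db() -> sqlite3.Connection:
    """Constructed in-memory sample database (not from the slides)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pw TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    conn.commit()
    return conn


def login_unsafe(conn: sqlite3.Connection, name: str, pw: str) -> bool:
    """'Before' form: dynamic SQL built from raw input. The input becomes part
    of the statement text, so the user can change what is executed."""
    sql = f"SELECT COUNT(*) FROM users WHERE name = '{name}' AND pw = '{pw}'"
    return conn.execute(sql).fetchone()[0] > 0


def login_safe(conn: sqlite3.Connection, name: str, pw: str) -> bool:
    """Hardened form: a parameters collection. Each input is bound as a
    literal value and the database never treats it as executable SQL."""
    sql = "SELECT COUNT(*) FROM users WHERE name = ? AND pw = ?"
    return conn.execute(sql, (name, pw)).fetchone()[0] > 0


def login_with_safe_errors(conn: sqlite3.Connection, name: str, pw: str):
    """Never hand the database's own error text to the user: log the detail
    server-side and return a generic message instead. Returns (ok, message)."""
    try:
        return login_safe(conn, name, pw), "ok"
    except sqlite3.Error as exc:
        log.warning("database error during login: %s", exc)
        return False, "Login failed. Please try again later."


def restricted_connection(conn: sqlite3.Connection) -> sqlite3.Connection:
    """Stand-in for 'an account with restricted permissions': this connection
    may only read. In a real deployment the application login would be granted
    EXECUTE on chosen stored procedures and no direct table access."""
    conn.execute("PRAGMA query_only = 1")
    return conn


def can_write(conn: sqlite3.Connection) -> bool:
    """True if the connection is allowed to modify the users table."""
    try:
        conn.execute("DELETE FROM users")
        conn.rollback()
        return True
    except sqlite3.OperationalError:
        return False


if __name__ == "__main__":
    db = make_db()
    # Constructed injection string: the classic always-true tail (not from the page).
    tail = "x' OR '1'='1"
    print("unsafe login with injected password:", login_unsafe(db, "alice", tail))
    print("safe login with injected password:  ", login_safe(db, "alice", tail))
    print("safe login with real password:      ", login_safe(db, "alice", "s3cret"))
    # Error path against a database with no users table: generic message only.
    print(login_with_safe_errors(sqlite3.connect(":memory:"), "alice", "s3cret"))
    print("restricted account can write:", can_write(restricted_connection(make_db())))
```

The dynamic-SQL version accepts the injected password because the quote closes the literal and the rest becomes part of the WHERE clause; the parameterised version compares the whole string as a literal and rejects it. The error path logs the SQLite message and returns only a generic string to the caller.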
Other Bugs
Range check: The range of all similar fields should be uniform, e.g. the phone/mobile number fields.
Back button: Sometimes the Back button on a page causes user data to be revealed or altered, which is very serious in the case of transactions or user information.
Bug repetition: Once a bug type has been resolved, the same bug should not recur. For example, the hotel rule was not being updated properly at an earlier time, but after a patch the issue was noticed again.
Session expiry: The session expiry time is also non-uniform.
Uniformity of error messages: The error message displayed should be uniform in terms of its location and type.
Scrollbar: If the input value for a particular field is large, a scrollbar should be present so that the page UI is not affected.
Feedback / QnA