Hacking the Code ASP.NET Web Application Security [Electronic resources] نسخه متنی

اینجــــا یک کتابخانه دیجیتالی است

با بیش از 100000 منبع الکترونیکی رایگان به زبان فارسی ، عربی و انگلیسی

جستجو بر اساس ... همه عنوان پدیدآور موضوع یادداشت تمام متن
اصطلاحنامه مجموعه ها مرورالفبایی لغت نامه دهخدا
جستجو در لغت نامه
بیشتر
کتابخانه شخصی پرسش از کتابدار ارسال منبع

Hacking the Code ASP.NET Web Application Security [Electronic resources] - نسخه متنی

James C. Foster, Mark M. Burnett

| نمايش فراداده ، افزودن یک نقد و بررسی
افزودن به کتابخانه شخصی
میخواهم بخوانم
درحال خواندن
خوانده شده
ارسال به دوستان

آدرس پست الکترونیک گیرنده :

آدرس پست الکترونیک فرستنده :

نام و نام خانوارگی فرستنده :

پیغام برای گیرنده ( حداکثر 250 حرف ) :

کد امنیتی را وارد نمایید

ارسال
جستجو در متن کتاب
بیشتر
تنظیمات قلم

فونت

اندازه قلم

+ - پیش فرض

حالت نمایش

روز نیمروز شب
جستجو در لغت نامه
بیشتر
لیست موضوعات

Sitemap

Table of Contents

BackCover

Hacking the Code - ASP.NET Web Application Security

Chapter 1: Managing Users

Establishing User Credentials

Managing Passwords

Resetting Lost or Forgotten Passwords

Empowering Users

Coding Standards Fast Track

Code Audit Fast Track

Frequently Asked Questions

Chapter 2: Authenticating and Authorizing Users

Authenticating Users

Authorizing Users

Coding Standards Fast Track

Code Audit Fast Track

Frequently Asked Questions

Chapter 3: Managing Sessions

Maintaining State

Using ASP.NET Tokens

Enhancing ASP.NET State Management

Coding Standards Fast Track

Code Audit Fast Track

Frequently Asked Questions

Chapter 4: Encrypting Private Data

Using Cryptography in ASP.NET

Working with .NET Encryption Features

Protecting Communications with SSL

Coding Standards Fast Track

Code Audit Fast Track

Frequently Asked Questions

Chapter 5: Filtering User Input

Handling Malicious Input

Constraining Input

Limiting Exposure to Malicious Input

Coding Standards Fast Track

Code Audit Fast Track

Frequently Asked Questions

Chapter 6: Accessing Data

Securing Databases

Writing Secure Data Access Code

Coding Standards Fast Track

Code Audit Fast Track

Frequently Asked Questions

Chapter 7: Developing Secure ASP.NET Applications

Writing Secure HTML

Handling Exceptions

Coding Standards Fast Track

Code Audit Fast Track

Frequently Asked Questions

Chapter 8: Securing XML

Applying XML Encryption

Applying XML Digital Signatures

Coding Standards Fast Track

Coding Audit Fast Track

Frequently Asked Questions

Appendix A: Understanding .NET Security

Code Access Security

Role-Based Security

Security Policies

Cryptography

Security Tools

Summary

Security Fast Track

Frequently Asked Questions

Appendix B: Glossary of Web Application Security Threats

Index

Index_A

Index_B

Index_C

Index_D

Index_E

Index_F

Index_G

Index_H

Index_I

Index_J

Index_K

Index_L

Index_M

Index_N

Index_O

Index_P

Index_Q

Index_R

Index_S

Index_T

Index_U

Index_V

Index_W

Index_X

Index_Z

List of Figures

List of Tables

List of Sidebars
توضیحات
افزودن یادداشت جدید






Frequently Asked Questions

The following Frequently Asked Questions, answered by the authors of this book, are designed to both measure your understanding of the concepts presented in this chapter and to assist you with real-life implementation of these concepts. To have your questions about this chapter answered by the author, browse to and click on the form. You will alsogain access to thousands ofotherFAQs at ITFAQnet.com.












1.


Does SQL injection affect all databases or just SQL Server? Is any database more secure than another.




2.


Are there any quick black box tests I can run to see if my application is vulnerable to SQL injection?




3.


When choosing a SQL Server authentication strategy, when should I use Windows Authentication and when should I use Windows and SQL Server Authentication (mixed)?




Answers












1.


All database servers are vulnerable to SQL injection to some extent. The actual risk depends on many factors, including server features, default configuration, complexity, documentation, etc. SQL injection is more of a code issue than a database issue. If you properly filter input and follow the best practices covered in this chapter, the capabilities or vulnerabilities of the backend database should have little consequence.


2.


It is much more difficult to fully identify SQL injection vulnerabilities from the outside, they usually require a thorough code review. However, there are some checks to quickly identify SQL injection vulnerabilities. Find some form of user input, such as a web form, a query string parameter, or a cookie, and try inserting invalid characters such as a single quote or a semicolon. If you see an actual database error, chances are it is vulnerable to SQL injection. Another favorite is entering the string ‘ or 1=1-- into a web login form. Poorly written login code will sometimes accept this and log you in as the first user listed in the database.


3.


As a general rule, using Windows Authentication provides far more benefits, including a more robust authentication and authorization infrastructure, the ability to keep credentials out of connection strings, and the administrative benefits of not having to maintain a new security model (SQL Server’s native authentication and authorization mechanisms). You can simply grant SQL Server access to any Windows group(s) that need access and apply permissions accordingly. A common argument for using the mixed security model is that connection pooling is defeated when users have their own security context. Connection pooling is the ability to recycle established database connections, thus increasing connection speed for newer connections. However, in Web-based applications, it is likely that all users will share a single user context anyway when performing data access. It makes no difference from a connection pooling perspective whether the account performing the data access is a single Windows account or a native SQL Server account.


/ 96