tags:

views:

61

answers:

6
+1  Q: 

How to ensure website security checks

Hi;

How to safe gaurd a form against script injection attacks. This is one of the most used form of attacks in which attacker attempts to inject a JS script through form field. The validation for this case must check for special characters in the form fields. Look for suggestions, recommedations at internet/jquery etc for permissible characters & character masking validation JS codes.

+1  A: 

You can use the HTML Purifier (in case you are under PHP or you might have other options for the language you are under) to avoid XSS (cross-site-scripting) attacks to great level but remember no solution is perfect or 100% reliable. This should help you and always remember server-side validation is always best rather than relying on javascript which bad guys can bypass easily disabling javascript.

For SQL Injection, you need to escape invalid characters from queries that can be used to manipulate or inject your queries and use type-casting for all your values that you want to insert into the database.

See the Security Guide for more security risks and how to avoid them. Note that even if you are not using PHP, the basic ideas for the security are same and this should get you in a better position about security considerations.

Sarfraz  2010-02-16 04:34:26
A: 

ASP.NET has a feature called Request Validation that will prevent unencoded HTML from being processed by the server. For extra protection, one can use the AntiXSS library.

cxfx  2010-02-16 04:40:07
is he under asp? how did you know that?
Sarfraz  2010-02-16 04:43:09
if request validation is ON than asp.net throws a yellow page which is not a best approach. Either use some library to handle XSS or write your own.
Adeel  2010-02-16 04:44:25
Don't know, we've got ASP.NET and PHP covered, what are the odds he's using Cold Fusion... :)
cxfx  2010-02-16 04:46:25
@Adeel yes, if a suspicious request is detected a HttpRequestValidationException is thrown. This is great because you've then got the option to log it and take appropriate action, without it passing unnoticed. You'll only get a YSOD if you're not handling your exceptions or using custom error pages.
cxfx  2010-02-16 04:50:10
A: 

you can prevent script injection by encoding html content like

Server.HtmlEncode(input)

Adeel  2010-02-16 04:41:27
A: 

There is the OWASP EASPI too.

mlaverd  2010-02-16 05:13:27
+1  A: 
mar  2010-02-16 05:22:31
+1  A: 

Probably the best reference for this is at the OWASP XSS Prevention Cheat Sheet

Cheekysoft  2010-02-16 12:34:36

related questions

Encryption in C# Web-Services
How Do You Secure database.yml?
ASP.NET LocationProvider
What do you (or your company) use for wiping a machine?
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
Java: What is the best way to SFTP a file from a server
How do I call a Flex SWF from a remote domain using Flash (AS3) ?
Best way to store a database password in a startup script / config file?
Using VM to get around VPN restrictions
Best references for secure coding practices in ASP.NET and classic ASP.
Secure Memory Allocator in C++
Resolving Session Fixation in JBoss
Best Practices for securing a REST API / web service
Defensive programming
Personal Linux web server
Block user access to internals of a site using HTTP_REFERER
Is there an Unobtrusive Captcha for web forms?
My website got hacked... What should I do?
What all do I need to escape when sending a (My)SQL query?
How do you disable browser Autocomplete on web form field / input tag?
Best .NET obfuscation tools/strategy
Are there best practices for testing security in an Agile development shop?
What is the best way to avoid SQL injection attacks?
Found a critical bug, but the company doesn't care
PHP Session Security