Learning to write secure ASP script, free ebook download on programming asp from Free ITebooks

Free Ebook Computer Programming

Free Ebook Computer Programming :
Writing Secure ASP Scripts.pdf
Publisher :
Unknown
Pages :17
Format :pdf
Size :0.1 MB
Upload date :12-07-05

Table of content

Coming soon

Other HOT and Free ebooks!!

Coming Soon

This paper briefly describes several common classes of coding error generally encountered when auditing web applications running on the Active Server Pages (ASP) platform.

The paper is broken down into three broad sections, each of which addresses several common coding problems. The following is a list of the common errors that are discussed in this document, divided into three broad categories. The remainder of the document deals with each of these problems in turn. Any ASP code samples assume that the default language is VBScript, but all of the points apply equally to JavaScript. Equally, all occurrences of the SQL language assume that Microsoft SQL Server is being used as the back - end database.

Free Ebook on ASP Programming : Writing Secure ASP Scripts.pdf

Predictability and secure management of state

Web applications typically requite some way of maintaining the 'state' of a user's interaction with the application. This can manifest itself in a number of ways, and if handled poorly, is open to abuse by attackers.

Poor randomness
Applications generally have some requirement for randomness. The application may have to generate its own session identifiers, for example, or it might have to create some kind of random password.

Most 'random' number generators build into languages and libraries are based upon arithmetic 'pseudo' random number generators. A problem frequently exhibited by these generators is that they issue repeating sequences. Another common problem is that of seeding with predictable data, such as a tick count, an IP address or hostname.......more

An attacker is very likely to be able to guess the time at the server, even to millisecond resolution; often it is contained in web responses. The ICMP timestamp request is another method of obtaining the time at the server.

Predictable session identifiers
Some applications use monotonically increasing session identifiers (i.e. the first id is 1, the second 2 and so on). Some applications use the primary key of a table in a database; again, this is extremely weak and quite easy to guess, given a single valid identifier.

The reason why predictable session identifiers must be avoided is that knowledge of the session id typically grants access to the application. Once a user has passed the 'authentication' phase of an application, the session identifier is the only way the application has of verifying who is who.

Consequently, if an attacker can guess the session id of a user who is currently authenticated with the application, they will be able to interact with the application as though they were that user.

Session state manipulation bugs
This is a subtle class of problem that exploits the manipulation of the state of an application

MAIN Home What's New Links Free Programming Tutorials Free Network Tools Software Download IPOD Tools Linux Products Multimedia Tools PHP Resources Portable Software FREE EBOOK Oreilly Free Ebooks Free ebook : ASP, ASP.NET Free ebook : C, C++, C# (C Sharp) Free ebook : Flash Free Ebook : Java Free Ebook : Javascript Free ebook : Linux Free ebook : Oracle Free ebook : PHP & MySQL Free ebook : Python Free ebook : Visual Basic & Visual Basic.NET Free ebook : Web Design, Web Programming, Web Development Related Free ebook : Office, Word Processor, Spreadsheet & Related Other Free Computer and Programming Ebook Other Free Ebooks FREE EBOOK CHAPTER/SAMPLE Java ebooks General .NET ebooks C /C++ /C# ebooks Visual Basic/ Visual Basic.NET ebooks Oracle ebooks PHP/MySQL ebooks Free Web Design/ Development ebooks chapter System Administration/ Networking/ Wireless ebooks Technology ebooks FREE MAGAZINE Free Computer Magazine Free Internet Magazine Free Information Technology Magazine Free Multimedia Magazine Free Network Magazine Free Telecommunication & Wireless Magazine	Free Programming E-Books Free download ebooks on computer and programming
	Free Ebook Computer Programming Free Ebook Computer Programming : Writing Secure ASP Scripts.pdf Publisher : Unknown Pages :17 Format :pdf Size :0.1 MB Upload date :12-07-05 Table of content Coming soon Other HOT and Free ebooks!! Coming Soon This paper briefly describes several common classes of coding error generally encountered when auditing web applications running on the Active Server Pages (ASP) platform. The paper is broken down into three broad sections, each of which addresses several common coding problems. The following is a list of the common errors that are discussed in this document, divided into three broad categories. The remainder of the document deals with each of these problems in turn. Any ASP code samples assume that the default language is VBScript, but all of the points apply equally to JavaScript. Equally, all occurrences of the SQL language assume that Microsoft SQL Server is being used as the back - end database. Free Ebook on ASP Programming : Writing Secure ASP Scripts.pdf Predictability and secure management of state Web applications typically requite some way of maintaining the 'state' of a user's interaction with the application. This can manifest itself in a number of ways, and if handled poorly, is open to abuse by attackers. Poor randomness Applications generally have some requirement for randomness. The application may have to generate its own session identifiers, for example, or it might have to create some kind of random password. Most 'random' number generators build into languages and libraries are based upon arithmetic 'pseudo' random number generators. A problem frequently exhibited by these generators is that they issue repeating sequences. Another common problem is that of seeding with predictable data, such as a tick count, an IP address or hostname.......more Download free ebook : Writing_Secure_ASP_Scripts.pdf Learn How to write secure script in asp Previous free ebook Previous part of free ebook Next free ebook Next part of free ebook Some applications pick data that is not at all random for supposedly 'random' numbers. For example, it is common to use the current time, measured in seconds, as the 'secret', combine it with (say) the userid and then pass it through a hashing function such as MD5 or SHA1. The problem here is that there are only 3600 seconds in an hour. It is within the realms of possibility that an attacker can generate 3600 requests in the time that a user's session exists on the server, given that most web servers can comfortably handle several thousand requests per second. A crucial point is that hashing the data doesn't help, or more precisely, hashing a value doesn't change the amount of entropy it contains. If there is only a small amount of 'randomness' input, only a small amount of 'randomness' will be output. Competent attackers have access to session id generation code for a variety of platforms, and there are only a small number of cryptographically 'strong' hashing functions in existence. In essence, hashing doesn't win you much. An attacker is very likely to be able to guess the time at the server, even to millisecond resolution; often it is contained in web responses. The ICMP timestamp request is another method of obtaining the time at the server. Predictable session identifiers Some applications use monotonically increasing session identifiers (i.e. the first id is 1, the second 2 and so on). Some applications use the primary key of a table in a database; again, this is extremely weak and quite easy to guess, given a single valid identifier. The reason why predictable session identifiers must be avoided is that knowledge of the session id typically grants access to the application. Once a user has passed the 'authentication' phase of an application, the session identifier is the only way the application has of verifying who is who. Consequently, if an attacker can guess the session id of a user who is currently authenticated with the application, they will be able to interact with the application as though they were that user. Session state manipulation bugs This is a subtle class of problem that exploits the manipulation of the state of an application Top