
Monday, August 13, 2007

Web Application Security

Web applications are at great risk because most of them are reachable by anyone with internet access. They are often compromised by script exploits.

Most script exploits require the application to accept malicious input and inject it into a page where it is executed on the server or in the client browser. The potential damage from such an exploit depends on the script that is executed (taking over a system, installing malware, deleting data, and so on).

The primary defense against script exploits is to never trust information obtained from users. This applies to both incoming and outgoing user data (data written to and data pulled from the database).

There are many things a developer can do to protect an application against script exploits. Data input by users should always be validated. Form elements should be HTML-encoded. Dynamic SQL may be flexible, but it can compromise your data. Prefer parameterized queries to SQL statements built by string concatenation.

In this simple example:

"Select * From Customers where LastName = " & txtLastName.Value

A malicious user who knows something about databases could turn that SQL statement into:

Select * From Customers Where LastName = 'a'; Delete From Customers Where LastName > ''

When that statement executes, the database is compromised.
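The parameterized alternative in classic ASP, as an added example that is not part of the original post: the query is sent with a placeholder and the value is bound through an ADODB.Command parameter, so the injected text above is compared as a literal last name rather than executed as SQL. The connection string, the Customers table and the txtLastName form field are assumptions, and the input is validated and HTML-encoded on output as the post recommends.

```vbscript
<%
' Added example: parameterized query in classic ASP using ADODB.
' ADO constants, declared here in case adovbs.inc is not included.
Const adCmdText = 1
Const adVarChar = 200
Const adParamInput = 1

Dim conn, cmd, rs, lastName
' Untrusted input: whatever the user typed, including "'a'; Delete From Customers ..."
lastName = Request.Form("txtLastName")

' Validate before use: the parameter is declared as varchar(50) below,
' so reject empty values and anything longer than the column allows.
If Len(lastName) = 0 Or Len(lastName) > 50 Then
    Response.Write "Invalid last name."
    Response.End
End If

' Connection string is a placeholder; replace it with your own.
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open "Provider=SQLOLEDB;Data Source=(local);Initial Catalog=Northwind;Integrated Security=SSPI;"

Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
' The ? is a placeholder; the user's value is never concatenated into the SQL text.
cmd.CommandText = "SELECT * FROM Customers WHERE LastName = ?"
cmd.Parameters.Append cmd.CreateParameter("LastName", adVarChar, adParamInput, 50, lastName)

Set rs = cmd.Execute
Do While Not rs.EOF
    ' HTML-encode database values before writing them to the page.
    Response.Write Server.HTMLEncode(rs("LastName") & "") & "<br>"
    rs.MoveNext
Loop

rs.Close
Set rs = Nothing
Set cmd = Nothing
conn.Close
Set conn = Nothing
%>
```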

It is very important to understand how users and their data interact with your application. That way you can better protect your data, application and users from script exploits.
For more information on how to protect your web application see Basic Security Practices for Web Applications.

Friday, June 8, 2007

File System Object

The FileSystemObject object library, which is part of the Microsoft Scripting Runtime library (Scrrun.dll), provides an object-oriented approach to directory and file manipulation. For instance, creating and deleting system folders is one common task your code will need to perform. Naturally, before you attempt to either create or delete a folder, your procedure will want to determine whether it exists. The FileSystemObject library provides the perfect solution.

First, you'll need to set a project reference to the Scrrun.dll. The FileSystemObject is the top-level object within the file hierarchy, and you create an instance of it just like you would with any other object variable:

VB6

Dim oFSO As Scripting.FileSystemObject
Set oFSO = New Scripting.FileSystemObject

ASP

Set oFSO = Server.CreateObject("Scripting.FileSystemObject")

The FolderExists() method returns True if the folder exists and False if not. The CreateFolder() and DeleteFolder() methods create and delete folders respectively. All three of these methods require the full path to the folder in question. The following code shows how to use these methods (assuming you've set a reference to the Microsoft Scripting Runtime library):

' Create the folder only if it does not already exist
If Not oFSO.FolderExists("C:\Test") Then
    Call oFSO.CreateFolder("C:\Test")
End If
' Remove the folder again and release the object
Call oFSO.DeleteFolder("C:\Test")
Set oFSO = Nothing