6. Type of Attack
Cross-site Scripting / XSS Flaws
SQL Injection
Buffer Overflow
Directory Traversal
Error message interception attack
Web.config
etc.
7. Cross-site Scripting / XSS Flaws
Typically found in web applications that allow malicious users to inject code into the web pages viewed by other users.
JavaScript is commonly used.
During an attack "everything looks fine" to the end user.
<script> </script>
Countermeasure:
Validate all your sources.
Filter script output.
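An added Python example (not from the original slides) that puts the two countermeasures side by side: output encoding with html.escape so an injected script tag is shown as text rather than executed, and an allow-list check on an input that should only ever be a short token. The comment string, the username pattern and all function names are constructed for the demonstration.

```python
import html
import re

# Constructed sample input: a comment a user submitted to the page. It carries the
# kind of <script> tag the slide warns about.
USER_COMMENT = '<script>alert("xss")</script> Nice article!'


def render_comment_unsafe(comment: str) -> str:
    # Vulnerable pattern: untrusted text is dropped straight into the HTML, so a
    # script tag inside it is executed by every browser that views the page.
    return f'<div class="comment">{comment}</div>'


def render_comment_safe(comment: str) -> str:
    # Countermeasure "filter script output": encode the HTML metacharacters so the
    # browser displays the text as data instead of interpreting it as markup.
    return f'<div class="comment">{html.escape(comment, quote=True)}</div>'


def valid_username(value: str) -> bool:
    # Countermeasure "validate all your sources": an allow-list check for a field
    # that is only ever expected to hold a short alphanumeric token. Anything
    # containing <, >, quotes or spaces is rejected before it is stored.
    return re.fullmatch(r"[A-Za-z0-9_]{3,20}", value) is not None


def contains_script_tag(rendered: str) -> bool:
    # Helper used to show the difference between the two renderers.
    return re.search(r"<script\b", rendered, re.IGNORECASE) is not None


if __name__ == "__main__":
    print("unsafe:", render_comment_unsafe(USER_COMMENT))
    print("safe:  ", render_comment_safe(USER_COMMENT))
    print("username '<script>' accepted?", valid_username("<script>"))
```

Encoding at output time is what protects the viewer; validating at input time limits what gets stored in the first place. Both are needed because data reaches a page from many sources, not only the form the developer had in mind.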
8. SQL Injection
SQL used to manipulate the database's data.
Executed from the address bar, queries or searches.
SELECT fieldlist FROM table WHERE field = '$EMAIL';
With $EMAIL set to anything' OR 'x'='x the query becomes:
SELECT fieldlist FROM table WHERE field = 'anything' OR 'x'='x';
Countermeasure:
Check user input.
Validate and sanitize user input that is passed to the database.
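An added Python example (not from the original slides) that runs the slide's two queries against a constructed in-memory SQLite table. The string-built query returns every row when the value anything' OR 'x'='x is supplied; the parameterised version treats the same value as a literal email address and returns nothing. A shape check on the input is shown as the second layer. Table name, columns, rows and function names are all constructed for the demonstration.

```python
import re
import sqlite3
from typing import List, Tuple

# The value of $EMAIL from the slide, as an attacker would supply it.
INJECTED_VALUE = "anything' OR 'x'='x"


def build_demo_db() -> sqlite3.Connection:
    # Constructed in-memory table standing in for the slide's "table" / "fieldlist".
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT, name TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice@example.com", "Alice"),
         ("bob@example.com", "Bob"),
         ("carol@example.com", "Carol")],
    )
    return conn


def lookup_unsafe(conn: sqlite3.Connection, email: str) -> List[Tuple[str, str]]:
    # Vulnerable: $EMAIL is pasted into the SQL text exactly as on the slide, so the
    # quote in the value closes the string and the OR clause becomes part of the query.
    sql = f"SELECT email, name FROM users WHERE email = '{email}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, email: str) -> List[Tuple[str, str]]:
    # Countermeasure: a parameterised query. The driver sends the value separately
    # from the SQL text, so quotes inside it can never change the statement.
    return conn.execute("SELECT email, name FROM users WHERE email = ?", (email,)).fetchall()


def looks_like_email(value: str) -> bool:
    # "Check user input": a simple allow-list shape check applied before the value
    # is allowed anywhere near the database. It is a complement to, not a
    # replacement for, parameterised queries.
    return re.fullmatch(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}", value) is not None


if __name__ == "__main__":
    db = build_demo_db()
    print("unsafe lookup rows:", lookup_unsafe(db, INJECTED_VALUE))
    print("safe lookup rows:  ", lookup_safe(db, INJECTED_VALUE))
    print("input accepted?    ", looks_like_email(INJECTED_VALUE))
```

Escaping quotes by hand is not a substitute for parameters: the database driver knows the exact quoting rules of the server, and the application code usually does not.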
9. Buffer Overflow
Occurs when a process stores data in a buffer outside the memory the programmer set aside for it.
Countermeasure:
Validate input length.
Check, and take extra care with, loops that copy data.
10. Directory Traversal
Attacker is able to browse directories and files.
Exposes the directory structure of the application and often the underlying web server and operating system.
E.g. "../Images/logo.gif"
Countermeasure:
Define access rights to the protected area.
Apply checks/hot fixes.
Update the web server with patches in a timely manner.
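An added Python example (not from the original slides) of the "apply checks" countermeasure: a client-supplied relative path is joined to the web root, canonicalised so that "../" segments are collapsed, and then accepted only if the result is still inside the root. The web root and the request strings are constructed; the function names are assumptions for this demonstration.

```python
import os
from typing import Optional


def resolve_under_root(web_root: str, requested: str) -> Optional[str]:
    """Map a client-supplied relative path to a file under web_root.

    Returns the canonical absolute path, or None when the request would
    escape the web root (for example via "../").
    """
    root = os.path.realpath(web_root)
    # Strip leading separators so os.path.join cannot be turned into an absolute
    # path by the caller, then canonicalise to collapse ".." and symlinks.
    candidate = os.path.realpath(os.path.join(root, requested.lstrip("/\\")))
    try:
        # commonpath compares whole path components, so a root of /srv/site does
        # not accidentally accept /srv/site2/... the way a plain startswith would.
        inside = os.path.commonpath([root, candidate]) == root
    except ValueError:  # paths on different drives (Windows)
        inside = False
    return candidate if inside else None


def is_traversal(web_root: str, requested: str) -> bool:
    # Convenience wrapper for logging or rejecting a request outright.
    return resolve_under_root(web_root, requested) is None


if __name__ == "__main__":
    root = "/srv/demo_site"  # constructed web root; it need not exist for the check
    for req in ["Images/logo.gif",
                "../Images/logo.gif",
                "Images/../../secret.txt",
                "/Images/../Images/logo.gif"]:
        print(f"{req!r:32} -> {resolve_under_root(root, req)}")
```

The check is done on the canonical path, not on the raw string, so encodings and mixed separators that later normalise to ".." are caught as well. File-system permissions on the protected area (the slide's first countermeasure) remain the backstop if the application check is bypassed.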
11. Error Message Attack
Based on the error messages that are shown.
Example:
Your password is incorrect.
Connecting to the database on ……. with ….. is not successful.
Countermeasure:
Modify and display a common (generic) error message.
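An added Python example (not from the original slides) of the countermeasure for both messages on the slide: a login routine that returns the same generic text whether the username is unknown or the password is wrong, and an error handler that logs the full exception server-side while the user sees only a generic message with an opaque reference id. The credential store, log names and message strings are constructed for the demonstration.

```python
import hmac
import logging
import uuid
from typing import Tuple

log = logging.getLogger("app")

# Constructed credential store; a real one would hold salted password hashes.
USERS = {"alice": "correct horse battery staple"}

GENERIC_LOGIN_FAILURE = "Invalid username or password."
GENERIC_SERVER_ERROR = "The service is temporarily unavailable. Reference: {ref}"


def login(username: str, password: str) -> Tuple[bool, str]:
    """Return (success, message_for_user).

    The same message is returned whether the username is unknown or the
    password is wrong, so the response does not confirm which accounts exist.
    The precise reason goes to the server log only.
    """
    stored = USERS.get(username)
    if stored is None:
        log.info("login failed: unknown user %r", username)
        return False, GENERIC_LOGIN_FAILURE
    if not hmac.compare_digest(stored.encode(), password.encode()):
        log.info("login failed: bad password for %r", username)
        return False, GENERIC_LOGIN_FAILURE
    return True, "Welcome."


def user_facing_error(exc: Exception) -> str:
    """Log the full exception server-side and hand the user a generic message
    that carries only a reference id support staff can look up in the log."""
    ref = uuid.uuid4().hex[:8]
    log.error("ref=%s %s: %s", ref, type(exc).__name__, exc)
    return GENERIC_SERVER_ERROR.format(ref=ref)


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    print(login("alice", "wrong")[1])
    print(login("nobody", "wrong")[1])
    try:
        # Constructed failure resembling the slide's database error.
        raise ConnectionError("Connecting to the database on db-host.example with user myUsername failed")
    except ConnectionError as e:
        print(user_facing_error(e))
```

Keep the detailed text in the log, never in the HTTP response, and make sure framework debug pages and stack traces are disabled in production as well, since they leak the same host names and account names.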
12. Web.config
Connection string information
Example:
Data Source=190.190.200.100,1433;Network Library=DBMSSOCN;Initial Catalog=myDataBase;User ID=myUsername;Password=myPassword;
Countermeasure:
Encrypt your web.config:
aspnet_regiis.exe -pef "connectionStrings" "C:\Inetpub\wwwroot\MySite" -prov "DataProtectionConfigurationProvider"