<p>That's a stunningly thought-provoking question, and I'm surprised that you haven't received better answers.</p>
<h2>Summary</h2>
<p>Everything you would do for an external-facing application, and then some.</p>
<h2>Thought Process</h2>
<p>If I'm understanding you correctly, then you are asking a question which <em>very</em> few developers are asking themselves. Most companies have poor defence in depth, and once an attacker is in, he's in. Clearly you want to take it up a level.</p>
<p>So, what kind of attack are we thinking about?<br>
If I'm the attacker and I'm attacking your intranet application, then I must have got access to your network somehow. This may not be as difficult as it sounds - I might try spearphishing (targeting email to individuals in your organisation, containing either malware attachments or links to sites which install malware) to get a trojan installed on an internal machine.</p>
<p>Once I've done this (and got control of an internal PC), I'll try all the same attacks I would try against any internet application.</p>
<p>However, that's not the end of the story. I've got more options: if I've got one of your users' PCs, then I might well be able to use a keylogger to gather usernames and passwords, as well as watching all your email for names and phone numbers.<br>
Armed with these, I may be able to log into your application directly. I may even learn an admin username/password. Even if I don't, a list of names and phone numbers along with a feel for company lingo gives me a decent shot at socially engineering my way into wider access within your company.</p>
<h2>Recommendations</h2>
<ul>
  <li>First and foremost, before all technical solutions: <strong>TRAIN YOUR USERS IN SECURITY</strong></li>
</ul>
<p>The common answers to securing a web app:</p>
<ul>
  <li>Use multi-factor authentication
    <ul><li>e.g. username/password and some kind of pseudo-random number gadget.</li></ul>
  </li>
  <li>Sanitise all your input.
    <ul><li>to protect against cross-site scripting and SQL injection.</li></ul>
  </li>
  <li>Use SSL (otherwise known as HTTPS).
    <ul><li>this is a pain to set up (EDIT: actually that's improving), but it makes for much better security.</li></ul>
  </li>
  <li>Adhere to the principles of "Segregation of Duties" and "Least Privilege"
    <ul><li>In other words, by ensuring that all users have only the permissions they need to do their jobs (and nobody else's jobs) you make sure they have the absolute minimum ability to do damage.</li></ul>
  </li>
</ul>