
<p>What are your must-have defence methods for common web attacks like <strong>XSS</strong>, <strong>SQL Injection</strong>, <strong>Denial of Service</strong>, etc.?</p>
<p><strong>Edit:</strong> I collected your responses under descriptions from <a href="http://en.wikipedia.org/" rel="nofollow noreferrer">Wikipedia</a>. And I added some extra questions to have a complete reference.</p>
<blockquote>
<p><strong>SQL Injection</strong></p>
<p>SQL injection is a code injection technique that exploits a security vulnerability occurring in the database layer of an application. The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and thereby unexpectedly executed. It is an instance of a more general class of vulnerabilities that can occur whenever one programming or scripting language is embedded inside another.</p>
</blockquote>
<ul>
<li>Do not trust user input and validate it as early as possible.</li>
<li>Don't build SQL from raw user input - use parameters instead.</li>
</ul>
<blockquote>
<p><strong>Cross Site Scripting (XSS)</strong></p>
<p>Cross-site scripting is a type of computer security vulnerability typically found in web applications which allow code injection by malicious web users into the web pages viewed by other users. Examples of such code include HTML code and client-side scripts. An exploited cross-site scripting vulnerability can be used by attackers to bypass access controls such as the same origin policy.</p>
</blockquote>
<ul>
<li>Never output or execute user-submitted content verbatim.</li>
<li>HTML-encode all output.</li>
</ul>
<blockquote>
<p><strong>A denial-of-service attack</strong></p>
<p>A denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS attack) is an attempt to make a computer resource unavailable to its intended users. Although the means to carry out, motives for, and targets of a DoS attack may vary, it generally consists of the concerted, malevolent efforts of a person or persons to prevent an Internet site or service from functioning efficiently or at all, temporarily or indefinitely.</p>
</blockquote>
<p>I know it seems impossible to avoid denial-of-service attacks programmatically, but what do you think?</p>
<blockquote>
<p><strong>Brute Force Attacks</strong></p>
<p>In cryptanalysis, a brute force attack is a method of defeating a cryptographic scheme by systematically trying a large number of possibilities; for example, a large number of the possible keys in a key space in order to decrypt a message. In most schemes, the theoretical possibility of a brute force attack is recognized, but it is set up in such a way that it would be computationally infeasible to carry out.</p>
</blockquote>
<ul>
<li>Lock an account whenever too many login attempts have gone wrong. Never allow unlimited retries.</li>
<li>Add a delay when the password typed in is wrong.</li>
</ul>
<p><strong>Some extra questions:</strong></p>
<ul>
<li><p>What do you think about web robots that try to post inputs according to your content? For example, SO is using image validation.</p></li>
<li><p>What do you think about the JavaScript <strong>eval</strong> function?</p></li>
<li><p>Is there a way to access content on the server which isn't exposed to the outside? For example, I have a page that inserts some important records into my db, and only I know its URL. Is there a way to get this kind of file? I know you can set some security rules over it.</p></li>
</ul>
<p>(<strong>NOTE:</strong> Directory listing is disabled and I host these files.)</p>
<p>Thanks for the replies!</p>
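The three defences the question lists (parameters instead of string-built SQL, HTML-encoding output, and lockout plus delay on failed logins), shown side by side in an added Python example; this code is not part of the original question or any answer to it. The users table, its two rows, the `LoginThrottle` class and its thresholds are all constructed for the demonstration, and only the standard library is used.

```python
# Added example (not from the original question): the three defences the post
# lists, written against the Python standard library only. The users table, its
# two rows and the LoginThrottle thresholds are constructed for this demo.
import html
import sqlite3
import time


# --- SQL injection: "don't build SQL from raw user input - use parameters" ----

def make_db():
    """Constructed in-memory sample database; one name contains an apostrophe."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.test"), ("O'Brien", "obrien@example.test")],
    )
    return conn


def find_email_unsafe(conn, name):
    """The pattern the post warns against: the input becomes part of the SQL
    text, so any quote character in it changes the statement's meaning."""
    sql = "SELECT email FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def find_email_safe(conn, name):
    """Parameterised query: the driver passes `name` as a bound value, so it is
    compared as data and is never parsed as SQL."""
    sql = "SELECT email FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def unsafe_lookup_fails(conn, name):
    """True when the string-built query is not even valid SQL for this input."""
    try:
        find_email_unsafe(conn, name)
        return False
    except sqlite3.Error:
        return True


# --- XSS: "HTML-encode all output" -------------------------------------------

def render_comment(user_text):
    """Encode at output time: <, >, & and quotes become entities, so the browser
    displays the text instead of interpreting it as markup or script."""
    return '<p class="comment">' + html.escape(user_text, quote=True) + "</p>"


# --- Brute force: "lock the account after too many failures, add a delay" ----

class LoginThrottle:
    """Per-account failure counter: growing delay on each wrong password and a
    temporary lock once max_failures is reached. The clock is injectable so the
    behaviour can be tested without sleeping."""

    def __init__(self, max_failures=5, lock_seconds=900, base_delay=0.5,
                 clock=time.monotonic):
        self.max_failures = max_failures
        self.lock_seconds = lock_seconds
        self.base_delay = base_delay
        self.clock = clock
        self._failures = {}      # account -> consecutive failed attempts
        self._locked_until = {}  # account -> monotonic time when the lock ends

    def attempt(self, account, password_ok):
        """Returns (status, delay_seconds); status is "ok", "denied" (wrong
        password, apply the delay before answering) or "locked"."""
        now = self.clock()
        if self._locked_until.get(account, 0.0) > now:
            return "locked", 0.0          # refused even if the password is right
        if password_ok:
            self._failures.pop(account, None)
            return "ok", 0.0
        n = self._failures.get(account, 0) + 1
        self._failures[account] = n
        if n >= self.max_failures:
            self._locked_until[account] = now + self.lock_seconds
            return "locked", 0.0
        # Exponential back-off: 0.5 s, 1 s, 2 s, ... before the next try.
        return "denied", self.base_delay * (2 ** (n - 1))


if __name__ == "__main__":
    db = make_db()
    print(find_email_safe(db, "O'Brien"))       # ['obrien@example.test']
    print(unsafe_lookup_fails(db, "O'Brien"))   # True: the apostrophe broke the SQL
    print(render_comment('<b>hi</b> & "bye"'))
    throttle = LoginThrottle(max_failures=3, lock_seconds=60)
    for _ in range(3):
        print(throttle.attempt("bob", password_ok=False))
```

The throttle returns the delay instead of sleeping so the request handler decides how to apply it (sleeping inside a worker thread ties up server capacity, which is itself a denial-of-service concern). A per-account lock also lets anyone who knows a username lock that user out, so in practice it is paired with per-source rate limits or the image validation the question mentions.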