RE: Current Project Design, Comments?
In addition to SQL injection, it sounds like you need to consider
row-level security. Imagine you have a form target
view_account.asp?acct_id=10107. Let's say I'm allowed to view account
10107, but Michael isn't. If acct_ids are relatively predictable (and
this kind of ID is typically a sequential ID generated by the database),
then Michael might request view_account.asp?acct_id=10107. Or he might
even write a script to request all account IDs and see what he gets.
Also, I note that you made no mention of how you plan on keeping session
state - i.e. when a new request comes in, how do you know if the user
has already logged in or not, who the user is, etc.? IIS session
object? A custom session ID?
Phil
> -----Original Message-----
> From: Michael Loll [mailto:mloll@pointetech.com]
> Sent: Friday, February 14, 2003 3:26 PM
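The row-level problem Phil describes, as an added example that is not code from the original thread or from the project under discussion. It assumes a hypothetical in-memory SQLite schema (users, accounts with an owner_id column) and a hypothetical random-token session store; the real application's ASP pages and IIS session handling are not shown here. `view_account_vulnerable` mirrors a `view_account.asp?acct_id=...` handler that trusts the ID from the query string, `view_account_fixed` scopes the same lookup to the logged-in user, and `enumerate_accounts` is the "script to request all account IDs" against either handler.

```python
import secrets
import sqlite3


def build_db():
    """Constructed sample data (hypothetical schema, not the project's own)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER PRIMARY KEY, name TEXT)")
    conn.execute(
        "CREATE TABLE accounts ("
        " acct_id INTEGER PRIMARY KEY,"   # sequential, hence guessable
        " owner_id INTEGER NOT NULL,"     # the row-level ownership fact
        " balance INTEGER)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "phil"), (2, "michael")])
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?, ?)",
        [(10105, 2, 500), (10106, 2, 75), (10107, 1, 1200), (10108, 1, 30)],
    )
    return conn


class SessionStore:
    """Hypothetical session state: opaque random token -> user_id.

    The token is the only thing the browser holds; the user identity lives
    server-side, so a client cannot forge 'who am I' by editing a parameter.
    """

    def __init__(self):
        self._sessions = {}

    def login(self, user_id):
        token = secrets.token_urlsafe(32)
        self._sessions[token] = user_id
        return token

    def user_for(self, token):
        return self._sessions.get(token)


def view_account_vulnerable(conn, acct_id):
    """Equivalent of view_account.asp?acct_id=N with no ownership check.

    Parameterised, so not SQL-injectable, but any caller can read any row.
    """
    return conn.execute(
        "SELECT acct_id, balance FROM accounts WHERE acct_id = ?", (acct_id,)
    ).fetchone()


def view_account_fixed(conn, sessions, token, acct_id):
    """Same lookup, but the WHERE clause is scoped to the session's user.

    Returns None both for 'no such account' and for 'not your account', so
    the response gives an enumerating client no oracle about which IDs exist.
    """
    user_id = sessions.user_for(token)
    if user_id is None:
        return None  # not logged in
    return conn.execute(
        "SELECT acct_id, balance FROM accounts WHERE acct_id = ? AND owner_id = ?",
        (acct_id, user_id),
    ).fetchone()


def enumerate_accounts(handler, id_range):
    """Michael's script: walk the predictable ID space and keep what comes back."""
    found = {}
    for acct_id in id_range:
        row = handler(acct_id)
        if row is not None:
            found[acct_id] = row[1]  # balance
    return found


if __name__ == "__main__":
    conn = build_db()
    sessions = SessionStore()
    michael = sessions.login(2)
    ids = range(10100, 10110)
    print("unscoped:", enumerate_accounts(lambda a: view_account_vulnerable(conn, a), ids))
    print("scoped:  ", enumerate_accounts(lambda a: view_account_fixed(conn, sessions, michael, a), ids))
```

The point of the fixed handler is that authorisation is a predicate on the row, evaluated in the query against the identity the session store vouches for, not a separate "is this user logged in" gate before an unscoped lookup. Against the vulnerable handler, Michael's ten-request sweep returns every account; against the scoped one it returns only his own two, and a made-up session token returns nothing at all.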
Received on Fri Feb 14 16:16:12 2003
This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:48 EDT