RE: Current Project Design, Comments?

From: Logan F.D. Greenlee <lgreenlee(at)ciretose.net>
Date: Fri Feb 14 2003 - 16:30:29 EST

In most cases one should not use query strings in ASP.NET. Critical information such as account ID or user information should be stored in the user's session. Most frequently this is a user object. The aspx forms are then responsible for retrieving them from the user's session. By doing this, query-string-based attacks are mitigated. The "code behind model" helps to reinforce this model. By using form post back, all variables are held in the form state.

_logan

-----Original Message-----
From: Brass, Phil (ISS Atlanta) [mailto:PBrass@iss.net]
Sent: Friday, February 14, 2003 4:12 PM
To: Michael Loll; webappsec@securityfocus.com
Subject: RE: Current Project Design, Comments?

In addition to SQL injection, it sounds like you need to consider row-level security. Imagine you have a form target view_account.asp?acct_id=10107. Let's say I'm allowed to view account 10107, but Michael isn't. If acct_ids are relatively predictable (and this kind of ID is typically a sequential ID generated by the database), then Michael might request view_account.asp?acct_id=10107. Or he might even write a script to request all account IDs and see what he gets.

Also, I note that you made no mention of how you plan on keeping session state - i.e. when a new request comes in, how do you know if the user has already logged in or not, who the user is, etc.? IIS session object? A custom session ID?

Phil
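The two points in this thread, Phil's row-level check on a client-supplied acct_id and Logan's suggestion of deriving the account from the server-side session instead, are shown together below as an added example; it is not code from the original posts, and the session store, account table and user names are constructed stand-ins for a real ASP/ASP.NET application. The `reachable_rows` helper is a hypothetical audit routine that shows how many rows each handler exposes to a logged-in user across a range of sequential ids.

```python
"""Row-level authorization for a per-account view (added example, constructed data)."""
import secrets

# Constructed sample table: which user owns which account row.
ACCOUNTS = {
    10106: {"owner": "phil", "balance": 1200},
    10107: {"owner": "phil", "balance": 350},
    10108: {"owner": "michael", "balance": 4000},
}

# Constructed server-side session store: opaque session id -> session data.
# The ids are unguessable, unlike the sequential account ids above.
SESSIONS = {}


def login(username):
    """Create a server-side session and return its opaque id (the cookie value)."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": username}
    return sid


def view_account_insecure(session_id, acct_id):
    """The pattern the thread warns about: only checks that *someone* is logged in,
    then trusts the acct_id taken from the query string."""
    if session_id not in SESSIONS:
        return None
    return ACCOUNTS.get(acct_id)


def view_account(session_id, acct_id):
    """Row-level check (Phil's point): the row must belong to the session's user.
    A missing row and a row owned by someone else get the same answer, so the
    response does not confirm whether an id exists."""
    session = SESSIONS.get(session_id)
    if session is None:
        return None
    row = ACCOUNTS.get(acct_id)
    if row is None or row["owner"] != session["user"]:
        return None
    return row


def list_own_accounts(session_id):
    """Logan's alternative: derive the account set from the session, never from a
    client-supplied id, so there is nothing in the query string to tamper with."""
    session = SESSIONS.get(session_id)
    if session is None:
        return []
    return sorted(a for a, row in ACCOUNTS.items() if row["owner"] == session["user"])


def reachable_rows(session_id, id_range, view):
    """Hypothetical audit helper: which ids in id_range does `view` return a row for?
    Run against both handlers to see the exposure difference for one user."""
    return [a for a in id_range if view(session_id, a) is not None]


if __name__ == "__main__":
    sid = login("michael")
    print("insecure:", reachable_rows(sid, range(10100, 10120), view_account_insecure))
    print("checked: ", reachable_rows(sid, range(10100, 10120), view_account))
    print("from session:", list_own_accounts(sid))
```

Run stand-alone, the script shows that the unchecked handler hands Michael every row in the table while the checked handler and the session-derived listing return only his own account. In a real application the ownership test belongs in the data access layer or the SQL predicate itself (a `WHERE owner = @user` clause) so that every code path goes through it, and the audit loop is a useful regression test to keep in the suite.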

> -----Original Message-----
Received on Fri Feb 14 16:41:04 2003


This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:48 EDT
