RE: Current Project Design, Comments?

I do not use query strings, data is passed between pages via the "code behind model" or the ViewState mechanism in ASP.NET, or via my custom session variables.

-----Original Message-----
From: Logan F.D. Greenlee [mailto:lgreenlee@ciretose.net] Sent: Friday, February 14, 2003 4:30 PM
To: Brass, Phil (ISS Atlanta); Michael Loll; webappsec@securityfocus.com Subject: RE: Current Project Design, Comments?

        In most cases one should not use query strings in ASP.NET. Critical information such as account ID, or user information should be stored in the users session. Most frequently this is a user object. The aspx forms are then responsible for retrieving them from the user's session. By doing this query string based attacks are mitigated. The "code behind model" helps to reinforce this model. By using form post back all variables are held in the form state.

_logan

-----Original Message-----
From: Brass, Phil (ISS Atlanta) [mailto:PBrass@iss.net] Sent: Friday, February 14, 2003 4:12 PM
To: Michael Loll; webappsec@securityfocus.com Subject: RE: Current Project Design, Comments?

In addition to SQL injection, it sounds like you need to consider row-level security. Imagine you have a form target view_account.asp?acct_id=10107. Let's say I'm allowed to view account 10107, but Michael isn't. If acct_id's are relatively predictable (and this kind of ID is typically a sequential ID generated by database), then Michael might request view_account.asp?acct_id=10107. Or he might even write a script to request all account IDs and see what he gets.

Also, I note that you made no mention of how you plan on keeping session state - i.e. when a new request comes in, how do you know if the user has already logged in or not, who the user is, etc.? IIS session object? A custom session ID?

Phil

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

> -----Original Message-----
Received on Fri Feb 14 16:41:29 2003