Five Tips for Thwarting Data Input Attacks Against Your Web App  : Page 2

The Web is a battleground where data input attacks are a real danger. Michael Howard illustrates how attackers can gain access to your Web apps and how best to stop them.

Tip 1—Tell the Attacker Nothing
Don't return errors that include the text of the failed SQL attempts. Internet Information Services returns a 500-100 error message by default when a scripting error occurs, but returning errors that do not include debugging text is sometimes better. For example, I entered some bogus names and passwords and received error messages like this:

Error Type: Microsoft JET Database Engine (0x80040E14) Syntax error (missing operator) in query expression
'(name='x' or 1) or ('1') and (pwd=''p')'. /login.asp, line 24

As you can see, part of the SQL syntax is returned, which can help an attacker determine how to correctly construct the name and password to create a bogus yet valid expression.

The simplest way to reduce the amount of information returned is to modify the %winnt%\help\iisHelp\500-100.asp page, or create a new file and configure IIS to use the new file for 500.100 errors. You can achieve this by performing these steps:

  1. Open the IIS admin tool.
  2. Right click the Web server in question.
  3. Select Properties.
  4. Click the Custom Errors tab.
  5. Enter the new filename for your custom 500.100 error page.

While we're on the subject, never return error messages that include physical file locations. For example, presenting a message such as "Unable to find foo.doc at c:\wwwroot\secretlocation" is a bad idea. A simple 404 will suffice.
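As an added example (not code from the article or from IIS itself), here is a replacement 500-100.asp that keeps the ASPError details on the server, by appending them to the IIS request log with Response.AppendToLog, and returns only a generic message to the browser. It assumes IIS has been pointed at this file through the Custom Errors steps above; Server.GetLastError only returns the failing script's error when called from the configured 500-100 page.

```asp
<%@ Language="VBScript" %>
<%
' Added example: generic 500-100 handler that tells the attacker nothing.
' Configure it under Custom Errors for 500;100 (assumption: replaces the
' default %winnt%\help\iisHelp\500-100.asp, which echoes the error text).
Option Explicit
Dim objASPError, strLogEntry

Response.Clear
Response.Status = "500 Internal Server Error"
Response.ContentType = "text/html"

' The failing script's error (e.g. the JET syntax error with the SQL text).
Set objASPError = Server.GetLastError()

' Keep the detail for the administrator in the IIS log, not in the response.
strLogEntry = "ASPERR " & objASPError.ASPCode & " " & objASPError.Number & _
              " in " & objASPError.File & ":" & objASPError.Line & _
              " - " & objASPError.Description
' AppendToLog entries may not contain commas (W3C log field separator).
strLogEntry = Replace(strLogEntry, ",", ";")
Response.AppendToLog strLogEntry

Set objASPError = Nothing
%>
<html>
<head><title>Error</title></head>
<body>
<p>The request could not be processed. Please try again later.</p>
</body>
</html>
```

Compare the IIS log line against the ASP file and line number when investigating; nothing about the SQL expression, the database engine or the script path reaches the client.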
