9/14/2007

Web Security - XSS and SQL Injection

============================================================
XSS/CSS (Cross Site Scripting)

XSS exists because a web application receives user input and later sends it to other users' browsers to render. Since the browser executes JavaScript, one user of the application can, in principle, write code that runs on other users' client machines; this is the root cause of every XSS attack.

How does user-supplied script code get to run in other users' browsers?
1. javascript: URL protocol - use "javascript:your_script_code_here" as a link destination
2. script tag - embed a plain <script> block in the page content
3. element event handler - use attributes such as onload="your_script_here" in the HTML document

What are the potential harms of XSS?
1. Cookie theft: the injected script reads document.cookie and sends it elsewhere
2. Session hijacking: the stolen cookie is used to access the original site's services as a legitimate, logged-in user
3. Phishing: the user's browser is led to URLs the user never intended to visit

How to avoid XSS attacks?
1. Restrict the format of user input values; check/validate on both the client and the server side (the server-side check is the one that counts, since client-side checks can be bypassed)
2. HTML-encode/escape/filter strings before writing them into the HTTP response as page content for the client browser
3. Bind the session to the user's IP address
4. Disable script execution: safe, but it limits the functionality of the web application
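As an added illustration of points 1 and 2 (not code from the original post), the Python snippet below renders a user comment while escaping every untrusted value for HTML and allow-listing the scheme of a user-supplied link, so the three injection routes listed above (javascript: URLs, <script> blocks, event-handler attributes) are neutralised. The comment format, the allowed schemes and the sample inputs are assumptions made for this example.

```python
import html
from typing import Optional
from urllib.parse import urlsplit

# Schemes a user-supplied link destination may use. "javascript:" (and any
# scheme not listed) is rejected, which closes the javascript: URL vector.
# Assumption for this example: the application only needs these three.
SAFE_URL_SCHEMES = {"http", "https", "mailto"}


def escape_html(value: str) -> str:
    """Escape a string for HTML element content or a double-quoted attribute.

    html.escape(quote=True) rewrites & < > " and ', so the value can never
    close the current tag or attribute and start a <script> block or an
    onload="..." handler of its own.
    """
    return html.escape(value, quote=True)


def safe_link_href(url: str) -> Optional[str]:
    """Return the URL if it is acceptable as an href, otherwise None.

    Browsers ignore leading whitespace and embedded control characters when
    parsing a scheme, so those are stripped before the scheme is examined;
    otherwise a value such as "java\tscript:" would pass a naive comparison.
    """
    cleaned = "".join(ch for ch in url.strip() if ch > "\x1f")
    scheme = urlsplit(cleaned).scheme.lower()
    if scheme:
        return cleaned if scheme in SAFE_URL_SCHEMES else None
    # No scheme: allow only a site-relative path. "//host/..." is a
    # protocol-relative URL and would point at another origin.
    if cleaned.startswith("/") and not cleaned.startswith("//"):
        return cleaned
    return None


def render_comment(author: str, body: str, homepage: str) -> str:
    """Render one user comment as an HTML fragment, escaping every untrusted value."""
    href = safe_link_href(homepage)
    if href is None:
        link = escape_html(author)
    else:
        link = f'<a href="{escape_html(href)}">{escape_html(author)}</a>'
    return f"<p>{link}: {escape_html(body)}</p>"


if __name__ == "__main__":
    # Constructed sample inputs covering the three routes the post lists.
    print(render_comment("bob", "<script>alert(1)</script>", "https://example.com/"))
    print(render_comment("eve", 'x" onload="alert(1)', "javascript:alert(1)"))
```

The escaping is applied at output time, per value, in the context (element text or attribute) where the value is written; filtering input on the way in is a useful second layer but is not a substitute, because the same stored string may later be written into a different context.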

[Reference]
XSS FAQ (and a Simplified Chinese version)

XSS cheat sheet

Perl&XSS

XSS online tool

Case Studies (1, 2)

============================================================

SQL Injection

SQL injection is a web attack technique in which the attacker places SQL code in a user input value, which the application (most likely web-based) then uses to build and execute a SQL statement in the database. The result is that the attacker gets code executed by your DBMS. This can change your application logic (bypass authentication), damage your data (drop tables) and expose critical information (dump a server file to the client).

The basic practices to solve this problem are:
1. Check/validate user input data and reject or trim dangerous content
2. Prefer SQL parameters and stored procedures over composing SQL statements dynamically from strings
3. Grant the web application's DBMS account only the minimal permissions it needs
4. Avoid disclosing database error information to clients
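As an added example (not from the original post, and written in Python with the standard sqlite3 module rather than the ASP.NET/SQL Server stack the references cover), the snippet below puts a string-composed login query next to its parameterized form, then wraps the safe form with input validation and a generic error message so that practices 1, 2 and 4 are visible in one place. The table, the user row, the username pattern and the sample input are constructed for this example.

```python
import re
import sqlite3
from typing import Optional

# Practice 1: a tight allow-list for the username format (assumption: only
# word characters, at most 32 of them).
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def make_db() -> sqlite3.Connection:
    """Build an in-memory database with one constructed user row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, pw TEXT NOT NULL)")
    # Plaintext password only to keep the toy short; real systems store a hash.
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, pw: str) -> Optional[str]:
    """The 'before' form: the statement is composed from strings, so a quote
    in the input ends the literal and the rest is parsed as SQL."""
    sql = f"SELECT name FROM users WHERE name = '{name}' AND pw = '{pw}'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn: sqlite3.Connection, name: str, pw: str) -> Optional[str]:
    """Practice 2: bound parameters. The statement text is fixed and the
    values travel separately, so they are only ever compared as data."""
    row = conn.execute(
        "SELECT name FROM users WHERE name = ? AND pw = ?", (name, pw)
    ).fetchone()
    return row[0] if row else None


def authenticate(conn: sqlite3.Connection, name: str, pw: str) -> dict:
    """Validate, parameterize, and never echo a database error to the client."""
    if not USERNAME_RE.match(name):
        return {"ok": False, "error": "invalid username"}
    try:
        user = login_safe(conn, name, pw)
    except sqlite3.Error as exc:
        # Practice 4: log the real error server-side; the client gets a
        # generic message that reveals nothing about schema or driver.
        print(f"[internal] database error: {exc}")
        return {"ok": False, "error": "authentication temporarily unavailable"}
    return {"ok": user is not None, "user": user}


if __name__ == "__main__":
    db = make_db()
    # Constructed input: closes the password literal and appends a tautology.
    payload = "' OR '1'='1"
    print("vulnerable:", login_vulnerable(db, "alice", payload))  # alice, without the password
    print("safe:      ", login_safe(db, "alice", payload))        # None, payload treated as a plain string
    print("auth:      ", authenticate(db, "alice", "correct-horse"))
```

Practice 3 has no counterpart in an in-memory sqlite database; on a real DBMS the account the application connects with should have only SELECT/INSERT/UPDATE on the tables it uses, so that even a successful injection cannot drop tables or read server files.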

SQL Server Book Online - SQL Injection

ASP.Net Best Practices - Protect from SQL Injection

Practices to Avoid SQL Injection

Web App Security - best practices from Microsoft

Case Studies (1, 2, 3)

SQL Injection Cheat Sheet

============================================================

General Web Security Reference

http://www.webhackingexposed.com/tools.html

http://www.cgisecurity.com

Sql Security

============================================================

9/01/2007

Internet Explorer and Its HTTP Connection Limits

  Many web developers have discussed the IE client connection limit. The Microsoft IE team blog posted a related article titled "Internet Explorer and Connection Limits" to explain the considerations behind this design. OpenAjax also has an article titled "HTTP connection limitation on AJAX" that discusses the limitation's impact on Ajax applications.

  According to the IE team's blog, the main reasoning behind it is:
  "It turns out that this is a case where IE strictly follows the standards-- in this case, RFC2616, which covers HTTP1.1. As noted in the RFC:

  Clients that use persistent connections SHOULD limit the number of simultaneous connections that they maintain to a given server. A single-user client SHOULD NOT maintain more than 2 connections with any server or proxy."


  To improve web application performance, there are things you can do on both the server and the client side.

  On the client side, you can change this limit by editing the system registry:
  under the key "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings", add or change the following two DWORD values:

  MaxConnectionsPerServer REG_DWORD (Default 2)
  Sets the number of simultaneous requests to a single HTTP 1.1 Server

  MaxConnectionsPer1_0Server REG_DWORD (Default 4)
  Sets the number of simultaneous requests to a single HTTP 1.0 Server

  In IE5 or later, it is also possible to change the connection limit programmatically by calling the InternetSetOption function on a NULL handle with one of the following options (note that this changes the connection limit for the whole process):
  INTERNET_OPTION_MAX_CONNS_PER_SERVER
  INTERNET_OPTION_MAX_CONNS_PER_1_0_SERVER

  On the server side, since IE treats the hostname, not the IP address, as the server, a.yourname.com and b.yourname.com are different servers from IE's perspective. So you can use sub-domains to let users get around the 2-connection limit even when they browse your site with IE.

  Here are some useful server-side programming tips regarding browser connection limits:
  1. Circumventing browser connection limits for fun and profit
  2. Improving web performance by distributing images among hostnames
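As an added example of the sub-domain technique described above (not code from the post or from the linked articles), the Python snippet below maps each asset path to one of several hostnames by hashing the path. Hashing rather than round-robin matters: the same image must always come from the same hostname, otherwise the browser cache entry keyed on the old URL is wasted and the download happens again. The hostnames and sample paths are constructed for this example.

```python
import zlib
from typing import Dict, List
from urllib.parse import quote

# Constructed hostnames. All of them must serve the same content (for example,
# CNAME records of one origin); the browser treats each as a separate server.
ASSET_HOSTS: List[str] = ["img0.example.com", "img1.example.com", "img2.example.com"]


def shard_host(path: str, hosts: List[str] = ASSET_HOSTS) -> str:
    """Pick the host for an asset path deterministically.

    CRC32 is used only to spread paths evenly across hosts; it is not a
    security function. Because the choice depends only on the path and the
    host list, a given asset always gets the same URL across page views.
    """
    if not hosts:
        raise ValueError("at least one asset host is required")
    return hosts[zlib.crc32(path.encode("utf-8")) % len(hosts)]


def asset_url(path: str, hosts: List[str] = ASSET_HOSTS, scheme: str = "https") -> str:
    """Build the absolute URL the page should emit for a site-absolute asset path."""
    if not path.startswith("/"):
        raise ValueError("asset path must start with '/'")
    return f"{scheme}://{shard_host(path, hosts)}{quote(path)}"


def shard_counts(paths: List[str], hosts: List[str] = ASSET_HOSTS) -> Dict[str, int]:
    """Count how many of the given assets land on each host, to check the balance."""
    counts = {h: 0 for h in hosts}
    for p in paths:
        counts[shard_host(p, hosts)] += 1
    return counts


if __name__ == "__main__":
    paths = [f"/img/thumb_{i}.png" for i in range(30)]
    for p in paths[:3]:
        print(asset_url(p))
    print(shard_counts(paths))
```

Two caveats when using this: the host list (and its order) must stay stable between deployments, or every asset URL changes and the caches empty; and each extra hostname costs a DNS lookup and, over HTTPS, a separate TLS handshake, so two to four hostnames are usually the useful range under a 2-connections-per-host limit.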

  For IE8, there is some good news for developers tuning server-side performance:
  1. IE8: The Performance Implications
  2. Testing IE8’s Connection Parallelism
  3. Connectivity Enhancements in Internet Explorer 8
  4. Internet Explorer 8 and Maximum Concurrent Connections