Prevention of Web Page Caching – ASP.NET

Method

Add the following code to the page to prevent it from being cached:

Response.AppendHeader("Cache-Control", "no-cache, no-store, must-revalidate");
Response.AppendHeader("Pragma", "no-cache"); 
Response.AppendHeader("Expires", "0");
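A check that a response actually carries the three headers set above, as an added Python example (not code from the original page). It parses the Cache-Control directives rather than comparing the raw string, so reordered or differently cased headers still pass; the header dictionaries are constructed sample responses.

```python
# Added example: report whether a set of HTTP response headers prevents caching
# of a sensitive page. The header dicts below are constructed samples; in practice
# the dict would come from your HTTP client or test harness.

REQUIRED_DIRECTIVES = {"no-cache", "no-store", "must-revalidate"}

def parse_cache_control(value):
    """Split 'no-cache, max-age=0' into {'no-cache': None, 'max-age': '0'}."""
    directives = {}
    for part in value.split(","):
        part = part.strip().lower()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip()] = arg.strip().strip('"') or None
    return directives

def cache_findings(headers):
    """Return a list of problems; an empty list means caching is prevented."""
    lower = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
    problems = []
    cc = parse_cache_control(lower.get("cache-control", ""))
    for d in sorted(REQUIRED_DIRECTIVES - set(cc)):
        problems.append(f"Cache-Control missing '{d}'")
    if "max-age" in cc and cc["max-age"] not in (None, "0"):
        problems.append(f"Cache-Control max-age={cc['max-age']} allows reuse")
    if lower.get("pragma", "").strip().lower() != "no-cache":
        problems.append("Pragma: no-cache missing (needed for HTTP/1.0 proxies)")
    # A date in the past would also work; this check only accepts the common 0 / -1 forms.
    if lower.get("expires", "").strip() not in ("0", "-1"):
        problems.append("Expires should be 0 (or -1) for sensitive pages")
    return problems

# Constructed sample responses: the hardened one matches the headers set above.
HARDENED = {
    "Cache-Control": "no-cache, no-store, must-revalidate",
    "Pragma": "no-cache",
    "Expires": "0",
}
WEAK = {"Cache-Control": "private, max-age=600"}

if __name__ == "__main__":
    print("hardened:", cache_findings(HARDENED) or "ok")
    print("weak:", cache_findings(WEAK))
```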

Reference

http://support.microsoft.com/kb/234067
http://wiki.asp.net/page.aspx/1487/prevent-browser-caching-of-web-pages-…
http://msdn.microsoft.com/en-us/library/ms178606(v=vs.100).aspx
http://support.microsoft.com/kb/q222064

Web Page Caching

Description

Caching improves the user browsing experience by reducing the latency time, allowing for better bandwidth usage and reduction of the web server load.
Web pages with web cache enabled can be cached in the client browser as well as in the server proxies and gateways that are part of the web traffic between the client and the web server.
When a web page is not available, a web server and/or a web proxy can serve the browser with a cached web page.
Since cached content can contain sensitive data, it has to be protected from unauthorized access. In the case of web applications, confidential information must not be cached in the user's browser.


Setting Session Timeout – Apache

Method#1 In php.ini file

Add the following line to php.ini:

session.gc_maxlifetime = 1000

Method#2 Using .htaccess

Add the following line to .htaccess (requires mod_php; the equivalent call inside a PHP script would be ini_set('session.gc_maxlifetime', 1000);, which is PHP code and does not work as an .htaccess directive):

php_value session.gc_maxlifetime 1000

Method#3 In httpd.conf file

Add the following line to httpd.conf:

Timeout 1000

(The value is in seconds.)

Reference

http://php.net/manual/en/ref.session.php

Setting Session Timeout – ASP.NET

Method #1 in web.config 

Add the following code to web.config (in this example the timeout is set to 15 minutes):

<system.web>
    <sessionState timeout="15">
    </sessionState>
</system.web>

Method #2 in Global.asax

Add the following lines to the Session_Start event in Global.asax:

void Session_Start(object sender, EventArgs e)
{
   Session.Timeout = 15;
}

References

http://msdn.microsoft.com/en-us/library/ms525473(v=VS.90).aspx

Setting Session Timeout – Java

Method#1

In the servlet, call the setMaxInactiveInterval method on the session object:

HttpSession session = request.getSession();
session.setMaxInactiveInterval(900);

(In this example, session time out is set for 900 seconds.)

Method#2

Set the timeout in web.xml:

<session-config>
  <session-timeout>10</session-timeout>
</session-config>

(Here the timeout is 10 minutes.)

Reference

http://docs.oracle.com/cd/E17802_01/webservices/webservices/docs/1.6/api…

Session Timeout

Description

Session timeouts are a protection mechanism for users who leave their computer unattended, or who walk away from a shared computer without logging out of an application.
After the timeout period, the user has to log in again. This is somewhat like a password-protected screen saver which starts after a number of minutes of inactivity on a computer.
A session timeout is an important security control for any application. It specifies the length of time that an application will allow an idle user to remain logged in before forcing the user to re-authenticate.
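The idle-timeout behaviour the configurations above enable, as an added Python example (not from the original page): the timer runs from the last request, not from login, so an active user stays logged in while an unattended session expires and is dropped. Timestamps are plain seconds supplied by the caller so the behaviour can be driven deterministically; a real store would read the clock itself.

```python
# Added example: a minimal server-side session store with an idle (inactivity) timeout.
# max_inactive_seconds plays the role of session.gc_maxlifetime (PHP), sessionState
# timeout in minutes (ASP.NET) and setMaxInactiveInterval (Java). Session ids and
# timestamps below are constructed for the example.

class SessionStore:
    def __init__(self, max_inactive_seconds):
        self.max_inactive = max_inactive_seconds
        self._sessions = {}   # session id -> timestamp of last activity

    def create(self, session_id, now):
        """Register a freshly authenticated session."""
        self._sessions[session_id] = now

    def touch(self, session_id, now):
        """Call on every request. Returns True and restarts the idle timer if the
        session is still valid; returns False (and drops it) once it has idled out,
        which is the point where the user must authenticate again."""
        last = self._sessions.get(session_id)
        if last is None:
            return False
        if now - last > self.max_inactive:
            del self._sessions[session_id]
            return False
        self._sessions[session_id] = now   # sliding expiration: activity extends the session
        return True

    def sweep(self, now):
        """Remove every idle session (the job PHP's session garbage collector does).
        Returns the number of sessions removed."""
        expired = [sid for sid, last in self._sessions.items()
                   if now - last > self.max_inactive]
        for sid in expired:
            del self._sessions[sid]
        return len(expired)

if __name__ == "__main__":
    store = SessionStore(900)            # 900 s == the 15-minute ASP.NET setting above
    store.create("s1", now=0)
    print(store.touch("s1", now=800))    # True: within 15 minutes of login
    print(store.touch("s1", now=1600))   # True: timer was restarted at 800
    print(store.touch("s1", now=2600))   # False: 1000 s idle, re-login required
```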


SQLi – PHP Secure Coding

Method #1
Escaping special characters in a string for use in an SQL statement

<?php
  $name = mysql_real_escape_string( $_POST['name'] );
  $pwd  = mysql_real_escape_string( $_POST['pwd'] );

  $str_sql = "SELECT * from `tbl_users` WHERE " .
             "usr_name='" . $name . "' AND " .
             "usr_pwd='" . $pwd . "'";

  $result = mysql_query( $str_sql ) or die ( mysql_error() );
?>

Method #2
Using prepared statements and parameterized queries:

Case #1
When connecting to the database

<?php
  $pdo = new PDO('mysql:dbname=db;host=127.0.0.1;charset=utf8', 'username', 'password');

  $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
  $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
?>

Case #2
When retrieving data

<?php
  $stmt = $pdo->prepare('SELECT * FROM tables WHERE name = :name');
  $stmt->execute(array(':name' => $name));
  foreach ($stmt as $row) {
      echo $row[0];
  }
?>

Case #3
When inserting

<?php
   $preparedStatement = $pdo->prepare('INSERT INTO table (column) VALUES (:column)');
   $preparedStatement->execute(array(':column' => $unsafeValue));
?>

The same technique applies to UPDATE and DELETE statements.

References
http://php.net/manual/en/security.database.sql-injection.php
http://php.net/manual/en/function.mysql-real-escape-string.php
http://php.net/manual/en/book.pdo.php

SQLi – ASP.NET Secure Coding

Using Parameterized Queries/Prepared Statements

The use of parameterized stored procedures is an effective mechanism to avoid most forms of SQL Injection. Parameterized queries do proper substitution of arguments prior to running the SQL query. They completely remove the possibility of “dirty” input changing the meaning of your query.

// Build the query statement using a parameterized query.
string sql = "SELECT UserId FROM Users WHERE UserName = @UserName AND Password = @Password";
using (SqlCommand cmd = new SqlCommand(sql))
{
    // Create the parameter objects as specifically as possible.
    cmd.Parameters.Add("@UserName", System.Data.SqlDbType.NVarChar, 50);
    cmd.Parameters.Add("@Password", System.Data.SqlDbType.NVarChar, 25);

    // Add the parameter values. Validation should have already happened.
    cmd.Parameters["@UserName"].Value = UserName;
    cmd.Parameters["@Password"].Value = Password;
    cmd.Connection = connection;
    try
    {
        cmd.Connection.Open();
        var userId = cmd.ExecuteScalar();
    }
    catch (SqlException sx)
    {
        // Handle exceptions before moving on.
    }
}

References
https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
http://msdn.microsoft.com/en-us/library/ff648339.aspx

SQLi – JAVA Secure Coding

Use PreparedStatement instead of dynamic queries.

All data access techniques provide some means for escaping SQL meta-characters automatically.
Variables passed as arguments to prepared statements will automatically be escaped by the JDBC driver.

String selectStatement = "SELECT * FROM User WHERE userId = ? ";
PreparedStatement prepStmt = con.prepareStatement(selectStatement);
prepStmt.setString(1, userId);
ResultSet rs = prepStmt.executeQuery();

References
https://www.owasp.org/index.php/Preventing_SQL_Injection_in_Java
https://www.java.net/node/678819
http://download.oracle.com/oll/tutorials/SQLInjection/index.htm

SQL Injection

Description

A SQL injection (SQLi) attack consists of the insertion or “injection” of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutting down the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system.

SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to effect the execution of predefined SQL commands.
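The string-built login query the PHP, ASP.NET and Java sections above warn against, side by side with the parameterized form they recommend, as an added example in Python (not code from the original page). SQLite from the standard library stands in for MySQL or SQL Server; the binding mechanism is the same one PDO, SqlCommand and PreparedStatement use, and the user table and credentials are constructed sample data.

```python
# Added example: the same lookup built two ways against an in-memory SQLite table
# with one constructed user. Only the parameterized version keeps input as data.
import sqlite3

def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (user_id INTEGER, usr_name TEXT, usr_pwd TEXT)")
    con.execute("INSERT INTO users VALUES (1, 'alice', 'correct horse')")
    return con

def lookup_concat(con, name, pwd):
    """Vulnerable: input is pasted into the SQL text, so it can change the query's meaning."""
    sql = ("SELECT user_id FROM users WHERE usr_name='" + name +
           "' AND usr_pwd='" + pwd + "'")
    return [row[0] for row in con.execute(sql)]

def lookup_param(con, name, pwd):
    """Hardened: the SQL text is fixed and the driver passes the values separately,
    exactly as the :name / @UserName / ? placeholders above do."""
    sql = "SELECT user_id FROM users WHERE usr_name=? AND usr_pwd=?"
    return [row[0] for row in con.execute(sql, (name, pwd))]

# With this value in the password field the concatenated query becomes
#   ... AND usr_pwd='' OR '1'='1'   and matches every row, while the parameterized
# query compares the column against the literal string and matches nothing.
TAUTOLOGY = "' OR '1'='1"

if __name__ == "__main__":
    con = make_db()
    print(lookup_concat(con, "alice", "correct horse"), lookup_param(con, "alice", "correct horse"))
    print(lookup_concat(con, "alice", TAUTOLOGY), lookup_param(con, "alice", TAUTOLOGY))
```

A legitimate name containing a quote (O'Brien) also breaks the concatenated query with a syntax error while the parameterized one handles it, which is the robustness side of the same defect.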
