Entries by AppSec Labs

Setting Session Timeout – ASP.NET

Method #1: in web.config. Add the following code to web.config (in this example the timeout is set to 15 minutes). Method #2: in Global.asax. Add the following lines to the Session_Start event of Global.asax. Whichever method is used, the value is an inactivity timeout: the session is abandoned after that many minutes without a request, and the user has to log in again. References http://msdn.microsoft.com/en-us/library/ms525473(v=VS.90).aspx

Setting Session Timeout – Java

Method #1: in the servlet, call setMaxInactiveInterval on the session object (in this example the session timeout is set to 900 seconds). Method #2: set the timeout in web.xml with session-config / session-timeout (here the timeout is 10 minutes). Note the unit mismatch: web.xml takes minutes, while setMaxInactiveInterval takes seconds, and a zero or negative value means the session never expires. Reference http://docs.oracle.com/cd/E17802_01/webservices/webservices/docs/1.6/api…
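The following servlet filter is an added example, not code from the original AppSec Labs posts. It applies the inactivity timeout from the Java entry above (900 seconds, method #1) to every session from one place, so the control does not depend on each login handler remembering to call it, and it adds an absolute session lifetime, which neither web.xml nor setMaxInactiveInterval provides. The 8-hour absolute lifetime, the /login redirect target and the javax.servlet namespace (Servlet 3.0+; use jakarta.servlet on Jakarta EE 9 and later) are assumptions.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/*
 * Added example (not the original post's code).
 *
 * Idle timeout: the web.xml equivalent (method #2) is
 *     <session-config><session-timeout>15</session-timeout></session-config>
 * whose unit is MINUTES, whereas HttpSession.setMaxInactiveInterval takes SECONDS.
 *
 * Absolute lifetime: an idle timeout alone lets a session live forever as long
 * as the client keeps sending requests (a stolen session id stays usable for as
 * long as the attacker keeps using it). The filter therefore also invalidates
 * sessions older than ABSOLUTE_LIFETIME_MS, measured from HttpSession.getCreationTime().
 */
@WebFilter("/*")
public class SessionTimeoutFilter implements Filter {

    static final int IDLE_TIMEOUT_SECONDS = 900;                   // 15 minutes, as in the post
    static final long ABSOLUTE_LIFETIME_MS = 8L * 60 * 60 * 1000;  // 8 hours: assumed policy
    static final String LOGIN_PATH = "/login";                     // assumed login URL

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // getSession(false): never create a session just to put a timeout on it.
        HttpSession session = request.getSession(false);
        if (session != null) {
            // Tighten only. A value <= 0 means "never expires" in the servlet API,
            // so it is treated as too loose as well.
            int current = session.getMaxInactiveInterval();
            if (current <= 0 || current > IDLE_TIMEOUT_SECONDS) {
                session.setMaxInactiveInterval(IDLE_TIMEOUT_SECONDS);
            }

            long ageMs = System.currentTimeMillis() - session.getCreationTime();
            if (ageMs > ABSOLUTE_LIFETIME_MS) {
                // Kill the session server-side and force a fresh login; the old
                // session id is useless from this point on even if it leaked.
                session.invalidate();
                response.sendRedirect(request.getContextPath() + LOGIN_PATH);
                return;
            }
        }
        chain.doFilter(req, res);
    }

    // Explicit no-op implementations so the class also compiles against
    // pre-4.0 servlet APIs, where these are not default methods.
    @Override public void init(FilterConfig filterConfig) throws ServletException { }
    @Override public void destroy() { }
}
```

Because the filter is mapped to every URL, a session created anywhere in the application (for example in a login servlet that runs after the filter) is tightened on the next request that carries it. The same two controls exist in ASP.NET: the web.config / Session_Start timeout from the entry above is the idle timeout, and an absolute lifetime would likewise have to be enforced in application code.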

Session Timeout

Description Session timeouts are a protection mechanism for users who leave their computer unattended, or who walk away from a shared computer without logging out of an application. After the timeout period, the user has to log in again. This is somewhat like a password-protected screen saver which starts after a number of minutes of […]

SQLi – PHP Secure Coding

Method #1: escaping special characters in a string for use in an SQL statement (mysql_real_escape_string). This only protects values that end up inside quoted string literals, and the mysql_ extension is deprecated, so prefer method #2 for new code. Method #2: using prepared statements and parameterized queries (PDO). Case #1: while connecting to the database. Case #2: while retrieving data. Case #3: while inserting. The same technique applies to update and delete. References http://php.net/manual/en/security.database.sql-injection.php http://php.net/manual/en/function.mysql-real-escape-string.php http://php.net/manual/en/book.pdo.php

SQLi – ASP.NET Secure Coding

Using Parameterized Queries / Prepared Statements. Parameterized queries (and parameterized stored procedures) are an effective mechanism against most forms of SQL injection: the SQL text is fixed in advance and the arguments are bound as typed parameters rather than spliced into the query string, so input cannot change the structure or meaning of the query. The protection holds only as long as the stored procedure itself does not build dynamic SQL from its arguments (for example with EXEC or sp_executesql). References https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet http://msdn.microsoft.com/en-us/library/ff648339.aspx

SQLi – JAVA Secure Coding

Use PreparedStatement instead of building queries by string concatenation. Values passed to a PreparedStatement are bound as parameters: the JDBC driver either sends them to the database separately from the SQL text or escapes them itself, so they are never parsed as part of the statement. Only values can be bound this way; table and column names or ORDER BY targets that come from user input must be checked against an allow-list instead. References https://www.owasp.org/index.php/Preventing_SQL_Injection_in_Java https://www.java.net/node/678819 http://download.oracle.com/oll/tutorials/SQLInjection/index.htm
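The class below is an added example, not code from the original posts, illustrating the PHP, ASP.NET and Java SQL injection entries above with JDBC (the PDO and SqlCommand versions follow the same pattern). It shows the vulnerable concatenated query next to its parameterized form for select and insert, and the one case parameters do not cover: an attacker-influenced sort column, which has to be allow-listed. The table and column names (users, username, email, created_at) and the LIMIT syntax (MySQL/PostgreSQL style) are assumptions.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

/*
 * Added example (not the original posts' code). Schema assumed for illustration:
 *   users(username VARCHAR, email VARCHAR, created_at TIMESTAMP)
 */
public class UserRepository {

    /**
     * VULNERABLE: the input is concatenated into the SQL text and parsed as SQL.
     * username = "x' OR '1'='1" returns the first row of the whole table, and
     * "x' UNION SELECT password FROM users--" reads data the query never meant to expose.
     * Kept here only as the "before" picture.
     */
    static String findEmailUnsafe(Connection conn, String username) throws SQLException {
        String sql = "SELECT email FROM users WHERE username = '" + username + "'";
        try (Statement st = conn.createStatement(); ResultSet rs = st.executeQuery(sql)) {
            return rs.next() ? rs.getString("email") : null;
        }
    }

    /**
     * SAFE: the SQL text is fixed; the value is bound to the placeholder and handed to
     * the driver as data, so quotes, comment markers or UNION keywords inside it cannot
     * change the statement. The same inputs as above simply match no user.
     */
    static String findEmail(Connection conn, String username) throws SQLException {
        String sql = "SELECT email FROM users WHERE username = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, username);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getString("email") : null;
            }
        }
    }

    /** Insert (the PHP entry's case #3); update and delete are written the same way. */
    static int insertUser(Connection conn, String username, String email) throws SQLException {
        String sql = "INSERT INTO users (username, email) VALUES (?, ?)";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, username);
            ps.setString(2, email);
            return ps.executeUpdate();
        }
    }

    /** Columns a caller may sort by. Anything else is rejected before it reaches the SQL text. */
    private static final Set<String> SORTABLE_COLUMNS = Set.of("username", "email", "created_at");

    /**
     * Placeholders bind VALUES only. An identifier such as the ORDER BY column cannot be
     * parameterized, so it is checked against the allow-list and only then concatenated;
     * the LIMIT is a value and is bound like any other.
     */
    static List<String> listUsernames(Connection conn, String sortColumn, int limit) throws SQLException {
        if (!SORTABLE_COLUMNS.contains(sortColumn)) {
            throw new IllegalArgumentException("unsupported sort column");
        }
        String sql = "SELECT username FROM users ORDER BY " + sortColumn + " LIMIT ?";
        List<String> usernames = new ArrayList<>();
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setInt(1, limit);
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    usernames.add(rs.getString(1));
                }
            }
        }
        return usernames;
    }
}
```

A quick way to see the difference in a test database is to call findEmailUnsafe and findEmail with the same payload string: the first returns a row (or errors out on the injected syntax), the second returns null because no username literally equals the payload. The allow-list in listUsernames is the part reviewers most often find missing; a parameterized query with a concatenated ORDER BY is still injectable.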

SQL Injection

Description A SQL injection (SQLi) attack consists of insertion or “injection” of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a […]

Cross Site Request Forgery (CSRF/XSRF)

Description Cross-Site Request Forgery (CSRF) is an attack that tricks the victim into loading a page that contains a malicious request. It is malicious in the sense that it inherits the identity and privileges of the victim to perform an undesired function on the victim’s behalf, like change the victim’s e-mail address, home address, or […]

Anti CSRF Token – PHP

1. Generate a unique token with a cryptographically secure random source, add it to a hidden field of the user's form and store the same token in the session. Add the following code to achieve this.
2. Before processing the request, validate the submitted token against the session value on the server side, using a constant-time comparison.
3. The validity of the token can also be limited in time.
References https://www.owasp.org/index.php/PHP_CSRF_Guard

Anti CSRF Token – JAVA

Using OWASP ESAPI
1. Download the OWASP ESAPI library from the ESAPI project page and add it to the project's libraries.
2. Generate a new CSRF token at user login and store the user (with the token) in the HTTP session.
3. Add the token as a parameter / hidden field on any form or URL that should be protected.
4. […]
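The class below is an added example that implements the three steps shared by the PHP and Java anti-CSRF entries above (unpredictable token, stored server-side in the session, optionally time-limited) in plain Java. It is not the original posts' code and not the ESAPI API; it is the hand-rolled equivalent of what the ESAPI calls the Java entry refers to do. The hidden-field name csrf_token, the session attribute name csrf and the 30-minute validity are assumptions.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;

/*
 * Added example (not the original posts' code, not ESAPI). One instance lives in
 * the HttpSession for the lifetime of the login, e.g.
 *     session.setAttribute("csrf", new CsrfToken(Duration.ofMinutes(30)));
 * Every protected form renders hiddenField(); every state-changing handler calls
 *     token.isValid(request.getParameter(CsrfToken.FIELD_NAME))
 * before doing any work. Attribute and field names are assumptions.
 */
public final class CsrfToken {

    public static final String FIELD_NAME = "csrf_token";
    private static final SecureRandom RNG = new SecureRandom();   // CSPRNG, never java.util.Random

    private final byte[] secret = new byte[32];   // 256 random bits, unrelated to the user id
    private final Instant expiresAt;

    public CsrfToken(Duration validity) {
        RNG.nextBytes(secret);
        this.expiresAt = Instant.now().plus(validity);
    }

    /** Value to place in the hidden form field (base64url, so it needs no HTML escaping). */
    public String token() {
        return Base64.getUrlEncoder().withoutPadding().encodeToString(secret);
    }

    /** HTML fragment for the form. */
    public String hiddenField() {
        return "<input type=\"hidden\" name=\"" + FIELD_NAME + "\" value=\"" + token() + "\">";
    }

    /** Server-side check to run before processing any state-changing request. */
    public boolean isValid(String submitted) {
        return isValid(submitted, Instant.now());
    }

    /** Same check with an explicit clock, so the expiry path can be exercised. */
    boolean isValid(String submitted, Instant now) {
        if (submitted == null || now.isAfter(expiresAt)) {
            return false;                         // missing field or token past its lifetime
        }
        byte[] theirs;
        try {
            theirs = Base64.getUrlDecoder().decode(submitted);
        } catch (IllegalArgumentException e) {
            return false;                         // not base64url: reject, don't throw into the handler
        }
        // Constant-time comparison; String.equals would stop at the first differing
        // byte and leak how much of the token an attacker has guessed correctly.
        return MessageDigest.isEqual(secret, theirs);
    }

    // Stand-alone demonstration on constructed input (no session, no container).
    public static void main(String[] args) {
        CsrfToken token = new CsrfToken(Duration.ofMinutes(30));
        String genuine = token.token();
        // Flip the first character, which carries the top bits of byte 0, so the
        // decoded value is guaranteed to differ.
        String forged = (genuine.charAt(0) == 'A' ? "B" : "A") + genuine.substring(1);
        Instant afterExpiry = Instant.now().plus(Duration.ofMinutes(31));

        System.out.println("genuine token accepted: " + token.isValid(genuine));
        System.out.println("forged token accepted:  " + token.isValid(forged));
        System.out.println("missing token accepted: " + token.isValid(null));
        System.out.println("garbage token accepted: " + token.isValid("not*base64"));
        System.out.println("expired token accepted: " + token.isValid(genuine, afterExpiry));
    }
}
```

Keep the token's validity no longer than the session timeout, regenerate it on login so a pre-login token cannot be fixed by an attacker, and reject a request whose session holds no CsrfToken at all rather than treating the absence as a pass.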