
Clickjacking protection in IIS7

Configure IIS to prevent Clickjacking

Follow these steps:

  • Open Internet Information Services (IIS) Manager.
  • In the Connections pane on the left side, expand the Sites folder and select the site that you want to protect.
  • Double-click the HTTP Response Headers icon in the feature list in the middle.
  • In the Actions pane on the right side, click Add.
  • In the dialog box that appears, type X-Frame-Options in the Name field and type SAMEORIGIN in the Value field.
  • Click OK to save your changes.

References

http://support.microsoft.com/kb/2694329

Prevention of Web Page Caching – PHP

Method

Add the following code to the page, before any output is sent, to prevent the page from being cached:

// no-store keeps the page out of the browser cache; Pragma and Expires cover HTTP/1.0 caches.
header('Cache-Control: no-cache, no-store, must-revalidate');
header('Pragma: no-cache');
header('Expires: 0');

Reference

http://wiki.asp.net/page.aspx/1487/prevent-browser-caching-of-web-pages-…
https://www.owasp.org/index.php/Testing_for_Logout_and_Browser_Cache_Man…(OWASP-AT-007)

Prevention of Web Page Caching – JAVA

Method

Add the following code to the page, before the response is committed, to prevent the page from being cached:

response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate");
response.setHeader("Pragma", "no-cache");
response.setDateHeader("Expires", 0);

Reference

https://weblogs.java.net/blog/swchan2/archive/2013/08/29/when-httpsessio…

Prevention of Web Page Caching – ASP.NET

Method

Add the following code to the page to prevent it from being cached:

// no-store keeps the page out of the browser cache; Pragma and Expires cover HTTP/1.0 caches.
Response.AppendHeader("Cache-Control", "no-cache, no-store, must-revalidate");
Response.AppendHeader("Pragma", "no-cache");
Response.AppendHeader("Expires", "0");

Reference

http://support.microsoft.com/kb/234067
http://wiki.asp.net/page.aspx/1487/prevent-browser-caching-of-web-pages-…
http://msdn.microsoft.com/en-us/library/ms178606(v=vs.100).aspx
http://support.microsoft.com/kb/q222064
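The clickjacking and anti-caching sections above each describe a header to set; the following checker, an added example that is not code from the original page, audits a response's headers for both (X-Frame-Options, and the Cache-Control/Pragma/Expires trio) and reports what is missing. The sample header sets are constructed, and DENY is accepted alongside SAMEORIGIN because it is the stricter standard value.

```python
"""Audit one HTTP response's headers for the X-Frame-Options and anti-caching
settings described above (added example, not code from the original page)."""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

REQUIRED_CACHE_DIRECTIVES = {"no-cache", "no-store", "must-revalidate"}
ALLOWED_FRAME_OPTIONS = {"SAMEORIGIN", "DENY"}  # DENY is the stricter option


def _expires_in_past(value, now):
    """Expires of '0' or '-1' means 'already stale'; otherwise it must be a past date."""
    if value in ("0", "-1"):
        return True
    try:
        return parsedate_to_datetime(value) <= now
    except (TypeError, ValueError):  # unparseable or naive date: not protected
        return False


def audit_headers(headers, now=None):
    """Return a list of findings for the response; an empty list means it passes."""
    now = now or datetime.now(timezone.utc)
    h = {k.strip().lower(): v.strip() for k, v in headers.items()}
    findings = []
    xfo = h.get("x-frame-options")
    if xfo is None:
        findings.append("X-Frame-Options missing: response can be framed")
    elif xfo.upper() not in ALLOWED_FRAME_OPTIONS:
        findings.append(f"X-Frame-Options value {xfo!r} not recognised; use SAMEORIGIN or DENY")
    directives = {d.strip().lower() for d in h.get("cache-control", "").split(",") if d.strip()}
    missing = sorted(REQUIRED_CACHE_DIRECTIVES - directives)
    if missing:
        findings.append("Cache-Control lacks: " + ", ".join(missing))
    if h.get("pragma", "").lower() != "no-cache":
        findings.append("Pragma: no-cache missing (needed by HTTP/1.0 caches)")
    if "expires" not in h or not _expires_in_past(h["expires"], now):
        findings.append("Expires missing or not in the past")
    return findings


# Constructed sample responses, not captured from any real server.
WEAK_HEADERS = {"Content-Type": "text/html", "Cache-Control": "private, max-age=600"}
HARDENED_HEADERS = {"X-Frame-Options": "SAMEORIGIN", "Pragma": "no-cache",
                    "Cache-Control": "no-cache, no-store, must-revalidate", "Expires": "0"}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label, audit_headers(hdrs) or ["OK"])
```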

Setting Session Timeout – Apache

Method#1 In php.ini file

Add the following line to php.ini (the value is in seconds):

session.gc_maxlifetime = 1000

Method#2 Using .htaccess

Add the following line to .htaccess (mod_php reads php_value directives there; ini_set() is a PHP function and cannot be used in .htaccess):

php_value session.gc_maxlifetime 1000

Method#3 In httpd.conf file

Add the following line to httpd.conf:

Timeout 1000

(The value is in seconds.)

Reference

http://php.net/manual/en/ref.session.php

Setting Session Timeout – ASP.NET

Method #1 in web.config 

Add the following to web.config (in this example the timeout is set to 15 minutes):

<system.web>
  <sessionState timeout="15">
  </sessionState>
</system.web>

Method #2 in Global.asax

Add the following lines to the Session_Start event in Global.asax:

void Session_Start(object sender, EventArgs e)
{
   Session.Timeout = 15; // minutes
}

References

http://msdn.microsoft.com/en-us/library/ms525473(v=VS.90).aspx

Setting Session Timeout – Java

Method#1

In the servlet, call the setMaxInactiveInterval method on the session object:

HttpSession session = request.getSession();
session.setMaxInactiveInterval(900); // seconds

(In this example, session time out is set for 900 seconds.)

Method#2

Set the timeout through web.xml:

<session-config>
  <session-timeout>10</session-timeout>
</session-config>

(Here the timeout is 10 minutes.)

Reference

http://docs.oracle.com/cd/E17802_01/webservices/webservices/docs/1.6/api…

SQLi – PHP Secure Coding

Method #1
Escaping special characters in a string for use in an SQL statement

<?php
  // Note: the mysql_* extension is deprecated since PHP 5.5 and removed in PHP 7;
  // on current PHP use Method #2 (PDO prepared statements) instead.
  $name = mysql_real_escape_string( $_POST['name'] );
  $pwd  = mysql_real_escape_string( $_POST['pwd'] );

  // The escaped values must sit inside single quotes for the escaping to be effective.
  $str_sql = "SELECT * from `tbl_users` WHERE " .
             "usr_name='" . $name . "' AND " .
             "usr_pwd='" . $pwd . "'";

  $result = mysql_query( $str_sql ) or die ( mysql_error() );
?>

Method #2
Using prepared statements and parameterized queries:

Case #1
When connecting to the database

<?php
  $pdo = new PDO('mysql:dbname=db;host=127.0.0.1;charset=utf8', 'username', 'password');

  $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
  $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
?>

Case #2
When retrieving data

<?php
  $stmt = $pdo->prepare('SELECT * FROM tables WHERE name = :name');
  $stmt->execute(array(':name' => $name));
  foreach ($stmt as $row) {
      echo $row[0];
  }
?>

Case #3
When inserting data

<?php
   $preparedStatement = $pdo->prepare('INSERT INTO table (column) VALUES (:column)');
   $preparedStatement->execute(array(':column' => $unsafeValue));
?>

The same technique applies to UPDATE and DELETE statements.

References
http://php.net/manual/en/security.database.sql-injection.php
http://php.net/manual/en/function.mysql-real-escape-string.php
http://php.net/manual/en/book.pdo.php

SQLi – ASP.NET Secure Coding

Using a Parameterized Query / Prepared Statement

The use of parameterized stored procedures is an effective mechanism to avoid most forms of SQL Injection. Parameterized queries do proper substitution of arguments prior to running the SQL query. They completely remove the possibility of "dirty" input changing the meaning of your query.

// Build the query statement using a parameterized query: the SQL text is fixed
// and user input only ever arrives through the parameters.
string sql = "SELECT UserId FROM Users WHERE UserName = @UserName AND Password = @Password";
using (SqlCommand cmd = new SqlCommand(sql))
{
    // Create the parameter objects as specifically as possible (type and length).
    cmd.Parameters.Add("@UserName", System.Data.SqlDbType.NVarChar, 50);
    cmd.Parameters.Add("@Password", System.Data.SqlDbType.NVarChar, 25);

    // Add the parameter values. Validation should have already happened.
    cmd.Parameters["@UserName"].Value = UserName;
    cmd.Parameters["@Password"].Value = Password;
    cmd.Connection = connection; // an SqlConnection created elsewhere
    try
    {
        cmd.Connection.Open();
        var userId = cmd.ExecuteScalar();
    }
    catch (SqlException sx)
    {
        // Handle exceptions before moving on.
    }
}

References
https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
http://msdn.microsoft.com/en-us/library/ff648339.aspx

SQLi – JAVA Secure Coding

Use PreparedStatement instead of dynamic queries.

All data access techniques provide some means for escaping SQL meta-characters automatically.
Variables passed as arguments to prepared statements will automatically be escaped by the JDBC driver.

// The "?" placeholder is bound by the driver; userId is never spliced into the SQL text.
String selectStatement = "SELECT * FROM User WHERE userId = ? ";
PreparedStatement prepStmt = con.prepareStatement(selectStatement);
prepStmt.setString(1, userId);
ResultSet rs = prepStmt.executeQuery();

References
https://www.owasp.org/index.php/Preventing_SQL_Injection_in_Java
https://www.java.net/node/678819
http://download.oracle.com/oll/tutorials/SQLInjection/index.htm
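The three SQLi sections above (PHP, ASP.NET and Java) all recommend the same thing: keep the SQL text fixed and pass input through parameters. The following added example, not code from the original page, puts the string-concatenation pattern next to the parameterized one against an in-memory SQLite table with constructed rows, so you can see a plain quote character in the input break the concatenated query while the parameterized query treats it as data.

```python
"""Contrast SQL built by string concatenation with a parameterized query, the
fix the three SQLi sections above recommend (added example, not page code)."""
import sqlite3


def make_db():
    """In-memory users table with constructed rows (not real credentials)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE tbl_users (user_id INTEGER, usr_name TEXT, usr_pwd TEXT)")
    con.executemany("INSERT INTO tbl_users VALUES (?, ?, ?)",
                    [(1, "alice", "pw-a"), (2, "o'brien", "pw-b")])
    return con


def lookup_concat(con, name, pwd):
    """The pattern the page warns against: input is spliced into the SQL text,
    so a quote character in the input is read as SQL syntax, not as data."""
    sql = ("SELECT user_id FROM tbl_users WHERE usr_name='" + name +
           "' AND usr_pwd='" + pwd + "'")
    return [row[0] for row in con.execute(sql)]


def lookup_param(con, name, pwd):
    """Parameterized form: the driver binds name and pwd as values; the SQL
    text is fixed, so input can never change the meaning of the query."""
    sql = "SELECT user_id FROM tbl_users WHERE usr_name=? AND usr_pwd=?"
    return [row[0] for row in con.execute(sql, (name, pwd))]


def compare(name, pwd):
    """Run both lookups on fresh data. The concat result is the matched ids or
    the database error it provoked; the param result is always the matched ids."""
    con = make_db()
    try:
        concat = lookup_concat(con, name, pwd)
    except sqlite3.Error as exc:
        concat = "error: " + str(exc)
    return {"concat": concat, "param": lookup_param(con, name, pwd)}


if __name__ == "__main__":
    print(compare("alice", "pw-a"))    # both paths find user 1
    print(compare("o'brien", "pw-b"))  # concat breaks on the quote, param finds user 2
```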