Saturday, July 14, 2012

Acunetix Vulnerability Scanner and a Penetration Test

By Kate Bailey


One of the most effective methods of preventing SQL injection is to thoroughly validate every input from the user: identify all meta-characters that the database system could interpret and filter them out. Filters should be in place to remove everything but known good data. An account lockout policy should also be in place to prevent brute-force guessing of passwords. Acunetix Vulnerability Scanners can help.

All validation for security purposes must be carried out within the server-side script and not through client-side validation such as JavaScript, since the user can easily bypass it by disabling JavaScript in their browser. When dealing with a numeric input, such as an age, telephone number or credit/debit card number, the value of the variable should be passed through a specially constructed function to ensure that the data consists only of numeric characters (and possibly spaces). Similar functions can be constructed to handle other data types such as dates, integers and floats. Alternatively, for some numeric fields such as integers or dates, the input method could be a drop-down selection box. If the input is selected from a drop-down box it would be generated by the source code and no validation will be necessary.
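The paragraphs above describe the server-side approach: a purpose-built function per data type that accepts only known-good characters and rejects everything else. The following is an added example written for this page, not code from the original post or from Acunetix; the form fields, the allowed options and the sample submissions are all constructed assumptions. It also treats a drop-down selection the same way as typed input, because the browser submits it as an ordinary string and the server only sees that string.

```python
import re
from datetime import date

# Added example, not code from the original post or from Acunetix: allow-list
# validators for a server-side script. Every field name and rule below is a
# constructed assumption for illustration.

# Allow-list patterns; anything that does not match in full is rejected.
_NUMERIC_RE = re.compile(r"[0-9 ]+")          # digits and spaces (phone, card number)
_INTEGER_RE = re.compile(r"-?[0-9]+")
_FLOAT_RE = re.compile(r"-?[0-9]+(\.[0-9]+)?")
_DATE_RE = re.compile(r"[0-9]{4}-[0-9]{2}-[0-9]{2}")


class ValidationError(ValueError):
    """Raised when a submitted value is not known-good data."""


def _require_str(value, max_len: int = 64) -> str:
    # Form values arrive as strings; reject anything else, and anything
    # oversized, before a pattern is even applied.
    if not isinstance(value, str) or len(value) > max_len:
        raise ValidationError("value must be a string of at most %d characters" % max_len)
    return value


def validate_numeric(value) -> str:
    """Accept only digits and spaces, e.g. a telephone or card number."""
    text = _require_str(value)
    if not _NUMERIC_RE.fullmatch(text):
        raise ValidationError("numeric field may contain only digits and spaces")
    return text


def validate_integer(value, lo=None, hi=None) -> int:
    """Accept a whole number, optionally bounded to [lo, hi]."""
    text = _require_str(value)
    if not _INTEGER_RE.fullmatch(text):
        raise ValidationError("integer field may contain only digits")
    number = int(text)
    if (lo is not None and number < lo) or (hi is not None and number > hi):
        raise ValidationError("integer out of range")
    return number


def validate_float(value) -> float:
    """Accept a plain decimal number such as 12.50 (no exponents, no signs in odd places)."""
    text = _require_str(value)
    if not _FLOAT_RE.fullmatch(text):
        raise ValidationError("decimal field may contain only digits and one point")
    return float(text)


def validate_date(value) -> date:
    """Accept an ISO date (YYYY-MM-DD) that is also a real calendar date."""
    text = _require_str(value)
    if not _DATE_RE.fullmatch(text):
        raise ValidationError("date must be in YYYY-MM-DD form")
    try:
        return date.fromisoformat(text)
    except ValueError:
        raise ValidationError("date is not a real calendar date") from None


def validate_choice(value, allowed) -> str:
    """Check a drop-down value against the server's own list of options.

    The browser sends a drop-down selection as an ordinary string, so it gets
    the same server-side treatment as typed input.
    """
    text = _require_str(value)
    if text not in allowed:
        raise ValidationError("value is not one of the permitted options")
    return text


# Constructed rules for a hypothetical registration form.
FORM_RULES = {
    "age": lambda v: validate_integer(v, lo=0, hi=150),
    "phone": validate_numeric,
    "balance": validate_float,
    "dob": validate_date,
    "role": lambda v: validate_choice(v, ("student", "alumni")),
}


def validate_form(form: dict) -> tuple:
    """Return (clean_values, errors); each field lands in exactly one of the two."""
    clean, errors = {}, {}
    for field, rule in FORM_RULES.items():
        try:
            clean[field] = rule(form.get(field))
        except ValidationError as exc:
            errors[field] = str(exc)
    return clean, errors


def is_known_good(field: str, value) -> bool:
    """Convenience check: does a single value pass the rule for `field`?"""
    try:
        FORM_RULES[field](value)
        return True
    except ValidationError:
        return False


if __name__ == "__main__":
    # Constructed sample submissions: one clean, one with hostile values.
    print(validate_form({"age": "21", "phone": "555 0100", "balance": "12.50",
                         "dob": "1991-02-28", "role": "student"}))
    print(validate_form({"age": "21; DROP TABLE users", "phone": "555-0100",
                         "balance": "1e9", "dob": "2012-02-30", "role": "admin"}))
```

The patterns are applied with `fullmatch` rather than `match` with a trailing `$`, because `$` still matches before a final newline and would let a value such as `"123\n"` through. A rejected field is reported with a generic reason only; the offending value itself is kept for the server log, not echoed back to the browser.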

In December 2006, University of Colorado, Boulder experienced a hack attack that resulted in the theft of thousands of names and social security numbers - a total of 17,500 records were compromised. University of Texas, Dallas, reported in December 2006 that the data of 35,000 individuals (current students and alumni) was compromised. Social security numbers were exposed, according to the Privacy Clearing House.

Changing Trends in What Motivates Hackers

According to Zone-H, the top 50 attackers defaced a total of approximately 2.5 million websites all over the globe. According to the CSI/FBI Computer Crime and Security Survey 2005, one of the most dramatic findings was the exponential increase in website defacement experienced by their respondents: in 2004, 5% of the respondents experienced defacement, while in 2005 that figure went up to 95%.

One line of defense is the restriction of error messages. Error messages are normally generated in HTML, which an attacker will be able to view. The details of all error messages should be logged in a database or file on the server and displayed through a dynamically produced error page. It is important to have the proper website security when you have your own business online. Using a vulnerability scanner is a smart idea. Don't forget to have your site scanned with an Acunetix Vulnerability Scanner.
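The error-handling rule above, logged details on the server and a dynamically produced generic page for the browser, as an added example that is not part of the original post or any Acunetix product. The in-memory log list stands in for the database table or file the post mentions, the failing `run_query` is a constructed stand-in for a database call that raises an error carrying internal details, and `verbose_error_page` shows the pattern the post warns against for comparison.

```python
import html
import secrets
import traceback

# Added example, not code from the original post or from Acunetix. The log
# list, the request handler and the failing database stand-in are constructed.

# Stand-in for the server-side error store (a database table or log file in
# production). Nothing in it is ever sent to the browser.
SERVER_ERROR_LOG = []

GENERIC_PAGE = (
    "<html><body><h1>Something went wrong</h1>"
    "<p>The request could not be completed. Reference: {ref}</p>"
    "</body></html>"
)


def _format_exception(exc: Exception) -> str:
    # Full traceback text, the same thing a default error page would print.
    return "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))


def verbose_error_page(exc: Exception) -> str:
    """The pattern the post warns against: internals rendered straight into HTML."""
    return "<pre>" + html.escape(_format_exception(exc)) + "</pre>"


def restricted_error_page(exc: Exception, request_path: str) -> str:
    """Log the full details server-side and show the user only a reference id."""
    ref = secrets.token_hex(8)
    SERVER_ERROR_LOG.append({
        "ref": ref,
        "path": request_path,
        "type": type(exc).__name__,
        "message": str(exc),
        "traceback": _format_exception(exc),
    })
    return GENERIC_PAGE.format(ref=ref)


def run_query(table: str) -> str:
    """Constructed stand-in for a database call; fails with an internal detail."""
    if table != "public_news":
        raise RuntimeError(
            "connection to db-internal.example:5432 refused for table %r" % table)
    return "<p>0 rows</p>"


def handle_request(path: str, table: str) -> str:
    """Serve a constructed request; any failure goes through the restricted page."""
    try:
        return run_query(table)
    except Exception as exc:
        return restricted_error_page(exc, path)


def render_both(path: str, table: str) -> tuple:
    """Return (verbose_page, restricted_page) for one failure, for comparison."""
    try:
        body = run_query(table)
        return body, body
    except Exception as exc:
        return verbose_error_page(exc), restricted_error_page(exc, path)


def lookup_reference(ref: str):
    """What an operator does with the id a user reports: fetch the full record."""
    for entry in SERVER_ERROR_LOG:
        if entry["ref"] == ref:
            return entry
    return None


if __name__ == "__main__":
    verbose, restricted = render_both("/search", "orders")
    print(verbose)      # host name, port and stack trace visible to the browser
    print(restricted)   # only a random reference id visible to the browser
```

The reference id is the only link between what the user sees and what the server stored; it is random rather than sequential so that it reveals nothing about how many errors the site has produced.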
