Last modified on 1/27/2010 5:49 AM by User.

Web Application Hardening Techniques

SQL Injection
All database access in the DiaWEB application goes through LINQ to SQL, which works with rows as native objects and translates query expressions into parameterized SQL. Because user input is always bound as a query parameter rather than concatenated into SQL text, the ordinary SQL injection points are removed. The one caveat is that LINQ to SQL still exposes raw-SQL entry points (DataContext.ExecuteQuery and ExecuteCommand); these must be given their {0}-style placeholders with the values passed as arguments, never a string built by concatenation, or the protection is lost.
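The three patterns below illustrate the point, as an added example rather than DiaWEB's own code: the LINQ query and the placeholder form of ExecuteQuery are both parameterized, while the concatenated form is the one case that still injects. Patient, Patients and DiaDataContext are hypothetical names standing in for the application's LINQ to SQL model.

```csharp
// Added example, not DiaWEB's own code. Patient, Patients and DiaDataContext
// are hypothetical names standing in for the application's LINQ to SQL model.
using System;
using System.Collections.Generic;
using System.Data.Linq;
using System.Data.Linq.Mapping;
using System.Linq;

[Table(Name = "Patients")]
public class Patient
{
    [Column(IsPrimaryKey = true)] public int Id;
    [Column] public string LastName;
}

public class DiaDataContext : DataContext
{
    public DiaDataContext(string connectionString) : base(connectionString) { }
    public Table<Patient> Patients { get { return GetTable<Patient>(); } }
}

public class PatientRepository
{
    private readonly DiaDataContext db;
    public PatientRepository(DiaDataContext context) { db = context; }

    // Safe. LINQ to SQL translates the expression to
    //   SELECT ... FROM [Patients] WHERE [LastName] = @p0
    // and sends lastName as @p0, so an input such as  ' OR 1=1 --
    // is matched as a literal surname and returns no rows.
    public IQueryable<Patient> FindByLastName(string lastName)
    {
        return db.Patients.Where(p => p.LastName == lastName);
    }

    // Also safe. ExecuteQuery takes String.Format-style placeholders and binds
    // each {n} argument as a SQL parameter instead of splicing it into the text.
    public IEnumerable<Patient> FindByLastNameRaw(string lastName)
    {
        return db.ExecuteQuery<Patient>(
            "SELECT Id, LastName FROM Patients WHERE LastName = {0}", lastName);
    }

    // VULNERABLE, shown only as the pattern to reject in code review: the SQL
    // text is assembled by concatenation and reaches the server unparameterized,
    // so using LINQ to SQL gives no protection at all here.
    public IEnumerable<Patient> FindByLastNameUnsafe(string lastName)
    {
        return db.ExecuteQuery<Patient>(
            "SELECT Id, LastName FROM Patients WHERE LastName = '" + lastName + "'");
    }
}
```

When auditing a LINQ to SQL code base, the search is therefore short: every call to ExecuteQuery or ExecuteCommand whose first argument is not a constant string is a candidate injection point.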

Cross-Site Scripting (XSS)
XSS has been mitigated by passing all application output through the HTMLEncode, URLEncode, or XMLEncode function appropriate to the context the value is written into (HTML body text, a URL or query-string value, or an XML document). Encoding is applied at the point of output, not when the data is stored, and the encoder must match the output context: HTML encoding alone does not make a value safe inside a script block or as a complete, user-supplied URL.
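As an added example (not code from DiaWEB), the helper below applies System.Web's HttpUtility encoders by context when rendering a link from user-controlled text and query, and shows the one case the page's encoders do not cover on their own: a whole URL supplied by the user, where the dangerous part is the scheme rather than any character an encoder would escape. SafeOutput, RenderResultLink and SafeHref are hypothetical names.

```csharp
// Added example, not DiaWEB's own code. SafeOutput and its methods are
// hypothetical names; the encoders are the standard System.Web ones.
using System;
using System.Web;

public static class SafeOutput
{
    // Renders a search-result link whose visible text and query both come from
    // user input. Each value gets the encoder for the context it lands in:
    //   query    -> URL encoding inside the query string
    //   userText -> attribute encoding inside title="...", HTML encoding in the body
    // Attributes are always double-quoted; HtmlAttributeEncode is not guaranteed
    // to encode the single quote on every framework version.
    public static string RenderResultLink(string userText, string query)
    {
        return "<a href=\"/search?q=" + HttpUtility.UrlEncode(query) + "\""
             + " title=\"" + HttpUtility.HtmlAttributeEncode(userText) + "\">"
             + HttpUtility.HtmlEncode(userText) + "</a>";
    }

    // A URL that is entirely user-supplied is a different problem: encoding
    // cannot neutralise "javascript:alert(1)" because the scheme is the payload.
    // Accept only site-relative paths or absolute http(s) URLs; anything else
    // is replaced by a harmless "#".
    public static string SafeHref(string candidate)
    {
        if (string.IsNullOrEmpty(candidate)) return "#";

        // Site-relative path ("/x"), but not a protocol-relative one ("//evil").
        if (candidate.StartsWith("/") && !candidate.StartsWith("//"))
            return HttpUtility.HtmlAttributeEncode(candidate);

        Uri uri;
        if (Uri.TryCreate(candidate, UriKind.Absolute, out uri)
            && (uri.Scheme == Uri.UriSchemeHttp || uri.Scheme == Uri.UriSchemeHttps))
            return HttpUtility.HtmlAttributeEncode(uri.AbsoluteUri);

        return "#";
    }

    // Values written into inline JavaScript are a third context and need a
    // JavaScript string encoder as well (HttpUtility.JavaScriptStringEncode
    // from .NET 4 onward); none of the helpers above is safe there.
}
```

For the input `<script>alert(1)</script>`, RenderResultLink emits `&lt;script&gt;alert(1)&lt;/script&gt;` in the body and `%3cscript%3ealert(1)%3c%2fscript%3e` in the query string, so the same value is rendered inert twice, once per context.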

Session State Defense: general measures against replay, session hijacking, tampering, and similar attacks.

  • Session identifiers are accepted only from the session cookie, never from GET or POST variables (in ASP.NET this is the sessionState cookieless="UseCookies" setting). The site should run over SSL so the cookie is encrypted on the wire, and the cookie should then also carry the Secure attribute (httpCookies requireSSL="true") so the browser never sends it over plain HTTP.
  • Session cookies carry the HttpOnly attribute (httpCookies httpOnlyCookies="true"), which stops script on the page from reading, modifying, or copying the cookie through document.cookie. HttpOnly limits cookie theft, not cookie use: injected script can still issue requests to which the browser attaches the cookie.
  • A new session ID is generated on every login, so an ID fixed or observed before authentication is not carried into the authenticated session. In ASP.NET, Session.Abandon() by itself does not change the ID while the browser still holds the old ASP.NET_SessionId cookie; the cookie has to be replaced (for example through SessionIDManager) for the ID to actually rotate.
  • The user name in the authorization token is validated against the name stored in the session on each request, confirming that the authorization token has not been swapped without going through the login routine.
  • An anti-forgery token is created on every request and validated on every POST, so a form submission is accepted only if it was issued by a page the server rendered for this session.
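The following helper ties the last three measures together (session ID rotation at login, the per-request identity-to-session check, and the per-request anti-forgery token). It is an added example, not DiaWEB's own code, and assumes ASP.NET Web Forms with forms authentication and cookie-based session state; SessionHardening, the "AuthUser" and "AntiForgeryToken" session keys, and the "__af" hidden-field name are hypothetical.

```csharp
// Added example, not DiaWEB's own code. Assumes ASP.NET Web Forms with forms
// authentication and cookie-based session state. SessionHardening, the session
// keys and the "__af" hidden-field name are hypothetical.
using System;
using System.Security.Cryptography;
using System.Web;
using System.Web.Security;
using System.Web.SessionState;

public static class SessionHardening
{
    private const string UserKey = "AuthUser";
    private const string TokenKey = "AntiForgeryToken";
    public const string TokenField = "__af";

    // Call once the password check has succeeded. Session.Abandon() alone keeps
    // the old ID, because the browser still presents the old ASP.NET_SessionId
    // cookie, so a fresh ID is issued explicitly. The new session is empty on
    // the next request; EnforceIdentityBinding re-establishes the binding there.
    public static void RotateSessionId(HttpContext ctx)
    {
        ctx.Session.Clear();
        ctx.Session.Abandon();
        var mgr = new SessionIDManager();
        mgr.Initialize();
        bool redirected, cookieAdded;
        mgr.SaveSessionID(ctx, mgr.CreateSessionID(ctx), out redirected, out cookieAdded);
    }

    // Run on every request once session state is available (for example from
    // Application_PostAcquireRequestState in Global.asax). Binds the forms-auth
    // identity to the session the first time it is seen and rejects any later
    // request whose authorization cookie names a different user.
    public static bool EnforceIdentityBinding(HttpContext ctx)
    {
        if (ctx.Session == null || ctx.User == null || !ctx.User.Identity.IsAuthenticated)
            return true;                               // anonymous request: nothing to bind

        var current = ctx.User.Identity.Name;
        var bound = ctx.Session[UserKey] as string;
        if (bound == null)
        {
            ctx.Session[UserKey] = current;            // first request of a fresh session
            return true;
        }
        if (string.Equals(bound, current, StringComparison.Ordinal))
            return true;

        // The auth cookie and the session disagree: drop both and force a new login.
        FormsAuthentication.SignOut();
        ctx.Session.Clear();
        ctx.Session.Abandon();
        return false;
    }

    // Issue a fresh random token for the page being rendered. It is kept in the
    // session and echoed in a hidden field, so a cross-site form post, which
    // cannot read the page, cannot know the value to send back.
    public static string IssueToken(HttpSessionState session)
    {
        var bytes = new byte[32];
        new RNGCryptoServiceProvider().GetBytes(bytes);
        var token = Convert.ToBase64String(bytes);
        session[TokenKey] = token;
        return token;
    }

    // Validate on every POST. The token is removed after one use, so a captured
    // form cannot be replayed, and the comparison is constant-time so a partial
    // match does not leak through timing. Non-POST requests are not checked.
    public static bool ValidateToken(HttpContext ctx)
    {
        if (!string.Equals(ctx.Request.HttpMethod, "POST", StringComparison.OrdinalIgnoreCase))
            return true;
        var expected = ctx.Session[TokenKey] as string;
        var supplied = ctx.Request.Form[TokenField];
        ctx.Session.Remove(TokenKey);
        return expected != null && supplied != null && FixedTimeEquals(expected, supplied);
    }

    public static bool FixedTimeEquals(string a, string b)
    {
        if (a.Length != b.Length) return false;
        var diff = 0;
        for (var i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

Two design notes. The identity check is done against ctx.User.Identity.Name, which forms authentication populates from the authorization cookie, so it is the cookie-side name that is compared with the session-side name. A per-request, single-use token has a usability cost that comes with the page's chosen design: if the same user opens two pages of the application in two tabs, the second page's token replaces the first, and the first form will be rejected and must be resubmitted.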