Secure Coding Blog

Fixing Unvalidated Redirects and Forwards in ASP.NET

Abhilash — Wed, 02 May 2012 04:01:26 +0000

The following code will allow you prevent unvalidated redirects and Fowards in ASP.NET

How to Fix Unvalidated Redirects and Forwards

Abhilash — Wed, 02 May 2012 03:59:27 +0000

An unvalidated redirect allows an attacker to exploit the trust a user has in a particular domain by using it as a stepping stone to another arbitrary, likely malicious site. An unvalidated forward allows an attacker’s request to be forwarded past security checks, allowing unauthorized function or data access. Fixing Unvalidated Redirects and Forwards in ASP.NET

Fixing Insecure Cryptographic Storage in ASP.NET

Abhilash — Wed, 02 May 2012 03:48:08 +0000

As seen below using the following code we can encrypt sensitive values such as passwords in ASP.NET

Fixing Cross-site Scripting in ASP.NET

Abhilash — Wed, 02 May 2012 03:36:11 +0000

The HtmlEncode() method can be used when displaying text directly inside HTML tags using block:

Fixing Insecure Cryptographic Storage in Java

Abhilash — Tue, 01 May 2012 05:02:02 +0000

As seen below using the following code we can encrypt sensitive values such as passwords by encrypting and then adding salt to it.

How to Fix Insecure Cryptographic Storage

Abhilash — Tue, 01 May 2012 04:59:24 +0000

Password hashing is the first step towards encrypting passwords before storing it in the database. It is advisable to make sure sensitive parameters like password, credit card information is encrypted by using hashing algorithm so that in the event of a database compromise such information is still secure. To make the hashing stronger it’s recommended to add a Salt to the password string. Salting makes password guessing harder and improbable if the salt is large enough. Fixing Insecure Cryptographic Storage [...]

How to Fix Cross-site Request Forgery Vulnerability

Abhilash — Tue, 01 May 2012 04:51:26 +0000

Cross-Site Request Forgery (CSRF) is an attack that allows a hacker to perform an action on the vulnerable site on behalf of the victim. The attack is possible when the vulnerable site does not properly validate the origin of the request. The attack is performed by forcing the victim’s browser to issue an HTTP request to the vulnerable site. If the user is currently logged-in to the victim site, the request will automatically use the user’s credentials (like session cookies, [...]

How to fix Insecure Direct Object Reference Vulnerability

Abhilash — Tue, 01 May 2012 04:30:43 +0000

Many times application references an object (files) to generate web pages. A simple example is when a user requests his mobile bill and the application fetches it from the server and displays on his screen. Applications don’t always verify the user is authorized for the target object. This results in an insecure direct object reference flaw. An attacker can easily manipulate parameter values and get access to other users details If you must expose direct references to database structures, ensure [...]

Fixing SQL Injection in Hibernate

Abhilash — Tue, 01 May 2012 04:05:17 +0000

Note: This post is part of our series on “How to Fix SQL Injection Vulnerabilities“. The series contains examples on how to fix SQL Injection Vulnerabilities in various programming languages. An SQL Injection attack is a code injection attack when input from an attacker reaches one of your databases without any filteration or validation. As a result, a malicious user can execute Read / Write / Delete / Update query in your database. In addition to this he can also [...]

Fixing Cross-site Scripting in Spring MVC

Abhilash — Tue, 01 May 2012 03:51:24 +0000

In Spring-MVC, form-tags are used to create jsp page. Spring MVC provides multiple options to encode the html-escape-sequences on server side. Add to the web.xml file to apply the filter globaly: At page level, it is defined as a tag-declaration. The code is: