Sunday, March 1, 2009

Wednesday, June 25, 2008

Speed up your website's loading speed

Want to speed up your website? Follow these small steps to improve website performance.

  • Compress the webpage - If the webpage is big, compress it so that it loads faster and needs less bandwidth. Gzip and Deflate are supported by most browsers now.
  • Use caching extensively - Cache your webpage and make it vary by parameters, i.e. cache the page and serve the cached copy that matches the changing parameters.
  • Make JavaScript and CSS external - Put stylesheets at the top and scripts at the bottom.
  • Minimize HTTP requests - Most of the time is spent downloading the components, i.e. images, stylesheets, scripts, Flash etc., so minimize the number of such components.
  • Use a CDN (Content Delivery Network) - If your website has a global audience, you can use a network of web servers around the world to improve its loading time everywhere.
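The first two tips (compression, and caching that varies by parameters) can be wired up in a few lines of ASP.NET. The following is an added example written for this post, not code from the original author; it assumes a Global.asax.cs code-behind in an ASP.NET web site, and it only compresses .aspx responses because static .css and .js files normally do not pass through the ASP.NET pipeline unless IIS is configured to map them.

```csharp
using System;
using System.IO.Compression;
using System.Web;

// Assumed file: Global.asax.cs (example added here, not from the original post)
public class Global : HttpApplication
{
    // Runs once per request, before the page handler executes.
    protected void Application_BeginRequest(object sender, EventArgs e)
    {
        HttpApplication app = (HttpApplication)sender;
        HttpRequest request = app.Request;
        HttpResponse response = app.Response;

        // Compress only generated HTML; images are already compressed and
        // re-compressing them wastes CPU for no bandwidth gain.
        if (!request.Path.EndsWith(".aspx", StringComparison.OrdinalIgnoreCase))
            return;

        // Never send an encoding the browser did not announce it can decode.
        string acceptEncoding = request.Headers["Accept-Encoding"];
        if (string.IsNullOrEmpty(acceptEncoding))
            return;
        acceptEncoding = acceptEncoding.ToLowerInvariant();

        if (acceptEncoding.Contains("gzip"))
        {
            // Wrap the output stream so everything the page writes is gzipped.
            response.Filter = new GZipStream(response.Filter, CompressionMode.Compress);
            response.AppendHeader("Content-Encoding", "gzip");
        }
        else if (acceptEncoding.Contains("deflate"))
        {
            response.Filter = new DeflateStream(response.Filter, CompressionMode.Compress);
            response.AppendHeader("Content-Encoding", "deflate");
        }
        else
        {
            return; // client supports neither; send the page uncompressed
        }

        // This is the "vary by parameters" point from the caching tip: any cache
        // (browser, proxy, output cache) must keep separate copies per encoding,
        // otherwise a compressed body could be served to a client that cannot decode it.
        response.AppendHeader("Vary", "Accept-Encoding");
    }
}
```

The Vary header is the part people forget: without it an intermediate cache may hand the gzipped copy to the next visitor regardless of what that visitor's browser asked for, which shows up as a blank or garbled page.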

Friday, June 20, 2008

Hacking Websites with SQL Injection attacks

Making a website using SQL Server and never heard of SQL injection attacks?
Then please read this post before you go ahead with launching your website.

A small example
Suppose this is the SQL statement for your login control:
select * from profiletable where username='Admin' and password ='P@ssword123'

Now when a user enters Admin'-- in the textbox,
the SQL statement becomes
select * from profiletable where username='Admin'--' and password ='P@ssword123'

In SQL, -- starts a comment, hence the SQL statement which is actually executed is:
select * from profiletable where username ='Admin'
The -- comments out the rest of the query after 'Admin', and hence the user gets access to the details of that user without needing the password.

This was a very simple example of a SQL injection attack. Let's see how an attacker finds out details about the program.

Obtaining information about the database using error messages

An attacker can get information about your database from error messages.
The attacker will purposely enter values in the textbox which are likely to cause an error.
For example, when the input cannot be converted to the expected type, the default error page shows the source lines around the failure:
Line 26:         com.Parameters.Add("@user",SqlDbType.DateTime).Value=TextBox1.Text;
Line 27: //com.Parameters.AddWithValue("user", TextBox1.Text);
Line 28: SqlDataReader dr = com.ExecuteReader();
Line 29: if (dr.Read())

An error message like this gives away a lot of information about your program and database: the parameter name and its type, the control name, and the code structure around the failing line.

Advanced SQL injection attacks include the use of extended and custom stored procedures and many other innovative methods.

Hence follow these guidelines when making a website:

*Use parameterized SQL queries and, if possible, stored procedures - (parameterized queries pass the entered input as data rather than as part of the SQL text, and stored procedures do not show the query details on errors)

*Use LINQ if you are building your application on the .NET 3.5 framework. LINQ is safer and faster than SQL.

*Use TRY/CATCH blocks around SQL queries and define custom error pages.

*Make your application an N-layer application, with clearly defined rules in the business layer about who can access the data layer.

*Reject bad input, accept good input: validation
  • Escape single quotes
function escape( input )
    ' doubling each single quote keeps it inside the string literal
    input = replace(input, "'", "''")
    escape = input
end function
  • Reject known bad input
function validate_string( input )
    known_bad = array( "select", "insert", "update", "delete", "drop", "--", "'" )
    validate_string = true
    for i = lbound( known_bad ) to ubound( known_bad )
        ' case-insensitive search for each known bad token
        if ( instr( 1, input, known_bad(i), vbtextcompare ) <> 0 ) then
            validate_string = false
            exit function
        end if
    next
end function
  • Allow only good input
function validatepassword( input )
    good_password_chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
    validatepassword = true
    for i = 1 to len( input )
        c = mid( input, i, 1 )
        ' any character outside the allowed set rejects the whole input
        if ( InStr( good_password_chars, c ) = 0 ) then
            validatepassword = false
            exit function
        end if
    next
end function

*SQL lockdown
  • Determine the methods of connection to the server - Verify that only the network libraries you are using are enabled, using the 'Network utility'.
  • Verify which accounts exist - Remove unnecessary accounts, ensure that all accounts have strong passwords, and run a password-auditing script against the server on a regular basis.
  • Verify which objects exist - Remove the extended stored procedures which are not needed.
There are tools to determine this which you can find at www.Sqlsecurity.com.
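To make the first guideline (parameterized queries and stored procedures) concrete, here is an added C# example written for this post; it is not code from the original author. It assumes the profiletable from the login example above, an already open SqlConnection, and a stored procedure named usp_CheckLogin with two parameters, which is an assumption and does not appear on the page. The plaintext password column is kept only to mirror the post's example; in a real application the column would hold a salted hash and the comparison would happen in code.

```csharp
using System.Data;
using System.Data.SqlClient;

// Added example, not from the original post.
public static class LoginCheck
{
    // VULNERABLE: the user's text is glued into the SQL text, so the input  Admin'--
    // turns the statement into  ... where username='Admin'--' and password='...'
    // and everything after -- is ignored, exactly as the post describes.
    public static bool LoginUnsafe(SqlConnection con, string user, string pass)
    {
        string sql = "select * from profiletable where username='" + user +
                     "' and password='" + pass + "'";
        using (SqlCommand com = new SqlCommand(sql, con))
        using (SqlDataReader dr = com.ExecuteReader())
        {
            return dr.Read();
        }
    }

    // SAFE: the SQL text is a constant; the input travels as typed parameter values,
    // so a quote or "--" inside it is just data and can never change the query.
    public static bool LoginSafe(SqlConnection con, string user, string pass)
    {
        const string sql =
            "select * from profiletable where username=@user and password=@pass";
        using (SqlCommand com = new SqlCommand(sql, con))
        {
            // Giving the type and length also rejects oversized input early.
            com.Parameters.Add("@user", SqlDbType.NVarChar, 50).Value = user;
            com.Parameters.Add("@pass", SqlDbType.NVarChar, 128).Value = pass;
            using (SqlDataReader dr = com.ExecuteReader())
            {
                return dr.Read();
            }
        }
    }

    // SAFE, via a stored procedure: the query text never leaves the database server,
    // so an error page cannot echo it back. usp_CheckLogin is an assumed name.
    public static bool LoginViaStoredProcedure(SqlConnection con, string user, string pass)
    {
        using (SqlCommand com = new SqlCommand("usp_CheckLogin", con))
        {
            com.CommandType = CommandType.StoredProcedure;
            com.Parameters.Add("@user", SqlDbType.NVarChar, 50).Value = user;
            com.Parameters.Add("@pass", SqlDbType.NVarChar, 128).Value = pass;
            using (SqlDataReader dr = com.ExecuteReader())
            {
                return dr.Read();
            }
        }
    }
}
```

Feed the post's Admin'-- input to LoginUnsafe and the reader returns the Admin row; feed it to LoginSafe and the database simply looks for a user whose name is literally Admin'--, finds none, and the login fails. That difference, not the escaping or keyword-rejection functions above, is what actually closes the hole.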

So now rethink your application and design it using these guidelines.


Tuesday, June 10, 2008

Dynamically add controls to a webpage

It is sometimes important to dynamically generate controls for your application.
To do this, use the code given below:

// at the top of the code-behind file:
using System.Web.UI;
using System.Web.UI.WebControls;

// inside Page_Load (or any other page method):
Label l1 = new Label(); // creating an instance of the control

l1.Text = "Code Snippet "; // defining its properties like text, width, height, style etc.

l1.Width = Unit.Pixel(100); // Width is a Unit, not a string, so "100px" must be expressed as a Unit

this.Controls.Add(l1); // adding it to your page or form

This is a very simple piece of code, but it is just as useful.

Monday, June 9, 2008

A Simple Web Service

Today we will learn how to create a web service. A web service is supposedly much safer and faster and hence very important to any website project.

*To create a web service, go to Add New Item.
*Add a Web Service (.asmx) file to your solution.
*In this file there is a default web method called "HelloWorld" which returns "Hello World".
*You can write your own methods here and declare them as web methods.
*If you don't want to write all the code on the .asmx page, you can write the code in a class file and call those methods from a web method.

*Now to test the service, debug the application; in the browser window you will see the names of the methods that you have defined.
*Click on the method you want to test; this opens a page which shows the specific web method and an "Invoke" button.
*Press the Invoke button and you will see the results as XML.

*Now to add this service to your web site application, follow these steps:
1. Add a web reference to your project; this will give the options below:
  • Web services in the solution
  • Web services on the local machine
  • Browse UDDI Servers on the local network
2. Select the first option if your web service is in the same solution, else choose the second option.
3. Change the namespace for your service as per your requirements; by default it is given the name localhost.

4. Now in your webpage (e.g. Default.aspx) write the following code:
localhost.WebService ws = new localhost.WebService();
Label1.Text = ws.HelloWorld(); // I have included a Label to show the results

That is all you have to do to include a web service in your website.
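The post shows only the generated HelloWorld method. As an added example (not the original author's code), here is what the service class behind the .asmx file looks like once you add a web method that actually takes input. It assumes the class lives in App_Code as WebService.cs and that the .asmx file's directive points at a class named WebService, which is the Visual Studio default; the Greet method and its rules are assumptions for illustration.

```csharp
using System;
using System.Web.Services;

// Added example, not from the original post. Assumed file: App_Code/WebService.cs
// http://tempuri.org/ is the placeholder namespace Visual Studio generates.
[WebService(Namespace = "http://tempuri.org/")]
[WebServiceBinding(ConformsTo = WsiProfiles.BasicProfile1_1)]
public class WebService : System.Web.Services.WebService
{
    // The default method generated by Visual Studio, kept as in the post.
    [WebMethod]
    public string HelloWorld()
    {
        return "Hello World";
    }

    // An added method that takes input. Anything a web method receives comes
    // straight from the caller, so it is checked before use just like a form field.
    [WebMethod(Description = "Returns a greeting for a display name of 1-40 letters")]
    public string Greet(string name)
    {
        if (string.IsNullOrEmpty(name) || name.Length > 40)
            throw new ArgumentException("name must be 1-40 characters");

        // Allow-list check: only letters, so the value is safe to echo into HTML or SQL later.
        foreach (char c in name)
        {
            if (!char.IsLetter(c))
                throw new ArgumentException("name may contain letters only");
        }
        return "Hello, " + name;
    }
}
```

After adding the web reference as described in the steps above, the new method appears on the proxy next to HelloWorld, so the consuming page can call ws.Greet("Anand") in the same way it calls ws.HelloWorld(). The Description text shows up on the test page that the Invoke button belongs to.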

Saturday, June 7, 2008

Dynamically adding meta tags

According to SEOs, meta tags are dead.
It is official now that search engines generate their own tags for every page instead of reading the meta tags on each page.
But if you still want to add meta tags dynamically to your page, here is the code.

In the Page_Load event write the following code (the page's head tag must carry runat="server" for the Header property to be available):
using System.Web.UI.HtmlControls;

protected void Page_Load(object sender, EventArgs e)
{
    HtmlMeta keywords = new HtmlMeta();
    keywords.Name = "keywords"; // the standard meta tag name is "keywords"
    keywords.Content = "metatag";
    Header.Controls.Add(keywords);
}
The above code is quite easy and can be easily understood.

Thursday, June 5, 2008

URL Rewriting

It has become important for websites to provide user-friendly URLs to their users, and this can be done effectively using Visual Web Developer.
Today I will tell you about one of the ways of doing it.

We will start a new website and add an App_Code folder to the solution.
App_Code is a special folder whose code is compiled when the application starts.
Add a class file to the App_Code folder; I have named it Urlrewitw.cs.
Write the following code in this file:

using System;
using System.Web;

public class urlrewrite : IHttpModule // This class implements IHttpModule, which requires two methods called Dispose and Init
{
    #region IHttpModule Members

    public void Dispose() // the code in this method executes whenever the module is disposed
    {
        // We don't need to write any code in this method
    }

    public void Init(HttpApplication context) // this code is executed at the start of the application
    {
        context.BeginRequest += new EventHandler(context_BeginRequest);
        // We add an event handler which calls context_BeginRequest at the start of every request
    }

    void context_BeginRequest(object sender, EventArgs e) // Write the URL rewriting code here
    {
        HttpApplication app;
        app = (HttpApplication)sender;
        if (app.Request.RawUrl.Contains("Default4.aspx"))
        {
            app.Context.RewritePath("Default3.aspx", "", "itemid=2" + "&name=anand");
            // if Default4.aspx is requested then serve the page Default3.aspx with two QueryString parameters itemid and name: Default3.aspx?itemid=2&name=anand
        }
    }

    #endregion
}

The last thing to be done is to tweak the Web.config file.
Inside system.web add this snippet:
<httpModules>
  <add name="urlrewrite" type="urlrewrite"/>
</httpModules>
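The module above maps one fixed URL to one fixed query string. The following added example (my own, not the original author's code) generalizes it: a friendly URL such as /item/42/anand is rewritten to Default3.aspx?itemid=42&name=anand, with the values taken from the URL itself. Default3.aspx and the itemid and name parameters come from the post; the /item/ prefix, the class name FriendlyUrlRewrite and the character rules are assumptions. It also assumes that extensionless requests reach ASP.NET at all, which on IIS 6 needs a wildcard script mapping and on IIS 7 the integrated pipeline.

```csharp
using System;
using System.Text.RegularExpressions;
using System.Web;

// Added example, not from the original post.
public class FriendlyUrlRewrite : IHttpModule
{
    // The id may only be digits and the name only letters, digits and hyphens.
    // Because the whole path must match this pattern, nothing from the URL can
    // smuggle extra query-string parameters (or a second '&name=') into the rewrite.
    private static readonly Regex ItemUrl =
        new Regex(@"^/item/(?<id>\d{1,9})/(?<name>[A-Za-z0-9-]{1,40})/?$",
                  RegexOptions.Compiled | RegexOptions.IgnoreCase);

    public void Dispose() { }

    public void Init(HttpApplication context)
    {
        context.BeginRequest += new EventHandler(context_BeginRequest);
    }

    // Kept separate from the pipeline so the mapping can be reasoned about and unit tested.
    // Returns null when the path is not a friendly item URL.
    public static string MapToQueryString(string path)
    {
        Match m = ItemUrl.Match(path);
        if (!m.Success)
            return null;
        // UrlEncode is redundant given the regex, but keeps the rewrite safe if the
        // allowed character set is ever widened.
        return "itemid=" + m.Groups["id"].Value +
               "&name=" + HttpUtility.UrlEncode(m.Groups["name"].Value);
    }

    void context_BeginRequest(object sender, EventArgs e)
    {
        HttpApplication app = (HttpApplication)sender;
        // AppRelativeCurrentExecutionFilePath excludes the query string, so nothing
        // after '?' in the original request takes part in the match. Example: "~/item/42/anand"
        string path = app.Request.AppRelativeCurrentExecutionFilePath;
        if (path.StartsWith("~"))
            path = path.Substring(1);

        string query = MapToQueryString(path);
        if (query != null)
            app.Context.RewritePath("~/Default3.aspx", "", query);
    }
}
```

Register it in Web.config exactly like the post's module, with <add name="friendlyurl" type="FriendlyUrlRewrite"/> inside httpModules. Requests that do not match the pattern fall through untouched, so a typo such as /item/42x/anand gives the normal 404 rather than reaching Default3.aspx with a half-parsed id.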

Isn't it easy? So go and try this code in your application.