Protecting against SQL Injection

940
Chapter 21 
■
Malicious Code and Application Attacks
removing the single quote characters ( 
'
) from the input would prevent the successful use of 
this attack. The strongest, and safest, form of input validation is whitelist validation, where 
the developer specifi es the exact nature of the expected input (e.g., an integer less than 1024 
or an alphanumeric string less than 20 characters) and the code verifi es that user-supplied 
input matches the expected pattern before submitting it to the database. 
Limit Account Privileges
The database account used by the web server should have 
the smallest set of privileges possible. If the web application needs only to retrieve data, 
it should have that ability only. In the example, the
DELETE
command would fail if the 
account had
SELECT
privileges only.
Reconnaissance Attacks 
While malicious code often relies on tricking users into opening or accessing malware, other 
attacks directly target machines. Performing reconnaissance can allow an attacker to fi nd 
weak points to target directly with their attack code. To assist with this targeting, attacker-
tool developers have created a number of automated tools that perform network recon-
naissance. In the following sections, we’ll cover three of those automated techniques—IP 
probes, port scans, and vulnerability scans—and then explain how these techniques can be 
supplemented by the more physically intensive dumpster-diving technique. 

Download 19,3 Mb.

Do'stlaringiz bilan baham: