Monday, April 6, 2015

Service Security Tips (2)

In this article, I am going to continue talking about service security.

QueryString

Most services use the QueryString to pass variables between pages. Those variables may be encrypted, which gives the values some protection, or they may be passed in the clear.
Best practice is to check the following points in the landing page that receives the query string:

1. Make sure you encrypt the value passed, especially when you pass string values.
2. If you pass an ID, for example, check whether the currently logged-in user has permission to see the passed ID. The ID may be an incremental ID, and the user may change the value, which will certainly affect the values displayed in the page.

For example, when a user registers, the system redirects him to the details page and passes the ID in the QueryString, http://mySite/Details.aspx?UserID=1, and the details page loads the information related to the passed ID. You should prevent the user from displaying information about another user, http://mySite/Details.aspx?UserID=2.
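One way to implement the check in point 2 on Details.aspx, as an added example that is not from the original post. It assumes ASP.NET WebForms with forms authentication; UserRepository and LoadDetails are assumed helpers, not part of the page.

```csharp
using System;
using System.Web;
using System.Web.UI;

// Added example: authorize the UserID in the query string against the
// authenticated user before any record is loaded.
public partial class Details : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        if (!User.Identity.IsAuthenticated)
        {
            // Throwing HttpException lets the customErrors page handle the response.
            throw new HttpException(401, "Authentication required");
        }

        // Parse strictly: missing, empty or non-numeric values are rejected, not coerced.
        int requestedId;
        if (!int.TryParse(Request.QueryString["UserID"], out requestedId) || requestedId <= 0)
        {
            throw new HttpException(400, "Invalid UserID");
        }

        // Hypothetical helper: maps the logged-in user name to its numeric id.
        int currentUserId = UserRepository.GetIdForUserName(User.Identity.Name);

        if (!IsAllowedToView(requestedId, currentUserId, User.IsInRole("Administrators")))
        {
            // Return the same response for "not yours" and "does not exist",
            // so the page does not reveal which ids in the sequence are valid.
            throw new HttpException(404, "Not found");
        }

        LoadDetails(requestedId);
    }

    // Ownership rule kept as a pure function so it can be unit tested without a Page.
    internal static bool IsAllowedToView(int requestedId, int currentUserId, bool isAdmin)
    {
        return isAdmin || requestedId == currentUserId;
    }

    // Assumed existing page logic that binds the record for the given id.
    private void LoadDetails(int userId)
    {
        // ... data access and control binding for userId ...
    }
}
```

The same rule applies to any other record id passed in the query string (order, invoice, document): resolve the owner server-side and compare it with the authenticated identity rather than trusting the value the client sent.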


Disable Sensitive Information for Error Messages

Some services have missing configuration, which leads to sensitive information being displayed in the error message page, like the following:


The above page shows that the service uses Xceed.Chart.GrphicsGL.V4.3.dll, a component that should be embedded inside the service and that the end user should not know about.
To fix this issue, you should create a custom error page and redirect the user to this page if any issue happens.


Directory Browsing

When you create a service and deploy it on a server, the service may contain different folders, files, images, styles, scripts, etc. Some of those files should NOT be browsable from the end-user side.
For example, the log file in the logs folder deployed in the root should not be visible to end users: if the user types http://mySite/logs/log.txt, the log should not appear.
To prevent the user from browsing the file, you should put a web.config file inside the folder, logs for example, and describe which roles are allowed to browse this file.

To be continued...
