[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

x
?
Solved

RE : SQL Injection and XSS scripting

Posted on 2012-09-12
2
Medium Priority
?
377 Views
Last Modified: 2012-10-09
Hi,

How to make sure that application is totally secure with SQL injection and cross side scripting.

How to make sure that we have prevented URL tampering within the application? What i the best approach to do so

Is there any tool to test?

We have created an application in the .NET following MVC framework
0
Comment
Question by:vikalgupta
2 Comments
 
LVL 2

Accepted Solution

by:
varunvns earned 1500 total points
ID: 38393202
Hi,
Some points which need to be taken care of for avoiding SQL Injection specifically include:

1. Always use Stored Procedures when working with Database. (Never and never at all use a query directly from your code, as it is surely prone to sql injection)
2. Encrypt Sensitive data (values like passwords, account numbers etc, or some info which is very critical, better keep it encrypted and always encrypt-decrypt it as per your requirement)
3. Make use of Parameterized Queries, which force the developer to input some values else the query wont execute.

Some links which I found useful, on how to test for SQL Injection are as follows:
http://databases.about.com/od/security/a/sql_inject_test.htm
http://www.softwaretestinghelp.com/sql-injection-%E2%80%93-how-to-test-application-for-sql-injection-attacks/
http://www.unixwiz.net/techtips/sql-injection.html
http://security.stackexchange.com/questions/14142/how-do-i-test-for-sql-injection-vulnerabilities-on-a-site-with-input-fields

I know you asked for tool, and the above links mainly cover some methods to do it manually.
Here is a link for a tool which might help you out:
http://labs.securitycompass.com/exploit-me/sql-inject-me/
Also, a Firefox add-on for the same.. https://addons.mozilla.org/en-US/firefox/addon/sql-inject-me/

But yes, please perform all the SQL Injection specific things only in your test environment, after a proper backup of your database.

Sincerely,
Varun Shringarpure
0
 

Author Closing Comment

by:vikalgupta
ID: 38476449
Good answer
0

Featured Post

Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Naughty Me. While I was changing the database name from DB1 to DB_PROD1 (yep it's not real database name ^v^), I changed the database name and notified my application fellows that I did it. They turn on the application, and everything is working. A …
SQL Server engine let you use a Windows account or a SQL Server account to connect to a SQL Server instance. This can be configured immediatly during the SQL Server installation or after in the Server Authentication section in the Server properties …
This video shows how to quickly and easily deploy an email signature for all users in Office 365 and prevent it from being added to replies and forwards. (the resulting signature is applied on the server level in Exchange Online) The email signat…
Are you ready to place your question in front of subject-matter experts for more timely responses? With the release of Priority Question, Premium Members, Team Accounts and Qualified Experts can now identify the emergent level of their issue, signal…

872 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question