Web applications are often attacked by hackers, who use
SQL Injection and
Cross Site Scripting attacks to
hurt you and your site visitors. SQL Injection uses SQL syntax to attack your database while Cross Site Scripting
adds javascript and HTML where it does not belong, to trip up your site's visitors.
If you've studied these issues, you know that its important to clean up incoming data to neutralize these attacks.
This action is handled by BLD. But you can do better by detecting attacks with the InjectionSecurityAttribute
because you need flexibility enough to allow certain inputs that blind attack prevention would otherwise stop.
For example, you may want to allow some HTML tags in a string-type DataField. You also may want to allow
the user to enter some of the SQL keywords along with a single quote. Both are blocked by the traditional protection mechanisms.
Detection has these benefits:
- Notify you when an attack is happening.
- Log the details of attacks for further study.
- Shut the hacker out of your site.
- Block garbage data from going into your database.
The InjectionSecurityAttribute requires that you have setup the Peter's Input Security module,
which is part of the Peter's Data Entry Suite.
Add it to the Entity class or individual string-type properties. Those string-type properties
without their own InjectionSecurityAttribute will inherit the one of the Entity class definition.
Typically the Entity class's attribute is the most strict. The individual properties will
reduce security to allow more cases. For example, you may want a string to allow a specific list
of HTML tags, and use InjectionSecurityAttribute to block the rest and any javascript
found inside the HTML tags you allow (a common hack).
Here are InjectionSecurityAttributes associated with the Category Entity class.
[DESDA.InjectionSecurity(DetectScriptInjection=true, DetectSQLInjection=false)]
public class CategoryMetadata
{
[DESDA.InjectionSecurity(DetectScriptInjection=true, DetectSQLInjection=true,
SQLDetectionLevel=PeterBlum.DES.Web.SQLDetectionLevel.MediumLow,
HTMLTagMode=PeterBlum.DES.Web.HTMLTagMode.IllegalExceptTags,
HTMLTags="br|img|span|div|a")]
public object Description { get; set; }
}
The Source Code Browser shows completed DataAnnotations. The InjectionSecurityAttributes
have been highlighted.
Open the Source Code Browser (C# only)