Application Threats and Countermeasures
A good way to analyze application-level threats is to organize them based on application defect categories.
1: Input validation
Buffer overflow, cross-site scripting, SQL injection, canonicalization
Countermeasures against buffer overflow:
(1) Perform thorough input validation. This is the primary countermeasure against buffer overflow. Although a bug in your application may allow even expected input to exceed a buffer's bounds, unexpected input is still the main cause of the defect. Constrain input by validating its type, length, format, and range.
(2) If possible, limit the use of unmanaged code, and thoroughly review any unmanaged APIs to ensure that their input is validated correctly.
(3) Review the managed code that calls unmanaged APIs and ensure that only appropriate values can be passed to them as parameters.
Countermeasures against cross-site scripting:
(1) Perform thorough input validation. Your application must ensure that input from the query string, form fields, and cookies is valid for the application. Treat all user input as potentially malicious, and filter or sanitize it for the context in which downstream code uses it. Validate that every input value is a known good value, and reject everything else. Use regular expressions to validate input received through HTML form fields, cookies, and query strings.
(2) Use the HtmlEncode and UrlEncode functions to encode all output, including user input. This turns executable script into harmless HTML.
Countermeasures against SQL injection:
(1) Perform thorough input validation. The application must validate input before sending the request to the database.
(2) Access the database through parameterized stored procedures so that the input string is never treated as an executable statement. If you cannot use stored procedures, use SQL parameters when building SQL commands.
(3) Connect to the database with the least-privileged account.
Countermeasures against canonicalization problems:
(1) Avoid using a file name as input; use instead an absolute file path that the end user cannot change.
(2) If you must accept a file name as input, make sure it is in the correct format and validate it within the application context, for example by checking that it lies within your application's directory hierarchy.
(3) Ensure the character encoding is set correctly to restrict how input can be represented. Check whether the requestEncoding and responseEncoding attributes have been set on the globalization element in web.config.
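As an added illustration of countermeasures (2) and (3) for canonicalization problems (example code written for this page, not from the original text, which targets ASP.NET): a Python check that validates a file name's format against an allowlist, decodes it exactly once, canonicalizes it, and confirms the result still lies inside the application's directory. APP_ROOT and the sample names are assumed placeholders.

```python
import os
import re
from urllib.parse import unquote

# Assumed application directory (placeholder, not from the original text).
APP_ROOT = "/srv/app/files"

# Allowlist: a plain file name, no path separators, no leading dot, bounded length.
_NAME_RE = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}")


def canonical_root(root=APP_ROOT):
    """Canonical form of the application directory ('..' and symlinks resolved)."""
    return os.path.realpath(root)


def resolve_app_file(name, root=APP_ROOT):
    """Return the canonical path of `name` inside `root`, or None if rejected.

    Format is validated first (countermeasure 2), then the path is canonicalized
    and checked against the application's directory hierarchy.
    """
    # Decode once so an encoded representation (%2e%2e, %2f) is judged on the
    # same characters the file system would see. A second decode is deliberately
    # not done, so double-encoded input simply fails the allowlist below.
    decoded = unquote(name)
    if not _NAME_RE.fullmatch(decoded):
        return None                      # wrong format: reject, do not "clean"
    root_c = canonical_root(root)
    candidate = os.path.realpath(os.path.join(root_c, decoded))
    # Containment check on canonical paths. This also catches a symlink inside
    # root that points elsewhere, and commonpath avoids the prefix trap where
    # "/srv/app/files2" merely starts with the string "/srv/app/files".
    if os.path.commonpath([root_c, candidate]) != root_c:
        return None
    return candidate


if __name__ == "__main__":
    # Constructed inputs: one benign name and several malformed or traversal attempts.
    for n in ["report.txt", "../etc/passwd", "%2e%2e/etc/passwd", ".htaccess", "a/b.txt"]:
        print(f"{n!r:22} -> {resolve_app_file(n)}")
```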