
Use to Implement: Input validation Page-Level authorization Session Management Audit Logging






Presentation Transcript


  1. Intercepting Filter
     Use to Implement:
     • Input validation
     • Page-Level authorization
     • Session Management
     • Audit Logging
     Avoid:
     • Relying Only on Blacklist Validation
     • Output Encoding in Filter
     • Overly Generous Whitelist Validation
     • XML Denial of Service
     • Logging Arbitrary HTTP Parameters
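An Intercepting Filter that follows the four "use" points and avoids the five "avoid" points above, written as an added example for this transcript (it is not code from the slides). It assumes the Servlet 4 `javax.servlet` API, Java 9 or later, and the parameter names, patterns and protected paths shown, which are all constructed for the example. Validation is strict whitelist by parameter name and value pattern, the session check runs before the target resource, the audit record has a fixed set of fields so raw request values never reach the log, and output encoding is deliberately left to the view layer.

```java
// Added example: Intercepting Filter with whitelist validation, session
// check and fixed-field audit logging. javax.servlet API and the names
// below are assumptions for the example.
import javax.servlet.*;
import javax.servlet.http.*;
import java.io.IOException;
import java.util.*;
import java.util.logging.Logger;
import java.util.regex.Pattern;

public class SecurityInterceptingFilter implements Filter {
    private static final Logger AUDIT = Logger.getLogger("audit");

    // Whitelist: only these parameter names are accepted, each with a tight
    // value pattern. Unknown names are rejected, not just "dangerous" values.
    private static final Map<String, Pattern> ALLOWED = Map.of(
        "accountId", Pattern.compile("^[0-9]{1,10}$"),
        "page",      Pattern.compile("^[a-z]{1,20}$"));

    // Paths that require an authenticated session (page-level authorization).
    private static final Set<String> PROTECTED = Set.of("/account", "/transfer");

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String path = request.getServletPath();   // server-derived, not a raw parameter

        // Session management / page-level authorization before the target runs.
        HttpSession session = request.getSession(false);
        String user = session == null ? null : (String) session.getAttribute("user");
        String principal = user == null ? "anonymous" : user;
        if (PROTECTED.contains(path) && user == null) {
            audit("DENY", path, principal);
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        // Whitelist validation: any unknown parameter, or any value that does
        // not match its pattern, rejects the whole request.
        for (Map.Entry<String, String[]> p : request.getParameterMap().entrySet()) {
            Pattern allowed = ALLOWED.get(p.getKey());
            if (allowed == null
                    || Arrays.stream(p.getValue()).anyMatch(v -> !allowed.matcher(v).matches())) {
                audit("REJECT", path, principal);
                response.sendError(HttpServletResponse.SC_BAD_REQUEST);
                return;
            }
        }

        audit("ALLOW", path, principal);
        chain.doFilter(req, res);   // output encoding belongs in the view, not here
    }

    // Fixed-field audit record: no raw parameter values are written, so a
    // request cannot inject arbitrary text into the audit trail.
    private static void audit(String outcome, String path, String principal) {
        AUDIT.info(String.format("outcome=%s path=%s principal=%s", outcome, path, principal));
    }

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}
}
```

Register the filter in `web.xml` (or with `@WebFilter`) on the URL pattern that fronts the protected pages; because the whitelist rejects unknown parameter names, every parameter a page legitimately uses has to be listed, which is exactly the "overly generous whitelist" trade-off the slide warns about.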

  2. Front Controller
     Use to Implement:
     • Logical Resource Mapping
     • Session Management
     • Audit Logging
     Avoid:
     • Physical Resource Mapping
     • Unhandled Mappings in Multiplexed Resource Mapping strategy
     • Logging of Arbitrary HTTP Parameters
     • Duplicating Common Logic Across Multiple Front Controllers
     • Invoking Commands Without Sufficient Authorization

  3. Context Object
     Use to Implement:
     • Whitelist Input Validation
     • Flagging Tainted Variables
     Avoid:
     • Context Auto-Population Strategy
     • Assuming Security Context Reflects All Security Concerns

  4. Application Controller
     Use to Implement:
     • Synchronization Tokens as Anti-CSRF Mechanism
     • Page-level Authorization
     Avoid:
     • XSLT and XPath Vulnerabilities
     • XML Denial of Service
     • Disclosure of Information in SOAP Faults
     • Publishing WSDL files
     • Unhandled Commands
     • Unauthorized Commands

  5. View Helper
     Use to Implement:
     • Output Encoding in Custom Tag Helper
     Avoid:
     • XSLT and XPath Vulnerabilities
     • Unencoded User Supplied Data

  6. Composite View
     Use to Implement:
     • Output Encoding in Custom Tags
     Avoid:
     • Skipping Authorization Check Within SubViews
     • XSLT and XPath Vulnerabilities
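The "output encoding in a custom tag helper" item from the View Helper and Composite View slides, as an added example (not code from the presentation). It assumes the JSP `javax.servlet.jsp` tag API; the tag name and the `sec` prefix in the usage note are constructed. The encoder is deliberately a whitelist: every character outside a small safe set becomes a numeric character reference, so untrusted data can never be interpreted as markup, regardless of which metacharacters a blacklist might have missed.

```java
// Added example: a SimpleTag that HTML-encodes a value before it is written
// to the page. JSP tag API assumed; tag name is an assumption.
import javax.servlet.jsp.JspException;
import javax.servlet.jsp.tagext.SimpleTagSupport;
import java.io.IOException;

public class EncodeTag extends SimpleTagSupport {
    private String value;

    // Set by the container from the tag's "value" attribute.
    public void setValue(String value) { this.value = value; }

    @Override
    public void doTag() throws JspException, IOException {
        getJspContext().getOut().write(htmlEncode(value));
    }

    // Whitelist encoder for HTML text and quoted-attribute contexts: letters,
    // digits and a few punctuation marks pass through, everything else is
    // emitted as &#NNN; so the browser treats it as data, never as markup.
    public static String htmlEncode(String s) {
        if (s == null) return "";
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            boolean safe = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z')
                    || (c >= '0' && c <= '9') || c == ' ' || c == '.' || c == ','
                    || c == '-' || c == '_';
            if (safe) {
                sb.append(c);
            } else {
                sb.append("&#").append((int) c).append(';');
            }
        }
        return sb.toString();
    }
}
```

With the tag declared in a TLD under the `sec` prefix, a view writes `<sec:encode value="${account.ownerName}"/>` instead of `${account.ownerName}`; a sub-view inside a Composite View uses the same tag, so encoding is not skipped just because the fragment is included rather than rendered directly. Note that this encoding is for HTML body and attribute contexts only; a value placed into JavaScript, a URL or CSS needs the encoder for that context.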

  7. Service to Worker
     Avoid:
     • Dispatching Error Pages Without a Default Error Handler

  8. Dispatcher View
     Avoid:
     • Using User Supplied Forward Values
     • Assuming User's Navigation History
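One controller that demonstrates the Front Controller (slide 2), Application Controller (slide 4) and Dispatcher View (slide 8) points together, added here as an example and not taken from the slides: logical resource mapping (the request names a command, never a file path), a default handler so an unhandled command cannot fall through, an authorization check before any command is invoked, a synchronization token checked on every state-changing POST, and a fixed view map so the client can never supply a forward target. It assumes the Servlet 4 `javax.servlet` API, Java 9 or later, container-managed roles via `isUserInRole`, and the command names, role and JSP paths shown, which are constructed.

```java
// Added example: Front Controller with logical mapping, default command,
// per-command authorization and a CSRF synchronization token. The servlet
// API, command names, role and view paths are assumptions.
import javax.servlet.ServletException;
import javax.servlet.http.*;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.*;

public class SecureFrontController extends HttpServlet {
    interface Command {
        String execute(HttpServletRequest req) throws IOException;   // returns a logical view name
    }

    private static final SecureRandom RNG = new SecureRandom();

    // Logical name -> command. The URL never carries a class or file name.
    private final Map<String, Command> commands = new HashMap<>();
    // Commands that require a role (page-level authorization); absent = public.
    private final Map<String, String> requiredRole = new HashMap<>();
    // Logical view -> physical resource. Only keys of this map can be forwarded to.
    private static final Map<String, String> VIEWS = Map.of(
        "home",         "/WEB-INF/jsp/home.jsp",
        "transferDone", "/WEB-INF/jsp/transferDone.jsp",
        "error",        "/WEB-INF/jsp/error.jsp");

    @Override
    public void init() {
        commands.put("home", req -> "home");
        commands.put("transfer", req -> "transferDone");   // business logic omitted
        requiredRole.put("transfer", "customer");
    }

    @Override
    protected void service(HttpServletRequest req, HttpServletResponse res)
            throws ServletException, IOException {
        HttpSession session = req.getSession(true);
        if (session.getAttribute("csrfToken") == null) {
            session.setAttribute("csrfToken", newToken());   // one token per session
        }

        String name = req.getParameter("cmd");
        Command cmd = name == null ? null : commands.get(name);
        String view;
        if (cmd == null) {
            view = "error";                                    // unhandled command -> default
        } else if (!authorized(req, requiredRole.get(name))) {
            res.setStatus(HttpServletResponse.SC_FORBIDDEN);   // checked before execute()
            view = "error";
        } else if ("POST".equals(req.getMethod()) && !tokenValid(session, req)) {
            res.setStatus(HttpServletResponse.SC_FORBIDDEN);   // missing/mismatched CSRF token
            view = "error";
        } else {
            view = cmd.execute(req);
        }
        // The forward target comes from VIEWS, never from a request value.
        String target = VIEWS.getOrDefault(view, VIEWS.get("error"));
        req.getRequestDispatcher(target).forward(req, res);
    }

    private static boolean authorized(HttpServletRequest req, String role) {
        return role == null || req.isUserInRole(role);
    }

    // Constant-time comparison of the session token with the submitted one.
    private static boolean tokenValid(HttpSession session, HttpServletRequest req) {
        Object expected = session.getAttribute("csrfToken");
        String supplied = req.getParameter("csrfToken");
        return expected != null && supplied != null
            && MessageDigest.isEqual(expected.toString().getBytes(StandardCharsets.UTF_8),
                                     supplied.getBytes(StandardCharsets.UTF_8));
    }

    private static String newToken() {
        byte[] b = new byte[32];
        RNG.nextBytes(b);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(b);
    }
}
```

Forms rendered by the views include the session's `csrfToken` as a hidden field; because the token is compared on every POST and the view map is closed, a request such as `?cmd=transfer&next=/WEB-INF/admin.jsp` can neither bypass the role check nor pick its own forward target.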

  9. Business Delegate
     Use to Implement:
     • Whitelist Input Validation

  10. Service Locator
     Avoid:
     • Open Access to UDDIs
     • Memory Leaks in Caching

  11. Session Facade
     Use to Implement:
     • Middle-tier Authorization
     Avoid:
     • Unauthenticated Client Calls
     • Deserializing Objects from Untrusted Sources
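A Session Facade covering the three points on the slide, added as an example that is not from the presentation. It assumes EJB 3 with `javax.ejb` and `javax.annotation.security` annotations, Java 9 or later for `java.io.ObjectInputFilter`, and the role name and `com.example.dto` package, which are constructed. Middle-tier authorization is declared on the bean so the container rejects unauthenticated or unauthorized callers before the method body runs, and any serialized payload a client hands in is read only through a class whitelist with depth and size limits.

```java
// Added example: Session Facade with container-enforced authorization and a
// whitelisting deserialization filter. EJB API, role and package names are
// assumptions for the example.
import javax.annotation.security.RolesAllowed;
import javax.ejb.Stateless;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;

@Stateless
@RolesAllowed("customer")   // middle-tier authorization: no principal or wrong role -> EJBAccessException
public class AccountFacade {

    // Whitelist filter: only our transfer objects and a few JDK types may be
    // deserialized; "!*" rejects everything else before its readObject runs.
    // The limits bound nesting depth, array length and total bytes.
    private static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
        "maxdepth=8;maxarray=10000;maxbytes=262144;"
        + "com.example.dto.*;java.lang.*;java.util.ArrayList;java.util.HashMap;!*");

    // Accepts a serialized transfer object from a client. A class outside the
    // whitelist causes InvalidClassException instead of being instantiated.
    public Object importTransferObject(byte[] payload) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(payload))) {
            in.setObjectInputFilter(FILTER);
            return in.readObject();
        }
    }
}
```

Prefer not to accept Java serialization from clients at all where the interface allows it; when a remote interface has to, the filter above is the minimum, and the same pattern string can be applied JVM-wide with the `jdk.serialFilter` system property so every `ObjectInputStream` in the server gets it.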

  12. Application Service
     Avoid:
     • Unauthenticated Client Calls

  13. Business Object

  14. Composite Entity
     Avoid:
     • Plaintext Transmission of Confidential Data
     • Interpreter Injection

  15. Transfer Object
     Avoid:
     • Plaintext Transmission of Confidential Data

  16. Transfer Object Assembler

  17. Value List Handler

  18. Data Access Object
     Avoid:
     • Interpreter Injection
     • Improper Resource Closing
     • Unencrypted Connection String Storage

  19. Service Activator
     Avoid:
     • Denial of Service in Message Queues
     • Unauthenticated Messages
     • Unauthorized Messages
     • Dynamic SQL in Database Response Strategy
     • Unvalidated Email Addresses in Email Response Strategy

  20. Domain Store
     Avoid:
     • Interpreter Injection
     • Improper Closing of Resources
     • Unencrypted Storage of Connection Strings
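The three data-tier points that recur across Composite Entity (slide 14), Data Access Object (slide 18), the Service Activator's "dynamic SQL in database response strategy" (slide 19) and Domain Store (slide 20), shown in one DAO as an added example that is not from the slides. It assumes JDBC with a container-bound `javax.sql.DataSource`; the JNDI name, table and column names are constructed. The "before" method shows all three defects at once; the "after" method binds the value as a parameter, closes every handle with try-with-resources, and takes its connection from the container so no URL, user or password is stored in the class or in a plain file.

```java
// Added example: DAO with interpreter injection and resource leak beside the
// corrected form. JNDI name, table and columns are assumptions.
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.sql.DataSource;
import java.sql.*;
import java.util.ArrayList;
import java.util.List;

public class AccountDao {
    private final DataSource ds;

    // Connection details live in the container's DataSource configuration,
    // not in this class; the JNDI name is an assumption for the example.
    public AccountDao() throws NamingException {
        this.ds = (DataSource) new InitialContext().lookup("java:comp/env/jdbc/accounts");
    }

    // BEFORE: accountId is concatenated into the statement, so the SQL
    // interpreter sees whatever the caller supplied; and the three close()
    // calls are skipped entirely if executeQuery or next() throws.
    public List<String> findOwnersUnsafe(String accountId) throws SQLException {
        Connection c = ds.getConnection();
        Statement s = c.createStatement();
        ResultSet rs = s.executeQuery(
            "SELECT owner FROM account WHERE id = '" + accountId + "'");
        List<String> owners = new ArrayList<>();
        while (rs.next()) owners.add(rs.getString("owner"));
        rs.close(); s.close(); c.close();
        return owners;
    }

    // AFTER: the statement text is fixed, the value travels as a bound
    // parameter, and try-with-resources closes ResultSet, PreparedStatement
    // and Connection in reverse order on every exit path.
    public List<String> findOwners(String accountId) throws SQLException {
        String sql = "SELECT owner FROM account WHERE id = ?";
        try (Connection c = ds.getConnection();
             PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setString(1, accountId);
            try (ResultSet rs = ps.executeQuery()) {
                List<String> owners = new ArrayList<>();
                while (rs.next()) owners.add(rs.getString("owner"));
                return owners;
            }
        }
    }
}
```

The same shape applies to a Service Activator's database response: build the statement from constants and bind the message's fields, never assemble SQL from message content.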

  21. Web Services Broker
     Avoid:
     • Sending stack trace and other detailed information in SOAP faults
     • Publishing WSDL files
     • Using DTDs
     • Unauthenticated or unauthorized web service requests
     • Using user-supplied data without input validation
     • Excessively large XML messages
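The XML-handling and fault-reporting points from this slide, which also answer the "XML Denial of Service" and "Disclosure of Information in SOAP Faults" items on slides 1 and 4, as an added example not taken from the presentation. It assumes the JAXP `javax.xml.parsers` API with a Xerces-based parser (the feature URIs shown are the standard Xerces/SAX ones) and the SAAJ `javax.xml.soap` API; the size cap is constructed. A DOCTYPE is rejected outright, which closes off entity expansion and external DTD fetches in one setting, oversized messages are refused before parsing starts, and the client-facing fault carries only a generic reason plus a correlation id while the stack trace stays in the server log.

```java
// Added example: hardened XML parser and information-poor SOAP fault for a
// Web Services Broker. JAXP/SAAJ APIs assumed; MAX_MESSAGE_BYTES is a
// constructed limit.
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.soap.SOAPConstants;
import javax.xml.soap.SOAPException;
import javax.xml.soap.SOAPFactory;
import javax.xml.soap.SOAPFault;
import org.w3c.dom.Document;
import java.io.ByteArrayInputStream;
import java.util.UUID;
import java.util.logging.Level;
import java.util.logging.Logger;

public class HardenedSoapBroker {
    private static final Logger LOG = Logger.getLogger(HardenedSoapBroker.class.getName());
    private static final int MAX_MESSAGE_BYTES = 64 * 1024;   // assumption for the example

    // Parser that refuses any DOCTYPE (so no internal or external DTD, hence
    // no entity expansion) and never resolves external entities or XIncludes.
    static DocumentBuilder hardenedParser() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    // Size check first, so an oversized body is rejected before the parser
    // allocates anything for it.
    public static Document parseRequest(byte[] body) throws Exception {
        if (body.length > MAX_MESSAGE_BYTES) {
            throw new IllegalArgumentException("message exceeds " + MAX_MESSAGE_BYTES + " bytes");
        }
        return hardenedParser().parse(new ByteArrayInputStream(body));
    }

    // The fault sent to the client names only a correlation id; the cause and
    // its stack trace are logged server-side under that id for operators.
    public static SOAPFault toClientFault(Exception cause) throws SOAPException {
        String ref = UUID.randomUUID().toString();
        LOG.log(Level.WARNING, "web service request failed, ref=" + ref, cause);
        SOAPFactory sf = SOAPFactory.newInstance(SOAPConstants.SOAP_1_2_PROTOCOL);
        return sf.createFault("Request could not be processed (ref " + ref + ")",
                              SOAPConstants.SOAP_RECEIVER_FAULT);
    }
}
```

Authentication and authorization of the request, and validation of the values inside it, still happen after `parseRequest` returns; the parser configuration only guarantees that the document can be read without the parser itself being turned into the denial-of-service or disclosure vector.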
