Deploying a poorly designed web application can be like propping open the front door to your network infrastructure. The vulnerabilities introduced by these design flaws can be exploited with techniques such as SQL injection, URL manipulation, analysis of error and debug output, and other insidious methods.
Since detecting these attacks can be difficult (and sometimes impossible when they arrive over an encrypted channel), it is not only important to learn how these attacks are structured; one must also learn how to build an application whose very structure limits the impact these techniques can have.
In contrast to many Blackhat sessions oriented toward the "exploit" side of things, this session will concentrate on the techniques and methods used to protect your network from these types of vulnerabilities, and on the "best practices" to follow when developing data-driven applications.
With content specific to Microsoft IIS5 and SQL2000 using ASP and ADODB, this course will provide an overview of a typical application's lifespan from the design and planning stage through to production and deployment.
The course will be broken into two main areas of study: Development and Implementation.
Development:
During the development phase, we will cover the following:
- Web Form Design
- User Input Validation and Sanitization
- SQL query string construction
- Data object instantiation
- Parameter typing and passing
- SQL database design
- Stored procedure design and execution
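The following is an added T-SQL example, not material from the course, illustrating three of the development topics above (query string construction, parameter typing, and stored procedure design) on a constructed schema. The table `dbo.Orders`, the procedures `usp_GetOrdersByCustomer` and `usp_GetOrdersSorted`, and the sample rows are all assumptions made for this example. It first shows the query an ASP page produces when it concatenates user input into a string, then the stored-procedure form in which every data value is a typed parameter, and finally the one case where dynamic SQL is unavoidable (a caller-chosen sort column) handled with a fixed allow-list plus `sp_executesql` parameters.

```sql
-- Constructed example schema (not from the course).
CREATE TABLE dbo.Orders (
    OrderId    int IDENTITY(1,1) PRIMARY KEY,
    CustomerId int NOT NULL,
    Status     varchar(20) NOT NULL,
    Total      money NOT NULL
)
GO
INSERT dbo.Orders (CustomerId, Status, Total) VALUES (1, 'open', 10.00)
INSERT dbo.Orders (CustomerId, Status, Total) VALUES (2, 'shipped', 99.00)
GO

-- UNSAFE: the query text an ASP page builds by string concatenation.
-- The constructed input "1 OR 1=1" is never treated as an integer, so the
-- WHERE clause is rewritten and every customer's orders come back.
-- Shown only to illustrate the failure mode; do not use this pattern.
DECLARE @strInput varchar(100), @sql varchar(500)
SET @strInput = '1 OR 1=1'
SET @sql = 'SELECT OrderId, Total FROM dbo.Orders WHERE CustomerId = ' + @strInput
PRINT @sql      -- ... WHERE CustomerId = 1 OR 1=1
EXEC (@sql)     -- returns both rows, not just customer 1's
GO

-- SAFE: a stored procedure with typed parameters. @CustomerId is an int
-- before the statement is ever parsed, so there is no string into which
-- input can be spliced. The optional Status filter is also a parameter,
-- not a concatenated clause.
CREATE PROCEDURE dbo.usp_GetOrdersByCustomer
    @CustomerId int,
    @Status     varchar(20) = NULL
AS
    SET NOCOUNT ON
    SELECT OrderId, Status, Total
    FROM dbo.Orders
    WHERE CustomerId = @CustomerId
      AND (@Status IS NULL OR Status = @Status)
GO

-- When dynamic SQL cannot be avoided (an identifier such as a sort column
-- cannot be a parameter), validate the untrusted identifier against a fixed
-- list, quote it, and still pass the data value through an sp_executesql
-- parameter rather than into the string.
CREATE PROCEDURE dbo.usp_GetOrdersSorted
    @CustomerId int,
    @SortColumn sysname
AS
    SET NOCOUNT ON
    IF @SortColumn NOT IN ('OrderId', 'Status', 'Total')
    BEGIN
        RAISERROR('Invalid sort column', 16, 1)
        RETURN
    END
    DECLARE @sql nvarchar(500)
    SET @sql = N'SELECT OrderId, Status, Total FROM dbo.Orders '
             + N'WHERE CustomerId = @cid ORDER BY ' + QUOTENAME(@SortColumn)
    EXEC sp_executesql @sql, N'@cid int', @cid = @CustomerId
GO

-- Calls as the ASP page would make them (via ADODB.Command with typed
-- parameters); each returns only customer 1's single row.
EXEC dbo.usp_GetOrdersByCustomer @CustomerId = 1
EXEC dbo.usp_GetOrdersSorted @CustomerId = 1, @SortColumn = 'Total'
GO
```

On the ASP side the matching pattern is an `ADODB.Command` with `CommandType` set to `adCmdStoredProc` and each value appended through `CreateParameter` with an explicit ADO type (for example `adInteger`, `adParamInput`), so the conversion from request string to integer happens in the data object, not in a concatenated SQL string.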
Implementation:
Implementation will cover the following specific technologies:
- Microsoft IIS5 server configuration and hardening
- Microsoft SQL2000 server configuration and hardening
- SQL mixed mode authentication and pitfalls
- SQL Integrated mode, user/group structure, and procedure permissions
- Real-world deployments, vulnerabilities, and considerations
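As an added example for the authentication and permission topics above (not course material), the T-SQL below sets up the least-privilege arrangement an integrated-mode deployment aims for on SQL2000. It assumes a database named `WebApp`, a Windows group `CORP\WebAppUsers` that the IIS application identity belongs to, and the `dbo.Orders` table and `dbo.usp_GetOrdersByCustomer` procedure from the constructed schema earlier on this page; all of these names are assumptions. The web tier gets a login with no password to embed in a connection string, a database role that may execute the procedures it needs and nothing else, and an explicit deny on the base table. The last section shows the checks for the mixed-mode pitfall: which authentication mode the server is in, which SQL-authenticated logins exist, and resetting the `sa` password (the passphrase shown is a placeholder).

```sql
USE WebApp
GO

-- 1. Integrated mode: grant the Windows group a login. The ASP connection
--    string uses Integrated Security=SSPI, so no password sits in page source.
EXEC sp_grantlogin 'CORP\WebAppUsers'
GO

-- 2. Map the login to a database user and place it in a role created for the
--    web tier. Permissions are granted to the role, never to the user directly,
--    so adding a second application account later is a one-line change.
EXEC sp_grantdbaccess 'CORP\WebAppUsers', 'WebAppUsers'
EXEC sp_addrole 'webapp_exec'
EXEC sp_addrolemember 'webapp_exec', 'WebAppUsers'
GO

-- 3. Least privilege: the web tier may EXECUTE the procedures it needs and
--    has no direct rights on the base table. Because the procedure is owned
--    by dbo (same owner as the table), ownership chaining lets the procedure
--    read dbo.Orders while the caller itself cannot.
GRANT EXECUTE ON dbo.usp_GetOrdersByCustomer TO webapp_exec
DENY SELECT, INSERT, UPDATE, DELETE ON dbo.Orders TO webapp_exec
GO

-- 4. Verify: list every permission the role holds; only the EXECUTE grant
--    and the DENY on dbo.Orders should appear.
EXEC sp_helprotect @username = 'webapp_exec'
GO

-- 5. Mixed mode pitfalls. Report the current login mode, list the standard
--    (SQL-authenticated) logins that mixed mode exposes to password guessing
--    from the network, and set a strong sa password regardless of mode.
--    The passphrase below is a placeholder for this example.
EXEC master..xp_loginconfig 'login mode'
SELECT name FROM master.dbo.syslogins WHERE isntname = 0
EXEC sp_password NULL, 'Replace-With-A-Long-Random-Passphrase', 'sa'
GO
```

If the output of `xp_loginconfig` reports `Mixed` and the application only ever connects with the Windows group above, there is no remaining reason for mixed mode; the `sa` reset is still worth doing, since the account exists whether or not standard logins are accepted.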