
The Tools of Peter's Input Security
Here are the tools supplied with Peter's Input Security:
FieldSecurityValidator
This validator web control detects SQL and script injection attacks on
individual data entry controls (visible fields). It uses the powerful SQL
Detection and Script Detection Engines to analyze the text for possible
attacks. If found, it can log and block them.
Each data entry control can have different levels of protection. For SQL, you
can detect individual SQL keywords, SQL statements and common hacking patterns
with five levels, Low to High. This way most free form text fields can still be
protected without blocking human language. For Scripts, you can supply a list
of HTML tag names that are either permitted or blocked.
You can customize how this validator logs and reports errors to the user. For
example, you can silently log attacks without reporting errors back to the user.
This gives the attacker a false sense of security while you are fully informed.
You can even record details about the submitted record in the log so that you
can review the data by hand.
PageSecurityValidator
This validator web control detects SQL Injection, Script Injection, Input
Tampering, and Brute Force attacks on all inputs: visible fields, hidden
fields, query strings, and cookies. It has extensive properties to customize
how it detects these attacks. If found, it logs and blocks the attack.
You always add one of these to each page with inputs. It immediately adds
protection for visible and hidden fields without any further customization.
The PageSecurityValidator and FieldSecurityValidator do not generate
client-side validation code, preventing hackers from reading your security
logic.
Security Analysis Report
The Security Analysis Report may be the most important tool in Peter's Input
Security. There is nothing like it anywhere else. It analyzes all inputs
on a page and the security techniques applied. Use this report to fully audit
and document your input security.
For each input, it describes the following:
- The validators assigned to protect the input
- A rating of its security against SQL Injection and Script Injection: None, Poor, Good and Excellent
- Exactly how it determined the ratings
- Specific recommendations to improve and tune your security
- Through methods exposed to your programmers, your programmers' own comments on how they have protected the input
The report is easy to use. Just add the PageSecurityValidator and open your
page in the browser. Then view the HTML file that it outputs.
Log And Respond Engine
The Log And Respond Engine collects detailed data about attacks, exceptions,
and errors into text files, the Windows event log, or your own custom logging
system. It can send emails about these problems too. Based on rules that you
set, it can optionally redirect to another page or throw an exception when an
attack occurs. This helps hide the real details of the error from the attacker.
Methods to Help Neutralize Inputs
The PageSecurityValidator provides a library of methods to help you clean up
inputs as part of the neutralization process. When cleaning up HTML, its
methods can even preserve a list of tags in their original form while removing
or encoding the rest.
These methods write to the Security Analysis Report so that you know what
actions have been taken to neutralize an input.
TextLengthSecurityValidator
One of the more subtle problems with cleaning up inputs is that usually the
size of the text grows after clean up. Single quotes are converted to a pair of
single quotes; HTML tags are HTMLEncoded. This invariably means that while the
original text was the right size, the cleaned up text is too big.
The TextLengthSecurityValidator checks the maximum text length in two ways:
against the original size and against the cleaned up size. Use this validator
web control to report text length errors.
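The growth problem described above, as an added example that is not part of Peter's Input Security and uses none of its classes: a plain Python check (the product itself is an ASP.NET control) that cleans a constructed input the two ways the text mentions, doubling single quotes and HTML-encoding, and validates both the original and the cleaned size against the same column limit. The function names and the sample input are assumptions for illustration.

```python
import html


def clean_for_sql_literal(text: str) -> str:
    """Double single quotes, the clean-up the text describes.

    (Parameterized queries are the real fix for SQL injection; this only
    reproduces the size growth that the page is talking about.)
    """
    return text.replace("'", "''")


def clean_for_html(text: str) -> str:
    """HTML-encode the text; html.escape with quote=True also encodes quotes."""
    return html.escape(text, quote=True)


def check_text_length(text: str, max_length: int) -> dict:
    """Validate both the original and the cleaned-up size against one limit.

    Returns both lengths and a pass flag for each, so a caller can raise a
    length error even when the raw input looked small enough.
    """
    cleaned = clean_for_html(clean_for_sql_literal(text))
    return {
        "original_length": len(text),
        "cleaned_length": len(cleaned),
        "original_ok": len(text) <= max_length,
        "cleaned_ok": len(cleaned) <= max_length,
    }


if __name__ == "__main__":
    # Constructed sample: 11 characters raw, 28 after both clean-up steps.
    print(check_text_length("O'Brien <b>", 20))
```

A value that fits a 20-character column before clean-up fails after it, which is exactly the case the validator exists to catch; the check reports both sizes so the user can be told which limit was hit.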
Slow Down Manager
The Slow Down Manager monitors attackers who hit a page several times. It is
your defense against Brute Force attacks. After a few attacks, it blocks access
to that page and optionally to other pages. To block, it redirects to another
page for a time limit. Each time they request the original page, it redirects
until the time limit has expired.
You configure which pages it shows, how many attacks before they are shown, and
the time limit. Once these rules are set up, all pages with a
PageSecurityValidator are ready to block. You can develop rules to escalate
from a friendly message with a short delay to an aggressive message with a
long delay.
You can also use the Slow Down Manager to track multiple login attempts and
start blocking when they exceed your desired number of attempts.
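The blocking and escalation behaviour described in this section, as an added example in Python that is not the product's own Slow Down Manager (which is an ASP.NET component whose API this page does not show): an in-memory tracker counts attacks per client inside a time window, applies the highest escalation rule the count has reached, and answers each later request with the block page to redirect to until the delay expires. Failed logins can be fed through the same counter. The class, rule shape and timings are assumptions for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class EscalationRule:
    attacks: int        # attack count at or above which this rule applies
    delay_seconds: int  # how long the block page is shown
    page: str           # block page to redirect to


@dataclass
class SlowDownManager:
    rules: list                    # EscalationRule, ascending by attacks
    window_seconds: int = 600      # attacks older than this no longer count
    _attacks: dict = field(default_factory=dict)        # client -> [timestamps]
    _blocked_until: dict = field(default_factory=dict)  # client -> (until, page)

    def record_attack(self, client: str, now: float) -> None:
        """Called when a validator detects an attack (or a login fails)."""
        recent = [t for t in self._attacks.get(client, [])
                  if now - t < self.window_seconds]
        recent.append(now)
        self._attacks[client] = recent
        rule = self._rule_for(len(recent))
        if rule is not None:
            self._blocked_until[client] = (now + rule.delay_seconds, rule.page)

    def _rule_for(self, count: int):
        """Highest rule whose threshold the count has reached, or None."""
        matched = None
        for rule in self.rules:
            if count >= rule.attacks:
                matched = rule
        return matched

    def check(self, client: str, now: float):
        """Return None if the request may proceed, else the page to redirect to."""
        entry = self._blocked_until.get(client)
        if entry is None:
            return None
        until, page = entry
        if now >= until:
            del self._blocked_until[client]  # time limit expired
            return None
        return page


# Constructed escalation rules: a friendly page after 3 attacks, a harsher
# one with a long delay after 6.
RULES = [
    EscalationRule(attacks=3, delay_seconds=30, page="/slow-down.html"),
    EscalationRule(attacks=6, delay_seconds=600, page="/blocked.html"),
]


def demo() -> list:
    """Drive one client through both escalation levels; returns the decisions."""
    mgr = SlowDownManager(rules=RULES)
    decisions = []
    for t in (0, 1):
        mgr.record_attack("10.0.0.1", t)
    decisions.append(mgr.check("10.0.0.1", 2))      # 2 attacks: still allowed
    mgr.record_attack("10.0.0.1", 2)
    decisions.append(mgr.check("10.0.0.1", 3))      # 3 attacks: friendly page
    decisions.append(mgr.check("10.0.0.1", 40))     # 30 s elapsed: allowed again
    for t in (41, 42, 43):
        mgr.record_attack("10.0.0.1", t)
    decisions.append(mgr.check("10.0.0.1", 44))     # 6 attacks: aggressive page
    decisions.append(mgr.check("10.0.0.1", 700))    # 600 s elapsed: allowed
    return decisions


if __name__ == "__main__":
    print(demo())
```

Keying the counter on a client identifier and a sliding window is what lets the same rules protect every page at once: the page only has to report the attack and ask `check` before rendering.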
SQL Detection and Script Detection Engines
The SQL Detection Engine analyzes inputs for SQL Injection attacks. It has
several algorithms that can distinguish a SQL statement from human language and
common hacking patterns.
The Script Detection Engine analyzes inputs for Script Injection attacks. It
blocks far more than just the <script> tag. You define a list of tags
that are blocked. It also looks for attacks in HTML tag attributes on tags that
you want to keep. Finally, it looks for dangerous scripts throughout the text.
The core algorithms to detect SQL and Script Injection attacks are very
flexible systems with many user configuration settings. Most of the settings
can be applied in XML files. You can define text that you consider illegal or
suspect. You can even add your own regular expressions to these systems to
catch cases that concern you.
These algorithms are available as methods so that you can use them from your own
validation code. For example, you should use them to protect against attacks
through your web services.
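The tag-list approach described for the Script Detection Engine and the neutralization methods above, as an added example that is not the product's code (its engines are ASP.NET components whose API this page does not show): a Python neutralizer keeps tags from an allowed list in their original form, HTML-encodes every other tag, and also encodes an allowed tag whose attributes carry an event handler or a script URL, returning a list of findings of the kind a security report would record. The regular expressions, function name and sample input are assumptions for illustration, and the example goes slightly beyond the text by also encoding the plain text between tags.

```python
import html
import re

# Any tag-like token: optional slash, a tag name, then attributes up to '>'.
TAG_RE = re.compile(r"<(/?)([A-Za-z][A-Za-z0-9]*)([^<>]*)>")

# Attributes that turn an otherwise harmless tag into script: on*= handlers
# and href/src values that start with a script scheme.
DANGEROUS_ATTR_RE = re.compile(
    r"""(?:^|\s)on[a-z]+\s*=|(?:href|src)\s*=\s*["']?\s*(?:javascript|vbscript)\s*:""",
    re.IGNORECASE,
)


def neutralize_html(text: str, allowed_tags) -> tuple:
    """Keep allowed tags with safe attributes; HTML-encode everything else.

    Returns (cleaned_text, findings). Each finding names what was encoded and
    why, so the caller can write it to its security report.
    """
    allowed = {t.lower() for t in allowed_tags}
    findings = []
    out = []
    pos = 0
    for m in TAG_RE.finditer(text):
        out.append(html.escape(text[pos:m.start()], quote=True))
        name, attrs = m.group(2).lower(), m.group(3)
        if name not in allowed:
            findings.append(f"blocked tag <{name}> encoded")
            out.append(html.escape(m.group(0), quote=True))
        elif DANGEROUS_ATTR_RE.search(attrs):
            findings.append(f"suspicious attribute on <{name}> encoded")
            out.append(html.escape(m.group(0), quote=True))
        else:
            out.append(m.group(0))  # permitted tag, kept as written
        pos = m.end()
    out.append(html.escape(text[pos:], quote=True))
    return "".join(out), findings


if __name__ == "__main__":
    # Constructed sample: a permitted tag, a permitted tag with a handler, and
    # a blocked tag.
    sample = "Hi <b>there</b> <i onclick=x()>hey</i> <script>x()</script>"
    cleaned, found = neutralize_html(sample, ["b", "i"])
    print(cleaned)
    for f in found:
        print("-", f)
```

Because text between tags is encoded as well, entities already present in the input (such as `&amp;`) are encoded a second time; decode once before calling if the field legitimately contains entities.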
Peter's Data Entry Suite
Peter's Data Entry Suite is the underlying technology of Peter's Input
Security. It provides numerous benefits to validation, as it was designed to
overcome the many limitations of Microsoft's validators and to greatly expand
the features of validation. It includes a utility to quickly convert a page
from Microsoft's validators to Peter's Data Entry Suite's.
Peter's Data Entry Suite plays an important role in input security by
providing its own set of validators to block illegal inputs. These include the
DataTypeCheckValidator, RegexValidator, CharacterValidator, and
CompareToStringsValidator.
Peter's Data Entry Suite gives you feature rich
and interactive data entry web forms with over 70 web controls.