The Tools of Peter's Input Security
Here are the tools supplied with Peter's Input Security:
FieldSecurityValidator
This validator web control detects SQL and script injection attacks on individual
data entry controls (visible fields). It uses the SQL Detection and Script Detection
Engines to analyze the text for possible attacks and, when it finds one, can log
and block it.
Each data entry control can have its own level of protection. For SQL, you can
detect individual SQL keywords, SQL statements, and common hacking patterns at
five levels, Low to High, so most free-form text fields can still be protected
without blocking ordinary human language. For scripts, you supply a list of HTML
tag names that are either permitted or blocked.
You can customize how this validator logs and reports errors to the user. For example,
it can silently log attacks without reporting an error back to the user, so the
attacker learns nothing about what was detected while you are fully informed. It can
also record details about the submitted data in the log so that you can review it by hand.
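The graduated Low-to-High detection described above is easiest to understand with a small model of it. The following is an added Python illustration written for this page, not the product's engine or its settings: the patterns, keyword lists and level thresholds are assumptions, and the sample inputs are constructed. It shows why a Low level leaves free-form text alone while still catching classic injection strings, and what stricter levels add.

```python
import re

# Added illustration of graduated SQL detection. Patterns, keyword sets and the
# meaning of each level are assumptions for this example, not the product's.

# Level 1 (Low): constructs that are almost never legitimate in human text.
HACK_PATTERNS = [
    ("quote tautology", re.compile(r"'\s*or\s+'?\w+'?\s*=\s*'?\w+'?", re.I)),
    ("trailing comment", re.compile(r"--\s*$")),
    ("block comment", re.compile(r"/\*.*?\*/", re.S)),
    ("stacked statement", re.compile(
        r";\s*(drop|delete|update|insert|alter|create|exec|execute|shutdown)\b", re.I)),
    ("union select", re.compile(r"\bunion\b\s+(all\s+)?select\b", re.I)),
    ("dangerous procedure", re.compile(r"\b(xp_cmdshell|sp_executesql|xp_regread)\b", re.I)),
]

# Level 2: a complete statement shape (verb plus the clause that normally follows).
STATEMENT_PATTERNS = [
    ("select ... from", re.compile(r"\bselect\b.+?\bfrom\b", re.I | re.S)),
    ("insert into", re.compile(r"\binsert\b\s+into\b", re.I)),
    ("update ... set", re.compile(r"\bupdate\b.+?\bset\b", re.I | re.S)),
    ("delete from", re.compile(r"\bdelete\b\s+from\b", re.I)),
    ("drop object", re.compile(r"\bdrop\b\s+(table|database|view|procedure|index)\b", re.I)),
]

# Levels 3-5 look at bare keywords, which are ordinary English words ("from",
# "update"), so they suit short fields such as IDs or usernames, not comments.
KEYWORDS = {"select", "insert", "update", "delete", "drop", "union", "where",
            "from", "exec", "execute", "alter", "create"}
DANGEROUS_KEYWORDS = {"drop", "delete", "union", "exec", "execute", "alter", "shutdown"}


def detect_sql(text, level):
    """Return a list of findings for `text` at level 1 (Low) .. 5 (High).

    An empty list means the text passes at that level.
    Level 1: hacking patterns only.           Level 2: + complete statements.
    Level 3: + two or more SQL keywords.      Level 4: + any dangerous keyword.
    Level 5: + any SQL keyword at all.
    """
    if not 1 <= level <= 5:
        raise ValueError("level must be 1..5")
    findings = []
    for name, pattern in HACK_PATTERNS:
        if pattern.search(text):
            findings.append(f"hacking pattern: {name}")
    words = re.findall(r"[a-z_]+", text.lower())
    keywords_found = sorted({w for w in words if w in KEYWORDS})
    if level >= 2:
        for name, pattern in STATEMENT_PATTERNS:
            if pattern.search(text):
                findings.append(f"SQL statement: {name}")
    if level >= 3 and len(keywords_found) >= 2:
        findings.append(f"multiple SQL keywords: {', '.join(keywords_found)}")
    if level >= 4:
        dangerous = sorted(set(keywords_found) & DANGEROUS_KEYWORDS)
        if dangerous:
            findings.append(f"dangerous keyword: {', '.join(dangerous)}")
    if level >= 5 and keywords_found:
        findings.append(f"SQL keyword: {', '.join(keywords_found)}")
    return findings


if __name__ == "__main__":
    # Constructed inputs: one customer comment, one surname, three classic attacks.
    samples = [
        "Please select the blue one from the catalog, then delete my old order.",
        "O'Brien",
        "' OR '1'='1' --",
        "x'; DROP TABLE users; --",
        "1 UNION SELECT username, password FROM users",
    ]
    for level in (1, 3, 5):
        for s in samples:
            print(level, repr(s), detect_sql(s, level))
```

Run at level 1 the customer comment passes while all three attack strings are caught; at level 3 the comment is flagged for carrying several SQL keywords, which is the trade-off the levels exist to let you tune per field.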
PageSecurityValidator
This validator web control detects SQL Injection, Script Injection, Input Tampering,
and Brute Force attacks on all inputs: visible fields, hidden fields, query strings,
and cookies. It has extensive properties to customize how it detects these attacks.
When it finds one, it logs and blocks the attack.
You always add one of these to each page with inputs. It immediately adds protection
for visible and hidden fields without any further customization.
The PageSecurityValidator and FieldSecurityValidator do not generate client-side
validation code: the checks run only on the server, so attackers cannot read your
security logic from the page.
Security Analysis Report
The Security Analysis Report may be the most important tool in Peter's Input Security.
There is nothing like it anywhere else. It analyzes all inputs on a page and the
security techniques applied. Use this report to fully audit and document your input
For each input, it describes the following:
- The validators assigned to protect the input
- A rating of its security against SQL Injection and Script Injection: None,
Poor, Good, or Excellent
- Exactly how it determined the ratings
- Specific recommendations to improve and tune your security
- Your programmers' own comments on how they protected the input, supplied
through methods exposed to them
The report is easy to use. Just add the PageSecurityValidator and open your page
in the browser. Then view the HTML file that it outputs.
Log And Respond Engine
The Log And Respond Engine collects detailed data about attacks, exceptions, and
errors into text files, the Windows event log, or your own custom logging system.
It can also send emails about these problems. Based on rules that you set, it can
optionally redirect to another page or throw an exception when an attack occurs,
which keeps the real details of the error hidden from the attacker.
Methods to Help Neutralize Inputs
The PageSecurityValidator provides a library of methods to help you clean up inputs
as part of the neutralization process. When cleaning up HTML, its methods can even
preserve a list of tags in their original form while removing or encoding the rest.
These methods write to the Security Analysis Report so that you know what actions
have been taken to neutralize an input.
One of the more subtle problems with cleaning up inputs is that the text usually
grows after clean up: single quotes are converted to a pair of single quotes, and
HTML tags are HTML-encoded. So text that was the right size when typed can be
too big once cleaned up.
The TextLengthSecurityValidator checks the maximum text length in two ways: against
the original size and against the cleaned up size. Use this validator web control
to report text length errors.
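The two points above, neutralizing while preserving an allow list of tags and checking length before and after cleanup, are shown together in this added Python example. It is written for this page and is not the product's neutralization library: the helpers and the sample input are constructed, and the quote-doubling helper exists only to make the growth concrete (parameterized queries, not string escaping, are how values should reach SQL).

```python
import html
import re

# Added illustration, not the product's code: a neutralizer that keeps an allow
# list of attribute-free tags verbatim and encodes everything else, a SQL-literal
# escape, and a length check that runs against both the raw and the cleaned text.


def neutralize_sql_literal(text):
    """Escape a value for a single-quoted SQL literal: ' becomes ''.

    Shown only to make length growth visible; use parameterized queries in practice.
    """
    return text.replace("'", "''")


# Matches only attribute-free tags such as <b>, </b> or <br/>. A tag carrying
# attributes (<b onclick=...>) does not match and is encoded with the text.
PLAIN_TAG = re.compile(r"<(/?)([A-Za-z][\w-]*)\s*(/?)>")


def neutralize_html(text, keep_tags=("b", "i", "br")):
    """HTML-encode text while preserving attribute-free tags from keep_tags."""
    keep = {t.lower() for t in keep_tags}
    out, pos = [], 0
    for m in PLAIN_TAG.finditer(text):
        out.append(html.escape(text[pos:m.start()], quote=True))
        if m.group(2).lower() in keep:
            out.append(m.group(0))          # kept in its original form
        else:
            out.append(html.escape(m.group(0), quote=True))
        pos = m.end()
    out.append(html.escape(text[pos:], quote=True))
    return "".join(out)


def check_length(text, max_len, neutralize):
    """Check a field against max_len both as typed and after neutralization.

    Returns both lengths and both verdicts so the caller can report which one failed.
    """
    cleaned = neutralize(text)
    return {
        "original_len": len(text),
        "cleaned_len": len(cleaned),
        "original_ok": len(text) <= max_len,
        "cleaned_ok": len(cleaned) <= max_len,
        "cleaned": cleaned,
    }


if __name__ == "__main__":
    # Constructed input: 19 characters, which fits a 20-character column as typed.
    sample = "O'Brien & <b>Co</b>"
    for fn in (neutralize_sql_literal, neutralize_html):
        print(fn.__name__, check_length(sample, 20, fn))
```

With a 20-character limit the sample passes the original-size check and the SQL-escaped form just fits at 20, but the HTML-encoded form is 28 characters and fails the cleaned-size check; that is the case a single pre-cleanup length check misses.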
Slow Down Manager
The Slow Down Manager tracks attackers who hit a page several times. It is your
defense against Brute Force attacks. After a few attacks, it blocks access to that
page and optionally to other pages. To block, it redirects to another page for a
time limit; each time they request the original page, it redirects again until the
time limit has expired.
You configure which pages it shows, how many attacks are needed before they are shown,
and the time limit. Once these rules are set up, all pages with a PageSecurityValidator
are ready to block. You can write rules that escalate from a friendly message with a
short delay to an aggressive message with a long delay.
You can also use the Slow Down Manager to track multiple login attempts and start
blocking when they exceed your desired number of attempts.
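The escalation ladder described above, and its reuse for counting login attempts, can be modelled in a few dozen lines. This is an added Python illustration written for this page, not the product's Slow Down Manager: the rule table (attack counts, delays, redirect pages), the counting window and the client address are constructed assumptions, and the clock is injectable so the demonstration runs instantly.

```python
import time
from collections import defaultdict

# Added illustration, not the product's code. Rules, window and the sample client
# address are assumptions for this example.

# (attacks needed, block seconds, page to redirect to), friendly to aggressive.
DEFAULT_RULES = [
    (3, 30, "/slowdown-please-wait.html"),
    (6, 300, "/slowdown-warning.html"),
    (10, 3600, "/blocked.html"),
]


class SlowDownManager:
    def __init__(self, rules=DEFAULT_RULES, window=600, clock=time.monotonic):
        self.rules = sorted(rules)          # ascending by attack count
        self.window = window                # seconds over which attacks are counted
        self.clock = clock                  # injectable for deterministic tests
        self.attacks = defaultdict(list)    # client key -> attack timestamps
        self.blocks = {}                    # client key -> (blocked until, page)

    def record_attack(self, key):
        """Count an attack (or a failed login) for `key`; apply the highest rule reached."""
        now = self.clock()
        recent = [t for t in self.attacks[key] if now - t <= self.window]
        recent.append(now)
        self.attacks[key] = recent
        for needed, seconds, page in reversed(self.rules):
            if len(recent) >= needed:
                self.blocks[key] = (now + seconds, page)
                break
        return len(recent)

    def redirect_for(self, key):
        """Page to redirect `key` to while blocked, or None if the request may proceed.

        Call it from every protected page to block site-wide, or only from the
        attacked page to block just that page.
        """
        entry = self.blocks.get(key)
        if entry is None:
            return None
        until, page = entry
        if self.clock() >= until:
            del self.blocks[key]            # time limit expired; history is kept
            return None
        return page


class FakeClock:
    """Constructed clock so the demonstration is instant and deterministic."""

    def __init__(self, start=1000.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def demo():
    clock = FakeClock()
    manager = SlowDownManager(clock=clock)
    client = "203.0.113.7"                 # constructed address (documentation range)
    outcomes = []
    for _ in range(3):
        manager.record_attack(client)
    outcomes.append(manager.redirect_for(client))   # friendly page for 30 s
    clock.advance(31)
    outcomes.append(manager.redirect_for(client))   # block expired: None
    for _ in range(3):
        manager.record_attack(client)               # 6 attacks inside the window
    outcomes.append(manager.redirect_for(client))   # escalated: warning page, 300 s
    clock.advance(301)
    outcomes.append(manager.redirect_for(client))   # expired again: None
    return outcomes


if __name__ == "__main__":
    print(demo())
```

Because the attack history survives an expired block, the second burst of three attacks escalates straight to the 300-second page rather than restarting at the friendly one; feeding failed logins into `record_attack` with the account name as the key gives the login-attempt tracking mentioned above.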
SQL Detection and Script Detection Engines
The SQL Detection Engine analyzes inputs for SQL Injection attacks. It has several
algorithms that can distinguish a SQL statement from human language and recognize
common hacking patterns.
The Script Detection Engine analyzes inputs for Script Injection attacks. It blocks
far more than just the <script> tag. You define a list of tags that are blocked.
It also looks for attacks in the HTML attributes of tags that you want to keep.
Finally, it looks for dangerous scripts throughout the text.
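The three layers just described (blocked tags, attribute inspection on kept tags, and a scan of the text itself) are shown in this added Python example, written for this page and not the product's Script Detection Engine. The attribute names, URL schemes and text fragments it treats as dangerous, and the default allow list, are assumptions; the sample markup is constructed. It uses the standard library `html.parser`, which decodes character references in attribute values, so an `&#106;avascript:` URL is seen in its decoded form.

```python
import re
from html.parser import HTMLParser

# Added illustration, not the product's engine. Patterns and allow list are assumptions.

URL_ATTRIBUTES = {"href", "src", "action", "formaction", "data", "background", "poster", "xlink:href"}
SCRIPT_SCHEME = re.compile(r"^(javascript|vbscript|livescript|data):", re.I)
# Whitespace and control characters are stripped first so "java\tscript:" cannot hide the scheme.
OBFUSCATION = re.compile(r"[\s\x00-\x1f]")
STYLE_SCRIPT = re.compile(r"expression\s*\(|url\s*\(\s*['\"]?\s*(javascript|vbscript|data):", re.I)
# Fragments that have no business in ordinary text content.
TEXT_SCRIPT = re.compile(r"javascript\s*:|document\.cookie|\beval\s*\(|String\.fromCharCode|<\s*script\b", re.I)


class ScriptDetector(HTMLParser):
    def __init__(self, allowed_tags):
        super().__init__(convert_charrefs=True)
        self.allowed = {t.lower() for t in allowed_tags}
        self.findings = []

    def handle_starttag(self, tag, attrs):
        self._inspect(tag, attrs)

    def handle_startendtag(self, tag, attrs):
        self._inspect(tag, attrs)

    def _inspect(self, tag, attrs):
        # Layer 1: any tag outside the allow list is reported.
        if tag not in self.allowed:
            self.findings.append(f"blocked tag <{tag}>")
            return
        # Layer 2: a kept tag still cannot carry event handlers, script URLs or
        # script-bearing styles. Attribute values arrive with entities decoded.
        for name, value in attrs:
            name = name.lower()
            value = value or ""
            if name.startswith("on"):
                self.findings.append(f"event handler {name} on <{tag}>")
            elif name in URL_ATTRIBUTES and SCRIPT_SCHEME.match(OBFUSCATION.sub("", value)):
                self.findings.append(f"dangerous URL in {name} on <{tag}>: {value!r}")
            elif name == "style" and STYLE_SCRIPT.search(value):
                self.findings.append(f"script in style on <{tag}>: {value!r}")

    def handle_data(self, data):
        # Layer 3: script fragments in the text itself, including entity-encoded
        # "&lt;script" which the parser has decoded by this point.
        m = TEXT_SCRIPT.search(data)
        if m:
            self.findings.append(f"script fragment in text: {m.group(0)!r}")


def detect_script(text, allowed_tags=("p", "b", "i", "br", "a")):
    """Return a list of findings; an empty list means nothing script-like was found."""
    detector = ScriptDetector(allowed_tags)
    detector.feed(text)
    detector.close()
    return detector.findings


if __name__ == "__main__":
    # Constructed samples: clean markup, then one attack per layer.
    for sample in [
        '<p>Hello <b>world</b>, see <a href="https://example.com/x">this</a></p>',
        "<script>alert(1)</script>",
        '<b onmouseover="steal()">hi</b>',
        '<a href="&#106;ava&#9;script:alert(1)">x</a>',
        "click javascript:alert(1) please",
    ]:
        print(repr(sample), detect_script(sample))
```

This is a detector, matching the validator's role of reporting and blocking; a neutralizer would instead drop the offending tag or attribute. Note that every `data:` URL is treated as dangerous here because a user-supplied link has no need for one.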
The core algorithms that detect SQL and Script Injection attacks are very flexible
systems with many user configuration settings, most of which can be applied in XML
files. You can define text that you consider illegal or suspect, and you can even
add your own regular expressions to these systems to catch cases that concern you.
These algorithms are also available as methods, so you can call them from your own
validation code; for example, use them to protect against attacks that arrive
through your web services.
Peter's Data Entry Suite
Peter's Data Entry Suite is the underlying technology of Peter's Input Security.
It was designed to overcome the many limitations of Microsoft's validators and to
greatly expand the features of validation, which benefits the security validators
built on it. It includes a utility to quickly convert a page from Microsoft's
validators to Peter's Data Entry Suite's.
Peter's Data Entry Suite plays an important role in input security by providing
its own set of validators to block illegal inputs. These include the DataTypeCheckValidator,
RegexValidator, CharacterValidator, and CompareToStringsValidator.
Peter's Data Entry Suite gives you feature-rich and interactive data entry web forms
with over 100 web controls. Start with better controls. Finish with better sites.