Fight back against hackers
Peter's Input Security provides a formidable defense against SQL Injection,
Script Injection (Cross Site Scripting), Input Tampering, and Brute Force attacks
on your ASP.NET web sites.
Microsoft and many others have been discussing the ways you can prevent and neutralize
these attacks. At conferences and in articles, the solution seems simple enough:
use a validator to block the attack and neutralize with HtmlEncode and parameterized
database calls. As each programmer investigates these tools and reads more on the
subject, it becomes clear that much more needs to be done, costing time and requiring
experience to implement a full solution. PeterBlum.com has spent the time and research
for you, building a comprehensive toolkit into Peter's Input
- Protects visible fields, hidden fields, query string parameters, and cookies
- Block access to pages that have received multiple attacks to slow the hacker down
and reduce the resources used
- Log attacks in great detail. Also can log your site's exceptions and other errors.
It can notify you through email.
- Security Analysis Report provides a full audit of each page's inputs and their
security settings. It even recommends how to improve your security.
- Each field can have its own rules for allowing certain HTML tags or SQL-like statements.
- Provides tools to neutralize attacks that are not caught by validators.
- You can customize the rules for detecting attacks.
A Far Better Defense
Microsoft provides some validators, the ValidateRequest property, and parameterized
calls to your database. This has been promoted as a solid defense against hackers.
What makes Peter's Input Security so much better?
A formidable input security system covers these aspects of security:
Knowledge, Auditing, Detection, Logging, Blocking, Neutralization, and Impeding.
Peter's Input Security addresses all of these and goes far deeper in detection,
blocking and neutralization.
For example, while parameterized calls to your database can neutralize SQL Injection,
here is what Peter's Input Security adds:
- Validators only handle visible fields on your page. You have no defenses against
attacks through hidden fields, query strings and cookies.
- Monitor attacks with the detection and logging capabilities of the
FieldSecurityValidator and PageSecurityValidator. You can even be emailed as
an attack is happening, with a detailed description of the attack used.
- You can defend against repeated attacks with the Slow
Down Manager. It impedes access to your pages and frustrates the hacker.
- There are no validators for free-form textboxes with the validators Microsoft supplies.
The FieldSecurityValidator can block these attacks. By blocking, you limit the amount
of garbage added to your database and reduce resources lost to attacks.
- Its SQL Detection Engine is far more powerful than
any regular expression that you use within a RegularExpressionValidator. It has
algorithms to distinguish SQL statements from human language and to detect common
The Security Toolkit
Peter's Input Security provides a rich and flexible toolkit that gives you
a serious system to protect your web site. It has powerful validators to catch injection
attacks, a logging system to track attacks, and several ways to impede hackers.
Its tools protect visible fields, hidden fields, cookies and query strings.
Here are the tools supplied with Peter's Input Security:
- FieldSecurityValidator - A validator for visible controls where you can set attack
detection rules and error messages on a field-by-field basis
- PageSecurityValidator - A validator for all inputs on the page. Use it to set rules
on hidden fields, query string parameters, and cookies.
- Security Analysis Report - An audit of all the page's inputs and their security
- Log And Respond Engine - Log and email attacks, exceptions, and errors on your
- Methods to Help Neutralize Inputs
- TextLengthSecurityValidator - A validator that reports errors when text exceeds
a maximum. It looks at text after it is neutralized which causes it to grow.
- Slow Down Manager - Block access to a page after a number of attacks
- SQL and Script Detection Engines - Powerful and customizable algorithms that detect
SQL and Script Injection attacks.
The Realities Of Implementing Security
The hacker community has the skills, tools, and motivation to attack your site until
they find a hole. You may be looking at Peter's Input Security as the fast
way to secure your site against hackers. You certainly can drop its validators onto
your pages, change a few settings, and feel like you've blocked them. That does
not make your site secure. Validation, logging, impeding, neutralizing, and
a full audit of your page's inputs all contribute to a secure site.
Each of your page's inputs has its own data entry requirements. Some permit certain
HTML tags. Some need to allow SQL keywords because they appear in human language.
Some may need a friendly validation error message to assist users. Others need to
redirect the user to another page and block them from doing it again. Unfortunately,
there is no software that instantly knows the rules of all your inputs. (That would
be the "Holy Grail" of input security.)
It takes time to implement security correctly. Be prepared for that.
Peter's Input Security has been designed to give you the security that works
correctly for you. Its tools are feature rich, flexible, well researched, and tested.
You don't have to spend weeks of research and development anymore. Its documentation
provides step-by-step guidance for setting up your site. The result is that you
will have excellent security in far less time.
The Peter's Input Security Module
Peter's Input Security is a module of Peter's Data Entry Suite.
It is included when you purchase the Peter's Data Entry Suite, or it can be purchased
separately starting at $90 per server.
If you purchase this module alone, you will get all of the features described
as The Security Toolkit above.
If you are purchasing modules, the Peter's Professional
Validation module is required. The Peter's More Validators
module is recommended but not required.
Peter's Data Entry Suite gives you feature rich
and interactive data entry web forms with over 100 web controls.
Start with better controls. Finish with better sites.