Re: Security for web site accessing i via IWS

[Pete Helgren <pete@xxxxxxxxxx>]

The amount of work will depend upon how many inputs and outputs you 
have.  SQL injection is best mitigated by using parameterized queries. 
But static SQL can be made safer using length checking, character 
white/black lists, proper data typing, using host variables and also a 
jaundiced eye when it comes to looking at a statement and seeing how 
variables passed to it could be manipulated for nefarious purposes.  
Tough to do when you are a solo act and can't have someone take a look 
and figure out a way to exploit it.

The same applies to XSS and CRSF.  Check the inputs and outputs for 
invalid characters, make sure you have sane length checking and data 
typing.  The web app may have static dropdown lists for selecting values 
but that wouldn't prevent someone from changing those values by 
manipulating the JavaScript so if there is a range of static values that 
are coming from a dropdown list (for example) , whitelist and check for 
those values at your end as well.

Late response (started before lunch).  Good responses prior to this.....

Pete Helgren
www.petesworkshop.com
GIAC Secure Software Programmer-Java

On 2/3/2015 10:23 AM, Koester, Michael wrote:
> Thanks Pete.
> Do you know of any RPG/SQL tricks to trap SQL injection?  My embedded SQL uses static SQL statements only (currently), and I'm validating the inputs by testing fields that should be numeric for numerals only, email addresses for permitted characters only (no blanks or back-slashes, etc.) and proper acct@domain structures...
> But I do not know anything about CSRF and XSS.
> Not being Java/PHP-proficient, I humbly admit to limitations.
> Any suggestions would be greatly appreciated.
> -- Michael