Posts

Showing posts from July, 2013

Cross site scripting

Exploit methods: reflected, persistent and DOM-based, plus JSON, jQuery and data URIs. MS Word hijacked links (a script that turns the links into ones that open a Word document, which will be downloaded to the user's machine and used against it). Dangling markup (script-less attack): the attacker injects a URL into the database without a closing tag; when the page is bound to the HTML DOM, everything that follows is sent to the URL the attacker put in. In MVC, the attacker can now take the "Request Verification Token" too.

Solutions: HTML-encode output to prevent cross-site scripting. Where user inputs are allowed to use tags, restrict them with a regex to a-z only. Use Json.Encode() or Encoder.JavaScriptEncode() on all data supplied to JavaScript; this is still vulnerable if the text is read from an element and used incorrectly. Audit everywhere the DOM is created or altered by user input. Do not encode the data before saving it to the database, but sanitize it, since encoding stored data leads to double encoding. Use a sanitizer: AntiXss Sanitizer's GetSafeHtml()/GetSafeH...

Web Performance Tests

Web Application Performance and Scalability Testing.

What we should measure for performance: Time to First Byte (TTFB); Total Page Response Time (aka Time to Last Byte, TTLB). What we should measure for load: user load; requests/sec; errors/sec. What we should measure for resource utilization: CPU; memory; disk/network.

Kinds of test: Performance test: the speed of the application. Load test: how the application's performance varies as load increases. Stress test: application behavior under normal and peak load conditions. Smoke test: an initial performance test under normal load. Capacity test: a load test variant used to determine the server's failure point, providing information on the total capacity of the current system. Endurance test: a kind of load test that determines the production application's performance under load over an extended time period.

Web performance tests: Validation rules; Context parameters; Parameterization; Data source for tests (SQL, CS...