
Security in ASP.NET applications

Published in: Technology

  4. Vulnerable login (user input concatenated straight into the SQL text):

     ' Vulnerable: the form fields become part of the SQL statement itself
     Dim queryString As String = _
         "SELECT * FROM users WHERE username = '" & Me.user.text & "' AND password = '" & Me.pass.text & "';"
     Using connection As New SqlConnection(connectionString)
         connection.Open()
         Dim command As New SqlCommand(queryString, connection)
         ' ExecuteReader returns the reader; it is not constructed with New
         Dim reader As SqlDataReader = command.ExecuteReader()
         If reader.Read() Then
             result.text = "Bienvenido " & reader(0)
         Else
             result.text = "No se pudo loguear!"
         End If
         connection.Close()
     End Using
  5. The content of the input is not validated at all.
     Users can type anything they like!
  6. Input:
       ' OR 1 = 1 --
     Resulting query:
       SELECT * FROM usuarios WHERE username = '' OR 1 = 1 --' AND password = 'cualquiercosa';

     Input:
       '; INSERT INTO usuarios VALUES('TuUsuario', 'TuPassword') --
     Resulting query:
       SELECT * FROM usuarios WHERE username = ''; INSERT INTO usuarios VALUES('TuUsuario', 'TuPassword') --' AND password = 'cualquiercosa';

     Input:
       '; DROP TABLE usuarios --
     Resulting query:
       SELECT * FROM usuarios WHERE username = ''; DROP TABLE usuarios --' AND password = 'cualquiercosa';
  7. Avoid concatenating variables into SQL statements
     Perform strong, exhaustive validation
     Distrust whatever users type
     Lean on the tools ASP.NET provides
  8. Parameterized query (placeholders bound as SqlParameter values):

     Dim query As String = "SELECT * FROM usuarios WHERE username = @user AND password = @pass;"
     …
     ' The value is sent separately from the SQL text, so it can never be parsed as SQL
     Dim userParameter As New SqlParameter("@user", SqlDbType.NVarChar, 25)
     With userParameter
         .Value = Me.user.text
     End With
     command.Parameters.Add(userParameter)
     ' same procedure for @pass
     …
  9. Stored procedure (T-SQL) and the VB.NET call to it:

     CREATE PROCEDURE dbo.GetLogin(
         @username varchar(25),
         @password varchar(25)
     )
     AS
     SELECT * FROM usuarios WHERE
         username = @username AND
         password = @password

     Dim procedimiento As String = "GetLogin"
     …
     Dim command As New SqlCommand(procedimiento, connection)
     …
     ' Tell ADO.NET the command text is a procedure name, not a SQL batch
     command.CommandType = CommandType.StoredProcedure
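As an added example (not from the slides), here are the concatenated login of slide 4 and the parameterized login of slide 8 rendered in Python over an in-memory SQLite table so the difference can be run offline; the table contents, the password value and the Python/SQLite choice are assumptions, and the stored procedure of slide 9 has no SQLite equivalent so it is not mirrored.

```python
import sqlite3


def make_db():
    # Constructed stand-in for the page's "usuarios" table
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE usuarios (username TEXT, password TEXT)")
    conn.execute("INSERT INTO usuarios VALUES ('admin', 's3cret')")
    conn.commit()
    return conn


def login_concat(conn, user, pw):
    # Vulnerable pattern from slide 4: input becomes part of the SQL text
    query = ("SELECT * FROM usuarios WHERE username = '" + user +
             "' AND password = '" + pw + "';")
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_param(conn, user, pw):
    # Hardened pattern from slide 8: placeholders, values bound separately
    query = "SELECT * FROM usuarios WHERE username = ? AND password = ?;"
    row = conn.execute(query, (user, pw)).fetchone()
    return row[0] if row else None


def demo():
    # Runs both versions with a real login and with the slide-6 input
    conn = make_db()
    payload = "' OR 1 = 1 --"
    return {
        "concat_valid": login_concat(conn, "admin", "s3cret"),
        "concat_injected": login_concat(conn, payload, "cualquiercosa"),
        "param_valid": login_param(conn, "admin", "s3cret"),
        "param_injected": login_param(conn, payload, "cualquiercosa"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The concatenated version logs the injected request in as "admin" because the `--` comments out the password check; the parameterized version searches for the literal string and finds no row.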
