summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorxue <>2006-01-28 05:56:18 +0000
committerxue <>2006-01-28 05:56:18 +0000
commit785fa814501d66e94d07a872d5ff69e26baf413d (patch)
treed8b1d94f18a75b32355d83a53dcfb79a065a258f
parent1bf13b75e5f5f3d1f953a94a9be244d734ed3f9d (diff)
Added ViewState protection and cross site scripting prevention tutorial pages.
-rw-r--r--.gitattributes2
-rw-r--r--demos/quickstart/protected/controls/TopicList.tpl4
-rw-r--r--demos/quickstart/protected/pages/Security/ViewState.page31
-rw-r--r--demos/quickstart/protected/pages/Security/XSS.page13
4 files changed, 48 insertions, 2 deletions
diff --git a/.gitattributes b/.gitattributes
index f6db162f..a8b9d54e 100644
--- a/.gitattributes
+++ b/.gitattributes
@@ -149,6 +149,8 @@ demos/quickstart/protected/pages/GettingStarted/AboutPrado.page -text
demos/quickstart/protected/pages/GettingStarted/Installation.page -text
demos/quickstart/protected/pages/GettingStarted/Introduction.page -text
demos/quickstart/protected/pages/Security/Auth.page -text
+demos/quickstart/protected/pages/Security/ViewState.page -text
+demos/quickstart/protected/pages/Security/XSS.page -text
demos/quickstart/protected/pages/ViewSource.page -text
demos/quickstart/protected/pages/ViewSource.php -text
demos/quickstart/protected/pages/config.xml -text
diff --git a/demos/quickstart/protected/controls/TopicList.tpl b/demos/quickstart/protected/controls/TopicList.tpl
index f2aa4180..79d3cd1d 100644
--- a/demos/quickstart/protected/controls/TopicList.tpl
+++ b/demos/quickstart/protected/controls/TopicList.tpl
@@ -64,8 +64,8 @@
<div>Security</div>
<ul>
<li><a href="?page=Security.Auth">Authentication and Authorization</a></li>
- <li><a href="?page=Construction">ViewState Protection</a></li>
- <li><a href="?page=Construction">Cross Site Scripting Prevention</a></li>
+ <li><a href="?page=Security.ViewState">ViewState Protection</a></li>
+ <li><a href="?page=Security.XSS">Cross Site Scripting Prevention</a></li>
</ul>
</div>
diff --git a/demos/quickstart/protected/pages/Security/ViewState.page b/demos/quickstart/protected/pages/Security/ViewState.page
new file mode 100644
index 00000000..42499aae
--- /dev/null
+++ b/demos/quickstart/protected/pages/Security/ViewState.page
@@ -0,0 +1,31 @@
+<com:TContent ID="body" >
+
+<h1>Viewstate Protection</h1>
+<p>
+Viewstate lies at the heart of PRADO. Viewstate represents data that can be used to restore pages to the state that is last seen by end users before making the current request. By default, PRADO uses hidden fields to store viewstate information.
+</p>
+<p>
+It is extremely important to ensure that viewstate is not tampered by end users. Without protection, malicious users may inject harmful code into viewstate and unwanted instructions may be performed when page state is being restored on server side.
+</p>
+<p>
+To prevent viewstate from being tampered, PRADO enforces viewstate HMAC (Keyed-Hashing for Message Authentication) check before restoring viewstate. Such a check can detect if the viewstate has been tampered or not by end users. Should the viewstate modifies, PRADO simply stops restoring the viewstate and returns an error message.
+</p>
+<p>
+HMAC check requires a private key that should be secret to end users. Developers can either manually specify a key or let PRADO automatically generate a key. Manually specified key is useful when the application runs on a server farm. To do so, configure <tt>TPageStatePersister</tt> in application configuration,
+</p>
+<com:TTextHighlighter Language="xml" CssClass="source">
+&lt;service id="page" class="TPageService"&gt;
+ &lt;modules&gt;
+ &lt;module id="state"
+ class="TPageStatePersister"
+ PrivateKey="my private key" /&gt;
+ &lt;/modules&gt;
+&lt;/service&gt;
+</com:TTextHighlighter>
+<p>
+HMAC check does not prevent end users from reading the viewstate content. An added security measure is to encrypt the viewstate information so that end users cannot decipher it. Work on supporting viewstate encryption is ongoing.
+</p>
+<p>
+Another strategy to protect viewstate is to store it on server side rather than using hidden fields. The relevant work is also ongoing.
+</p>
+</com:TContent> \ No newline at end of file
diff --git a/demos/quickstart/protected/pages/Security/XSS.page b/demos/quickstart/protected/pages/Security/XSS.page
new file mode 100644
index 00000000..fedd2a38
--- /dev/null
+++ b/demos/quickstart/protected/pages/Security/XSS.page
@@ -0,0 +1,13 @@
+<com:TContent ID="body" >
+
+<h1>Cross Site Scripting Prevention</h1>
+<p>
+Cross site scripting (also known as XSS) occurs when a web application gathers malicious data from a user. Often attackers will inject JavaScript, VBScript, ActiveX, HTML, or Flash into a vulnerable application to fool other application users and gather data from them. For example, a poorly design forum system may display user input in forum posts without any checking. An attacker can then inject a piece of malicious JavaScript code into a post so that when other users read this post, the JavaScript runs unexpectedly on their computers.
+</p>
+<p>
+One of the most important measures to prevent XSS attacks is to check user input before displaying them. One can do HTML-encoding with the user input to achieve this goal. However, in some situations, HTML-encoding may not be preferrable because it disables all HTML tags.
+</p>
+<p>
+PRADO incorporates the work of <a href="http://pixel-apes.com/safehtml/">SafeHTML</a> and provides developers with a useful component called <tt>TSafeHtml</tt>. By enclosing content within a <tt>TSafeHtml</tt> component tag, the enclosed content are ensured to be safe to end users. In addition, the commonly used <tt>TTextBox</tt> has a <tt>SafeText</tt> property which contains user input that are ensured to be safe if displayed directly to end users.
+</p>
+</com:TContent> \ No newline at end of file