WebApp Sec mailing list archives
Re: Hardcoded Database IP in ASP
From: PCSC Information Services <info () pcsage biz>
Date: Tue, 19 Sep 2006 19:55:38 -0400
Hi Darryl,Have you considered having the DB server use a non-routable protocol that is available only on your internal network? Given that many databases can operate in many different protocol/network environments, you might consider it advantageous to limit all connections to it to internally authenticated machines only (i.e. the machines authenticate using a mechanism that is only available for internal connections) This might be a good way to secure your dbs and db servers. If this database is very sensitive (i.e. personally identifiable metrics) having a separate connection might prove most efficacious in your efforts to secure this data. I understand that .asp has more than one connection method so this shouldn't prove beyond your scope.
Sincerely, Sean Swayze PCSInformation Services info () pcsage biz On 14-Sep-06, at 2:28 PM, Darryl Stevens wrote:
Hello fellow Security Guru's.I've been on the distro from sometime and gaining a lot of insight into various security issues.Question: I have ASP script that points to a backend database residing on seperate physical server. Is there any known way of getting around using a hard-coded IP address to point to the database? Would utilizing the OS hosts file serve my purposes of and satisfy secure code practices? Thanks guys.Darryl---------------------------------------------------------------------- ---Sponsored by: WatchfireSecuring a web application goes far beyond testing the application using manual processes, or by using automated systems and tools. Watchfire's "Web Application Security: Automated Scanning or Manual Penetration Testing?" whitepaper examines a few vulnerability detection methods - specifically comparing and contrasting manual penetration testing with automated scanning tools. Download it today!https://www.watchfire.com/securearea/whitepapers.aspx? id=701500000008Vmm ---------------------------------------------------------------------- ----
------------------------------------------------------------------------- Sponsored by: WatchfireCross-Site Scripting (XSS) is one of the most common application-level attacks that hackers use to sneak into web applications today. This whitepaper will discuss how traditional CSS attacks are performed, how to secure your site against these attacks and check if your site is protected. Cross-Site Scripting Explained - Download this whitepaper today!
https://www.watchfire.com/securearea/whitepapers.aspx?id=701500000008Vmr --------------------------------------------------------------------------
Current thread:
- Hardcoded Database IP in ASP Darryl Stevens (Sep 14)
- RE: Hardcoded Database IP in ASP Ken Schaefer (Sep 19)
- Re: Hardcoded Database IP in ASP RSnake (Sep 19)
- Re: Hardcoded Database IP in ASP Darryl Stevens (Sep 19)
- Re: Hardcoded Database IP in ASP security (Sep 19)
- Re: Hardcoded Database IP in ASP PCSC Information Services (Sep 22)
- <Possible follow-ups>
- RE: Hardcoded Database IP in ASP Darryl Stevens (Sep 19)