PerlMonks |
Re: Validation Validation Validation
by kabeldag (Hermit) on Feb 06, 2007 at 05:03 UTC
Just a general approach to such a situation. Not a comprehensive solution ...
1.0 Validate IP address and other Transport and Network Layer properties as required.
1.1 Log Transport and Network Layer connections and scrutinise.

HTTP server usage.
2.1 Validate Application Layer HTTP header parameters.

3.0 Validate Application layer document specific access. Session id token combined with IP address and or other parameters via some sort of encoding technique. A user/password auth combination with perhaps 'CAPTCHA' techniques to validate the user login.
3.1 Validate session form input. Use hidden form values, data length checks, valid characters and or words. Validate input times so that input doesn't come too quick or too late.
3.2 Log important events such as logins and form input with appropriate client/session data.
3.3 Scrutinise event logs ... if form input/submissions, authentication etc. pass all of the validation checks, you can always check the logs for patterns. Random or not, you will notice patterns and can take appropriate action.

Beware of blocking/black-listing certain IP's though, you may end up blocking a completely okay network because somebody spoofed an IP or block.

It is easy to spoof Network and Transport Layer packet properties, as well as Application layer properties such as the document referrer etc, but if you have no validation, you have no security.

By no means have I listed every possible validation method nor may I be 100% on target. I have just listed a general layered overview. There are suggestions already mentioned in this thread/node, but don't stop there. Think about the type of situation you have and apply a security measure to match. Common sense.

Update (:-s) : Fixed some HTML formatting
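As an added example (not part of kabeldag's post), here is one way to realise items 3.0 and 3.1 above in Perl: a hidden-field form token that binds the session id, client IP and issue time with an HMAC, a check that the submission is neither too quick nor too late, and a length/character allow-list check on a field. The secret, the time windows and the demo values are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);   # core module

# Assumption: a long random server-side secret that never reaches the client.
my $SECRET = 'replace-with-a-long-random-server-secret';

# Issue a token binding session id, client IP and issue time (hidden form field).
sub issue_form_token {
    my ($session_id, $client_ip, $now) = @_;
    $now //= time;
    my $mac = hmac_sha256_hex("$session_id|$client_ip|$now", $SECRET);
    return "$now.$mac";
}

# Check a submitted token against the current session/IP and the clock.
# Returns undef when valid, otherwise a short reason string for the event log.
sub check_form_token {
    my ($token, $session_id, $client_ip, $now, %opt) = @_;
    $now //= time;
    my $min_age = $opt{min_age} // 2;      # too quick: likely automated
    my $max_age = $opt{max_age} // 1800;   # too late: form has expired
    my ($issued, $mac) = ($token // '') =~ /^(\d+)\.([0-9a-f]{64})\z/
        or return 'malformed token';
    my $expected = hmac_sha256_hex("$session_id|$client_ip|$issued", $SECRET);
    return 'bad signature' unless $mac eq $expected;   # other session/IP or tampered
    my $age = $now - $issued;
    return 'submitted too quickly' if $age < $min_age;
    return 'token expired'         if $age > $max_age;
    return undef;
}

# Field check: length bound plus an allow-list of characters.
sub check_field {
    my ($value, $max_len, $allowed_re) = @_;
    return 'missing'            unless defined $value;
    return 'too long'           if length($value) > $max_len;
    return 'invalid characters' unless $value =~ $allowed_re;
    return undef;
}

# Constructed demo values (not real session data).
my $tok = issue_form_token('sess-abc123', '192.0.2.10', 1000);
printf "same IP, 10s later: %s\n", check_form_token($tok, 'sess-abc123', '192.0.2.10',   1010) // 'ok';
printf "other IP:           %s\n", check_form_token($tok, 'sess-abc123', '198.51.100.7', 1010) // 'ok';
printf "too quick:          %s\n", check_form_token($tok, 'sess-abc123', '192.0.2.10',   1001) // 'ok';
printf "username field:     %s\n", check_field('alice_01', 32, qr/^[A-Za-z0-9_]+\z/) // 'ok';
```

Binding the token to the client IP follows the post's 3.0 suggestion; clients whose address changes mid-session (mobile networks, proxy pools) will fail that check, so log it as an event to scrutinise (3.2/3.3) rather than treating it as proof of abuse.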