Enterprise Library Test Guide - Willy .Net
07.11.2014 Views
Share Embed Flag

Enterprise Library Test Guide - Willy .Net

Enterprise Library Test Guide - Willy .Net

Enterprise Library Test Guide - Willy .Net

SHOW MORE
SHOW LESS
ePAPER READ
DOWNLOAD ePAPER
willydev.net

You also want an ePaper? Increase the reach of your titles

YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.

START NOW

<strong>Test</strong>ing for Security Best Practices 135<br />

Threat 4<br />

Threat<br />

description<br />

Countermeasures<br />

STRIDE<br />

classification<br />

Risk<br />

Mitigation<br />

Investigative<br />

notes<br />

Attackers can flood the database log with false messages.<br />

The Logging Application Block exposes interfaces that allow an application<br />

to use the Data Access Application Block to log messages to a database.<br />

An attacker can use these interfaces to flood the database with false messages.<br />

This can eventually cause a denial of service. In addition, log messages<br />

in the database may contain sensitive information.<br />

The Data Access Application Block requires explicit Code Access Security<br />

permissions to access SQL Server or an Oracle database. No such permissions<br />

are necessary to access a generic database. The GenericDatabase<br />

class’s access methods have overloads that can request custom permissions<br />

that derive from the .NET Framework DBDataPermission class. These<br />

permissions ensure that the application has the proper level of security to<br />

access the database.<br />

Tampering, Denial of Services, Elevation of Privileges<br />

High<br />

Yes<br />

None<br />

Table 14 lists the DREAD rating for threat 4.<br />

Table 14: Threat 4 DREAD Rating<br />

D R E A D Total Rating<br />

3 3 2 3 3 14 High<br />

Table 15 lists details about threat 5.<br />

Table 15: Logging Application Block Threat 5<br />

Threat 5<br />

Name<br />

Entry points<br />

Threat<br />

description<br />

Countermeasures<br />

Attackers can flood the flat file log with false messages.<br />

Flooding the flat file log<br />

Public classes and static methods<br />

The Logging Application Block exposes interfaces that allow you to log messages<br />

to a flat file. An attacker can use these interfaces to flood the flat file<br />

with false messages. This can constitute a denial of service attack. In addition,<br />

log messages in the flat file may contain sensitive information.<br />

Check the hard disk space to see if it has reached its threshold limit, which<br />

controls how many messages can be in the file. If the flat file has reached<br />

its limit, generate an exception. The application should appropriately handle<br />

this exception. Also, the application should include code that uses an<br />

instance of the FileIOPermission class. Finally, the administrator should assign<br />

the appropriate ACLs to the event log for read/ write operations.<br />

continued

logo

products

Resources

Company

Terms of service
Privacy policy
Cookie policy
Cookie settings
Imprint
Change language
Made with love in Switzerland
© 2024 Yumpu.com all rights reserved

Hooray! Your file is uploaded and ready to be published.

Saved successfully!

Ooh no, something went wrong!