If you are not familiar with the concept of CSV Injection, we suggest that you review the article entitled “What is Information Leakage ?“.
If you are not familiar with how to detect CSV Injection, we suggest that you review the article entitled “How To Test for Information Leakage“.
You can protect your application and organization against Information Leakage in two ways:
- Define the Problem: Develop Secure Coding Policies that defines “application-sensitive information” and expresses your expectations
- Ensure Awareness: Sensitize your developers and testers to what “application-sensitive information” means and how to detect it.
- Verify Compliance: Include Information Security testing in your Quality Assurance (QA) or Security Testing development phase
Steps to Prevent Information Leakage By Your Application
- Ensure that your web-server Banner is not overly-informative. That is, change the “banner” content to mislead an attacker.
- Code Review your page source, active server pages, and supporting files to ensure they are free of “application-sensitive” information that would be included in results.
- Define one or more Error Pages that will be displayed in the event Exceptions are raised. One must be a “catch all” that is displayed if an un-handled exception occurs.
- Verify that debugging is disabled in production and cannot be enabled through request parameters.
- Test for Account Enumeration as part of your QA or security testing
- Ensure that Web Browsers are instructed not to cache responses containing sensitive information
- Ensure that Session and Authentication cookies are always transferred securely
- Recognize when your application is under attack and respond aggressively by logging the event, delaying the response, and terminating the session.
Steps to Prevent Information Leakage By Your Organization
- Establish a Social Media Policy for employees that defines and restricts what can be shared about the organization and its technology
- Sensitize developers to what information can and should not be shared on technical bulletin boards/services
- Sensitize managers to what technology information can and should be shared with regard to recruiting
About Affinity IT Security
We hope you found this article to be useful. Affinity IT Security is available to help you with your security testing and train your developers and testers. In fact, we train developers and IT staff how to hack applications and networks.
Perhaps it was a network scan or website vulnerability test that brought you here. If so, you are likely researching how to find, fix, or avoid a particular vulnerability. We urge you to be proactive and ensure that key individuals in your organization understand not only this issue, but also are more broadly aware of application security.
Contact us to learn how to better protect your enterprise.
Although every effort has been made to provide the most useful and highest quality information, it is unfortunate but inevitable that some errors, omissions, and typographical mistakes will appear in these articles. Consequently, Affinity IT Security will not be responsible for any loss or damages resulting directly or indirectly from any error, misunderstanding, software defect, example, or misuse of any content herein.