Security and Attack Mitigation¶
Parameterized Command Strings¶
All Colectica products that pass user input to a database do so through parameterized commands; SQL text is never assembled from user-supplied values.
A SQL command string that is built from user input is vulnerable to SQL injection attacks. In a SQL injection attack, a malicious user supplies input that alters the structure of a query in an attempt to damage or gain unauthorized access to the underlying database. Typical techniques include injection of a single quotation mark or apostrophe, which is the SQL literal string delimiter; two dashes, which begin a SQL comment; and a semicolon, which indicates that a new command follows. Since user input must be part of many Colectica queries, all Colectica database access uses parameterized command strings: the SQL text is fixed in the application, and each user-supplied value is sent to the database separately as a bound parameter, so it is treated as data and never parsed as part of the command. This applies to every input, including legitimate values such as names that contain an apostrophe.
Anti-Cross Site Scripting Library¶
Colectica Portal uses the Microsoft Anti-Cross Site Scripting Library to protect users from Cross-Site Scripting (XSS) attacks.
XSS enables attackers to inject client-side script into Web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same origin policy.
- Colectica uses the Microsoft Anti-Cross Site Scripting library to prevent XSS attacks.
- Colectica limits the display of user-created content to information created by authenticated users.
- Colectica supports a read-only view of Colectica Portal, eliminating all web user-generated content.
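The following is an added example, not Colectica code and not the Microsoft Anti-Cross Site Scripting Library itself, which is a .NET library. It shows the technique that library provides, output encoding chosen for the context the untrusted value lands in (element body, quoted attribute, href), using Python's standard `html.escape` and `urllib.parse` as stand-ins. The comment markup, the http/https-only rule for links and the attacker inputs are assumptions constructed for the demonstration.

```python
import html
from urllib.parse import urlsplit

# Assumption of this example: only absolute http(s) links are accepted in a
# user-supplied href; javascript:, data:, vbscript: and schemeless values are dropped.
ALLOWED_URL_SCHEMES = {"http", "https"}


def encode_for_html(text: str) -> str:
    """Encode untrusted text for an HTML element body or a quoted attribute value.
    The characters that can change markup structure (& < > " ') become entities."""
    return html.escape(text, quote=True)


def encode_for_href(url: str) -> str:
    """Encode an untrusted URL for an href attribute: reject dangerous schemes,
    then attribute-encode the string so it cannot break out of the quotes."""
    scheme = urlsplit(url).scheme.lower()
    if scheme not in ALLOWED_URL_SCHEMES:
        return "#"
    return html.escape(url, quote=True)


def render_comment_unsafe(author: str, body: str, link: str) -> str:
    """The anti-pattern: user input concatenated straight into markup."""
    return (f'<div class="comment"><a href="{link}" title="{author}">{author}</a>'
            f'<p>{body}</p></div>')


def render_comment(author: str, body: str, link: str) -> str:
    """Output-encoded version: each value is encoded for the context it lands in,
    and attribute values are always wrapped in double quotes."""
    return (f'<div class="comment">'
            f'<a href="{encode_for_href(link)}" title="{encode_for_html(author)}">'
            f'{encode_for_html(author)}</a>'
            f'<p>{encode_for_html(body)}</p></div>')


# Constructed attacker-style inputs, one per output context.
PAYLOADS = {
    "author": '" onmouseover="alert(1)',                 # breaks out of a quoted attribute
    "body": "<script>alert(document.cookie)</script>",  # injects script into the element body
    "link": "javascript:alert(1)",                      # script via the URL scheme
}


def demo() -> dict:
    """Render the payloads both ways and report which injections survived."""
    unsafe = render_comment_unsafe(**PAYLOADS)
    safe = render_comment(**PAYLOADS)

    def injected(markup: str) -> tuple:
        # True means the corresponding payload reached the page as live markup.
        return ("<script>" in markup,
                'onmouseover="' in markup,
                'href="javascript:' in markup)

    return {
        "unsafe": unsafe,
        "safe": safe,
        "unsafe_injects": injected(unsafe),
        "safe_injects": injected(safe),
    }


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(label, outcome)
```

The point the example makes is that one encoder does not fit every context: entity-encoding the link would stop it from breaking out of the attribute but would leave `javascript:alert(1)` fully functional, so the href path needs a scheme check in addition to encoding. Restricting content to authenticated users, as the list above notes, narrows who can submit a payload but does not change what the renderer must do with it.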