Security and Attack Mitigation

Parameterized Command Strings

All Colectica products that interact with a database and use user input do so in a secure fashion.

A SQL command string that is built from user input is vulnerable to SQL injection attacks. In a SQL injection attack, a malicious user supplies input that alters the design of a query in an attempt to damage or gain unauthorized access to the underlying database. Typical techniques include injection of a single quotation mark or apostrophe, which is the SQL literal string delimiter; two dashes, which signifies a SQL comment; and a semicolon, which indicates that a new command follows. Since user input must be part of many Colectica queries, all Colectica database access uses parameterized command strings to eliminate the risk of attack.

Anti-Cross Site Scripting Library

Colectica Portal uses the Microsoft Anti-Cross Site Scripting Library to protect users from Cross-Site Scripting (XSS) attacks.

XSS enables attackers to inject client-side script into Web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same origin policy.

  • Colectica uses the Microsoft Anti-Cross Site Scripting library to prevent XSS attacks.

  • Colectica limits the display of user created content to information created by authenticated users.

  • Colectica supports a read-only view of Colectica Portal, eliminating all web user generated content.