During this period of 4 weeks we were able to complete implementing most of the required functionalities of the system, which include authentication, security, and the error handling framework. By the end of this period we were able to start the testing and bug fixing phase of the project. By doing that I was able to gather some knowledge on web application security as well as sharpen my knowledge about ASP.Net, C# and PL/SQL.
I studied the Global.asax file, which is used to establish the global objects that a web application uses. It can be used to handle events for the session and application objects. The authentication mechanism is implemented in the Session_Start event of that file. The security mechanism has been implemented to get the user currently logged in to the Corpnet from the LDAP (Lightweight Directory Access Protocol) directory, and then to get the User Role using the LDAP user. I used the Admin tool of IFS Applications to configure the user roles for the users of the system.
We changed all the SQL queries in the DAL in order to prevent SQL injection. SQL injection is a code injection technique that exploits a security vulnerability in the database layer of an application, which occurs when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or is not strongly typed, and is thereby unexpectedly executed as part of the statement. To protect against SQL injection, user input must not be embedded directly in SQL statements. Instead, parameterized statements must be used, or user input must be carefully escaped or filtered. I made a DataServiceBase class method which accepts an SQL statement as a string and the parameters as a string array, and which binds the parameters to the SQL statement later.
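The following is an added illustration of the "SQL string plus parameter array" pattern described above; it is constructed for this report and is not the project's DataServiceBase code. It assumes an ADO.NET DbConnection, Oracle-style ":name" placeholders, and a hypothetical view app_user_v.

```csharp
using System;
using System.Data;
using System.Data.Common;

// Constructed example (not the project's code): the concatenated query that
// allows injection, beside a helper that binds values as parameters instead.
public static class QueryExamples
{
    // Vulnerable: user input becomes part of the statement text, so a quote
    // character in the input changes the query's structure rather than its data.
    public static string BuildUnsafe(string userId)
    {
        return "SELECT user_role FROM app_user_v WHERE user_id = '" + userId + "'";
    }

    // Safe: the statement text stays fixed and each value is bound to a named
    // placeholder. Names are matched positionally to values (assumption).
    public static DbCommand BuildParameterized(DbConnection connection, string sql,
                                               string[] names, string[] values)
    {
        if (names.Length != values.Length)
            throw new ArgumentException("Every parameter name needs exactly one value.");

        DbCommand command = connection.CreateCommand();
        command.CommandText = sql;            // e.g. "... WHERE user_id = :user_id"
        command.CommandType = CommandType.Text;

        for (int i = 0; i < names.Length; i++)
        {
            DbParameter p = command.CreateParameter();
            // Whether the name carries the leading ':' is provider-specific;
            // the plain name is assumed here.
            p.ParameterName = names[i];
            p.DbType = DbType.String;         // input is data, never SQL text
            p.Value = values[i] ?? (object)DBNull.Value;
            command.Parameters.Add(p);
        }
        return command;
    }

    // Example use: look up a role through the hypothetical view app_user_v.
    public static string ReadRole(DbConnection connection, string userId)
    {
        using (DbCommand cmd = BuildParameterized(connection,
                   "SELECT user_role FROM app_user_v WHERE user_id = :user_id",
                   new[] { "user_id" }, new[] { userId }))
        {
            object result = cmd.ExecuteScalar();
            return (result == null || result is DBNull) ? null : (string)result;
        }
    }
}
```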
We changed the SQL queries in the data access layer to use views rather than tables, because this makes it possible to restrict the privileges on different views for different users. We also changed the SQL statements in the DAL to get the appowner of the views. We can restrict access to the views by granting them only to particular user roles.
During this time period we tested the system and fixed some errors. We discussed the required privileges and noted down the privileges which should be corrected. I solved the problem of a user reaching a page belonging to another user role by typing its URL. The problem of going back after logging out was also solved by me. We solved some problems regarding the Exam section, Results section and Certification section. We created a new method in the DataServiceBase class in order to run a PL/SQL procedure without checking the privileges, which was then used to execute such procedures.
We implemented the error handling in the User Interface layer in order to prevent unhandled exceptions from being thrown. We made the code throw TrnexmExceptions from the business logic layer, after catching the exceptions thrown by the data access layer, in order to give user friendly error messages. To prevent the security threats that arise from sending parameters in the query string, we removed the query string variables; the solution was to use session variables together with the Server.Transfer method.
Apart from those things, I had to help the other trainees, who were asked to test our system, to get familiarized with the system and the database tables. I explained the functionality of the system to them. In particular, we had to test the newly published site at http://cmbdevtech1/ against the Devtec database.