Current Release: 4.0.3
Fight back against hackers
Peter's Input Security provides a formidable defense against SQL
Injection, Script Injection (Cross Site Scripting), Input Tampering, and Brute
Force attacks on your ASP.NET web sites.
Microsoft and many others have been discussing the ways you can prevent and
neutralize these attacks. At conferences and in articles, the solution seems
simple enough: use a validator to block the attack and neutralize with
HtmlEncode and parameterized database calls. As each programmer investigates
these tools and reads more on the subject, it becomes clear that much more
needs to be done, costing time and requiring experience to implement a full
solution. PeterBlum.com has spent the time and research for you, building a
comprehensive toolkit into Peter's Input Security.
Feature Highlights
- Protects visible fields, hidden fields, query string parameters, and cookies.
- Blocks access to pages that have received multiple attacks to slow the hacker down and reduce the resources used.
- Logs attacks in great detail. It can also log your site's exceptions and other errors, and it can notify you through email.
- Security Analysis Report provides a full audit of each page's inputs and their security settings. It even recommends how to improve your security.
- Each field can have its own rules for allowing certain HTML tags or SQL-like statements.
- Provides tools to neutralize attacks that are not caught by validators.
- You can customize the rules for detecting attacks.
A Far Better Defense
Microsoft provides some validators, the ValidateRequest property, and
parameterized calls to your database. This has been promoted as a solid defense
against hackers. What makes Peter's Input Security so much better?
A formidable input security system covers these aspects of security:
Knowledge, Auditing, Detection, Logging, Blocking, Neutralization, and Impeding.
Peter's Input Security addresses all of these and goes far deeper in
detection, blocking and neutralization.
For example, while parameterized calls to your database can neutralize SQL
Injection, here is what Peter's Input Security adds:
- Validators only handle visible fields on your page. You have no defenses against attacks through hidden fields, query strings and cookies.
- Monitor attacks with the detection and logging capabilities of the FieldSecurityValidator and PageSecurityValidator. You can even be emailed as an attack is happening, with a detailed description of the attack used.
- You can defend against repeated attacks with the Slow Down Manager. It impedes access to your pages and frustrates the hacker.
- There are no validators for free-form textboxes with the validators Microsoft supplies. The FieldSecurityValidator can block these attacks. By blocking, you limit the amount of garbage added to your database and reduce resources lost to attacks.
- Its SQL Detection Engine is far more powerful than any regular expression that you use within a RegularExpressionValidator. It has algorithms to distinguish SQL statements from human language and to detect common hacking patterns.
The Security Toolkit
Peter's Input Security provides a rich and flexible toolkit that gives
you a serious system to protect your web site. It has powerful validators to
catch injection attacks, a logging system to track attacks, and several ways to
impede hackers. Its tools protect visible fields, hidden fields, cookies and
query strings.
Here are the tools supplied with Peter's Input Security:
- FieldSecurityValidator - A validator for visible controls where you can set attack detection rules and error messages on a field-by-field basis.
- PageSecurityValidator - A validator for all inputs on the page. Use it to set rules on hidden fields, query string parameters, and cookies.
- Security Analysis Report - An audit of all the page's inputs and their security settings.
- Log And Respond Engine - Log and email attacks, exceptions, and errors on your site.
- Methods to Help Neutralize Inputs
- TextLengthSecurityValidator - A validator that reports errors when text exceeds a maximum. It checks the text after it is neutralized, because neutralizing causes the text to grow.
- Slow Down Manager - Block access to a page after a number of attacks.
- SQL and Script Detection Engines - Powerful and customizable algorithms that detect SQL and Script Injection attacks.
The Realities Of Implementing Security
The hacker community has the skills, tools, and motivation to attack your site
until they find a hole. You may be looking at Peter's Input Security as
the fast way to secure your site against hackers. You certainly can drop its
validators onto your pages, change a few settings, and feel like you've blocked
them. That does not make your site secure. Validation, logging,
impeding, neutralizing, and a full audit of your page's inputs all contribute
to a secure site.
Each of your page's inputs has its own data entry requirements. Some permit
certain HTML tags. Some need to allow SQL keywords because they appear in human
language. Some may need a friendly validation error message to assist users.
Others need to redirect the user to another page and block them from doing it
again. Unfortunately, there is no software that instantly knows the rules of
all your inputs. (That would be the "Holy Grail" of input security.)
It takes time to implement security correctly. Be prepared for that.
Peter's Input Security has been designed to give you the security that
works correctly for you. Its tools are feature rich, flexible, well researched,
and tested. You don't have to spend weeks of research and development anymore.
Its documentation provides step-by-step guidance for setting up your site. The
result is that you will have excellent security in far less time.
The Peter's Input Security Module
Peter's Input Security is a module of Peter's Data Entry Suite.
It is included when you purchase the Peter's Data Entry Suite, or it can be
purchased separately starting at $90 per server.
If you purchase this module alone, you will get all of the features
described as The Security Toolkit above.
If you are purchasing modules, the Peter's
Professional Validation module is required. The
Peter's More Validators module is recommended but not required.
Questions?
Email Peter at PLBlum@PeterBlum.com