Writing secure web applications

Web application attacks are increasing day by day. They are easy to carry out and do not require much knowledge of OS internals, assembly or similar topics, which is why you see new vulnerabilities such as SQL injection and XSS reported daily.

Because these attacks are easy, someone with only basic knowledge of them can play with your web application.
Let's look at some of the common attack techniques and what you can do to prevent them in web applications:-

1) SQL Injection:- This is the favourite topic of any attacker. The first thing they try is to make your database run queries your programmer never intended. Removing unwanted characters like ' from the input is not a reliable defence: an injection into a numeric value needs no quote at all, and a blacklist always misses something. Pass user input to the database through parameterized queries (prepared statements), so the data is sent separately from the SQL and can never change its structure, and validate each value against the type you expect (an item id should be an integer).

2) XSS or Cross Site Scripting:- Another common attack. It simply means using a combination of JavaScript and HTML tags to execute code that was never intended to run. With this kind of attack someone can easily phish data, redirect you to a different place, execute malicious scripts etc. Filtering out strings like "<script>" or "<" is not enough: an attacker can use another tag (an <img> with an onerror handler), mixed case, or nested tags that reassemble after the filter has run. The reliable protection is to encode the data for the context where it is output (HTML body, attribute value, URL) so that the browser treats it as text rather than markup.

3) Query strings:- You have seen URLs like http://www.test.com/shop.aspx?item=3&catagory=24. The part after the ? is called the query string, and its values are used to generate various results. If you use such values without verifying them, they can lead to vulnerabilities like SQL injection or cross site scripting, because anybody can type whatever they like into the URL.

4) Cookie and session management:- We also need to make sure cookies and sessions are handled carefully. Some programmers make simple mistakes like storing the password in plain text in a cookie. Anything sent to the browser can be read and modified by the user, so a cookie should carry only an unguessable session identifier (or a value the server has signed), never a password or a flag such as admin=1.

5) Client side validation:- Another mistake programmers make. You cannot rely on the client to enter the correct data: JavaScript checks in the browser can be switched off or bypassed entirely by sending the request directly. Make sure every value is validated again on the server side, whatever the client claims to have checked.

6) Hidden fields:- This is the worst mistake programmers make. On some sites the programmer stores the price or quantity in hidden form fields. This is a very dangerous situation: someone with basic knowledge of HTML can save the page, edit the hidden value and submit it. Avoid putting critical data in hidden fields; look the price up on the server from the item id, and if a value really must round-trip through the client, sign it so that tampering is detected.

7) Access control:- Make sure there is no direct access to configuration files. Also check for path traversal and file inclusion: any file name that comes from the user must be verified, after decoding, to stay inside the directory you intend to serve. Do not give any file more permissions than it needs.

8) Password management:- Never store passwords in clear text. Do not encrypt them with a reversible cipher either: if the key is taken along with the database, every password is recovered. Store a salted hash produced by a deliberately slow password hashing function (bcrypt, or PBKDF2 with a high iteration count), with a unique random salt per user, and compare hashes with a constant-time comparison. Another mistake programmers make is using their own encryption or hashing scheme. This is not good, as someone with free time can easily break it. It is better to use industry standard algorithms and implementations.

9) Privileges:- Always run your database server and applications under least-privilege accounts. In no case run them with superuser permissions. Also change the default passwords on database servers and program installations.

10) Installation files:- If you are using a commercial application, don't forget to remove the installation files from the server once setup is complete; an installer left in place can often be re-run by anyone who finds its URL.

11) Safe failure:- Always use proper error handling. Show a safe, generic error message rather than the default error page, which reveals internal details of your application (stack traces, file paths, SQL statements) that help an attacker. Log the details on the server instead.
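The following is an added example for points 1 and 3 above, not code from the original post. It uses Python's standard sqlite3 module and a constructed three-row catalogue to show the lookup behind a URL like shop.aspx?item=3&catagory=24: first built by string concatenation (with the quote-stripping defence applied), then with type validation and bound parameters.

```python
import sqlite3

# Constructed sample catalogue for the example; not data from the original post.
SAMPLE_ROWS = [
    (3, 24, "blue widget"),
    (4, 24, "red widget"),
    (7, 31, "unreleased item"),
]


def make_db():
    """Create an in-memory database holding the constructed sample rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE items (id INTEGER, category INTEGER, name TEXT)")
    con.executemany("INSERT INTO items VALUES (?, ?, ?)", SAMPLE_ROWS)
    return con


def strip_quotes(value):
    """The 'remove unwanted characters' defence: delete single quotes."""
    return value.replace("'", "")


def vulnerable_lookup(con, item, category):
    """Builds the SQL by concatenating the raw query-string values.

    Whatever the user puts in item= or catagory= becomes part of the
    statement, so they can change its logic, not just its values.
    """
    sql = ("SELECT name FROM items WHERE id = " + item +
           " AND category = " + category + " ORDER BY id")
    return [row[0] for row in con.execute(sql)]


def safe_lookup(con, item, category):
    """Validate the type first, then bind the values as parameters.

    With placeholders the driver sends the statement and the data
    separately; the data can never be parsed as SQL.
    """
    try:
        item_id, category_id = int(item), int(category)
    except ValueError:
        return []        # a real handler would answer HTTP 400 here
    sql = "SELECT name FROM items WHERE id = ? AND category = ? ORDER BY id"
    return [row[0] for row in con.execute(sql, (item_id, category_id))]


if __name__ == "__main__":
    db = make_db()
    # No quote to strip, and the comment marker removes the category check.
    payload = "3 OR 1=1 --"
    print(vulnerable_lookup(db, strip_quotes(payload), "24"))   # every row, including id 7
    print(safe_lookup(db, payload, "24"))                       # []
```

The payload contains no quote, so strip_quotes changes nothing and the concatenated query returns the unreleased item from another category. The parameterized version rejects the value before it reaches the database, and even a value that passed int() could only ever be compared as a number.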
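An added example for point 2, not from the original post: a blacklist filter of the kind described, two inputs that get past it, and the output-encoding approach for three contexts (HTML body, attribute value, link href). The page templates and the http/https-only rule for links are assumptions of the example.

```python
import html
import re
from urllib.parse import urlsplit


def blacklist_filter(value):
    """Filter of the kind the post describes: remove <script> tags.

    It is case-insensitive and still fails, as the example calls show.
    """
    return re.sub(r"<script[^>]*>", "", value, flags=re.IGNORECASE)


def render_greeting_unsafe(name):
    """Inserts filtered input straight into the HTML body."""
    return "<p>Hello, " + blacklist_filter(name) + "</p>"


def render_greeting(name):
    """HTML body context: escape & < > " ' so the browser shows text."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


def render_search_box(term):
    """Attribute context: the same escaping, and the attribute must be quoted.

    Without the quotes a space in the value would start a new attribute
    even with the angle brackets escaped.
    """
    return '<input name="q" value="' + html.escape(term, quote=True) + '">'


def safe_href(url):
    """URL context: allow only http(s) links, then escape for the attribute.

    Escaping alone does not stop javascript: URLs, because the browser
    decodes the attribute before it interprets the scheme.
    """
    cleaned = url.strip()
    if urlsplit(cleaned).scheme not in ("http", "https"):
        return "#"
    return html.escape(cleaned, quote=True)


if __name__ == "__main__":
    # Nested tags: removing the inner <script> reassembles a working one.
    print(render_greeting_unsafe("<scr<script>ipt>alert(1)</script>"))
    # No <script> at all, so the filter passes it untouched.
    print(render_greeting_unsafe("<img src=x onerror=alert(1)>"))
    print(render_greeting("<img src=x onerror=alert(1)>"))
    print(render_search_box('" onmouseover="alert(1)'))
    print(safe_href("javascript:alert(1)"))
```

Relative links have an empty scheme and are rejected by safe_href as written; if the application needs them it should check them separately rather than loosen the scheme rule, since browsers ignore tabs and newlines inside a scheme and a looser check is easy to get wrong.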
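An added example for points 4, 5 and 6, not from the original post: a checkout total computed from hidden price and quantity fields as submitted, beside one that looks the price up on the server and range-checks the quantity, plus an HMAC signature for any value that genuinely has to round-trip through a hidden field or cookie. The catalogue, the quantity limits and SERVER_SECRET are assumptions of the example.

```python
import hashlib
import hmac

# Constructed catalogue with prices in cents; the price is known only here,
# on the server. Item ids follow the shop.aspx?item=3 style URL in the post.
CATALOG = {"3": 999, "4": 1250}

# Assumption for the example: a secret that exists only on the server.
SERVER_SECRET = b"constructed-example-secret-change-me"


def vulnerable_total(form):
    """Trusts the price and quantity that came back from hidden fields.

    Anyone can save the page, edit the hidden inputs and submit them.
    """
    return int(form["price"]) * int(form["qty"])


def order_total(form):
    """Server-side validation: the client supplies only the item id and
    quantity; the price is looked up here and the quantity is range checked.
    """
    item = form.get("item", "")
    if item not in CATALOG:
        raise ValueError("unknown item")
    try:
        qty = int(form.get("qty", ""))
    except ValueError:
        raise ValueError("quantity must be a whole number")
    if not 1 <= qty <= 99:
        raise ValueError("quantity out of range")
    return CATALOG[item] * qty


def is_valid_order(form):
    """True if order_total accepts the form, False if it rejects it."""
    try:
        order_total(form)
        return True
    except ValueError:
        return False


def sign_value(value):
    """Attach an HMAC tag to a value that must round-trip through the client
    (a hidden field or a cookie). The client can read it but cannot alter it
    without knowing SERVER_SECRET.
    """
    tag = hmac.new(SERVER_SECRET, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return value + "." + tag


def verify_value(signed):
    """Return the original value, or None if the tag is missing or wrong.

    compare_digest runs in constant time so the tag cannot be guessed
    byte by byte from response timing.
    """
    value, sep, tag = signed.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(SERVER_SECRET, value.encode("utf-8"), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    return value


if __name__ == "__main__":
    tampered = {"item": "3", "price": "1", "qty": "5"}   # price edited to 1 cent
    print(vulnerable_total(tampered))                     # 5
    print(order_total(tampered))                          # 4995: price came from CATALOG
    token = sign_value("item=3")
    print(verify_value(token))                            # item=3
    print(verify_value(token.replace("item=3", "item=7")))  # None
```

Signing stops tampering but not reading, so a signed field is still the wrong place for a password or anything else the user must not see; and because the signed value can be replayed, anything time-sensitive needs an expiry included in the signed data.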
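An added example for point 7, not from the original post: a prefix-string check that is commonly written for path traversal and is wrong, beside a check that normalises the path, resolves symlinks and compares path components. The document root, the POSIX layout and the list of extensions that are never served are assumptions of the example.

```python
import os
from urllib.parse import unquote

# Assumptions for the example: a POSIX server with this document root and a
# short list of extensions (configuration files and backups) never served.
DOCUMENT_ROOT = "/srv/www/files"
NEVER_SERVE = {".config", ".ini", ".bak", ".sql"}


def naive_check(base_dir, requested):
    """A common but wrong check: normalise, then compare as a string prefix.

    It catches ../../etc/passwd but also accepts a sibling directory such as
    /srv/www/files_private, because that string starts with the base too.
    """
    full = os.path.normpath(os.path.join(base_dir, requested))
    return full.startswith(base_dir)


def resolve_request(base_dir, requested):
    """Return the absolute path to serve, or raise ValueError.

    Decode once (most web servers do this already), resolve . and .. and
    symlinks with realpath, then require that the result is inside base_dir
    using a component-wise comparison rather than a string prefix.
    """
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, unquote(requested)))
    if os.path.commonpath([base, target]) != base:
        raise ValueError("path escapes the document root: %r" % requested)
    if os.path.splitext(target)[1].lower() in NEVER_SERVE:
        raise ValueError("file type is not served: %r" % requested)
    return target


def is_allowed(base_dir, requested):
    """True if resolve_request accepts the request, False if it rejects it."""
    try:
        resolve_request(base_dir, requested)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(naive_check(DOCUMENT_ROOT, "../files_private/secret.txt"))  # True: the bug
    print(resolve_request(DOCUMENT_ROOT, "docs/readme.txt"))
    for bad in ("../files_private/secret.txt", "..%2f..%2fetc/passwd",
                "/etc/passwd", "web.config"):
        print(bad, is_allowed(DOCUMENT_ROOT, bad))                     # all False
```

os.path.join discards the base when the requested path is absolute, which is why the commonpath check after joining, not a check on the string before it, is what actually keeps /etc/passwd out.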

I hope these guidelines will be helpful for you in testing the security of your web applications.

-Hardik Shah
www.infys.net



Added on September 21, 2007