Attackers want to deface your website. They want to hack it
just because it is there. If you deal in money, vital infrastructure, or
controversial services you know you are a target. If your site is modest or you
just have high speed “always on” internet at home you can also be targeted by
script kiddies with more software than brains, or you can be used as a pawn by
a more sophisticated attacker in a complex attack.
Web applications offer a variety of new openings to attackers.
Common web application attacks include:
- HTML and SQL injection
- Cross-site scripting
- Session hijacking, impersonation, and replay attacks
- Dictionary attacks against your passwords
- Stolen databases compromising passwords and credit cards
- Denial of Service and Distributed Denial of Service attacks
- Operating system, stack overflow, virus and email attacks.
Defending your applications requires a consistent,
comprehensive strategy:
- Sanitize user input on the server before using it to drive logic, SQL queries, or display. Sanitizing means filtering out unnecessary characters and applying URLEncode or HTMLEncode as appropriate.
- Request headers, hidden fields, URLs and cookies are not secure. They can be viewed and edited, so they need to be sanitized like any other user input.
- Protect session integrity with SSL. Associate an IP address with each session so a hijacker cannot reuse it from elsewhere. Let your users log off, and terminate idle sessions after 15 minutes.
- Encrypt your databases so they can’t be read outside the DBMS software. Store databases outside the directory containing your pages. Protect connection strings just as carefully as you protect the database itself.
- Protect passwords with asymmetric encryption in transit, then hash and salt them in the database. Use a single message to reply to any bad combination of user id and password.
- Lock out user ids for 15 minutes after 5 unsuccessful attempts, and send an email to the registered user. Reset passwords only through email to the registered user.
- Use database security measures to further protect your data. Allow access to the database only through stored procedures. Use a database id that has execute privileges only on the procedures your application uses, and a separate database id with full privileges to administer the database.
- Eliminate default admin and other well-known accounts in your software (e.g. sa in SQL Server, system in Oracle, admin in Access).
- Don’t give any user more than the minimum privilege he needs.
- Assume that users will try to manually tamper with your URL and query string data. Make sure they can't stumble across any information you don't want them to have.
- Handle error messages, and don’t display programming details in error responses.
- Protect access to your web server files carefully. FTP and database access must be protected with strong passwords and encryption.
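The lockout, salted-hash, and single-failure-message rules from the list above, as an added Python example that is not code from the original page or from Consencis. It keeps state in memory instead of a database, and the choice of PBKDF2-HMAC-SHA256 for the salted hash is an assumption, since the page does not name a hash function.

```python
import hashlib
import hmac
import os
import time

LOCKOUT_THRESHOLD = 5        # unsuccessful attempts before the id is locked
LOCKOUT_SECONDS = 15 * 60    # lock the id for 15 minutes
GENERIC_FAILURE = "Invalid user id or password."  # one message for every bad combination
PBKDF2_ROUNDS = 200_000      # assumption: the page names no hash; PBKDF2-HMAC-SHA256 is used here


def hash_password(password, salt=None):
    """Return (salt, digest); a fresh random salt is generated when none is given."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


class AuthStore:
    """In-memory stand-in for the users table and failed-login counters (constructed for the example)."""

    def __init__(self):
        self.users = {}      # user id -> (salt, digest); the plaintext is never stored
        self.failures = {}   # user id -> (failure count, lockout expiry as a timestamp)

    def register(self, user_id, password):
        self.users[user_id] = hash_password(password)

    def login(self, user_id, password, now=None):
        """Return (success, message). 'now' can be injected for testing."""
        now = time.time() if now is None else now
        count, locked_until = self.failures.get(user_id, (0, 0.0))
        if now < locked_until:
            return False, GENERIC_FAILURE     # locked out: same reply, even for the right password
        record = self.users.get(user_id)
        if record is not None:
            salt, digest = record
            if hmac.compare_digest(hash_password(password, salt)[1], digest):
                self.failures.pop(user_id, None)  # a good login clears the counter
                return True, "OK"
        else:
            hash_password(password, b"\x00" * 16)  # unknown id: hash anyway so timing does not reveal it
        count += 1
        if count >= LOCKOUT_THRESHOLD:
            self.failures[user_id] = (0, now + LOCKOUT_SECONDS)
            # here the application would email the registered user about the lockout
        else:
            self.failures[user_id] = (count, 0.0)
        return False, GENERIC_FAILURE
```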
Make sure your hosting provider applies appropriate vendor patches to the
operating system, database, web server and any other software involved in
delivering your application in a timely manner. Often this means responding
within twenty-four hours of notification. For hosted applications, a
responsible hosting provider will apply these patches. Specify the required
responsiveness in any Service Level Agreement.
Security is a state of mind. In addition to these standards
the usual common sense rules for users apply to web applications just like
other mission critical applications. Change your passwords, use strong
passwords, protect your passwords and sessions.
Consencis web applications implement this security
outline. We can’t assure that you’ll never be hacked but we can make your site
a much harder target.