
Threats to Web Applications


Attackers want to deface your website. They want to hack it just because it is there. If you deal in money, vital infrastructure, or controversial services you know you are a target. If your site is modest or you just have high speed “always on” internet at home you can also be targeted by script kiddies with more software than brains, or you can be used as a pawn by a more sophisticated attacker in a complex attack.

Web applications offer a variety of new openings to attackers. Common web application attacks include:

  1. HTML and SQL injection
  2. Cross-site scripting
  3. Session hijacking, impersonation, and replay attacks
  4. Dictionary attacks against your passwords
  5. Stolen databases compromising passwords and credit cards
  6. Denial of Service and Distributed Denial of Service attacks
  7. Operating system, stack overflow, virus and email attacks.

 

Defending your applications requires a consistent, comprehensive strategy:

  1. Sanitize user input on the server before using it to drive logic, build SQL, or render output. Sanitizing means filtering out unnecessary characters and applying URLEncode or HTMLEncode as appropriate.
  2. Request headers, hidden fields, URLs and cookies are not secure: they can be viewed and edited by the client, so sanitize them like any other user input.
  3. Protect session integrity with SSL. Associate an IP address with each session so a hijacker cannot reuse it. Let your users log off, and terminate idle sessions after 15 minutes.
  4. Encrypt your databases so they can’t be read outside the DBMS software. Store databases outside the directory containing your pages. Protect connect strings just as securely as you protect the database.
  5. Protect passwords with asymmetric encryption in transit, then salt and hash them in the database. Reply with a single generic message to any bad combination of user id and password.
  6. Lock out user ids for 15 minutes after 5 unsuccessful attempts, and send an email to the registered user. Reset passwords through email to the registered user.
  7. Use database security measures to further protect your data. Only allow access to the database through stored procedures. Use a database id that only has execute privileges on the procedures your application uses, and a separate database id with full privileges to administer the database.
  8. Eliminate default admin and other well-known accounts in your software (e.g. sa in SQL Server, system in Oracle, admin in Access).
  9. Don’t give any user more than the minimum privilege he needs.
  10. Consider that users might try to manually spoof your URL and querystring data. Make sure they can't stumble across any information you don't want them to have.
  11. Handle error messages and don’t display programming details in error responses.
  12. Protect access to your web server files carefully. FTP and database access must be protected with strong passwords and encryption.
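As an added illustration of items 5 and 6 (example code, not part of the ConsenCIS framework), the following C# login service stores a per-user random salt plus a PBKDF2 hash instead of the password, answers every bad id/password combination with one generic message, and locks an id for 15 minutes after 5 failures. It assumes .NET 6 or later for Rfc2898DeriveBytes.Pbkdf2 and RandomNumberGenerator.GetBytes; the in-memory dictionary and the Notifications list are stand-ins for the database and the email to the registered user.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;

// Hypothetical login service illustrating items 5 and 6 above (not ConsenCIS code).
public sealed class LoginService
{
    private const int MaxAttempts = 5;                       // item 6: 5 unsuccessful attempts
    private static readonly TimeSpan Lockout = TimeSpan.FromMinutes(15);
    private const int Iterations = 100_000;                  // PBKDF2 work factor
    private const string GenericFailure = "Invalid user id or password."; // item 5: one message
    private static readonly byte[] DummySalt = new byte[16]; // equalises timing for unknown ids

    private sealed class Account { public byte[] Salt, Hash; public int Failures; public DateTime LockedUntil; }
    private readonly Dictionary<string, Account> accounts = new(StringComparer.OrdinalIgnoreCase);
    public readonly List<string> Notifications = new();      // stand-in for the e-mail to the registered user

    // Item 5: store only a random per-user salt and the salted PBKDF2 hash, never the password itself.
    public void Register(string userId, string password)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(16);
        accounts[userId] = new Account { Salt = salt, Hash = Derive(password, salt) };
    }

    // Every failure path returns the same message, so the reply reveals nothing about the id.
    public (bool Ok, string Message) Login(string userId, string password, DateTime now)
    {
        if (!accounts.TryGetValue(userId, out var acct))
        {
            Derive(password, DummySalt);                     // same cost as a real check
            return (false, GenericFailure);
        }
        if (acct.LockedUntil > now) return (false, GenericFailure);   // locked: no hint given
        if (CryptographicOperations.FixedTimeEquals(Derive(password, acct.Salt), acct.Hash))
        {
            acct.Failures = 0;                               // successful login resets the counter
            return (true, "OK");
        }
        if (++acct.Failures >= MaxAttempts)
        {
            acct.Failures = 0;
            acct.LockedUntil = now + Lockout;                // item 6: lock the id for 15 minutes
            Notifications.Add($"{userId}: locked until {acct.LockedUntil:u}; e-mail the registered user");
        }
        return (false, GenericFailure);
    }

    private static byte[] Derive(string password, byte[] salt) =>
        Rfc2898DeriveBytes.Pbkdf2(password, salt, Iterations, HashAlgorithmName.SHA256, 32);
}
```

Login takes the clock as a parameter so the 15-minute lockout and its expiry can be exercised in a unit test without waiting.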

Make sure your hosting provider applies vendor patches to the operating system, database, web server and any other software involved in delivering your application in a timely manner; often this means responding within twenty-four hours of notification. For hosted applications a responsible hosting provider will apply these patches. Specify the required responsiveness in any Service Level Agreement.

Security is a state of mind. In addition to these standards the usual common sense rules for users apply to web applications just like other mission critical applications. Change your passwords, use strong passwords, protect your passwords and sessions.

 

Consencis web applications implement this security outline. We can’t assure that you’ll never be hacked but we can make your site a much harder target.





Created: 5/4/2006 12:55:55 PM Updated: 5/4/2006 1:37:55 PM

Web Application By ConsenCIS
