Security Basics mailing list archives
RE: Re: Web Application Security
From: "Marco M. Morana" <marco.m.morana () gmail com>
Date: Tue, 22 Jan 2008 18:46:13 -0500
Just to make sure you are not focusing only on input validation issues (XSS, XFS and SQL injection): you should take your time for due diligence and perform an ethical hack (web application penetration testing) of your web application and fix the vulnerabilities before putting your site live (in production). Look at the OWASP testing guide as a reference for the potential vulnerabilities that you need to validate your site against: http://www.owasp.org/index.php/Category:OWASP_Testing_Project

This includes, besides input validation, also session management, data protection, safe error handling and logging, authentication and authorization vulnerabilities and, last but not least, application configuration vulnerabilities.

Regarding the previous email recommendations:

1) Anyone visiting your site is an automated bot/site/spider. You can implement CAPTCHA to make sure a human is behind visiting your site when entering information that does not require authentication but that can potentially be fed by a bot/site/spider.

On the issue of invalidated parameters, make sure you are not just validating GET/POST parameters for unsafe scripting and SQL commands on the client side (using client JavaScript) but on the server side, before processing the data on the back end or even the web server. Web client input validation can be bypassed with a proxy and is more a deterrent control than anything else.

On the logging and auditing, besides making sure what to log, be careful to protect the logs as well from tampering, restrict access to logs to admins and make sure you know what not to log, such as confidential user information (PII, SSN etc.).
Marco Morana
OWASP Cincinnati Chapter Leader
http://www.owasp.org/index.php/Cincinnati
http://securesoftware.blogspot.com

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of jason.gerfen () gmail com
Sent: Tuesday, January 22, 2008 1:38 PM
To: security-basics () securityfocus com
Subject: Re: Re: Web Application Security

Well, if you are worried about XSS and SQL attacks within your web application, teach yourself to write secure code. Some things you might want to consider prior to accepting any user input through the use of forms or URL-passed variables with the GET method:

1. Anyone visiting your site is potentially an automated bot/spider/web-based attack.
2. Any URI/URL/form-based input strings should be validated/sanitized/scrutinized prior to processing.

Depending on the language(s) you are using to generate your web site/application, just make sure you are performing validation on the URL GET variables as well as any POST variables being passed to your scripts/pages. I hope this helps. If you are limited with the web server/hosting solution where log monitoring and intrusion detection services are managed by the host, your web application can perform its own sanity checks and should be doing these types of checks anyway.
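The two points raised in this thread, server-side validation of every GET/POST parameter (client-side JavaScript checks can be bypassed with a proxy) and keeping PII such as SSNs out of the logs, as an added example that is not code from either poster or from OWASP; the helper names (validate_params, redact_for_log, handle_request) and the parameter rules are constructed for this example.

```python
"""Server-side parameter validation plus PII-safe logging (added example)."""
import logging
import re

# Allowlist: one pattern per expected parameter; anything not listed, or not
# matching, is rejected. Rules are constructed for this example.
PARAM_RULES = {
    "username": re.compile(r"^[A-Za-z0-9_]{3,32}$"),
    "page": re.compile(r"^[0-9]{1,4}$"),
    "comment": re.compile(r"^[\w .,!?'-]{1,500}$"),
}

# SSN-shaped values (NNN-NN-NNNN) must never reach a log line.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def validate_params(params):
    """Validate parameters on the server, regardless of what the browser did.
    Returns (clean, errors); a request with any error should be rejected."""
    clean, errors = {}, []
    for name, value in params.items():
        rule = PARAM_RULES.get(name)
        if rule is None:
            errors.append(f"unexpected parameter: {name}")
        elif not isinstance(value, str) or not rule.fullmatch(value):
            errors.append(f"invalid value for {name}: {value}")
        else:
            clean[name] = value
    return clean, errors


def redact_for_log(text):
    """Mask SSNs and collapse CR/LF so a crafted value cannot forge extra
    log lines (log entries are themselves untrusted-input sinks)."""
    text = re.sub(r"[\r\n]+", " ", text)
    return SSN_RE.sub("[REDACTED-SSN]", text)


def handle_request(params, log):
    """Reject on any validation error and log a redacted reason; on success
    log only parameter names, never their values."""
    clean, errors = validate_params(params)
    if errors:
        log.warning("rejected request: %s", redact_for_log("; ".join(errors)))
        return 400, "Bad Request"
    log.info("accepted request with params %s", sorted(clean))
    return 200, "OK"
```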