Security Basics mailing list archives

RE: Re: Web Application Security


From: "Marco M. Morana" <marco.m.morana () gmail com>
Date: Tue, 22 Jan 2008 18:46:13 -0500

Just to make sure you are not focusing only on input validation issues (XSS,
XFS and SQL injection), you should take your time for due diligence and
perform an ethical hack (web application penetration testing) of your web
application and fix the vulnerabilities before putting your site live (in
production).

Look at the OWASP testing guide as a reference for the potential vulnerabilities
that you need to validate your site against.
http://www.owasp.org/index.php/Category:OWASP_Testing_Project

This includes, besides input validation, also session management, data
protection, safe error handling and logging, authentication and
authorization vulnerabilities and, last but not least, application
configuration vulnerabilities.

Regarding the previous email's recommendation 1) (anyone visiting your site is
an automated bot/site/spider): you can implement a CAPTCHA to make sure a
human is behind a visit to your site when entering information that does not
require authentication but that could potentially be fed by a
bot/site/spider.

On the issue of unvalidated parameters, make sure you are not just validating
GET and POST parameters for unsafe scripting and SQL commands on the client side
(using client JavaScript) but also on the server side before processing the data
on the back end or even on the web server. Web client input validation can be
bypassed with a proxy and is more a deterrent control than anything else.

On logging and auditing, besides making sure what to log, be careful to
protect the logs from tampering as well, restrict access to the logs to admins,
and make sure you know what not to log, such as confidential user
information (PII, SSN, etc.).

Marco Morana
OWASP Cincinnati Chapter Leader
http://www.owasp.org/index.php/Cincinnati
http://securesoftware.blogspot.com
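An added example of the logging points above (scrub PII and credentials before they hit the log, keep the log readable only by the admin account). This is constructed for this archive page; it is not code from Marco's message or from OWASP. The redaction patterns, logger names and sample events are all assumptions.

```python
"""Added example of the logging advice above; not Marco's code, not OWASP's.

A small audit-log helper that (1) scrubs SSNs, e-mail addresses and
credentials before a line is written, and (2) creates the log file so that
only the account running the application can read it. Patterns, names and
the sample messages are assumptions constructed for the example.
"""
import logging
import os
import re
import stat
import tempfile

# Data classes that must never appear in a log. Constructed for the example;
# a real deployment would extend this list for its own sensitive fields.
REDACTIONS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN REDACTED]"),
    (re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"), "[EMAIL REDACTED]"),
    (re.compile(r"(?i)(password=)[^&\s]+"), r"\1[REDACTED]"),
]


def redact(message: str) -> str:
    """Replace every match of the redaction patterns with a placeholder."""
    for pattern, replacement in REDACTIONS:
        message = pattern.sub(replacement, message)
    return message


class RedactingFormatter(logging.Formatter):
    """Scrubs the fully rendered record, so interpolated args are covered too."""

    def format(self, record: logging.LogRecord) -> str:
        return redact(super().format(record))


def open_protected_log(path: str) -> logging.Logger:
    """Return a logger writing to path, created owner-read/write only (0600)."""
    # Create the file with mode 0600 up front rather than relying on the
    # process umask, so there is no window where it is readable by others.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_APPEND, 0o600)
    os.close(fd)
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)  # enforce even if it pre-existed
    handler = logging.FileHandler(path)
    handler.setFormatter(
        RedactingFormatter("%(asctime)s %(levelname)s %(message)s")
    )
    logger = logging.getLogger("webapp.audit:" + path)
    logger.handlers.clear()
    logger.addHandler(handler)
    logger.setLevel(logging.INFO)
    logger.propagate = False
    return logger


def demo_in_tempdir() -> tuple:
    """Write two constructed events to a fresh log; return (mode, contents)."""
    path = os.path.join(tempfile.mkdtemp(), "audit.log")
    log = open_protected_log(path)
    log.info("password reset requested for 555-12-3456 (bob@example.test)")
    log.warning("login failed: POST body password=hunter2&user=bob")
    for handler in log.handlers:
        handler.close()
    with open(path, encoding="utf-8") as fh:
        contents = fh.read()
    return stat.S_IMODE(os.stat(path).st_mode), contents


if __name__ == "__main__":
    mode, text = demo_in_tempdir()
    print(oct(mode))
    print(text)
```

Redacting in the formatter rather than at each call site means a developer who later logs a raw request body still gets the scrub; the 0600 file mode addresses the "restrict access to admins" point, while tamper protection (append-only flags, shipping to a separate log host) is outside what this small helper does.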




-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of jason.gerfen () gmail com
Sent: Tuesday, January 22, 2008 1:38 PM
To: security-basics () securityfocus com
Subject: Re: Re: Web Application Security

Well, if you are worried about XSS and SQL attacks within your web
application, teach yourself to write secure code. Some things you might want
to consider prior to accepting any user input through the use of forms or
URL-passed variables with the GET method:


1. Anyone visiting your site is potentially an automated bot/spider/web
based attack.

2. Any URI/URL/Form based input strings should be
validated/sanitized/scrutinized prior to processing.


Depending on the language(s) you are using to generate your web
site/application, just make sure you are performing validation on the URL GET
variables as well as any POST variables being passed to your scripts/pages.


I hope this helps. If you are limited by a web server/hosting solution
where log monitoring and intrusion detection services are managed by the
host, your web application can perform its own sanity checks and should be
doing these types of checks anyway.
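An added example serving both posts: Jason's item 2 (validate every URI/form input before processing, for GET and POST alike) and Marco's point that the check must run on the server, since client-side JavaScript can be bypassed with a proxy. This is constructed for this archive page and is not code from either poster. It shows an allow-list validator over a query string or form body, followed by a parameterized database lookup; the parameter names, their rules and the SQLite schema are assumptions.

```python
"""Added example for the server-side validation points made by both posters.

Not code from either message: a constructed allow-list validator for GET
query strings and POST form bodies, followed by a parameterized database
lookup. The parameter names, rules and the sqlite schema are assumptions.
"""
import re
import sqlite3
from urllib.parse import parse_qs

# Allow-list: each accepted parameter name maps to the exact shape its value
# may take. Anything not listed, or not matching, is rejected on the server
# before it reaches the back end, regardless of any JavaScript check the
# browser may or may not have run.
PARAM_RULES = {
    "username": re.compile(r"[A-Za-z0-9_]{3,32}"),
    "page": re.compile(r"[0-9]{1,4}"),
    "sort": re.compile(r"name|date"),
}


class ValidationError(ValueError):
    """Raised for any parameter that fails the allow-list."""


def validate_params(raw: str) -> dict:
    """Parse a query string or form body; return only vetted parameters."""
    parsed = parse_qs(raw, keep_blank_values=True)
    clean = {}
    for name, values in parsed.items():
        rule = PARAM_RULES.get(name)
        if rule is None:
            raise ValidationError(f"unexpected parameter {name!r}")
        # A parameter supplied twice is ambiguous (which copy did the client
        # mean?), so it is rejected rather than silently picking one.
        if len(values) != 1:
            raise ValidationError(f"parameter {name!r} supplied {len(values)} times")
        if not rule.fullmatch(values[0]):
            raise ValidationError(f"parameter {name!r} has an invalid value")
        clean[name] = values[0]
    return clean


def is_valid(raw: str) -> bool:
    """True if every parameter in raw passes the allow-list, else False."""
    try:
        validate_params(raw)
        return True
    except ValidationError:
        return False


def build_demo_db() -> sqlite3.Connection:
    """In-memory table with constructed sample rows (example data only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    return conn


def lookup_email(conn: sqlite3.Connection, raw: str):
    """Validate the request, then query with a bound parameter.

    The driver sends the username as data, never as part of the SQL text, so
    the statement cannot be altered by the value even if the allow-list above
    were later loosened. Validation and parameterization are layered defenses.
    """
    params = validate_params(raw)
    if "username" not in params:
        raise ValidationError("username is required")
    row = conn.execute(
        "SELECT email FROM users WHERE username = ?", (params["username"],)
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = build_demo_db()
    for request in ("username=bob", "username=bob%27", "page=1&page=2",
                    "username=bob&debug=1"):
        try:
            print(request, "->", lookup_email(db, request))
        except ValidationError as exc:
            print(request, "-> rejected:", exc)
```

The same function handles a GET query string and a URL-encoded POST body, which is the point of Jason's note that both must be validated; the allow-list (what is accepted) is preferred over a block-list of known-bad strings because it does not need updating every time a new encoding or payload shape appears.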

