In this post I like to share some important facts I recently learned related to Secure Web Application Development. An expert in Secure Web Application development/Web Application Secure assessment will see these tips trivial, but I really hope they are important for those who are new to Web Application Development.
Common Web Application Security Flaws
Flaws in web applications can be divided into two main types.
- Design Flaws
- Implementation Flaws
Examples for a design flaw may be badly designed authentication scheme/session management scheme. Implementation flaws occur when a designed web application is implemented. Improper user input validation is an example for an implementation flaw. These two types has a close relationship because there is no use of secure implementation if the design is insecure and vice versa. So, developers should pay their attention on both design and implementation security.
A well-known and widely accepted guideline for Web Application security is OWASP Top 10. OWASP Top 10 describes the 10 most critical Web Application Vulnerabilities and mitigation mechanisms. If you are willing to develop a secure web application, OWASP Top 10 is a really important guideline that you are advised to follow. You can refer to Implementation guidelines given in OWASP Top 10 project to mitigate most of these issues in implementation phase. According to 2013 documents, OWASP describes its Top 10 Vulnerabilities as follows.
- Injection Flaws (SQL, LDAP, OS Command etc.)
- Broken Authentication and Session Management
- Cross Site Scripting (XSS)
- Insecure direct object references
- Security misconfiguration
- Sensitive data exposure
- Missing Function level access control
- Cross Site Request Forgery
- Using known vulnerable components
- Unvalidated redirects and fowards
You can visit OWASP Web site for massive amount of resources related to mitigate above vulnerabilities. But I would like to describe some generic tips to follow when you are developing web applications.
Tips for client side scripting
- If you have comments in your HTML markup, check whether any sensitive information is stored in comments.
- If you use hidden form fields in HTML Forms, do not send sensitive or critical information inside hidden fields since hidden fields can be manipulated by client.
Tips for getting user inputs
- Never trust user inputs given to the web application through a browser. Look for input data and strip out unnecessary strings such as HTML Tags, ;, –, #, /, \ etc.
- In some cases you might accept inputs containg those dangerous characters, but if you accept those kind of inputs be carefull when you display strings containg them in browser and using those strings in server side scripts. You can use HTML encoding when displaying dangerous strings and if you use them inside database queries, use parameterized database queries to prevent injection attacks. See more about data validation here at OWASP.
- If your web application has file upload facility, limit users uploading files with arbitrary file types and sizes and carefully implement mechanisms if you let other users read those uploaded files to prevent malicious file execution on server.
Tips for authentication/authorization and session management
- Force users set complex passwords/passphrases including numbers, lowercases, uppercases, special characters etc and define a minimam length for passwords to prevent users setting trivial passwords. Never store users passwords in plaintext or unsalted. Always use a secure password storage mechanism. Further, Do not give explicit messages when login failed such as “Username incorrect”, “Password incorrect” rather give a message like “Login Failed”, “Incorrect username or password” etc.
- When a user request for a resource such as a file or a page, always validate user for authenticity and authority to use that resource.
- When storing session details on client side via cookies, always set cookies with HTTP ONLY flag set to prevent cookie theft via Cross Site Sripting. Set cookies which expire in short period of time if not necessary.
- The golden rule in Web Application Security is, you should never trust user inputs. Always use input validation and sanitization mechanisms to filter user inputs. Both client side validation (in browser) and server side validation should be properly implemented for best security.
- Never send sensitive parameters to the Web Server through URL (GET requests). Keep in mind that URL parameters are always manipulated by an attacker and easily visible to anyone just with the browser.
- Try to use a well known secure framework (ex:- Zend framework for PHP) to develop your applications on top of. It prevents most of the mistakes you make if you write the application from scratch.
- Use secure libraries (such as OWASP ESAPI) to develop core security mechanisms such as authentication schemes, session management schemes. And also using a proper library to sanitize user inputs (such as HTML Purifier, Zend/Symfony, Microsoft AntiXSS) is better since raw implementation of sanitization may most probably create security holes.
- Always check whether external software components you use are up-to-date. Using old components is highly insecure because there may be known vulnerabilities in those components that exploits are available for.
- Use an interception proxy such as Fiddler/BurpSuite/Zed Attack Proxy and monitor how/what requests are sent and how/what responses are received. Using such a proxy you can attack your application and try to findout security issues in both implementation and design.
Tools to test your web application’s security
- Burp Suite Interception Proxy
- Zed Attack Proxy (ZAP)
- Web Application Security Addons for firefox