Web Application Security – Part 1

on Apr 12th, 2007

Making web applications secure has been an ongoing effort ever since the advent of web applications. The strange mix of technologies, interwoven with the complexities of each one of them, hasn’t encouraged the setting up of standards for these. Scripting hacks, cookie hacks, cross-site scripting, malicious users and other common problems plague web applications. If all these aren’t enough, you have denial of service and other scalability problems. There are just a handful of best practices and tips that you can follow to make your web applications more secure. I shall list some of them from my experience.
 
1. Validate all data that goes to the server
        Make sure you validate all the data that comes through the browser, whether it is a form you are submitting with critical data or some event like clicking a link. Make sure the dataset the server receives is what it is intended to receive. Against bot threats, use captchas and simple questions that require human intelligence and natural-language processing. By validating data, you are saving yourself that many attacks on your server.
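As an added example (not code from the original post), here is what "make sure the dataset the server receives is what it is intended to receive" looks like on the server side: every field is checked against an expected schema, required fields must be present, and any field the form was never meant to carry is rejected outright rather than silently accepted. The form fields, the regular expressions and the age range are constructed for illustration.

```python
import re

# Constructed validators for a hypothetical "update profile" form.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{3,20}$")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def _int_in_range(lo, hi):
    """Build a checker that accepts only integers in [lo, hi]."""
    def check(value):
        try:
            n = int(value)
        except (TypeError, ValueError):
            return False
        return lo <= n <= hi
    return check


# field name -> (required?, checker returning a truthy value when the input is acceptable)
FORM_SCHEMA = {
    "username": (True, USERNAME_RE.fullmatch),
    "email": (True, EMAIL_RE.fullmatch),
    "age": (False, _int_in_range(13, 120)),
}


def validate_form(submitted, schema=FORM_SCHEMA):
    """Return a list of error strings; an empty list means the dataset is acceptable.

    Unknown fields are rejected so a client cannot smuggle extra parameters
    (for example a hypothetical 'is_admin' flag) past the server simply by
    adding them to the request.
    """
    errors = []
    for name in submitted:
        if name not in schema:
            errors.append(f"unexpected field: {name}")
    for name, (required, check) in schema.items():
        value = submitted.get(name)
        if value is None or value == "":
            if required:
                errors.append(f"missing required field: {name}")
            continue
        # Only strings are expected from a form post; anything else is rejected.
        if not isinstance(value, str) or not check(value):
            errors.append(f"invalid value for field: {name}")
    return errors


if __name__ == "__main__":
    # Constructed sample submissions: one clean, one tampered with.
    print(validate_form({"username": "alice", "email": "alice@example.com"}))
    print(validate_form({"username": "al", "email": "not-an-address",
                         "age": "200", "is_admin": "1"}))
```

The point of the allow-list approach is that the server, not the browser, decides what a valid submission is: client-side checks are a convenience for the user, and a request built by hand or by a script never runs them.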

2. Use your JS wisely
         I have seen a lot of apps currently using a wealth of JS libraries, and since your JS needs a URL to access, the XMLHttpRequest object with its URL is wide open for the entire world to see. You don’t even need to look at the source: with a sniffer like Firebug, you can see all the async requests made, with the URL and the response. Scripting attacks are the most prevalent of the security attacks, and people can do wonders with malicious scripts. The trick here would be to confuse the hackers. Obfuscate the scripts wherever you can; there are good JS obfuscating libraries available. Be advised, obfuscation is usually irreversible, so use it wisely. Use POST instead of GET for async requests and make sure it’s the right person requesting the data. You could generate a session id of sorts on the server end and pass it to the browser as a key to use for any further requests. And please, don’t rely on cookies; they can only go so far.
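The last two suggestions, a server-issued key that the script must present on every further request and not relying on the cookie alone, can be combined into one check. The following is an added example and not code from the original post: the server mints a random request token when a session starts, the page's script sends it back with each async POST, and the server refuses anything that is not a POST, comes from an unknown session, or carries a token other than the one issued to that session. The in-memory session store and the function names are assumptions for the illustration.

```python
import hmac
import secrets

# Constructed in-memory session store (session id -> session data); a real
# application would keep this in its session backend.
SESSIONS = {}


def create_session():
    """Start a session and mint a random per-session request token.

    The browser gets the token in the page (not only in the cookie) and the
    page's script must echo it back on every state-changing request.
    """
    session_id = secrets.token_urlsafe(32)
    SESSIONS[session_id] = {"request_token": secrets.token_urlsafe(32)}
    return session_id


def request_token_for(session_id):
    """Token the server embedded in the page for this session."""
    return SESSIONS[session_id]["request_token"]


def authorize_async_request(method, session_id, presented_token):
    """Return (allowed, reason) for an incoming async request.

    The session id alone (what a cookie gives you) is not enough: the request
    must also carry the token the script was given, so a request that merely
    rides along on the cookie is rejected.
    """
    if method.upper() != "POST":
        return False, "state-changing requests must use POST"
    session = SESSIONS.get(session_id)
    if session is None:
        return False, "unknown session"
    if presented_token is None:
        return False, "missing request token"
    # Constant-time comparison so the check does not leak how many leading
    # characters of the token were right.
    if not hmac.compare_digest(session["request_token"].encode(),
                               presented_token.encode()):
        return False, "request token mismatch"
    return True, "ok"


if __name__ == "__main__":
    sid = create_session()
    token = request_token_for(sid)
    print(authorize_async_request("POST", sid, token))
    print(authorize_async_request("GET", sid, token))
    print(authorize_async_request("POST", sid, "guessed-token"))
```

Because the token is unguessable and tied to one session, seeing the URL in Firebug tells an onlooker where the endpoint is but not how to make the server act on it.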

3. Follow the MVC methodology
      It usually helps in abstracting the finer points of the application. Separating out the data, logic and accessibility will usually give you more control over what goes where, and a lot of server-side validation.

4. SQL Injection
   I understood the complexity behind these attacks only recently. A seemingly simple line of DB code can prove disastrous for an application. Always use good wrappers around your DB code. Many good SQL helper libraries protect you against such attacks, and the overhead is adding another server-side library, which is not so big considering it can save your application.
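To make the "seemingly simple line of DB code" concrete, here is an added example (not from the original post) that puts the fragile version beside the safe one. Both look up a user by name in a constructed in-memory SQLite table; the first pastes the input into the SQL text, the second hands it to the driver as a bound parameter, which is what the helper libraries the post recommends do for you underneath. The table, rows and function names are constructed for the illustration.

```python
import sqlite3


def build_demo_db():
    """Constructed in-memory table with two sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, pw TEXT)")
    conn.executemany("INSERT INTO users (name, pw) VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    conn.commit()
    return conn


def find_user_unsafe(conn, name):
    """The fragile line: user input concatenated straight into the SQL text.

    Whatever the input contains becomes part of the query, so a quote in the
    input changes the meaning of the WHERE clause instead of being data.
    """
    sql = "SELECT name FROM users WHERE name = '" + name + "' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn, name):
    """Same lookup with a bound parameter: the driver keeps the input as data."""
    rows = conn.execute("SELECT name FROM users WHERE name = ? ORDER BY id", (name,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = build_demo_db()
    # A normal lookup behaves the same either way.
    print(find_user_unsafe(db, "alice"), find_user_safe(db, "alice"))
    # Input containing a quote: the unsafe version returns every row because the
    # clause has been rewritten; the safe version finds no user with that name.
    odd_input = "' OR '1'='1"
    print(find_user_unsafe(db, odd_input), find_user_safe(db, odd_input))
```

The fix is not to escape quotes by hand but to never let input become query text: parameters keep the SQL structure fixed on the server, and the same applies to any helper or ORM layer worth using.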

 There is also the new generation of security threats thanks to Ajax and its open ways. But safer alternatives are being developed, like JSONRequest, which abstracts JSON-based calls and provides a safe way of making such calls.

  I shall write more about web based security when I get time.
