  1. #1
    MarcusJT

    Secure web application development

    I just thought I'd remind everyone that the security of your web applications (on all levels) is something that you should be paying a LOT of attention to, so here's a great site which pretty much covers all the bases - go through their 10-point list and see what you've missed out, then download & read the PDFs they have produced (for YOUR pleasure)...

    http://www.owasp.org/
    MarcusJT
    - former ASP web developer / former SPF "ASP Guru"
    - *very* old blog with some useful ASP code

    - Please think, Google, and search these forums before posting!

  2. #2
    Karloff
    I also stumbled across that site 2-3 weeks ago though I didn't bother looking beyond their recommendations. Did you actually use WebScarab or any of their other tools for automated security testing?
    Karl


    I'm desperately trying to figure out why Kamikaze pilots wore helmets. - George Carlin

  3. #3
    Andrew-J2000
    I've been to that before, but I can definitely vouch for this floor tho...
    Buffer Overflows

    Web application components in some languages that do not properly validate input can be crashed and, in some cases, used to take control of a process. These components can include CGI, libraries, drivers, and web application server components.
    With fast-perl (fcg) you have to overload the server, DOS or DDOS attack the server, and once it comes up with an internal server error, go to www.myserver.com/cgi-bin/ and it will grant you administrative privileges based on your IP address.

  4. #4
    SitePoint Enthusiast
    What other tools do you recommend for testing the security of a site?

    Thanks,

    James
    Everything is going as planned...now where is that ball of twine.

  5. #5
    Karloff
    Quote Originally Posted by devtech
    What other tools do you recommend for testing the security of a site?
    I follow best practices and always try to be aware of potential security risks while coding. This, of course, requires staying up to date on security holes on your platform of choice.

    As I mainly work on Windows now, with IIS, ASP and SQL 2000 or MS Access, I can only suggest a few tools and resources which might be useful to other Windows web developers.
    • IIS_PROMISC - simple to use IIS auditing tool written in Perl.
    • MS Baseline Security Analyser - basically scans your system for missing or outdated security patches of installed products incl. Win OS's, IIS, SQL Server, Exchange et al. Very useful IMO!
    • also use IISLockdown and URLScan as preventive measures if you're running < IIS 6.0!
    An interesting read for Microsofties is Securing Windows 2000 Server though I haven't applied or tried most of their guidelines as my apps are usually outsourced to a hosting provider.

    Last but not least, here is the page where you can find a plethora of Microsoft related security resources and tools - as they are serious about security now, and I truly do believe them!

    Rant: Actually, I think most bad press and reputation about Windows security simply comes from the fact that there is an overwhelming amount of so-called Windows Administrators who use Windows on their PC and assume they know its ins and outs after a few months clicking around. Needless to say, they will likely leave most doors open or even sprinkle out invitations for potential intruders. And when it is too late, you can always blame Windows. *NIX users, on the other hand, are usually more apt with their systems' internals and thus these systems are likely to be configured properly against most common attacks. Either way, I just wanted to share my opinion on Windows as I, for one, know that I am not a Windows Administrator though I have used Windows and its advanced features for well over 5 years now - and still my net PC could be easily hacked (I am sure).

    Edit: Oh, forgot to mention a crucial part in security testing: the best test of all is to unleash your application to the scrutiny of your users and monitor it actively and continuously. This includes checking webserver log files, event log files, database log files, any other related log files and of course your application's log files for any inconsistencies or abnormal usage patterns. You can either pursue proactive (defensive) measures automatically by alerting users who are trying to tamper with your system, blocking their IP, contacting their ISP etc, or you can manually assess the risk of any abnormalities. Either way, always be on your toes if you are running the server.
    Karl


    I'm desperately trying to figure out why Kamikaze pilots wore helmets. - George Carlin
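An added example, not from the thread, of the log monitoring Karl describes above: a small parser for the IIS W3C extended log format that flags any client producing a burst of 4xx/5xx responses, so an admin can assess it manually or feed it to an automatic block. The log lines and the threshold are constructed assumptions, not a real server's log.

```python
from collections import Counter

# Constructed sample of an IIS W3C extended log (not from a real server).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2003-05-01 10:00:01 10.0.0.5 GET /products.asp id=43 200
2003-05-01 10:00:02 10.0.0.5 GET /products.asp id=44 200
2003-05-01 10:00:05 192.0.2.9 GET /products.asp id=43;DELETE+FROM+users 500
2003-05-01 10:00:06 192.0.2.9 GET /products.asp id=43' 500
2003-05-01 10:00:07 192.0.2.9 GET /admin/ - 404
2003-05-01 10:00:08 192.0.2.9 GET /cgi-bin/ - 404
2003-05-01 10:00:09 192.0.2.9 GET /products.asp id=1+OR+1=1 500
2003-05-01 10:00:11 10.0.0.7 GET /default.asp - 200
"""

# Assumed threshold: this many error responses from one client counts as abnormal.
ERROR_THRESHOLD = 3


def parse_w3c(text):
    """Yield one dict per request, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]        # field names follow the directive
        elif line.startswith("#") or not line.strip():
            continue                         # other directives and blank lines
        elif fields:
            yield dict(zip(fields, line.split()))


def suspicious_clients(text, threshold=ERROR_THRESHOLD):
    """Return {c-ip: error_count} for clients whose 4xx/5xx count reaches threshold."""
    errors = Counter()
    for row in parse_w3c(text):
        if row["sc-status"][0] in "45":      # client or server error status
            errors[row["c-ip"]] += 1
    return {ip: n for ip, n in errors.items() if n >= threshold}


if __name__ == "__main__":
    for ip, n in suspicious_clients(SAMPLE_LOG).items():
        print(f"{ip}: {n} error responses, review or block")
```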

  6. #6
    SitePoint Enthusiast
    Here are a few good tips:

    -- Make sure that whenever a user can submit data that's used in a query (via a form variable, URL variable, or anything else) that you ensure that any numeric values are definitely cast as numeric values so that they don't contain malicious SQL statements. If you don't, someone can pass in a supposedly numeric variable such as "43; DELETE FROM users" that you would send right to your db.

    -- Make sure that error statements on your site are user-friendly but don't give the user information about your filesystem or database. Malicious users will use this information to help breach your system faster.

    -- This is a simple one, but make sure that you don't store your database in your web root. Users who guess at or otherwise identify the URL for it can download it at will.

    -- Conversely, don't let users upload files into the web root, either. They can upload malicious programs and then execute them on your server by calling them via URL. You can prevent this by configuring your MIME types correctly so that programs are downloaded instead of executed.

    -- Make sure that all of your SQL queries which deal with user-level information contain code which limits the scope of the activity to that user's account. For instance, if you have a form which lets users edit, say, a product description by passing a product ID, if you don't use the phrase "WHERE userID = [this user's ID]", they could just edit any product they wanted by passing the correct product ID in the FORM or URL string.
    Tom Mollerus
    tmollerus@oneworkspace.com
    http://www.oneworkspace.com The affordable, simple, and secure way to manage your projects online
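The numeric-cast and per-user scoping tips from the post above, side by side with the pattern they replace, as an added example that is not from the thread. Python with sqlite3 stands in for the ASP/SQL Server stack the thread discusses; the table and row values are constructed.

```python
import sqlite3


def make_db():
    """Constructed sample data: two users each owning one product."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE products(id INTEGER PRIMARY KEY, user_id INTEGER, descr TEXT);
        INSERT INTO products VALUES (1, 100, 'alice widget'), (2, 200, 'bob gadget');
    """)
    return db


def update_vulnerable(db, user_id, product_id, descr):
    """The 'before' pattern: the id is pasted into the SQL as text and the
    query is not scoped to the caller, so "2" edits another user's product
    and "1; DELETE FROM products" runs a second statement."""
    sql = f"UPDATE products SET descr = '{descr}' WHERE id = {product_id}"
    db.executescript(sql)   # executes every statement in the string, like many old drivers
    db.commit()


def update_hardened(db, user_id, product_id, descr):
    """Cast the numeric input, bind values as parameters, scope to the user."""
    try:
        pid = int(product_id)           # anything non-numeric is rejected outright
    except (TypeError, ValueError):
        raise ValueError("product id must be numeric")
    cur = db.execute(
        "UPDATE products SET descr = ? WHERE id = ? AND user_id = ?",
        (descr, pid, int(user_id)),     # the WHERE userID = [this user's ID] clause
    )
    db.commit()
    return cur.rowcount                 # 0: not this user's product (or not found)


def descr_of(db, product_id):
    row = db.execute("SELECT descr FROM products WHERE id = ?", (product_id,)).fetchone()
    return row[0] if row else None
```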

  7. #7
    Karloff
    Along the lines of the previous post from oneworkspace, here is M@rco's excellent thread on SQL injection and how to prevent it.

    Though maybe we should focus back on security testing, be it manual or automated, rather than mentioning preemptive measures for coding and server setup. I would definitely like to know how others perform their application security analysis (all the more if they do it in a semi-automated manner as I am a lazy sod).
    Karl


    I'm desperately trying to figure out why Kamikaze pilots wore helmets. - George Carlin


  9. #9
    MarcusJT
    I'm glad that my post has stimulated some good discussion... keep going!

    Karloff - that's an interesting theory about Windows vs *nix... and it makes a LOT of sense...!
    MarcusJT

  10. #10
    vgarcia
    Quote Originally Posted by M@rco
    I'm glad that my post has stimulated some good discussion... keep going!

    Karloff - that's an interesting theory about Windows vs *nix... and it makes a LOT of sense...!
    I agree with your theory too Karloff. You have the too-easy MCSE test for Windows NT 4.0 to thank for that. Apparently, subsequent tests have gotten much more difficult though.

  11. #11
    DaveMaxwell
    Could it be partially that Unix still works heavily in command-line mode (or at least the ones I know do) vs the point & click mentality of the Windows folk?

    Having to be command line driven makes you pay more attention than just pointing & clicking.
    Dave Maxwell - Manage Your Site Team Leader
    My favorite YouTube Video! | Star Wars, Dr Suess Style
    Learn how to be ready for The Forums' Move to Discourse

  12. #12
    MarcusJT
    Perhaps, but whether point'n'click or command-line, the fundamental difference between the two OSes is that with *nix you need a much deeper working knowledge of how everything works to be able to get it up and running, whereas Windows encourages ignorance of the underlying configuration details and mechanics by shrouding them in "Advanced" dialogs and wizards...

    Thus, your average *nix user understands far more about how his OS is configured and how things interact than your average Windows user...
    MarcusJT
