Secure web application development

[MarcusJT]

I just thought I'd remind everyone that the security of your web applications (on all levels) is something that you should be paying a LOT of attention to, so here's a great site which pretty much covers all the bases - go through their 10-point list and see what you've missed out, then download & read the PDFs they have produced (for YOUR pleasure)...

http://www.owasp.org/

[Karloff]

I also stumbled across that site 2-3 weeks ago though I didn't bother looking beyong their recommendations. Did you actually use WebScarab or any of their other tools for automated security testing?

[Andrew-J2000]

I've been to that before, but I can definately vouch for this floor tho...

Buffer Overflows

Web application components in some languages that do not properly validate input can be crashed and, in some cases, used to take control of a process. These components can include CGI, libraries, drivers, and web application server components.

With fast-perl, (fcg) you have to overload the server, DOS or DDOS attack the server, and once it comes up with an internal server error, goto www.myserver.com/cgi-bin/ and it will grant you administrative privaleges based on your ip address.

[devtech]

What other tools do you recommend for testing the security of a site?

Thanks,

James

[Karloff]

What other tools do you recommend for testing the security of a site?

I follow best practices and always try to be aware of potential security risks while coding. This, of course, requires staying upto date on security holes on your platform of choice.

As I mainly work on Windows now, with IIS, ASP and SQL 2000 or MS Access, I can only suggest a few tools and resources which might be useful to other Windows web developers.

• IIS_PROMISC - simple to use IIS auditing tool written in Perl.
• MS Baseline Security Analyser - basically scans your system for missing or outdated security patches of installed products incl. Win OS's, IIS, SQL Server, Exchange et al. Very useful IMO!
• also use IISLockdown and URLScan as preventive measures if you're running < IIS 6.0!

An interesting read for Microsofties is Securing Windows 2000 Server though I haven't applied or tried most of their guidelines as my apps are usually outsourced to a hosting provider.

Last but not least, here is the page where you can find a plethora of Microsoft related security resources and tools - as they are serious about security now, and I trully do believe them!



Rant: Actually, I think most bad press and reputation about Windows security simply comes from the fact that there is an overwhelming amount so-called Windows Administrators who use Windows on their PC and assume they know its ins and outs after a few months clicking around. Needless to say, they will likely leave most doors open or even sprinkle out invitiations for potential intruders. And when it is too late, you can always blame Windows [img]images/smilies/rolleyes.gif[/img]. *NIX users on the other hand, are usually more apt with their systems internals and thus these systems are likely to be configured properly against most common attacks. Either way, I just wanted to share my opinion on Windows as I, for one, know that I am not a Windows Administrator though I have used Windows and its advanced features for well over 5 years now - and still my net PC could be easilly hacked (I am sure).


Edit: Oh, forgot to mention a crucial part in security testing: the best test of all is to unleash your application to the scrutiny of your users and monitor it actively and continuously. This includes checking webserver log files, event log files, database log files, any other related log files and of course your applications log files for any inconsistencies or abnormal usage patterns. You can either pursue proactive (defensive) measures automatically by alerting users who are trying to tamper your system, blocking their IP, contacting their ISP etc, or you can manually asess the risk of any abnormalities. Either way, always be on your toes if you are running the server [img]images/smilies/smile.gif[/img]

[oneworkspace]

Here are a few good tips:

-- Make sure that whenever a user can submit data that's used in a query (via a form variable, URL variable, or anything else) that you ensure that any numeric values are definitely cast as numeric values so that they don't contain malicious SQL statements. If you don't, someone can pass in a supposedly numeric variable such as "43; DELETE FROM users" that you would send right to your db.

-- Make sure that error statements on your site are user-friendly but don't give the user information about your filesystem or database. Malicious users will use this information to help breach your system faster.

-- This is a simple one, but make sure that you don't store your database in your web root. Users who guess at or otherwise identify the URL for it can download it at will.

-- Conversely, don't let users upload files into the web root, either. They can upload malicious programs and then execute them on your server by calling them via URL. You can prevent this by configuring your MIME types correctly so that programs are downloaded instead of executed.

-- Make sure that all of your SQL queries which deal with user-level information contain code which limits the scope of the activity to that user's account. For instance, if you have a form which lets users edit, say, a product description by passing a product ID, if you don't use the phrase "WHERE userID = [this user's ID]", they could just edit any product they wanted by passing the correct product ID in the FORM or URL string.

[Karloff]

Along the lines of the previous post from oneworkspace, here is M@rco's excellent thread on SQL injection and how to prevent it.

Though maybe we should focus back to security testing, be it manual or automated, rather than mentioning preemptive measures for coding and server setup. I would definately like to know how others perform their application security analysis (all the more if they do it in a semi-automated manner as I am lazy sod ).

[drochili]

http://www.insecure.org/tools.html
and http://www.nessus.org

[MarcusJT]

I'm glad that my post has stimulated some good discussion... keep going!

Karloff - that's an interesting theory about Windows vs *nix... and it makes a LOT of sense...!

[vgarcia]

I'm glad that my post has stimulated some good discussion... keep going! [img]images/smilies/biggrin.gif[/img]

Karloff - that's an interesting theory about Windows vs *nix... and it makes a LOT of sense...!

I agree with your theory too Karloff. You have the too-easy MCSE test for Windows NT 4.0 to thank for that . Apparently, subsequent tests have gotten much more difficult though.

[DaveMaxwell]

Could it be partially that Unix still work heavily in command line-mode (or at least the ones I know do) vs the point & click mentality of the Windows folk?

Having to be command line driven makes you pay more attention than just pointing & clicking.

[MarcusJT]

Perhaps, but whether point'n'click or command-line, the fundamental difference between the two OSes is that with *nix you need a much deeper working knowledge of how everything works to be able to get it up and running, whereas Windows encourages ignorance of the underlying configuration details and mechanics by shrouding them in "Advanced" dialogs and wizards...

Thus, your average *nix user understands far more about how his OS is configured and how things interact than your average Windows user...