Spread the word

Thursday, November 26, 2009

Top 5 Security Checks for your Website

Today just building up a website doesn’t help until you know how you can manage it. So before your website is getting into limelight, just be sure that you know how to fight hackers and spammers.

Here are the top 5 security guidelines for you to make your environment more secure and not letting it in the evil hands.

1. SQL Injection

SQL Injection is a vulnerability in which the attacker intends to change the structure of backend SQL statements by injecting carefully crafted SQL commands/statements through poorly validated HTML Input fields/parameters (taking advantage of insecure code) to:
  1. Steal Update & Delete information present in a database.

  2. Cause Denial of Service attack on a web application by shutting the database.

  3. Bypass authentication mechanism of a web application.

How to avoid SQL Injection:
  1. Use parameterized queries/stored procedures/bind variables to access a database and avoid the use of Dynamic SQL queries.

  2. Validate all the user supplied input to your web application for type, length, format and range before exposing the values to your backend (database) logic.

  3. Enforce a strong centralized & customized error handling mechanism in your web application and do not display the database errors to the end users with sensitive information like table names, fields, database drivers, sql statements, etc.

2. Cross Site Scripting (XSS) and Cross Site Request Forgery (XSRF)

Cross Site Scripting (XSS) is a security exploit in which the attacker intends to execute malicious script\code (constructed using JavaScript, VBScript, ActiveX, Flash, HTML etc) on the victim’s browser by taking the advantage of poorly validated data input points\HTML parameters (taking advantage of insecure code) to:
  1. Compromise or steal user’s sensitive information (SSN, Credit Card No.)\Session hijacking.

  2. Cause Cookie theft (Account hijack)\Cookie poisoning.

  3. Cause Denial of Service attack by executing malicious codes (viruses) on the end-user systems.

  4. Cause defacement/modification of Web appearance.

How to avoid XSS and XSRF
  1. Always Encode data that is received as input when you write it out as HTML. This technique will be effective on data that was not validated for some reason during input and contains malicious script/payload.

  2. Validate all the user supplied inputs as before.

  3. Try to use POST parameters instead of using GET parameters

  4. Always check the HTTP Referrer header before serving a page.

  5. Provide short time period for user sessions.

3. HTTP Response Splitting

HTTP Response Splitting is a kind of web application vulnerability, resulting from the failure of the application or its environment to properly sanitize user input values.

How to avoid HTTP Response Splitting
  1. Validate all the user supplied input to the web application for type, length, format and range.

  2. Parse all user inputs for HTML and Scripts.

  3. Don’t provide execute permission to user uploads.

4. Canonicalization Attacks

A canonicalization attack occurs when someone enters a filename requesting a file they are not allowed to access or overwrites a file they are not authorized to overwrite.

Canonicalization attacks may result into:
  1. Loss of confidentiality if files are deleted.

  2. Loss of integrity if files are removed.

  3. Denial of Service attack on the application/system if the file is deleted.

How to avoid Canonicalization Attacks
  1. Ensure that the web server hosts on a secure file system like NTFS.

  2. Set Access Control Lists on files and folders.

  3. Do not keep sensitive files, source code or any such material on the web server machine.

  4. Application developers will need to white list directories that application will be requiring to access.

  5. Use regular expressions to control the file\folders that can be accessed.

  6. Reduce UTF-8 encoding to its canonical form

5. Privilege Escalation - Cookie Manipulation

Web applications normally use browser cookies to save user information which eventually helps the web application to determine the privileges of the user and based upon this grants the user access to the functionalities present in the application.

An attacker can use this technique to
  1. Manipulate cookie values to fraudulently authenticate them to a web site.
    Escalate privileges to access functionalities which they are not authorized to access.

  2. Compromise another user’s profile.

How to avoid Cookie Manipulation
  1. Avoid storing sensitive information in cookies and use session variables to store this information on the server side.

  2. Use one session token to reference properties stored in a server-side cache.

  3. Another technique involves building intrusion detection hooks to evaluate the cookie for any infeasible or impossible combinations of values that would indicate tampering.

  4. Encrypt the cookie to prevent tampering.

  5. Use HTTPS (HTTP over SSL) which encrypts the information that are transmitted via the communication channel.


Acmeous said...

Hi Thomas,

Thanks a lot for pointing out a very important point which web masters should always take care of. That's really a good security check.
Thanks for visiting my Blog and contributing at the same time. Please stay tuned for future updates.


Anonymous said...

hi.. just dropping by here... have a nice day! http://kantahanan.blogspot.com/

Mahadevan said...

Thanks for your information.

Post a Comment