Software Engineering Radio - Web App Security
Today, I downloaded and listened to a web development podcast from Software Engineering Radio.
http://www.se-radio.net/podcast/2009-03/episode-128-web-app-security-bruce-sams
It covered web application security related to source code, not network security such as firewalls. According to this podcast, most web apps are not hacker-safe because of web developer ignorance.
As a web developer, after hearing this information, I just wanted to document a few obvious and easy steps to take when writing code.
1) Be aware of SQL injection, particularly in login forms. A common method is to enter a user name and enter "; --" as the password.
2) Be aware of user input being echoed back as output, such as "Welcome, Vivian". JavaScript injected through such fields and through HTML forms has been used to attack systems; it is not uncommon for JavaScript to be sent in and then executed by the HTML page. It's important to validate user input.
3) Be aware of exposing important unique IDs in the URL, such as orderId=3. Any database IDs presented to the user or placed in the URL should be randomly generated. One way to accomplish this is to use hashtables and lookup tables to map those IDs.
4) Be aware of directory browsing - shut this feature off.
5) NEVER put important system comments in HTML files.
6) Comments in source code files (such as .aspx.cs) should be stripped before deployment if the source code files reside in the web app folder, which they shouldn't. In the case of ASP.NET, only the bin folder should be deployed. The source code files belong in source management apps.
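To show what the lookup-table idea in item 3 looks like in practice, here is an added Python example (not code from the podcast or from this post). The `ReferenceMap` class, its per-session scoping and the `/orders/view?order=` URL are my own assumptions about how such a table would be built.

```python
import secrets


class ReferenceMap:
    """Per-session lookup table between internal database IDs and opaque
    random tokens, so a URL carries ?order=<token> instead of orderId=3.
    (Hypothetical helper written for this example.)"""

    def __init__(self, token_bytes=16):
        self._token_bytes = token_bytes
        self._to_token = {}   # (kind, db_id) -> token
        self._to_id = {}      # token -> (kind, db_id)

    def expose(self, kind, db_id):
        """Return the token for a database ID, minting one on first use.
        The same ID always maps to the same token within this session."""
        key = (kind, int(db_id))
        token = self._to_token.get(key)
        if token is None:
            token = secrets.token_urlsafe(self._token_bytes)
            while token in self._to_id:        # collision is astronomically unlikely
                token = secrets.token_urlsafe(self._token_bytes)
            self._to_token[key] = token
            self._to_id[token] = key
        return token

    def resolve(self, kind, token):
        """Map a token from the request back to the database ID, or return
        None when the token was never issued in this session or is of the
        wrong kind. Callers must treat None as 'not found', never as a guess."""
        entry = self._to_id.get(token)
        if entry is None or entry[0] != kind:
            return None
        return entry[1]


def build_order_link(session_map, order_id):
    """Build the link shown to the user; the real orderId never appears."""
    return "/orders/view?order=" + session_map.expose("order", order_id)


def token_from_link(link):
    """Pull the token back out of a link built by build_order_link."""
    return link.split("order=", 1)[1]


if __name__ == "__main__":
    alice = ReferenceMap()
    link = build_order_link(alice, 3)
    print(link, "->", alice.resolve("order", token_from_link(link)))
```

The map only hides the IDs; after resolving a token the server must still check that the order belongs to the logged-in user, since a token copied from one session is simply unknown in another.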