Things to remember while developing web application (Some Practices)

-
Below is a list of technical and non-technical high level points to be taken care. There can be definitely many more. (For exhaustive web application security specific guidelines please refer to http://www.owasp.org/index.php/Main_Page)


See to it!!

Visual representation plays a big role in boosting customer involvement. The sooner customer is able to see the UI of the application, more he tends to get involved. The visual representation makes the customer come up with modifications sooner than later.

Involved evolvement

Customer should always be involved throughout the course of application development. Team should create the process to get the frequent feedbacks and directions. Lack of feedback should be taken up as a risk ASAP specially in case of extreme development with Agile.

See the point

Customers do need the complete application but are not willing to give time. It’s a known fact that application cannot be bug free. If get to understand the business aspect of the application, we can prioritize the testing effort on the specific modules. Modules exposed to probable clients of the customers are the most sensitive one. Specially if you are not providing the need based service.

Testable ability

Make your intermediate deliveries completely testable. This keeps the testers attitude in high spirits. In case a complete solution could not be available, try to provide testing scripts to validate the solution. Manual verification deviates the tester from the holistic view of the application.

Input Validation

Don't assume that your users will provide you with valid, trustworthy data. Sanitize all data, checking for sane string lengths, valid file types, etc.

Guidelines for User-Supplied Input

Character-set: Only accept data containing a strictly limited and expected set of characters. If a number is expected, only accept digits. If a word, only letters.

Data Format: Only accept data containing the proper format. If an email address is expected, only letters, numbers, at symbol, dashes, and dots in the proper arrangement should be accepted. This includes enforcing minimum and maximum length restrictions on all incoming data. The technique should be used for account numbers, session credentials, usernames, etc. This limits the potential entry points for incoming attacks.

Escaping: All special characters from incoming data should be escaped to remove an additional programmatic meaning.

Non-trusted data

Non-trusted data is most often data that comes from the HTTP request, in the form of URL parameters, form fields, headers, or cookies. Traditionally, input validation has been the preferred approach for handling non-trusted data. However, input validation is not a great solution for injection attacks.

Escaping

Escaping is a technique used to ensure that characters are treated as data, not as characters that are relevant to the interpreter's parser. There are lots of different types of escaping, sometimes confusingly called output "encoding”. Do not confuse output escaping with the notion of Unicode character encoding, which involves mapping a Unicode character to a sequence of bits. This level of encoding is automatically decoded, and does not defuse attacks. However, if there are misunderstandings about the intended char set between the server and browser, it may cause unintended characters to be communicated.

Escaping is the primary means to make sure that non-trusted data can't be used to convey an injection attack. There is no harm in escaping data properly - it will still render in the browser properly. Escaping simply lets the interpreter know that the data is not intended to be executed, and therefore prevents attacks from working.

Injection Theory

Injection is an attack that involves breaking out of a data context and switching into a code context through the use of special characters that are significant in the interpreter being used.

There are two ways to inject code:

Injecting UP

The most common way is to close the current context and start a new code context. For example, this is what you do when you close an HTML attribute with a "> and start a new tag may be able to terminate a script block even if it is injected inside a quoted string inside a method call inside the script. This happens because the HTML parser runs before the JavaScript parser.

Injecting DOWN

The less common way to perform XSS injection is to introduce a code sub context without closing the current context. For example, if the attacker is able to change into < src="javascript:alert(document.cookie)"> they do not have to break out of the HTML attribute context. Instead, they introduce a sub context that allows scripting within the src attribute (in this case a javascript URL).

Cross-Site Scripting (XSS)

XSS attacks are, by most measures, the most common form of security problem on the web. In short, if an attacker can get their own JavaScript code into your application, they can do bad stuff. Anywhere you store and display non-trusted, user-supplied data needs to be checked, sanitized, and HTML escaped. Getting this right is hard, because hackers have many different ways to land XSS attacks. Your language or web development framework probably has a popular, well-tested mechanism for defending against cross-site scripting; please make use of it.

Always escape HTML before inserting non-trusted data into html content. Escape characters with HTML entity encoding to prevent switching into any execution context.

Refer: http://code.google.com/p/owasp-esapi-java/

Broadly escaping is required in case of

  1. Attribute
  2. Javascript
  3. CSS or
  4. URL is modified with the user supplied data.

XSS attack ca be mitigated by using HttpOnly (refer: http://www.owasp.org/index.php/HTTPOnly)

In-Depth Protection

The fundamental concept is that there should be multiple layers of security protecting your assets. Layers of security include input validation, database layer abstraction, server configuration, etc. Once in place it is necessary to frequently test the security of those layers. The reasoning behind In-Depth is that if any layer is breached, there is another layer in place preventing compromise. With defense-in-depth, the risks associated with security lapses are significantly mitigated.

Rate Limiting

Be sure that users can't take advantage of your application by repeatedly performing resource-expensive or socially detrimental actions. For example, don't let users repeatedly attempt to login or reset passwords. Use CAPTCHAs where appropriate to slow down potential spammers and attackers.

Cross-Site Request Forgery (CSRF)

Are you sure that requests to your application are coming from your application? CSRF attacks exploit this lack of knowledge by forcing logged-in users of your site to silently open URLs that perform actions. The most thorough way to deal with CSRF is to include a random token in every form that's stored someplace trusted; if a form doesn't have the right token, throw an error. Modern web frameworks have systematic ways of handling this.

Comments

Post a Comment

Popular posts from this blog

Hibernate: a different object with the same identifier value was already associated with the session

-
People working with Hibernate might be familiar with the below error. org.springframework.orm.hibernate3.HibernateSystemException: a different object with the same identifier value was already associated with the session: nested exception is org.hibernate.NonUniqueObjectException: a different object with the same identifier value was already associated with the session This exception is generated when we try to load an instance object in session which has been already loaded by hibernate. Easier said than done. Hibernate considers two persistent entities identical if the two rows of the table can be said identical. Above error could be generated in many ways and there may be various solutions on net like using session merge etc to get away with the problem. I will discuss here the reason for me getting this problem and the way I resolved it. Below is the code which generated the exception for me. Following is the method which caused the exception @Transactional(propagation=Propagation.
Read more

BeanDefinitionStoreException: Failed to parse configuration class: Could not find class [javax.jms.ConnectionFactory]

-
If you are creating a Spring Boot application and see the following error stack . ____ _ __ _ _ /\\ / ___'_ __ _ _(_)_ __ __ _ \ \ \ \ ( ( )\___ | '_ | '_| | '_ \/ _` | \ \ \ \ \\/ ___)| |_)| | | | | || (_| | ) ) ) ) ' |____| .__|_| |_|_| |_\__, | / / / / =========|_|==============|___/=/_/_/_/ :: Spring Boot :: (v2.2.0.RELEASE) 2020-06-27 19:30:32.786 INFO 35224 --- [ main] SchoolApplication : Starting SchoolApplication on LTUS76179 with PID 35224 (C:\personal\eclipse-workspace\apievolution\target\classes started by 381548 in C:\personal\eclipse-workspace\apievolution) 2020-06-27 19:30:32.796 INFO 35224 --- [ main] SchoolApplication : No active profile set, falling back to default profiles: default 2020-06-27 19:30:32.964 WARN 35224 --- [ main] ionWarningsApplicationContextInitializer : ** WARNING ** : Your ApplicationContext is unli
Read more