Top tips for secure web applications

I am looking for easy steps that are simple and effective in making a web application more secure.

What are your top tips for secure web applications, and what kind of attack will they stop?

Answers


Microsoft Technet has en excellent article:

Ten Tips for Designing, Building, and Deploying More Secure Web Applications

Here are the topics for the tips answered in that article:

  1. Never Directly Trust User Input
  2. Services Should Have Neither System nor Administrator Access
  3. Follow SQL Server Best Practices
  4. Protect the Assets
  5. Include Auditing, Logging, and Reporting Features
  6. Analyze the Source Code
  7. Deploy Components Using Defense in Depth
  8. Turn Off In-Depth Error Messages for End Users
  9. Know the 10 Laws of Security Administration
  10. Have a Security Incident Response Plan

Do not trust user input.

Validation of expected data types and formatting is essential to avaoiding SQL injection and Cross-Site Scripting (XSS) attacks.


  1. Escape user provided content to avoid XSS attacks.
  2. Using paremeterised SQL or stored procedures to avoid SQL Injections attacks.
  3. Running the webserver as an unprivileged account to minimise attacks on the OS.
  4. Setting the webserver directories to an unprivileged account, again, to minimise attacks on the OS.
  5. Setting up unprivileged accounts on the SQL server and using them for the application to minimise attacks on the DB.

For more in depth information, there is always the OWASP Guide to Building Secure Web Applications and Web Services


Some of my favourites:

  1. Filter Input, Escape Output to help guard against XSS or SQL injection attacks
  2. Use prepared statements for database queries (SQL injection attacks)
  3. Disable unused user accounts on your server to prevent brute force password attacks
  4. Remove Apache version info from HTTP header (ServerSignature=Off, ServerTokens=ProductOnly)
  5. Run your web server in a chroot jail to limit damage if compromised

OWASP is your friend. Their Top Ten List of web application security vulnerabilities includes a description of each problem and how to defend against it. The site is a good resource for learning more about web application security and is a wealth of tools and and testing techniques as well.


Set the secure flag on cookies for SSL applications. Otherwise there is always a highjacking attack that is much easier to conduct than breaking the crypto. This is the essence of CVE-2002-1152.


Need Your Help

Can you use Reflector to get the source code of an app and then debug using that source code?

.net debugging reflector

It seems like you could use a mashup of Relector and a Debugger to be able to debug any .NET app WITHOUT having the source code at all. Is this possible? Has anyone seen this before?

Pronouncing dictionaries

dictionary

Are there any alternatives to The CMU Pronouncing Dictionary, commercial or open source?