Web application attacks and must-have defensive methods

What defensive methods should you have for common web attacks like XSS, SQL injection, denial of service, etc.?

Edit: I have compiled your answers under the descriptions from Wikipedia, and I have added some additional questions to make this a complete reference.

SQL injection

SQL injection is a code injection technique that exploits a security vulnerability occurring in the database tier of an application. The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and is thereby unexpectedly executed. It is an instance of a more general class of vulnerabilities that can occur whenever one programming or scripting language is embedded inside another.

  • Do not trust user input and check it as soon as possible.
  • Do not create SQL from the original user input - use parameters instead.

Cross Site Scripting (XSS)

Cross-site scripting is a type of computer security vulnerability typically found in web applications that allows code injection by malicious web users into the web pages viewed by other users. Examples of such code include HTML code and client-side scripts. An exploited cross-site scripting vulnerability can be used by attackers to bypass access controls such as the same-origin policy.

  • Never display or execute user-submitted content verbatim.
  • HTML-encode all output.

Denial of service attack

A denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS attack) is an attempt to make a computer resource unavailable to its intended users. Although the means to carry out, motives for, and targets of a DoS attack may vary, it generally consists of the concerted, malevolent efforts of a person or persons to prevent a website or service from functioning efficiently or at all, temporarily or indefinitely.

I know that it is impossible to avoid denial of service attacks programmatically, but what do you think?

Brute force attacks

In cryptanalysis, a brute force attack is a method of defeating a cryptographic scheme by systematically trying a large number of possibilities; for example, exhaustively working through all possible keys in the key space in order to decrypt a message. In most schemes, the theoretical possibility of a brute force attack is recognized, but the scheme is set up in such a way that it would be computationally infeasible to carry out.

  • Block an account if too many login attempts fail. Never allow unlimited attempts.
  • Add a delay when the entered password is incorrect.

Additional questions:

  • What do you think of web robots that try to post submissions to your content? For example, SO uses image verification.

  • What do you think of the JavaScript eval function?

  • Is there a way to access content on a server that has not been exposed externally? For example, I have a page that inserts some important entries into my DB, and only I know this URL. Is there any way to get such files? I know that you can set some security rules for it.

(NOTE: Directory listing is disabled, and I am posting these files.)

Thanks for answers!

+6
security web-applications defensive-programming

Your question covers a lot of ground. I will try to give you some pointers. If you state your question more clearly, I can give you more specific information.

  • Never, ever trust user input. Everything that is included in your application that can be manipulated from the outside should be checked.
  • Never store passwords in plain text in your database. Store only the (salted) hash. Calculate the hash of the password the user gave and compare the hashes.
  • Block an account when too many login attempts fail. Never allow unlimited attempts.
  • When using a product or framework, stay on top of the mailing lists for those products and watch for security issues. If your underlying infrastructure has a security flaw, plan to be ready to upgrade.
  • When using a database, do not give everyone full access to it (even if you restrict access to the database to stored procedures). If someone only needs to read certain data, do not use an SQL account that can also modify data.
  • Regarding your question: "Is there a way to access content on the server that has not been exposed externally? For example, I have a page that inserts some important entries into my DB, and only I know this URL. Is there a way to get such files? I know you can set some security rules for it."
    You might think that someone cannot access your page simply because they do not know the URL. This is security through obscurity and will never work in the long run. The Google index spider will simply try to crawl the entire site and index every page that is accessible to it. If you have pages with confidential information, add an authentication and authorization mechanism.
+7

For XSS and SQL injection: never display or execute user-submitted content verbatim.

+3
  • Validate everything as soon as possible.
  • Do not create SQL from the original user input - use parameters instead.
  • HTML-encode all output.
+2
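The two defenses the bullet lists above and the question's SQL injection and XSS sections keep repeating (parameters instead of concatenated SQL, HTML-encode all output), as one added Python example that is not code from any poster; the in-memory sqlite3 table, the sample comment and the probe value are constructed here:

```python
import html
import sqlite3
# Constructed sample input: a comment containing a SQL quote and HTML markup,
# and a probe value whose quotes would alter a query built by concatenation.
USER_NAME = "alice"
USER_COMMENT = "I'd say <script>alert('x')</script> is \"fun\""
PROBE = "x' OR '1'='1"
def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE comments (author TEXT, body TEXT)")
    return conn
def store_comment_unsafe(conn, author, body):
    # Vulnerable: input spliced into the statement text, so a quote in the
    # comment changes the SQL itself (here it simply breaks the statement).
    conn.execute(f"INSERT INTO comments VALUES ('{author}', '{body}')")

def store_comment(conn, author, body):
    # Hardened: placeholders pass the input as data; the driver never
    # interprets it as SQL text, whatever characters it contains.
    conn.execute("INSERT INTO comments VALUES (?, ?)", (author, body))

def count_by_author_unsafe(conn, author):
    sql = f"SELECT COUNT(*) FROM comments WHERE author = '{author}'"
    return conn.execute(sql).fetchone()[0]

def count_by_author(conn, author):
    sql = "SELECT COUNT(*) FROM comments WHERE author = ?"
    return conn.execute(sql, (author,)).fetchone()[0]

def render_comment(author, body):
    # HTML-encode all stored user content on the way out, so the browser
    # shows it as text instead of parsing it as markup or script.
    safe_author = html.escape(author, quote=True)  # quotes matter in attributes
    return f'<p data-author="{safe_author}">{html.escape(body)}</p>'

def demo():
    conn = setup_db()
    try:
        store_comment_unsafe(conn, USER_NAME, USER_COMMENT)
        unsafe_insert_ok = True
    except sqlite3.OperationalError:
        unsafe_insert_ok = False
    store_comment(conn, USER_NAME, USER_COMMENT)
    return {
        "unsafe_insert_ok": unsafe_insert_ok,                      # False
        "rows_for_alice": count_by_author(conn, USER_NAME),        # 1
        "unsafe_probe_rows": count_by_author_unsafe(conn, PROBE),  # 1: matched every row
        "safe_probe_rows": count_by_author(conn, PROBE),           # 0: treated as a literal name
        "rendered": render_comment(USER_NAME, USER_COMMENT),
    }
```

The same probe returns every row through the concatenated query and no rows through the parameterized one, which is the whole point of the "use parameters" advice.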

Validation!

+1

The most important thing is to prevent brute-force password guessing. This is simple: add a delay when the entered password is incorrect.

+1
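The salted-hash storage and account lockout from the first answer, together with the failure delay recommended just above, as one added Python login routine that is not code from any poster; the in-memory user table, the PBKDF2 round count and the lockout threshold are assumptions:

```python
import hashlib
import hmac
import os
import time
MAX_FAILURES = 5             # lock the account after this many consecutive misses
FAILURE_DELAY_SECONDS = 1.0  # slow every wrong guess down
PBKDF2_ROUNDS = 100_000      # assumption: tune upward for production hardware
def hash_password(password, salt=None):
    # Store only a per-user random salt and a slow hash, never the password.
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

class UserStore:
    """Constructed in-memory user table standing in for the application's DB."""
    def __init__(self):
        self.users = {}  # name -> {"salt", "hash", "failures", "locked"}
    def add_user(self, name, password):
        salt, digest = hash_password(password)
        self.users[name] = {"salt": salt, "hash": digest, "failures": 0, "locked": False}

    def login(self, name, password, sleep=time.sleep):
        """Returns 'ok', 'bad_credentials' or 'locked'; `sleep` is injectable for tests."""
        user = self.users.get(name)
        if user is None:
            # Unknown user: same slow hash and delay as a wrong password, so
            # response time does not reveal which user names exist.
            hash_password(password, b"\x00" * 16)
            sleep(FAILURE_DELAY_SECONDS)
            return "bad_credentials"
        if user["locked"]:
            return "locked"
        _, digest = hash_password(password, user["salt"])
        if hmac.compare_digest(digest, user["hash"]):
            user["failures"] = 0
            return "ok"
        user["failures"] += 1
        if user["failures"] >= MAX_FAILURES:
            user["locked"] = True  # needs an out-of-band unlock path
        sleep(FAILURE_DELAY_SECONDS)
        return "bad_credentials"

def demo():
    delays = []  # records the delays that would have been slept
    store = UserStore()
    store.add_user("alice", "correct horse battery")
    results = [store.login("alice", "correct horse battery", delays.append)]
    results += [store.login("alice", f"guess{i}", delays.append) for i in range(MAX_FAILURES)]
    results.append(store.login("alice", "correct horse battery", delays.append))  # now locked
    results.append(store.login("nobody", "anything", delays.append))
    return results, delays
```

Note that the correct password is refused once the account is locked, so the lockout needs a legitimate unlock path (for example an admin reset), or it becomes a denial-of-service lever against your own users.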

We use a tool called Fortify to scan our software: http://www.fortify.com/ (sorry, a commercial product, but there may be others).

It catches user input that is not validated, string concatenation instead of parameters, and much more.

Just by trying this product, you can learn a lot about how to program securely.

+1

What do you think of web robots trying to post submissions to your content? For example, SO uses image verification.

Image verification is called a CAPTCHA. It prevents automated bots from filling out forms and helps verify that a person is actually submitting the form. They are usually used wherever you want to control access to a form. Spam bots will try to fill out contact forms to bypass spam filters, so you may need additional protection against such things. For the most part, form abuse is minimal, but you will see it in some cases.

What do you think of the JavaScript eval function?

It depends on how you use it. Like everything else, do not trust user input. If you intend to pass user input through eval(), first make sure it goes through a decent sanitization process. This is doubly important if you keep the input in the database and pull it back out to display it to other users. This applies to SQL and HTML as well as JavaScript. If someone can get JS code executed, with sufficient knowledge of how your site works they can do all kinds of crazy things and impersonate the logged-in user, change their password, etc.

Is there a way to access content on a server that has not been exposed externally?

As already mentioned, this would be security through obscurity and is not recommended. Everything that needs protecting should be placed behind a secure login area. Do not rely solely on a "hidden URL". If someone becomes aware of your special URL, or if it ends up in a log file that Google has access to, you may never know whether anyone can get there. Put some authentication around such things.

0