In our previous posts we talked about type of Threats and discussed in details Top Threats for Web Application security. Today we shall talk about the points a developer should consider while security applications.
- website authentication
- Resource authorization
- Input Validation & HTTP validation and encoding
- Parameter Handling
- Session Data Handling
- Sensitive Data Protection
- Web Services
- Exception Handling
- Web Config Management
- privilege management
- Ensure SSL Encryption is implemented
- Ensure strong Password policy is applied
- Confirm that cookies are stored only after encryption.
- Avoid storing any sensitive information in XML files.
- Monitor unsuccessful login activities.
- Confirm role based authorization is applied.
- If Application requires any File system access, ensure that windows authentication is applied.
- Confirm principal permission demand is applied in classes and members in source code.
- Ensure text is duly validated in using RequiredFieldValidator, RangeValidator, RegularExpressionValidator, Text Length.
- Encode output using urlEncode and HtmlEncode.
- Confirm Free form input is sanitized to thwart LFI or RFI attacks.
- Evaluate Input before applying it directly to the Data Model or SQL Query.
- Confirm query strings data are duly encrypted.
- Confirm form viewstate is encrypted.
- Confirm Page.ViewStateUserKey is implemented to defend against one-click attacks.
- Ensure most database operations are handled using Stored Procedures.
Session Data Handling
- Confirm redundant session services are disabled.
- Confirm session cookies data are hashed.
- Confirm connections strings are encrypted
- Ensure session state service is running with least privileges.
Sensitive Data Protection
- Confirm SSL is applied to protect communication.
- Confirm sensitive data does not reside in cookies, query strings, and hidden forms fields.
- Confirm server side state management is applied for clear text passing of data across the pages.
- Confirm output caching is disabled of sensitive encrypted data.
- Confirm sensitive data is not stored in web.config file in plain text
- Confirm redundant Web service protocols, including HTTP GET and HTTP POST, are disabled.
- Confirm Input to Web methods is validated for, length, type, range, and format.
- Confirm Web service running with least-privileged process account.
- Confirm Messages are digitally signed to certify that they cannot be tampered by malicious parameter manipulation.
- Confirm XML input data is substantiated based on an agreed-upon schema.
- Confirm publicly accessible Web methods are restricted by using declarative principle permission demands.
- Confirm every occurred exception is recorded on the server.
- Confirm structure exception handling is applied to each code file.
- Confirm Page level & Application level exception handling is applied.
- Confirm generic error page is configured for unexpected error occurrences.
Web Config Management
- Confirm enableViewState is disabled, if application doesn't rely on view state.
- Confirm httpMaxLength to prevent users from being able to upload a large-sized file.
- Confirm ASP.NET account is running with least privilege by this setting.
- Confirm unused file type handlers is mapped to Forbidden handler.
- Confirm automatic generation of WSDL is disabled.
- Confirm impersonate account has Read permission to GAC.
- Confirm process account has Read and Execute permission to solution content directory.
- Apply necessary permission for temporary folders.
- Enable Read and execute permission to the framework directories.
- Monitor any violations (if any)
- Ensure debug compilation is disabled.
- Confirm Trace is disabled.
- Confirm Bin directory doesn't have read or write permission or directory browse permissions.
Above list is not final, as everyday many more threats are discovered and necessary patches are applied. But as developer you need to ensure your application is threat proof. All testers should try to hack-test the system and ensure all necessary application security parameters are applied.
Hope the above information is useful, in next post we shall talk exclusively about SQL INJECTION.