I need of an information. I'm new in develop web application. I should use php and javascritp but it 's possible, in the future, I could use other languase like Java. During these days I'm following a course on the best practice to write secure code.
Is there any guide/book or any other valid resource, where I can find an explanation about the differrent kind of attaks on a web application and the ways to solve them?
Thanks
Luca
If you're looking for resources to secure your applications on the internet, the first thing to try is OWASP, or Open Web Application Security Project. Here are some useful articles about what you're looking for:
OWASP: Web Security Testing Guide
OWASP: Cheatsheets
OWASP: General Information
All of the resources above will show you the recommended ways to secure your web application against threats. I think it's more than enough for the first step in the security world.
Related
Made a rather complex Asp.Net Core (2) App for a NGO, deployed on Azure, do we need WAF?
Thanks for your answer(s).
(Got the idea that most providers offer it for free. Money is a bit of an issue for the NGO).
I'm afraid that your question is not suitable for asking on StackOverflow, which seems to be not a technical issue about coding as my view. Infomation Security forum is more suited to ask for your needs, I think so.
However, Considering for reducing the cost for using some specifical secure services or features, such as WAF, you can directly realize some simple features by using Filters in ASP.NET Core as a simple secure middleware for your app, or search on GitHub to find some opensource components that features could satisfy your needs to integrate into your app.
As references, there are two GitHub repos which you can refer to.
dustinmoris/Firewall
saineshwar/Secure-ASP.NET-Core-MVC-Application
Hope it helps.
does someone know where I can find webapplications, on which i can legaly try my pentesting skills like a dummy application or sth? I heard there were some on the OWASP page, but I cant find any. I'll write my thesis about pentesting web applications, and would like to do some tests.
Thanks,
katy
There is website pprovided by OWASP themselves, which is intended exactly for that. It is called WebGoat
WebGoat is a deliberately insecure web application maintained by OWASP
designed to teach web application security lessons. You can install
and practice with WebGoat in either J2EE (this page) or WebGoat for
.Net in ASP.NET. In each lesson, users must demonstrate their
understanding of a security issue by exploiting a real vulnerability
in the WebGoat applications. For example, in one of the lessons the
user must use SQL injection to steal fake credit card numbers. The
application is a realistic teaching environment, providing users with
hints and code to further explain the lesson.
I have implemented some pages for my webproject. However, now I would like to add security.
I will have a couple of roles, like admin, user, other and some pages shall only be accessable for the admins, some for the users and so on.
If its intresting, Im using Hibernate for the database. I plan to store the roles and users in the database.
Can you help me to tell the best practice (if any) for a scalable solution for implementing the security in my webproject? Links, books or a good example is very grateful =)
Best regards
Apache Shiro is a new and supposedly very elegant and easy to use security framework.
Spring security may be suitable for your needs.
http://static.springsource.org/spring-security/site/features.html
BTW which IDE you are using?
You can undoubtedly visit OWASP web site..The OWASP web site provides you on every bit of information about the potential security attacks/threats to a web application..
The website will provide you all the information related to a particular attack/threat and also the possible solution to avoid the threat..
You can even download the ESAPI jar provided by OWASP which provides ample amount of functionalities to handle security attacks/threats. It will considerably reduce your development time.
Here's the link to the website
https://www.owasp.org/index.php/Main_Page
Based on the underlying technology you are using you will get relevant solutions to avoid attacks/threats.
Also you can store the names of the module or the URL in the DB and you can have a mapping between roles and the module. Based on the role of the user you can fetch the module and display respective modules to the user.
You can further visit this link for some more details on when to use SHIRO and when to use EASPI.
Apache Shiro & Java Security for Novicesenter link description here
But I am sure that after going through EASPI web site and few days of studying security attacks you can easily use EASPI to provide enhance security feature to your web application.
Hi does anybody know of any other programs similar to Webgoat for the demonstration of web application security flaws?
There are plenty of them. Some hosted, some for local installation. Some targeted more to teaching about web security, others for testing. Fortunately some folks already made some lists:
http://slogic.net/training/vulnerable-web-applications-to-learn-web-application-testing-skills
http://securitythoughts.wordpress.com/2010/03/22/vulnerable-web-applications-for-learning
http://www.owasp.org/index.php/Phoenix/Tools#Testing_grounds
I personally would start with Google Gruyere (http://google-gruyere.appspot.com/).
There is a really good list in here:
http://ha.ckers.org/blog/20090406/hacking-without-all-the-jailtime/
The big ones I would think of would be Fortify and HP WebInspect.
Fortify will scan the source code and find potential vulnerabilities
HP WebInspect will scan/brute force a website in production and find/report actual vulnerabilities.
Both require a fairly expensive license.
Also take a look at Codebashing - They are a SaaS based elearning platform that provide interactive application security wargames.
http://www.dvwa.co.uk/
http://www.itsecgames.com/
https://www.owasp.org/index.php/OWASP_Bricks#tab=Main
https://sourceforge.net/projects/mutillidae/
Also I Like dawa And murillidae That is Realy Intresting.
Take a look at:
OWASP Testing Project
Acunetix Web Security Scanner
Acunetix WVS automatically checks your
web applications for SQL Injection,
XSS & other web vulnerabilities.
Just to be on the safe side, what's the best practice to ensure that only my application has access to my webservice, which is hosted on a public server? Should I implement I shared key or something?
My webservice is hosted on Googles App Engine and my Application runs on iPhones and iPads.
If you need further information, just ask.
Thanks,
Henrik
some sort of challenge/response authentication would be your best bet, but you could use something as simple as a key that's sent with every request. it might be quite easy for someone with a packet sniffer to reverse engineer that security though - i guess the amount of time you spend on it will relate to how much you really care :)
If you require your iphone app users to enter a loginid/password, then it is trivial to achieve what you want. But I assume you don't want that ..
Without that, there is no way to ensure you app has exclusive access to your web-services. People can always sniff HTTP traffic and spoof it. People can decompile/reverse-engineer your app to figure out the key/password.
See other discussions on StackOverflow - How to restrict access to my web service? and How can I create and use a web service in public but still restrict its use to only my app?
You could program your app to only serve requests that include your iPhone's unique identier - see StackOverflow question [Unique identifier for an iPhone app]. The id could still be sniffed, so depending on your needs, you may need methods to counter that.
Well, i had similar problem. What i realized, there is no 100% solution. What i did is, i used different approach. I have implemented OAuth and SSL, of course and than make algorithm for my web service to learn behavior of my app.
I try to put that algorithm in some kind of pattern, template, so it can be used in more scenarios. It's still in developing, so here is code of simple console app that will simulate that algorithm. Hope this can help:
https://github.com/vjeftovic/LearningRESTSimulation