Website from scratch and security threats - security

Security threats on a website made from scratch.
What do I have to do to protect my website?
Also, what other issues (apart from security) will show up during development, maintenance and management of a website?

Non-optimized scripts and loose development standards are the biggest threat to the security of a website. Using a good framework and following its architecture for developing a website from scratch can address this to a large extent. The following aspects of a website are among the favourites of intruders trying to get unauthorized access to the website, and these should be implemented with prudence to keep the website safe:
~ User authentication
~ Server authentication
~ Validation of input & output data
~ Session & cookies management
Depending upon the confidentiality of data on the website, use of SSL can add a further level of security to the website.
If you are going to follow the Agile methodology, then high-level documentation of features & tools will save a lot of to-and-fro during development, and thinking about the maintenance process & how-tos will help in developing efficient administration tools.

Related

Security vulnerability for mobile applications

I would like to know if the security vulnerabilities for web-based applications, such as the ones due to poor input validation, such as
SQL injection
XML injection
XSS
CSRF
Clickjacking (frame busting)
Since the mobile app runs in its own sandbox environment, I would have thought that the browser-specific vulnerabilities would not be applicable.
OWASP does not list these as part of their top 10 list, and I wanted to understand if there is a scenario where these can pose an issue for mobile apps.
Most of the vulns described in the OWASP Top 10 are attacks against the server, e.g. SQL injection, XML injection, Java deserialization, CSRF and others.
Thus it doesn't matter if the client is a browser or a mobile app. The attacker can craft their requests with any tool they want.
There are specific vulns related to mobile applications on the client side. These are described in the OWASP Mobile App Top 10.

webapp penetration testing on dummy application

Does someone know where I can find web applications on which I can legally try my pentesting skills, like a dummy application or something? I heard there were some on the OWASP page, but I can't find any. I'll write my thesis about pentesting web applications, and would like to do some tests.
Thanks,
katy
There is a website provided by OWASP themselves, which is intended exactly for that. It is called WebGoat:
WebGoat is a deliberately insecure web application maintained by OWASP designed to teach web application security lessons. You can install and practice with WebGoat in either J2EE (this page) or WebGoat for .Net in ASP.NET. In each lesson, users must demonstrate their understanding of a security issue by exploiting a real vulnerability in the WebGoat applications. For example, in one of the lessons the user must use SQL injection to steal fake credit card numbers. The application is a realistic teaching environment, providing users with hints and code to further explain the lesson.

Setting up a secure webserver

So I have finished creating my first website that I will be hosting online. It has PHP, HTML, and JavaScript. Now I am looking for a way to host my website securely. I have looked at sites like GoDaddy and Web Hosting Hub. I was wondering what the best hosting service would be for my needs.
My needs:
Able to run PHP
Have an actual name, like www.noahhuppert.com
Be able to obscure the code so people can not just copy it (this is because my website is for my website design company and I have examples of templates people can use, but I don't want people just stealing those templates with a simple right click + inspect element)
Run server-side scripts (like slowing down connections to users if they fail to log in too many times, to prevent brute-force cracking attempts)
Deny access to people reading files (I don't want people downloading my password hash files or anything like that)
Be able to host files on the service's servers; I don't just want a DNS pointing back to my computer.
This question is asking for an opinion. Basically any linux web host will provide most of what you're looking for. You're asking for an opinion about which hosting site is the best. I cannot answer that.
What I do want to warn you about is this:
From your question, you're concerned with:
- security: this is not a web host provider feature, but a feature of secure web code. See https://www.owasp.org/index.php/Top_10_2013 for a great introduction to website security.
- obscure code: You cannot prevent someone from stealing your CSS. They will not get to your raw templates (I'm assuming you're using templates) if you set your file permissions right on the web server.
If you're concerned with brute-force protections, you'll need to code that up yourself. The web host provider would not (and should not) rate limit your connections.
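The "slow down repeated failed logins" requirement from the question, written up as an added example (not the answerer's code, and not tied to any particular host): a throttle that counts failures per account and per client IP and locks out with a doubling delay. The class name, thresholds and the in-memory store are assumptions; a real site would keep the counters in its database or cache so they are shared between web workers and survive restarts.

```python
import time
from dataclasses import dataclass

FREE_ATTEMPTS = 3        # failures allowed before any lockout (assumed value)
BASE_DELAY = 2.0         # first lockout in seconds; doubles with each further failure
MAX_DELAY = 15 * 60.0    # never lock out for longer than 15 minutes
WINDOW = 60 * 60.0       # forget a counter that has been quiet for an hour


@dataclass
class _Counter:
    failures: int = 0
    last_failure: float = 0.0
    locked_until: float = 0.0


class LoginThrottle:
    """In-memory failed-login throttle, keyed by account and by client IP."""

    def __init__(self, clock=time.time):
        self._clock = clock                    # injectable so tests can fake time
        self._counters: dict[str, _Counter] = {}

    def retry_after(self, username: str, ip: str) -> float:
        """Seconds the caller must wait before another attempt; 0.0 if allowed.
        Call this BEFORE checking the password, and treat unknown usernames
        exactly like known ones so the delay does not reveal which accounts exist."""
        now = self._clock()
        wait = 0.0
        for key in (f"user:{username}", f"ip:{ip}"):
            c = self._counters.get(key)
            if c is not None and now - c.last_failure <= WINDOW:
                wait = max(wait, c.locked_until - now)
        return wait

    def record_failure(self, username: str, ip: str) -> None:
        now = self._clock()
        for key in (f"user:{username}", f"ip:{ip}"):
            c = self._counters.get(key)
            if c is None or now - c.last_failure > WINDOW:
                c = self._counters[key] = _Counter()   # stale or new: start fresh
            c.failures += 1
            c.last_failure = now
            if c.failures > FREE_ATTEMPTS:
                extra = c.failures - FREE_ATTEMPTS - 1  # 0 on the first lockout
                c.locked_until = now + min(MAX_DELAY, BASE_DELAY * 2 ** extra)

    def record_success(self, username: str) -> None:
        # Clear only the account counter. Resetting the IP counter on any success
        # would let an attacker unlock it by logging in to an account they control.
        self._counters.pop(f"user:{username}", None)
```

The IP counter is what slows down attempts spread across many usernames, while the account counter catches attempts on one account from many addresses; both are checked on every request.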

Security (framework?) for JSF 2.0

I have implemented some pages for my web project. However, now I would like to add security.
I will have a couple of roles, like admin, user, other, and some pages shall only be accessible for the admins, some for the users and so on.
If it's interesting, I'm using Hibernate for the database. I plan to store the roles and users in the database.
Can you tell me the best practice (if any) for a scalable solution for implementing security in my web project? Links, books or a good example would be very much appreciated =)
Best regards
Apache Shiro is a new and supposedly very elegant and easy to use security framework.
Spring security may be suitable for your needs.
http://static.springsource.org/spring-security/site/features.html
BTW which IDE you are using?
You can undoubtedly visit the OWASP web site. The OWASP web site provides you every bit of information about the potential security attacks/threats to a web application.
The website will provide you all the information related to a particular attack/threat and also the possible solution to avoid the threat.
You can even download the ESAPI jar provided by OWASP, which provides an ample amount of functionality to handle security attacks/threats. It will considerably reduce your development time.
Here's the link to the website
https://www.owasp.org/index.php/Main_Page
Based on the underlying technology you are using you will get relevant solutions to avoid attacks/threats.
Also you can store the names of the module or the URL in the DB and you can have a mapping between roles and the module. Based on the role of the user you can fetch the module and display respective modules to the user.
You can further visit this link for some more details on when to use Shiro and when to use ESAPI:
Apache Shiro & Java Security for Novices
But I am sure that after going through the ESAPI web site and a few days of studying security attacks you can easily use ESAPI to provide enhanced security features to your web application.

Writing secure asp.net applications

I am on a project that involves processing financial information, and so I need to write secure ASP.NET pages using C# 2008 (HTTPS etc.).
Can anyone recommend any tutorials that can help me understand more about writing secure ASP.NET apps?
Thanks
There's a whole book on this topic, Dominick Baier's Developing More-Secure Microsoft ASP.NET 2.0 Applications. It is outstanding, and has a ton of features and techniques that you won't find anywhere else, at least not without a lot of digging. I've used this book for web security design on two projects, and I highly recommend it.
EDIT TO ADD: Second recommendation, Writing Secure Code: Practical Strategies and Proven Techniques for Building Secure Applications in a Networked World. While much of the code in this book is about unmanaged code, the sections on understanding good security development practices, threat modeling, etc., really tell you what you need to be thinking about as you design and evaluate your web site's security issues.
If you are interested in using an SSL certificate to secure your site and its pages, keep in mind SSL is a technology that is in place at the transport layer, meaning it is independent of what programming framework or language you are using. SSL certificates are installed either via IIS or the MMC certificates snap-in on the server/PC.
There are a few steps involved in using an SSL cert with IIS:
Generate a Certificate Request in IIS
Submit the Cert request to a trusted Certificate Authority (3rd party vendor such as Verisign, DigiCert, Thawte, etc.)
Install Certificate provided by vendor on server and apply it to your website
For testing, you can use makecert.exe to generate self-signed certificates. These will work in your browser for testing your app, but should never be used in production. Here's a good stackoverflow answer that suits your needs:
Using makecert for Development SSL
Once you go into production, you'll need a cert from a real Certificate Authority. Once you choose a vendor they will have specific instructions on how to generate the certificate. I recently used DigiCert and was happy with them.
In addition to implementing an SSL certificate, you of course need to make your actual website/application secure using authentication, roles, etc.
Here's a good primer to the asp.net security features:
http://msdn.microsoft.com/en-us/library/aa302388.aspx
Here is a good place to start:
The Anti Cross Site Scripting library from Microsoft:
http://channel9.msdn.com/posts/Jossie/Anti-XSS-Library-v31-Find-Fix-and-Verify-Errors/
Also, I'd assume you are going to use Verisign. Here is a good link from Microsoft:
http://support.microsoft.com/kb/293817
Edit: I should also add one thing to note. Don't have any Internet-facing data that is sensitive. If you don't need it, don't collect or store it on the server that is exposed to the Internet.
Fiddler is a great way to try to spoof data in your own application to see if there is a security hole. There are video tutorials on how to do this on the download site: http://www.fiddler2.com/fiddler2/
Here are some more tutorials on security from Microsoft including crypto:
http://msdn.microsoft.com/en-us/library/ms978512.aspx
Another good overview on security: http://davidhayden.com/blog/dave/archive/2005/10/23/2527.aspx
One last good link, Building Secure ASP.NET Applications: Authentication, Authorization, and Secure Communication: http://msdn.microsoft.com/en-us/library/aa302387.aspx
Also, a stackoverflow question that is related: What measures should I take to secure my multi-tier ASP.NET application?