Assessing the Security of Your Web Applications
Now we know in theory how a malicious user thinks. We also have some idea about who may be at risk. The remainder of this article will focus on security issues and measures that can be implemented by web site developers in protecting an organization's assets. This is important because the web site administrators cannot easily enforce the client-side security measures. What follows is a list and description of security-related exposures.
A cookie is a small piece of data which is sent from a web server to a web browser when that browser visits the server's site. The cookie is stored on the user's machine, but it is not an executable program and cannot do anything to that machine. However, cookies may allow a malicious user to hijack web sessions and view, modify or otherwise exploit the information related to another user's session. A hacker may obtain the cookie by various means, including physical access or network sniffing, as well as guessing the cookie's contents. Next, the hacker can try to impersonate the user by hijacking the user's sessions. This is an especially serious issue with shared workstations, cyber cafés and public kiosk environments.
Sometimes cookies are used to store information such as user host name, password, account ID, session ID and other user profile information. Cookies are often used to maintain session information between the user and his shopping cart. Two types of cookies exist:
Persistent cookies have an expiration date and are stored on a user's hard disk until that date. A persistent cookie can be used to track a user's browsing habits by identifying her whenever she returns to a site.
Non-persistent cookies are stored in the web browser's memory. They last only until the browser is closed and are then destroyed.
If a user is able to capture the cookies by sniffing on the network, or by any other means, he may be able to gain unauthorized access to personal information, including credit card number, passwords, user ID and mailing address.
The security measures you can take are:
Use non-persistent cookies instead of persistent cookies.
If you must use persistent cookies, then specify a short duration for the cookie's life. The longer the time until cookie expiration, the larger the risk.
Avoid application features that use persistent cookies to store privacy-related information. Example: “Please check to remember user name and password.”
Use the secure tag, so that the cookie is sent only if a secure channel (https) is being used.
Encrypt the information in the cookies. Some web sites split one cookie into many cookies that are further encrypted.
Very simply, form manipulation involves saving a web site's form and editing it off-line. Many times, this involves adding more entries to pull-down lists or increasing the size of text fields. The intent is usually to cause a buffer overflow on the server. In the past, client-side form validation has been used to offload the performance load from the server. While client-side validation is a good technique from a performance point of view, it is not the preferred solution from a security point of view. Poorly designed web applications may contain hidden fields that contain user IDs, account IDs or other key fields that define user sessions. Again, all this information can be manipulated off-line to gain access to another user's session.
Form manipulation is a simple technique and requires only a knowledge of HTML. Experienced programmers may be able to alter and submit forms by guessing the server-side code used to process the forms.
The following measures should be implemented to improve the security of an application against form manipulation:
Perform referrer checks on the server side. This will ensure that a given form was reached from the page that contains the hyperlink providing access to the form.
Process and validate the form input field values entered by the user for range, expected input (e.g., numeric vs. alphabets), strange characters and any other associations specific to the user.
Do not store critical user information in hidden fields in the form.
|Speed Up Your Web Site with Varnish||Jun 19, 2013|
|Non-Linux FOSS: libnotify, OS X Style||Jun 18, 2013|
|Containers—Not Virtual Machines—Are the Future Cloud||Jun 17, 2013|
|Lock-Free Multi-Producer Multi-Consumer Queue on Ring Buffer||Jun 12, 2013|
|Weechat, Irssi's Little Brother||Jun 11, 2013|
|One Tail Just Isn't Enough||Jun 07, 2013|
- Speed Up Your Web Site with Varnish
- Containers—Not Virtual Machines—Are the Future Cloud
- Lock-Free Multi-Producer Multi-Consumer Queue on Ring Buffer
- Linux Systems Administrator
- Non-Linux FOSS: libnotify, OS X Style
- Senior Perl Developer
- Technical Support Rep
- UX Designer
- Android's Limits
- Reply to comment | Linux Journal
54 min 1 sec ago
- Yeah, user namespaces are
2 hours 10 min ago
- Cari Uang
5 hours 41 min ago
- user namespaces
8 hours 35 min ago
9 hours 57 sec ago
- One advantage with VMs
11 hours 29 min ago
- about info
12 hours 2 min ago
12 hours 3 min ago
12 hours 4 min ago
12 hours 6 min ago
Free Webinar: Hadoop
How to Build an Optimal Hadoop Cluster to Store and Maintain Unlimited Amounts of Data Using Microservers
Realizing the promise of Apache® Hadoop® requires the effective deployment of compute, memory, storage and networking to achieve optimal results. With its flexibility and multitude of options, it is easy to over or under provision the server infrastructure, resulting in poor performance and high TCO. Join us for an in depth, technical discussion with industry experts from leading Hadoop and server companies who will provide insights into the key considerations for designing and deploying an optimal Hadoop cluster.
Some of key questions to be discussed are:
- What is the “typical” Hadoop cluster and what should be installed on the different machine types?
- Why should you consider the typical workload patterns when making your hardware decisions?
- Are all microservers created equal for Hadoop deployments?
- How do I plan for expansion if I require more compute, memory, storage or networking?