Web Application Security. Mike Shema. Web application security may seem like a complex, daunting task. This book is a quick guide to understanding how to make your website. License: Compliments of Qualys; eBook PDF.
At first glance, this may seem like a task worthy of someone who holds a PhD in cryptography. You may want to choose a configuration that supports a wide range of browser versions, but you need to balance that with providing a high level of security and maintaining some level of performance.
The cryptographic algorithms and protocol versions supported by a site have a strong impact on the level of communications security it provides. Attacks with impressive-sounding names like FREAK, DROWN and POODLE (admittedly, the last one doesn't sound all that formidable) have shown us that supporting dated protocol versions and algorithms presents a risk of browsers being tricked into using the weakest option a server supports, making attacks much easier.
Advances in computing power and in our understanding of the mathematics underlying these algorithms also render them less safe over time. How can we balance staying up to date with keeping our website compatible with a broad assortment of users who might be using dated browsers that only support older protocol versions and algorithms? Fortunately, there are tools that make the job of selection a lot easier.
Note that the configuration generator mentioned above enables a browser security feature called HSTS by default, which might cause problems until you're ready to commit to using HTTPS for all communications long term.
We'll discuss HSTS a little later in this article. In some cases the protection might only be extended to handling form submissions that are considered sensitive.
Other times, it might only be used for resources that are considered sensitive, for example what a user might access after logging into the site. The trouble with this inconsistent approach is that anything that isn't served over HTTPS remains susceptible to the kinds of risks that were outlined earlier. For example, an attacker doing a man-in-the-middle attack could simply alter the form mentioned above to submit sensitive data over plaintext HTTP instead.
If the attacker injects executable code that will be executed in the context of our site, it isn't going to matter much that part of it is protected with HTTPS. As a result, simply shutting down the HTTP network port is rarely an option. For resources that will be accessed by web browsers, adopting a policy of redirecting all HTTP requests to those resources is the first step towards using HTTPS consistently.
Web Application Security for Dummies
Not all API clients are able to handle redirects. HSTS is an important feature to enable due to the strict policy it enforces. It also instructs the browser to disallow the user from bypassing the warning it displays if an invalid certificate is encountered when loading the site.
In addition to requiring little effort to enable in the browser, enabling HSTS on the server side can require as little as a single line of configuration. To address this risk, some browsers allow websites to be added to an "HSTS Preload List" that ships with the browser.
Once included in this list it will no longer be possible for the website to be accessed using HTTP, even on the first time a browser is interacting with the site.
Before deciding to enable HSTS, some potential challenges must first be considered. We don't always have control over how content can be loaded from external systems, for example from an ad network. This might require us to work with the owner of the external system to adopt HTTPS, or it might even involve temporarily setting up a proxy to serve the external content to our users over HTTPS until the external systems are updated.
Once HSTS is enabled, it cannot be disabled until the period specified in the header elapses. The decision to add your website to the Preload List is not one that should be taken lightly.
Unfortunately, not all browsers in use today support HSTS. It cannot yet be counted on as a guaranteed way to enforce a strict policy for all users, so it is important to continue to redirect users from HTTP to HTTPS and employ the other protections mentioned in this article.
Protect Cookies
Browsers have a built-in security feature to help avoid disclosure of a cookie containing sensitive information.
Setting the "secure" flag on a cookie instructs a browser to only send that cookie over HTTPS. This is an important safeguard to use even when HSTS is enabled.
Other Risks
There are some other risks to be mindful of that can result in accidental disclosure of sensitive information despite using HTTPS. It is dangerous to put sensitive data in a URL. Doing so presents a risk if the URL is cached in browser history, not to mention if it is recorded in logs on the server side.
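As an added example (not code from the book or the article excerpted here), a small Python audit of the HTTPS-related response headers discussed above: the HSTS max-age and includeSubDomains directives, the cookie "secure" flag, and the HTTP-to-HTTPS redirect. The one-year threshold and the sample responses are constructed assumptions.

```python
# Added example: audit the HTTPS hardening headers discussed in the text.
# MIN_MAX_AGE and the sample responses below are assumptions, not page values.

MIN_MAX_AGE = 31536000  # one year; an assumed policy threshold


def parse_hsts(value):
    """Split a Strict-Transport-Security value into lower-cased directives."""
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            directives[name.lower()] = val.strip()
    return directives


def audit_https_response(headers):
    """Return findings for an HTTPS response; headers is a list of
    (name, value) pairs so repeated Set-Cookie headers are all inspected."""
    findings = []
    hsts = [v for n, v in headers if n.lower() == "strict-transport-security"]
    if not hsts:
        findings.append("missing Strict-Transport-Security header")
    else:
        d = parse_hsts(hsts[0])
        max_age = int(d["max-age"]) if d.get("max-age", "").isdigit() else 0
        if max_age < MIN_MAX_AGE:
            findings.append(f"HSTS max-age {max_age} below {MIN_MAX_AGE}")
        if "includesubdomains" not in d:
            findings.append("HSTS lacks includeSubDomains")
    for n, v in headers:
        if n.lower() == "set-cookie":
            name, attrs = v.split("=", 1)[0].strip(), v.split(";")[1:]
            if "secure" not in (a.strip().lower() for a in attrs):
                findings.append(f"cookie {name} lacks the Secure flag")
    return findings


def audit_http_response(status, headers):
    """A plain-HTTP response should redirect to an https:// URL."""
    location = next((v for n, v in headers if n.lower() == "location"), "")
    if status in (301, 302, 307, 308) and location.lower().startswith("https://"):
        return []
    return [f"HTTP {status} response does not redirect to HTTPS"]


# Constructed sample responses (assumptions, not captured traffic).
WEAK_HTTPS = [("Strict-Transport-Security", "max-age=300"),
              ("Set-Cookie", "session=abc123; HttpOnly; Path=/")]
GOOD_HTTPS = [("Strict-Transport-Security",
               "max-age=31536000; includeSubDomains; preload"),
              ("Set-Cookie", "session=abc123; Secure; HttpOnly; Path=/")]

if __name__ == "__main__":
    print(audit_https_response(WEAK_HTTPS))
    print(audit_http_response(200, [("Content-Type", "text/html")]))
```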
In addition, if the resource at the URL contains a link to an external site and the user clicks through, the sensitive data will be disclosed in the Referer header.
In addition, sensitive data might still be cached in the client, or by intermediate proxies if the client's browser is configured to use them and allow them to inspect HTTPS traffic. For ordinary users the contents of traffic will not be visible to a proxy, but a practice we've seen often for enterprises is to install a custom CA on their employees' systems so their threat mitigation and compliance systems can monitor traffic.
Consider using headers to disable caching to reduce the risk of leaking data through caches.
Verify Your Configuration
As a last step, you should verify your configuration. There is a helpful online tool for that, too.
Establishing a Web Application Security Program, presenting a framework of actions you can take to find and fix vulnerabilities in custom web applications.
This section provides a guide to choosing and using a scanner to automatically find and prioritize web application vulnerabilities. Introducing QualysGuard WAS, describing the ease and simplicity of using a popular web application scanner from Qualys. Ten Tips for Securing Web Applications: this last section provides a short list of steps to ensure stronger security for custom web applications. To learn more about these publications or to download free copies, visit:
In fact, web application security testing should be part of the normal QA tests. To ensure that a web application is secure, you have to identify all security issues and vulnerabilities within the web application itself before a malicious hacker identifies and exploits them.
That is why it is very important that the web application vulnerabilities detection process is done throughout all of the SDLC stages, rather than once the web application is live.
We have a Secure Network Firewall
There are several ways to detect vulnerabilities in web applications. You can scan the web application with a black box scanner, do a manual source code audit, use an automated white box scanner to identify coding problems, or do a manual security audit and penetration test. Which is the best method? There is no single bullet-proof method that you can use to identify all vulnerabilities in a web application. Each of the methods mentioned above has its own pros and cons.
For example while an automated tool will discover almost all technical vulnerabilities, more than a seasoned penetration tester can, it cannot identify logical vulnerabilities. Logical vulnerabilities can only be identified with a manual audit.
On the other hand, a manual audit is not efficient; it can take a considerable amount of time and cost a fortune. A manual audit also carries the risk of leaving vulnerabilities unidentified.
White box testing complicates the development process and can only be done by developers who have access to the code. If budget and time permit, it is recommended to use a variety of all available tools and testing methodologies, but in reality no one has the time and budget to permit it.
Getting Started with Web Application Security
Therefore one has to choose the most cost-effective solution that can realistically emulate a malicious hacker trying to hack a website: a black box scanner, also known as a web application security scanner or web vulnerability scanner.
Of course, an automated web application security scan should always be accompanied by a manual audit. Only by using both methodologies can you identify all types of vulnerabilities, i.
A black box web vulnerability scanner, also known as a web application security scanner, is software that automatically scans websites and web applications and identifies vulnerabilities and security issues within them.
Web application security scanners have become really popular because they automate most of the vulnerability detection process and are typically very easy to use.
For example, to use a white box scanner one has to be a developer with access to the source code, while a black box scanner can be used by almost any member of the technical teams, such as QA team members, software testers, product and project managers, etc. There are several commercial and non-commercial web vulnerability scanners available on the internet, and choosing the one that meets all your requirements is not an easy task.
The best way to find out which one is the best scanner for you is to test them all. Below are some guidelines to help you plan your testing and identify the right web application security scanner.
There are many factors which will affect your decision when choosing a web application security scanner. I recommend, and have always preferred, commercial software. There are several reasons why, such as frequent updates of both the software itself and the web security checks, ease of use, professional support and several others. For more information and a detailed explanation of the advantages of using a commercial solution as opposed to a free one, refer to the article Should you pay for a web application security scanner?
Will you be scanning a custom web application built with. Whichever web application you will be scanning, the security scanner you choose should be able to crawl and scan your website. Although this sounds obvious, in practice it often is not the case.
Damn Vulnerable Web Application (DVWA)
For example many choose a web vulnerability scanner based on the results of a number of comparison reports released over a number of years, or based on what the web security evangelists say.
Although such information can be an indication of who the major players are, your decision should not be based entirely on it.
It is a wrong approach because unless the web applications you want to scan are identical in terms of coding and technology to these broken web applications, which I really doubt, you are just wasting your time. Such vulnerable web applications are built for educational purposes and are not in any way similar to a real live web application. The best approach to identify the right web application security scanner is to launch several security scans using different scanners against a web application, or a number of web applications that your business uses.
Note that it is recommended to launch web security scans against staging and testing web applications, unless you really know what you are doing. During test scans, verify which of the automated black box scanners has the best crawler: the component that identifies all entry points and attack surfaces in a web application before the scanner starts attacking it. The crawler is probably the most important component, because a vulnerability cannot be detected unless the vulnerable entry point on a web application is identified by the crawler.
To identify the scanner that is able to find all attack surfaces, compare the list of pages, directories, files and input parameters each crawler identified and see which of them identified the most, or ideally all, parameters. If a particular scanner was unable to crawl the web application properly, it might also mean that it needs to be configured, which brings us to the next point: easy-to-use software.
While some black box scanners can automatically crawl almost any type of website using an out of the box configuration, some others might need to be configured before launching a scan.
Because web application security is a niche industry, not all businesses will have web security specialists who are able to understand and configure a web application security scanner. Therefore go for an easy to use scanner that can automatically detect and adapt to most of the common scenarios, such as custom error pages, anti-CSRF protection on website, URL rewrite rules etc.
Easy-to-use web application security scanners will have a better return on investment because you do not have to hire specialists or train team members to use them.
The next factor in comparing web application security scanners is which of them can identify the most vulnerabilities that are not false positives. If a scanner reports a lot of false positives, developers, QA people and security professionals will spend more time verifying the findings rather than focusing on remediation, so try to avoid such scanners.
For more information about false positives and their negative effect on web application security, refer to the article The Problem of False Positives in Web Application Security and How to Tackle Them. The more a web application security scanner can automate, the better. For example, imagine a web application with visible input fields, which by today's standards is a small application.
If a penetration tester had to manually test each input on the web application for all known variants of cross-site scripting (XSS) vulnerabilities, he would need to launch around different tests. If each test takes around 2 minutes to complete, and all goes smoothly, such a test would take around 12 days even if the penetration tester worked 24 hours a day. And this is just the visible parameters. What about the under-the-hood parameters?
Typically there is much more going on in a web application hidden under the hood rather than what can be seen. Therefore it is difficult for a penetration tester to rapidly identify all attack surfaces of a web application, while an automated web application security scanner can do the same test and identify all "invisible" parameters in around 2 or 3 hours.
But it is not just about time and money. When hiring a security professional for a web application penetration test, it will be limited to the professional's knowledge, while on the other hand a typical commercial web application security scanner contains large numbers of security checks and variants backed by years of research and experience. Therefore automation is another important feature to look for.
Automating the security test makes it cost less and run more efficiently. For more information about the advantages of automating web application vulnerability detection, refer to Why Web Vulnerability Testing Needs to be Automated. For example, if an FTP server allows anonymous users to write to the server, a network scanner will identify such a problem as a security threat.
As Good as the Administrator
A web application firewall is user-configurable software or an appliance, which means it depends on one of the weakest links in the web application security chain: the user. For example, a mobile app or other application might be distributed with a certificate or information about a custom CA that will be used to verify the identity of the site.
A Complete Guide to Securing the Web Application Environment
Scanning a web application with an automated web application security scanner will help you identify technical vulnerabilities and secure parts of the web application itself. The attacker can also launch SQL attacks by gaining such knowledge. By doing so, administrators can uncover a lot of information, such as suspicious behaviour on the server, and therefore can better protect the web server, or in case of an attack, can easily trace back what happened and what was exploited during the attack.
However, some of them can protect you against denial of service attacks.