A Guide to Building Secure Web Applications 126
some-guy writes "The Open Web Application Security Project has released
A Guide to Building Secure Web Applications, Version 1.1
"While this document doesn't provide a silver bullet to cure all the ills, we hope it goes a
long way in taking the first step towards helping people understand the inherent problems
in web applications and build more secure web applications and Web Services in the
future...""
For those of you using PHP in particular... (Score:5, Informative)
---
Jedimom.com [jedimom.com], choo choo choosing you...
"click through" (Score:5, Informative)
This is one of my favorites. Most browsers fail SSL connections with a warning that allows the user to just "click through" if the certificate is expired, does not match the DNS name of the site, or is issued by an untrusted authority. Only the last of these should be a warning (since you may want to trust it anyway. The other two should be connection failures. I am glad they included this.
Re:Security - Why there is ignorance MONEY! (Score:3, Informative)
Project Manager: Make it work as quick as possiable, this just a demonstration.
Devloper: It works, but it isn't secure.
Project Manager: Next project, we do not have more features to add. Put security on the puch list of things to do if it goes production.
Devloper(Next week after site goes into production without speaking to the devloper): You know that site that was just supposed to be a demonstration, it has security problems.
Project Manager: Is it working?
Devloper: Yes.
Project Manager: Is the flaw easy to find?
Programmer: Not by your average user, but by someone looking yes.
Project Manager: I do not see a reason to spend the money to secure this application at this time. It seems to be in production just fine, you are a better devloper than what I thought.
Six Months down the road, the devloper gets strung up when someone accesses all of the inforamtion at the site. I have seen this happen far to many times in the real world.
Re:Secure Web Applications (Score:3, Informative)
Or a direct link: http://members.rogers.com/razvan.peteanu/best_pra
Re:What bugs me (Score:2, Informative)
IIS by default will throw the SQL error into the response (making it easier for developers to debug). If a developer doesn't trap/handle this and a user sees the error come up, they can find out a lot about the system. Then the user adds some quotation marks in with there inputs, and they could pass SQL instructions direct to the database.
This is a very real problem that occurs. Of course, the user would probably not be able to do meaningful damage without knowing the backend of the system, but they could still screw up your data tables.
Re:What bugs me (Score:2, Informative)
Security vulnerabilities aren't a person going "mirror, mirror, oh randomness mirror, give me a random string to hack this site".
it's all tied in together. For example securely failing is part of it. I personally will almost always check if a website can handle single quotes in HTML fields. Some of them do, some of them don't. Others don't and give away some such glarringly compromising error message that you can actually see the SQL statement.
here's a very simple one, take it home, think of it...
my user name is :
"Adam' \n go \n sp_addlogin 'myhaxx' , 'yourpass' \n go \n select '' = '" This statement might not even fail if the orginal statement is:
EXISTS( SELECT * FROM myUsers WHERE UserName = $UserName )
It's not as hard as you think it is, and just because you can't think of something, don't go thinking nobody else can.
Security is about being humble really.
Re:Sloppy samples (Score:2, Informative)
another resource (Score:3, Informative)
T
Mirror (Score:2, Informative)
If you're interested in helping out with the project, check out our SourceForge project page [sourceforge.net] and drop me a line [mailto] if you'd like to contribute or have suggestions or patches. The whole thing is now in DocBook format, so diff's are always appreciated.
Book that covers similar topics (Score:3, Informative)
DOWNLOAD SITE FIXED (Score:1, Informative)
Re:Version 1.2 (Score:2, Informative)
Re:For those of you using PHP in particular... (Score:1, Informative)
Sometimes the simplest solutions are the best, and doing more is just overkill. For example, suppose your 1000 php file project depends on register_globals being on. Instead of 'fixing' all the code so that it uses $_POST, or $_GET, or $_SESSION or $_COOKIE (and you will ALWAYS have to test all of them if input can come from either), you can just stick a couple of loops in a top level include file that iterate through those globals and register the named variables themselves (with a couple of small checks, of course, hehehe).