Web application security - the fast guide 1.1 | Page 151
Chapter 7 - Attack execution (3)
significant part of this subject focuses on projecting the picture from the attacker's
point of view, with no direct attack-proofing aspect, so this part of the chapter
comes as a reminder from the victim's (attack-proofing) perspective: a list of
hints that should be taken into consideration to achieve an acceptable degree of
application-level security, noting that this is by no means an exhaustive list:
A. Beware: a lot of attacks depend on tricking and manipulating the user, even
trusted ones. Never trust the user.
B. Don't store valuable information on the client.
C. Check and recheck credentials on the server side.
D. Validate every input on the server side, direct or indirect, whether submitted
through forms or through any other channel; don't depend on the client to do
even the smallest check.
E. Control and minimize the permission level that plugins and external libraries
have.
F. Normalize, sanitize and whitelist any URL passed to your site, to make sure
no specially crafted URL compromises your application.
G. Encryption is your friend; use it whenever necessary, especially where the
data are more accessible, noting that understanding the algorithm used and its
suitability is essential to avoid false-sense-of-safety scenarios.
H. Usability is important, but remember that usability and security are fierce
competitors. Make sure not to lose control over user input and behaviour.
I. Email channels are very dangerous: don't click on any link, or even open any
mail, unless you are quite sure that you know and trust the source.
J. Not visible does not mean secure: steganography is no substitute for
encryption, so be sure to encrypt.
K. Secure your encryption keys; encryption is useless if the key is compromised.
L. Don't authenticate or authorize based on anything that can be altered by the
attacker.
M. Make sure to enforce a strong password policy and to count login failures
on the server side.
N. Make sure to implement the same logic at all checkpoints that check a
specific aspect.
O. Don't give the user extra information that might facilitate compromising
your business logic. Verbose messages are not always desirable.
P. A single-access-point policy is preferable; multiple login interfaces and
special interfaces are not desirable.
Q. Be sure to isolate privilege-control and monitoring functionality from user
functionality.
R. Be sure to sanitize the special words and metacharacters of every technology
in use.
S. A whitelist is more desirable than a blacklist in most cases.
T. Be sure to keep the same rules across all stages of multistage functionality.
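Hint F (normalize, sanitize and whitelist any URL) is easy to get wrong if the comparison happens before normalization. The following is an added example, not code from the book, showing the order a redirect-target check should follow: decode once, reject characters browsers reinterpret, parse, lower-case scheme and host, and only then compare against an allow-list. The host names in ALLOWED_HOSTS and the function name normalize_redirect are assumptions made for this example.

```python
"""Redirect-target check: normalize first, then allow-list (added example)."""
from urllib.parse import urlsplit, urlunsplit, unquote

# Hypothetical allow-list for this example: the application's own hosts.
# Anything not listed here is rejected, whatever else the URL looks like.
ALLOWED_HOSTS = {"app.example.com", "sso.example.com"}
ALLOWED_SCHEMES = {"https"}
DEFAULT_TARGET = "/"


def normalize_redirect(raw: str, default: str = DEFAULT_TARGET) -> str:
    """Return a safe redirect target derived from an attacker-controlled
    string, or `default` when the string cannot be made safe.

    Order matters: decode once, strip, reject dangerous characters, parse,
    lower-case scheme and host, and only then compare against the allow-list.
    Comparing before normalizing is how inputs in the style of
    "HTTPS://APP.EXAMPLE.COM@evil.com" slip through.
    """
    if not isinstance(raw, str) or len(raw) > 2048:
        return default
    candidate = unquote(raw).strip()
    # Backslashes and control characters are reinterpreted by browsers
    # ("/\\evil.com" is treated like "//evil.com"); refuse instead of repairing.
    if any(ord(c) < 0x20 or c == "\\" for c in candidate):
        return default
    try:
        parts = urlsplit(candidate)
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return default
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()  # hostname excludes userinfo and port

    if scheme == "" and parts.netloc == "":
        # Relative target: accept only an absolute path. "//evil.com" is a
        # network-path reference and "evil.com" has no leading slash at all.
        if candidate.startswith("/") and not candidate.startswith("//"):
            return urlunsplit(("", "", parts.path, parts.query, ""))
        return default

    if scheme not in ALLOWED_SCHEMES or host not in ALLOWED_HOSTS:
        return default
    # Legitimate targets here never carry userinfo or an explicit port, and
    # both are classic ingredients of look-alike URLs, so reject them.
    if parts.username is not None or port is not None:
        return default
    # Rebuild from the parsed parts; the fragment is dropped deliberately.
    return urlunsplit((scheme, host, parts.path or "/", parts.query, ""))
```

The function never tries to "repair" a suspicious value; anything it cannot prove safe is replaced by the default target, which is the whitelist approach of hint S applied to URLs.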
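Hints L, M and O come together in the login path: the failure count must live on the server and never in something the client can alter, the password policy must be enforced at registration, and every failure must look the same to the caller. The following is an added example, not code from the book; the class name LoginService, the thresholds (five failures, fifteen-minute lock, twelve-character minimum) and the injectable clock are assumptions made so the example can be run and tested offline.

```python
"""Server-side password policy and login-failure counting (added example)."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Constructed thresholds for this example; tune them to the application.
MAX_FAILURES = 5            # failed attempts before the account is locked
LOCK_SECONDS = 15 * 60      # how long the lock lasts
MIN_PASSWORD_LENGTH = 12
PBKDF2_ITERATIONS = 100_000
DUMMY_SALT = b"\x00" * 16   # so an unknown user costs the same as a known one


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failures: int = 0
    locked_until: float = 0.0


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 from the standard library; the iteration count is a
    cost parameter, not a secret."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS)


def password_is_acceptable(password: str) -> bool:
    """Length first, then a small deny-list of strings no policy should let
    through. Composition rules (digit, symbol, ...) are deliberately absent:
    they push users toward predictable patterns and add little entropy."""
    if len(password) < MIN_PASSWORD_LENGTH:
        return False
    lowered = password.lower()
    return not any(bad in lowered for bad in ("password", "123456", "qwerty"))


class LoginService:
    """All state lives here, on the server. Nothing the client sends (a
    cookie, a hidden field, a header) is consulted for the failure count."""

    def __init__(self, clock=time.time):
        self.accounts: dict[str, Account] = {}
        self.clock = clock  # injectable so the lock window can be tested

    def register(self, user: str, password: str) -> bool:
        if user in self.accounts or not password_is_acceptable(password):
            return False
        salt = secrets.token_bytes(16)
        self.accounts[user] = Account(salt=salt,
                                      pw_hash=hash_password(password, salt))
        return True

    def login(self, user: str, password: str) -> bool:
        """True only on success. Unknown user, wrong password and locked
        account all return the same False after the same amount of work, so
        the response does not reveal which one applied."""
        now = self.clock()
        acct = self.accounts.get(user)
        candidate = hash_password(password, acct.salt if acct else DUMMY_SALT)
        if acct is None or now < acct.locked_until:
            return False
        if hmac.compare_digest(candidate, acct.pw_hash):
            acct.failures = 0
            return True
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.failures = 0
            acct.locked_until = now + LOCK_SECONDS
        return False
```

Because the hash is computed before the existence and lock checks, a probe against a non-existent or locked account takes as long as a real attempt, and the single boolean result gives the caller no hint about why it failed.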