Web application security - the fast guide 1.1 | Page 152
Chapter 7 - Attack execution (3)
U. Check the combined effect of your defense mechanisms; what you use to protect
might work against you.
V. If a problem does not appear in the test phase, that does not mean it will not
appear in the operational phase; check and recheck with multiple instances,
connections and users.
W. Check and recheck for common vulnerabilities and keep everything updated; the
fault may not be in your own code but in a third-party library or service.
X. Be sure to carefully control the use of dynamically included code and
path traversal sequences.
Y. Having your server used as a spam zombie is a serious attack that will affect
your mail server's reputation and performance. Be sure to sanitize and
validate the input of your mail form.
Z. Use HTTPS when possible.
AA. Remove any temporary, installation, debugging and testing
non-operational files from the server.
BB. Do everything based on the worst-case scenario, knowing that it will happen
for sure.
CC. Minimize the session timeout as much as possible.
DD. Create logging functionality as part of your application; monitoring
is very important.
EE. Proper error handling and security logging are essential.
FF. Never click links, especially for critical sites; use the direct address or
carefully reviewed bookmarks.
GG. Run with the least possible privilege.
HH. Test, test, test: black box testing and code audit.
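Items X, DD and EE together, as an added example that is not part of the guide: a small application-level audit trail that records security events with the request context the web server log cannot see (authenticated user, session id), wired to a containment check for dynamically included files. The include root, the in-memory log list and the request context values are constructed assumptions.

```python
import json
import os
import time
from typing import Optional

# Constructed assumption: the only directory from which files may be included.
INCLUDE_ROOT = os.path.realpath("/var/www/app/templates")

# Constructed in-memory audit trail; a real deployment appends to a file or SIEM.
AUDIT_LOG = []


def audit_event(event: str, ctx: dict, **details) -> dict:
    """Record one security event (items DD/EE) as a single JSON object.

    ctx supplies the fields a web server log lacks: the authenticated user and
    the session id, next to the client address.
    """
    entry = {
        "ts": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "event": event,
        "client_ip": ctx.get("client_ip"),
        "user": ctx.get("user"),
        "session": ctx.get("session"),
        **details,
    }
    AUDIT_LOG.append(entry)
    print(json.dumps(entry))  # one JSON line per event, easy to ship and correlate
    return entry


def resolve_include(requested: str, ctx: dict) -> Optional[str]:
    """Return the absolute path of a dynamically included file (item X),
    or None when the request would escape INCLUDE_ROOT.

    realpath collapses '..' and symlinks before the containment check, so a
    path that only *looks* harmless cannot pass a naive substring filter.
    An absolute 'requested' value is also rejected, because os.path.join
    discards INCLUDE_ROOT in that case and the resolved path lands outside it.
    """
    candidate = os.path.realpath(os.path.join(INCLUDE_ROOT, requested))
    if os.path.commonpath([INCLUDE_ROOT, candidate]) != INCLUDE_ROOT:
        audit_event("path_traversal_blocked", ctx, requested=requested)
        return None
    audit_event("include_ok", ctx, path=candidate)
    return candidate


if __name__ == "__main__":
    # Constructed request context for a stand-alone run.
    ctx = {"client_ip": "203.0.113.7", "user": "alice", "session": "s1"}
    resolve_include("pages/about.html", ctx)
    resolve_include("../../etc/passwd", ctx)
```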
7.11 Evade Logging
Avoiding getting caught is a very important issue for an attacker, especially
since most countries treat cybercrime as a serious felony for which the attacker
can spend a long time in prison, in addition to paying huge financial penalties
and compensation.
The other reason is that the attacker wants to exploit the compromised
application for longer in order to gain more from it.
There is no magic wand that will erase an attacker's tracks, but there is a set of
methods used to try to avoid being logged, or at least to avoid leaving any real
identity-related information that could lead to identifying the attacker.
The data sources available to trace attackers are web server logs,
application server logs, the web application's custom audit trail and operating
system logs.