Web application security - the fast guide 1.1 | Page 152

Chapter 7 - Attack execution (3)

U. Check the intersecting effects of defense mechanisms; what you use to protect might work against you.
V. If something does not appear in the test phase, that does not mean it will not appear in the operational phase; check and recheck with multiple instances, connections and users.
W. Check and recheck common vulnerabilities and keep updating; it might not be your fault, it can be a third-party library or service.
X. Be sure to carefully control the usage of dynamically included code and path traversal sequences.
Y. Using your server as a spam zombie is a serious attack that will affect your mail server's reputation and performance. Be sure to sanitize and validate the input of your mail form.
Z. Use HTTPS when possible.
AA. Remove any temporary, installation, debugging and testing non-operational files from the server.
BB. Do everything based on the worst-case scenario, knowing that it will happen for sure.
CC. Minimize the session timeout as much as possible.
DD. Create logging functionality as part of your application; monitoring is very important.
EE. Proper error handling and security logging are essential.
FF. Never click links, especially for critical sites; use the direct address or carefully reviewed bookmarks.
GG. Run with the least possible privilege.
HH. Test, test, test: black box, code audit.

7.11 Evade Logging

Avoiding getting caught is a very important issue for an attacker, especially considering that most countries treat cybercrime as a serious felony for which the attacker may spend a lot of time in prison, in addition to huge financial penalties and compensation. The other reason is that the attacker wants to exploit the compromised application for longer to gain more earnings. There is no magic wand that will erase the attacker's tracks, but there is a set of methods used to try to avoid being logged, or at least to avoid leaving any real identity-related information that could lead to identifying the attacker.
The data sources available to trace attackers are web server logs, application server logs, the web application's custom audit trail and operating system logs.
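Items DD and EE of the checklist above ask for logging built into the application, and the paragraph above names the custom audit trail as one of the sources an investigator relies on. The following added example (not code from the book) shows what such an audit trail can look like: one JSON line per security event, with every submitter-controlled value neutralised so that control characters cannot forge extra log entries, and a request id that can be echoed into the web server access log so the two sources can be joined later. It also covers item Y, validating a mail form so that it cannot be used as a spam relay, because rejected submissions are exactly the kind of event the audit trail should record. The field names, length limits, e-mail pattern and record layout are assumptions made for this example.

```python
import json
import re
import time
import uuid
from typing import Dict, List, Optional, Tuple

# Constructed example: mail-form validation plus an application audit trail.
# Field names, limits and the record layout are assumptions, not the book's.

# A mail header must be a single line. A CR or LF inside a header-bound field
# lets a submitter append further headers (extra recipients, Bcc, ...), which is
# how a contact form becomes a relay for spam. Reject the submission instead.
_CRLF = re.compile(r"[\r\n]")
_EMAIL = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
_HEADER_MAX = 200   # assumed limit for name / email / subject
_BODY_MAX = 5000    # assumed limit for the message body


def validate_mail_form(form: Dict[str, object]) -> Tuple[bool, List[str]]:
    """Return (ok, reasons). Header-bound fields are rejected on any line break;
    the body is only length-limited because it never lands in a header."""
    reasons: List[str] = []
    for field in ("name", "email", "subject"):
        value = form.get(field, "")
        if not isinstance(value, str) or not value.strip():
            reasons.append(f"{field}: missing")
            continue
        if _CRLF.search(value):
            reasons.append(f"{field}: line break not allowed")
        if len(value) > _HEADER_MAX:
            reasons.append(f"{field}: too long")
    email = form.get("email", "")
    if isinstance(email, str) and email and not _EMAIL.match(email):
        reasons.append("email: invalid address")
    body = form.get("body", "")
    if not isinstance(body, str) or not body.strip():
        reasons.append("body: missing")
    elif len(body) > _BODY_MAX:
        reasons.append("body: too long")
    return (not reasons, reasons)


def _clean(value: object, limit: int = 120) -> str:
    """Replace non-printable characters with a visible escape and cap the length,
    so a submitter cannot forge line breaks or extra entries in the audit trail.
    JSON serialisation would escape them too; doing it here keeps the intent
    explicit and protects any plain-text log the same values are copied into."""
    text = str(value)[:limit]
    return "".join(ch if ch.isprintable() else f"\\x{ord(ch):02x}" for ch in text)


def audit_event(action: str, outcome: str, request: Dict[str, str],
                details: Optional[Dict[str, object]] = None) -> str:
    """Build one JSON-lines audit record and return it as a string; the caller
    appends it to the application's audit trail. request_id is intended to be
    echoed in a response header so the web server access log carries the same
    value and the two sources can be correlated during an investigation."""
    record = {
        "ts": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "request_id": request.get("request_id") or uuid.uuid4().hex,
        "src_ip": _clean(request.get("remote_addr", "-"), 45),
        "user": _clean(request.get("user", "anonymous"), 64),
        "path": _clean(request.get("path", "-")),
        "action": action,
        "outcome": outcome,
        "details": {k: _clean(v) for k, v in (details or {}).items()},
    }
    return json.dumps(record, separators=(",", ":"))


def handle_contact_submission(form: Dict[str, object],
                              request: Dict[str, str]) -> Tuple[bool, str]:
    """Validate a submission and produce the audit line for it, accepted or not.
    Rejections are logged with the reasons so repeated attempts from one source
    stand out when the trail is reviewed."""
    ok, reasons = validate_mail_form(form)
    if ok:
        line = audit_event("mail_form", "accepted", request,
                           {"subject": form["subject"]})
    else:
        line = audit_event("mail_form", "rejected", request,
                           {"reasons": "; ".join(reasons)})
    return ok, line


if __name__ == "__main__":
    # Constructed request metadata and a submission carrying an injected header.
    req = {"remote_addr": "198.51.100.7", "path": "/contact", "request_id": "r-0001"}
    bad = {"name": "A. User", "email": "a@example.com\r\nBcc: list@example.org",
           "subject": "Hello", "body": "Just a note."}
    accepted, line = handle_contact_submission(bad, req)
    print(accepted)
    print(line)
```

The validator never tries to "fix" a header field by stripping the line break: a value that contains one is evidence of tampering, so the safer choice is to reject it and record the attempt. Writing the record through a single function also keeps the layout uniform, which matters when entries are later matched against the web server and operating system logs listed above.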