Web Application Security

J.D. Meier, Alex Mackman, Michael Dunner, Srinath Vasireddy, Ray Escamilla and Anandha Murukan

Microsoft Corporation

Figure: Securing Your Network, Host, and Application (image: http://msdn.microsoft.com/library/en-us/dnnetsec/html/fa6thcm01.gif)

Web Application Security Frame

* Input/Data Validation: How do you know that the input your application receives is valid and safe? Input validation refers to how your application filters, scrubs, or rejects input before additional processing.
* Authentication: Who are you? Authentication is the process that an entity uses to identify another entity, typically through credentials such as a user name and password.
* Authorization: What can you do? Authorization is the process that an application uses to control access to resources and operations.
* Configuration Management: Who does your application run as? Which databases does it connect to? How is your application administered? How are these settings secured? Configuration management refers to how your application handles these operational issues.
* Sensitive Data: Sensitive data is information that must be protected either in memory, over the wire, or in persistent stores. Your application must have a process for handling sensitive data.
* Session Management: A session refers to a series of related interactions between a user and your Web application. Session management refers to how your application handles and protects these interactions.
* Cryptography: How are you protecting secret information (confidentiality)? How are you tamperproofing your data or libraries (integrity)? How are you providing seeds for random values that must be cryptographically strong? Cryptography refers to how your application enforces confidentiality and integrity.
* Parameter Manipulation: Form fields, query string arguments, and cookie values are frequently used as parameters for your application. Parameter manipulation refers both to how your application safeguards these values against tampering and to how your application processes input parameters.
* Exception Management: When a method call in your application fails, what does your application do? How much does it reveal about the failure condition? Do you return friendly error information to end users? Do you pass valuable exception information back to the caller? Does your application fail gracefully?
* Auditing and Logging: Who did what and when? Auditing and logging refer to how your application records security-related events.

Threats to Your Web Application

* Input Validation: Buffer overflows; Cross-Site Scripting; SQL Injection; Canonicalization attacks
* Authentication: Network eavesdropping; Brute force attacks; Dictionary attacks; Cookie replay attacks; Credential theft
* Authorization: Elevation of privilege; Disclosure of confidential data; Data tampering; Luring attacks
* Configuration Management: Unauthorized access to administration interfaces; Unauthorized access to configuration stores; Retrieval of clear text configuration secrets; No individual accountability; Over-privileged process and service accounts
* Sensitive Data: Access to sensitive data in storage; Network eavesdropping; Information disclosure
* Session Management: Session Hijacking; Session Replay; Man in the Middle
* Cryptography: Poor key generation or key management; weak or custom encryption
* Parameter Manipulation: Query string manipulation; Form field manipulation; Cookie manipulation; HTTP header manipulation
* Exception Management: System or Application Details Are Revealed; Denial of service
* Auditing and Logging: User denies performing an operation; Attacker exploits an application without trace; Attacker covers his tracks

Guidelines for Your Web Applications

* Input Validation: Don't trust input; validate input for length, range, format, and type; constrain, reject, and sanitize input
* Authentication: Use strong password policies; Don't store credentials; Encrypt communication channels to secure authentication tokens; Use HTTPS only with Forms authentication cookies
* Authorization: Use least privilege accounts; Consider granularity of access; Enforce separation of privileges
* Configuration Management: Use least privileged service accounts; Don't store credentials in plaintext; Use strong authentication and authorization on administrative interfaces; Don't use the LSA; Avoid storing sensitive information in the Web space
* Sensitive Data: Don't store secrets in software; Enforce separation of privileges; Encrypt sensitive data over the wire; Secure the channel
* Session Management: Partition the site by anonymous, identified, and authenticated areas; Reduce the session timeout; Avoid storing sensitive data in Session; Secure the channel
* Parameter Manipulation: Don't trust fields the client can manipulate (query string, form fields, cookie values, HTTP headers)
* Exception Management: Use structured exception handling (try-catch); Only catch and wrap exceptions if the operation adds value or information; Don't reveal sensitive system or application information; Don't log private data (passwords, etc.)
* Cryptography: Don't roll your own; XOR is not encryption; Use RNGCryptoServiceProvider for random numbers; Avoid key management (use DPAPI); Cycle your keys
* Auditing and Logging: Identify malign or malicious behavior; Know your baseline (what does good traffic look like?); Instrument the application so that its behavior can be watched (the typical mistake is that application instrumentation is missing entirely)
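The Input Validation guideline (validate length, range, format and type; constrain, reject, sanitize) applied to two hypothetical form fields, as an added example that is not part of the original page; the class, field names and sample inputs are assumptions.

```csharp
using System;
using System.Globalization;
using System.Net;
using System.Text.RegularExpressions;

// Added example (not from the page): each field is constrained against an
// allow-list by type, length, range and format, rejected if it does not fit,
// and only then sanitized for the output context.
public static class FormInputValidator
{
    // Allow-list format, anchored with ^ and $ so nothing can precede or
    // follow the permitted characters; length is bounded inside the pattern.
    private static readonly Regex UserNamePattern =
        new Regex(@"^[A-Za-z0-9_.]{1,20}$", RegexOptions.Compiled);

    public static bool TryValidateUserName(string input, out string userName)
    {
        userName = null;
        // Length first: cheap, and keeps the regex from seeing huge input.
        if (string.IsNullOrEmpty(input) || input.Length > 20) return false;
        if (!UserNamePattern.IsMatch(input)) return false;          // format
        userName = input;
        return true;
    }

    public static bool TryValidateQuantity(string input, out int quantity)
    {
        quantity = 0;
        if (string.IsNullOrEmpty(input) || input.Length > 4) return false;   // length
        // NumberStyles.None: digits only, no sign, no whitespace (type check).
        if (!int.TryParse(input, NumberStyles.None, CultureInfo.InvariantCulture,
                          out int parsed)) return false;
        if (parsed < 1 || parsed > 1000) return false;                       // range
        quantity = parsed;
        return true;
    }

    // Sanitize for HTML output only after validation; encoding is specific to
    // the output context and does not replace the reject step above.
    public static string ForHtml(string validated) => WebUtility.HtmlEncode(validated);

    public static void Main()
    {
        // Constructed sample inputs: the second name contains markup and is rejected.
        foreach (string n in new[] { "alice_01", "<b>bob</b>" })
            Console.WriteLine(TryValidateUserName(n, out string ok)
                ? "accepted: " + ForHtml(ok) : "rejected: " + n.Length + " chars");
        foreach (string q in new[] { "42", "-1", "5000" })
            Console.WriteLine(TryValidateQuantity(q, out int qty) ? "quantity " + qty : "rejected " + q);
    }
}
```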
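The Cryptography guideline on .NET Framework (RNGCryptoServiceProvider for random values, DPAPI instead of application-managed keys), as an added example that is not part of the original page; the class name, the sample secret and the use of ProtectedData from System.Security.dll are assumptions.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example (not from the page). Strong random values come from
// RNGCryptoServiceProvider; a secret (a constructed connection string) is
// protected with DPAPI through ProtectedData, so the application never
// generates, stores or rotates an encryption key itself.
public static class SecretStore
{
    // Cryptographically strong random bytes, e.g. a session token or a salt.
    // System.Random is not acceptable here: its output is predictable.
    public static byte[] StrongRandomBytes(int count)
    {
        var bytes = new byte[count];
        using (var rng = new RNGCryptoServiceProvider())
        {
            rng.GetBytes(bytes);
        }
        return bytes;
    }

    // Encrypt under the calling account's DPAPI key: the same Windows account
    // (for a Web application, the worker process identity) must call Unprotect.
    // Optional entropy is an extra secret kept apart from the blob; null is allowed.
    public static byte[] Protect(string secret, byte[] entropy)
    {
        return ProtectedData.Protect(Encoding.UTF8.GetBytes(secret), entropy,
                                     DataProtectionScope.CurrentUser);
    }

    public static string Unprotect(byte[] protectedBytes, byte[] entropy)
    {
        byte[] plain = ProtectedData.Unprotect(protectedBytes, entropy,
                                               DataProtectionScope.CurrentUser);
        return Encoding.UTF8.GetString(plain);
    }

    public static void Main()
    {
        // Constructed sample secret with a placeholder password; in practice it
        // is read from configuration, never hard-coded.
        const string connectionString =
            "Server=db01;Database=orders;User Id=app;Password=PLACEHOLDER";
        byte[] entropy = StrongRandomBytes(16);
        byte[] blob = Protect(connectionString, entropy);
        Console.WriteLine("Protected blob: " + Convert.ToBase64String(blob));
        Console.WriteLine("Round trip OK: " + (Unprotect(blob, entropy) == connectionString));
        Console.WriteLine("Session token: " + Convert.ToBase64String(StrongRandomBytes(32)));
    }
}
```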
