web应用的安全问题security of web application

The goal of application security:
To prevent unauthorized disclosure, alteration and destruction of data whenever it is stored,processed or transmitted.

Firewall and SSL doesn't prevent all.

9 key considerations:
Sensitive Data
    Understand the data. If your application handles cardholder data, ensure Payment Card Industry requirements are met.

    Limit the amount of sensitive data stored.

Authentication
    authentication infrastructures.

Session Management
    Use SSL to create a secure communication channel.Always protect sensitive session information with cryptography.

    For web cookies, set the secure flag to TRUE.Set sensitive session cookies to avoid exposure through HTTP.

    Ensure session tokens are not easy to guess.

    Use HttpOnly to minimize exposure in the event of an XSS vulnerability.

    Avoid setting or exposing sessions through GET and POST requests.

    Implement logout functionality

    Limit the lifetime of session tokens   

Authorization
    Apply the principle of least privilege(Who has access, Type of access, Duration of access)

    Ensure default Access Control Lists(ACLs) don't give too much access.

    Perform role checks before allowing access to operations that could reveal sensitive data.

    Perform periodic reviews of authorization lists and permissions.

Input validation(sql injection, XSS, buffer overflow, JSON data, upload file)

    Assume all input is malicious.

    Perform data validation at input points as well as just before use in the processing component

    Do not accept commands from the user unless you parse and validate

    Be aware of special commands, characters and quoting

    Check authorization before acting.

sql injection:
    Parameterize database queries or use stored procedure calls if they're permitted.

    Classic business logic checking(data type, length, range, content checking)

    For legacy code where parameterize or sp calls aren't possible, sanitization can be considered.

XSS:
    Never insert untrusted data into an open Javascript region or style element  or tag element or HTML comment.

    Use HTMLEncode and URLEncode or IVEncoder to encode output that includes user input.

buffer overflow:
    validate the legth of data

    Use the "safe" versions of libraries.

    Some compilers and OS have feature to help.

JSON data:
    Never pass to eval() function without confirm it is syntactically valid JSON.

    Whenever possible, a JSON-specific function should be used.

upload file:
    permit execution by file extensions or file permission settings.

    Is a .JPG file really a valid JPEG file?

    limit the size of a file

Tools:
    WebInspect:ASTA

    Fiddler: Users can view and manipulate both requests and responses


Parameter Manipulation
    Use session identifiers to reference state stored on the server side rather than using hidden form fields

    Protect hidden form fields using a technique like a cryptographic hash with a secret key known only on the server side, such as an HMAC.

Cryptography
    Without proper key management, cryptography is useless.

    Ensure information is protected as required by the cryptography policy.

    Do not develop your own cryptography algorithms.

Auditing and logging
    Do log key events such as transactions, login and logout events

    Do log critical application operations

    Do backup log files

    Do inspect log files

    Don't log session ID's

    Don't log PII(Personally Identifiable Information)

    Do not permit shared accounts

Exception handling
    Use exception handling throughtout the code base.

    Fail secure: sanitize sensitive data in all cases especially in failure situations.

    Return generic, harmless error messages to the client.    

Configuration Management
    Ensure application patches are appropriately applied as these may not covered by HPIT.

    Ensure the platform is hardened.

    Minimize number of administration interfaces & limit administrative access

    Use appropriate authentication & authorization before permitting cofiguration changes

    Ensure logging includes configuration changes