Client tier
Same origin policy - A script loaded from one origin cannot get or set properties of a document from a different origin
The term origin is defined using the following values:
- Domain name
- Protocol
- Port
Scripts can access other frames only from the same origin
Scripts can issue requests to documents from a different origin, but cannot view the corresponding responses
Middle tier
Data tier
Injection Flaws
Injection flaws such as SQL, OS, LDAP injection happen when unsanitized data is sent to an interpreter as part of a command or query; sending this data can cause the interpreter to run unauthorized commands as a result of the attacker's malicious data
SQL Injection
SQL injection is the most common type of injection
SQL injection is performed by an attacker inserting SQL database commands within a form field or another parameter
If no sanitization is performed on the field, the commands are passed on to the SQL server and executed
With SQL injection, an attacker is able to return and steal tables of information, make changes to records, or even delete the entire database
These are implications of SQL injection vulnerabilities:
- Information leakage through DB error messages
- Data extracted from your DB
- Attackers can take complete control of your DB
- Execute commands on your system
- Complete system compromise
Form Login
Inputs must be sanitized otherwise they are vulnerable
Consider the following form:
They are generally set up as the following SQL:
query = "SELECT * FROM tUsers" +
        " WHERE userid = '" + iUserID + "'" +
        " AND password = '" + iPassword + "'";
If the user types in ' or 1=1 -- in the Username field, the WHERE clause evaluates to true for every row (the -- comments out the password check), and the user is in!
Protection from SQL Injection
Use input validation whenever possible; accept only known good values, rather than sanitizing
Never use dynamic queries
Use parameterized query APIs because these APIs encode the user input and make sure that it doesn't break the SQL statements
Use stored procedures because they are generally safe from SQL injection
Note: Concatenating arguments or using exec() within a stored procedure can make it vulnerable
Avoid detailed error messages
The attacker can use the information generated in the error message to construct an attack
Enforce least privilege
Make sure connections to the database use the least privilege necessary
Watch out for canonicalization
Decode input before trying to sanitize it
Avoid simple escaping
Simple escaping (for example, string replace functions) is weak and has been successfully exploited
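The login query from the Form Login section, run both as the notes' concatenated string and as a parameterized query, plus an allowlist check for the "accept only known good values" rule. This is an added example against an in-memory SQLite table, not code from the original notes; the table, its sample row and the allowlist pattern are constructed for the demonstration.

```python
import re
import sqlite3

# Constructed sample data: one user in an in-memory tUsers table.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tUsers (userid TEXT, password TEXT)")
    conn.execute("INSERT INTO tUsers VALUES ('alice', 'correct-horse')")
    return conn

def login_dynamic(conn, iUserID, iPassword):
    # Vulnerable: the dynamic query exactly as the notes build it,
    # so attacker input becomes part of the SQL statement.
    query = ("SELECT * FROM tUsers WHERE userid = '" + iUserID + "'"
             " AND password = '" + iPassword + "'")
    return conn.execute(query).fetchone() is not None

def login_parameterized(conn, iUserID, iPassword):
    # Hardened: placeholders; the driver binds the values, so input can
    # never change the structure of the statement.
    query = "SELECT * FROM tUsers WHERE userid = ? AND password = ?"
    return conn.execute(query, (iUserID, iPassword)).fetchone() is not None

# Input validation: allowlist of known good user IDs (constructed policy:
# 1-32 letters, digits or underscore). Anything else is rejected outright.
USERID_PATTERN = re.compile(r"^[A-Za-z0-9_]{1,32}$")

def is_known_good_userid(iUserID):
    return USERID_PATTERN.fullmatch(iUserID) is not None

def run_demo():
    conn = make_db()
    payload = "' or 1=1 --"  # the bypass string from the notes
    return {
        "dynamic_valid": login_dynamic(conn, "alice", "correct-horse"),
        "dynamic_injected": login_dynamic(conn, payload, "anything"),
        "param_valid": login_parameterized(conn, "alice", "correct-horse"),
        "param_injected": login_parameterized(conn, payload, "anything"),
        "payload_passes_allowlist": is_known_good_userid(payload),
    }

if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name}: {result}")
```

The dynamic query lets the payload log in without a password, while the parameterized query and the allowlist both reject it.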
Session Hijacking
A JavaScript snippet injected through a search field can display the Session ID:
<script>alert(document.cookie);</script>
- Lock out account after 3 unsuccessful attempts
- Keep a log of failed attempts, but don't log the actual password
- Provide a generic error message for failed logins
- Do not allow users to use previous passwords
- Passwords should be stored as a hash or encrypted value with decryption strongly protected
- The entire login transaction should be sent through SSL
- A single mechanism should be provided for users to change their passwords
- Users should have to provide their new and old passwords
- Forgotten passwords can be emailed, but users must be reauthenticated to change their email addresses
- Make sure Session cookies expire in a timely manner
- Use secure coding techniques and modern developer frameworks to strengthen application authentication and session management
- Combine the source IP address of the user with the Session ID
- Ensure user reauthentication before allowing users to change their key account details, such as passwords and emails
Note: Changes to passwords and personal details are a common first action by hackers upon hijacking a web session - Forcing reauthentication terminates the hijacked session, which is a simple coding technique that reduces risk
- Terminating sessions after a timed period of user inactivity is another simple coding technique to consider
- Do not use permanent cookies to store session values
- Protect the session ID with SSL so that the value is not stolen over the network
- Generate Session IDs with long, complicated, random numbers that cannot be guessed
- Set Session IDs to expire after a certain period of time and expire after logging out
- Assign a new Session ID when switching to SSL or authenticating
- Replace the Session ID after logging in