Intro
Enforce access control: only let in users who hold the required privileges
Don't show directory listings (.htaccess)
Deny access by default and require full identity checking
Enforce record ownership before granting create/read/update/delete privileges
Apply the access control check on every request, not just at login
Misconfigurations
Use best practices to combat security misconfiguration vulnerabilities in your:
- Directory Listings
- Application test scripts
- Application default files
Preventing Application Errors
Check incoming requests for the parameters and values your app expects
When a parameter is missing, issue a proper error message or fall back to a default value
Verify that input consists of valid characters after decoding, not before
Enforce values within the expected ranges and types
Verify that the data belongs to the set that was offered to the client
Do not output debugging error messages or exceptions in a production environment
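As an added example (not from the original notes), the validation rules above in Python: decode first, then check characters, type, range and membership in the set the client was offered, with a default for a missing optional parameter and a generic error message. The parameter names, the offered page sizes and the username pattern are constructed for the example.

```python
from urllib.parse import unquote_plus
import re

# Constructed "offered set": the page sizes the client was actually shown.
OFFERED_PAGE_SIZES = {10, 25, 50}
# Constructed allowlist of characters for a username-style parameter.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{3,32}")
DIGITS_RE = re.compile(r"[0-9]{1,6}")  # ASCII digits only, so int() cannot fail


class ValidationError(ValueError):
    """Generic message only; no internal details reach the client."""


def validate_request(params):
    """Return a cleaned dict of parameters, or raise ValidationError.

    `params` is the raw query/form mapping, values still URL-encoded.
    """
    cleaned = {}
    # Required parameter: missing -> proper error message, no stack trace.
    if "user" not in params:
        raise ValidationError("missing required parameter: user")
    # Decode BEFORE checking characters, so %3C cannot smuggle '<' past the check.
    user = unquote_plus(params["user"])
    if not USERNAME_RE.fullmatch(user):
        raise ValidationError("invalid value for parameter: user")
    cleaned["user"] = user

    # Optional parameter: missing -> default value.
    raw_size = params.get("page_size")
    if raw_size is None:
        cleaned["page_size"] = 10
    else:
        # Enforce type (integer) and membership in the set offered to the client.
        if not DIGITS_RE.fullmatch(raw_size) or int(raw_size) not in OFFERED_PAGE_SIZES:
            raise ValidationError("invalid value for parameter: page_size")
        cleaned["page_size"] = int(raw_size)

    # Enforce range: page number is a positive integer within a sane bound.
    raw_page = params.get("page", "1")
    if not DIGITS_RE.fullmatch(raw_page) or not 1 <= int(raw_page) <= 10_000:
        raise ValidationError("invalid value for parameter: page")
    cleaned["page"] = int(raw_page)
    return cleaned


def is_valid(params):
    """True if the request passes validation, False otherwise."""
    try:
        validate_request(params)
        return True
    except ValidationError:
        return False
```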
Cross-Site Scripting (XSS)
A malicious script is echoed back in the HTML returned by a trusted site and runs in that site's trusted context
The following things can happen:
- Steal your cookies for the domain that you are browsing
- Completely modify the content of any page that you see on this domain
- Track every action you do in that browser
- Redirect you to a phishing site
- Exploit browser vulnerabilities to take over the machine
A positive security model (allowlist) accepts only known-good object references - block everything except what is explicitly allowed
A negative security model (denylist) blocks known exploits - but new exploits are discovered every day, so it always lags behind
Known Vulnerabilities
There are several public databases of known vulnerabilities; check the components you use against them
Logging
It is best to have a proper logging system in place so that all suspicious activity is documented
Things to Log:
- Login attempts
- Port scanning
- Warnings
- Errors
Review the logs!