SlideShare a Scribd company logo

A security note for web developers

John Ombagi, profile picture
John Ombagi

The document provides essential security design practices for web developers, emphasizing the importance of confidentiality, integrity, and availability in web applications. It reviews the OWASP Top 10 vulnerabilities and suggests strategies for secure coding, session management, password handling, and proper web deployment. Developers are encouraged to implement measures like data validation, session security, and using HTTPS to protect against common threats.

Technology
Related topics:
Web Design InsightsWeb Security Overview Information Security Penetration-Testing
1 of 9
Download to read offline
1
2
3
4
5
6
7
8
9
Basic Web Security Design for Developers By John (Troon) Ombagi A security note to web developers on how they can instill safe security design practices on their web development projects. @iLabAfrica
   1 Basic Web Security Design for Developers Fundamentals of Information Security The basic fundamental concept of information security is to establish Confidentiality, Integrity, and Availability. Only authorized persons should be able to access certain information. This information should be trusted (not manipulated or corrupted in any ways) and has to be there whenever needed. Security is a tradeoff. Tightening a website security means sacrificing some functionalities and/or usability. Take for instance the Google search engine, imagine answering a captcha challenge each time you want to make a search request. Irritating, right? Designing your website security and utilization of security within your web application means you have to identify and understand what you are trying to protect (threat modeling). After figuring out your potential threats, you work towards balancing functionality and usability. For instance a social media web application can register a client’s session for a longer time compared to an internet banking website, they both have different impacts in case of a session abuse.
   2 OWASP TOP 10 OWASP is an open community dedicated to enabling organizations to conceive, develop, acquire, operate, and maintain applications that can be trusted. The primary aim of the OWASP Top 10 is to educate developers, designers, architects, managers, and organizations about the consequences of the most important web application security weaknesses. The Top 10 list provides basic techniques to protect against these high risk problem areas and also provides guidance on how to mitigate these risks (https://storage.googleapis.com/google-code-archive- downloads/v2/code.google.com/owasptop10/OWASP%20Top%2010%20-%202013.pdf). The OWASP community is actively working on OWASP TOP 10 for 2017. Currently (at the time of writing), release for 2013 remains the official current final release and the most critical web application security risks are:  A1 Injection  A2 Broken Authentication and Session Management  A3 Cross-Site Scripting (XSS)  A4 Insecure Direct Object References  A5 Security Misconfiguration  A6 Sensitive Data Exposure  A7 Missing Function Level Access Control  A8 Cross-Site Request Forgery (CSRF)  A9 Using Components with Known Vulnerabilities  A10 Unvalidated Redirects and Forwards
   3 A Security Note for Web Developers. As a penetration tester, there are common vulnerabilities and misconfigurations that appear across different web application testing engagements. This section dives into some of these common vulnerabilities (pointing back to the OWASP Top 10, 2013) from a security testing point of view and explains how developers can avoid (or minimize) making these common mistakes. Remember, some of these security issues might have no impact in your web application, it’s important to understand your threats and what matters most in the critical parts of your web application. 1). Input Validation (A1, A3) Any point in your web application where data from untrusted source is take in, should be looked into with special attention. Untrusted data source is any source that provides data that you didn’t generate or data coming outside the application like user inputs. Your intended web application users can be the abusers. Always validate any data input. This helps cut down injection and XSS attacks. a) Client-Side then Backend Many web developers use JavaScript to validate user input and assume this is enough! Client side data validation can be bypassed by placing a proxy between a browser and a web application. Make sure you do another data validation at the back-end before processing requests from the client side. b) Regex and Blacklisting are hard. Another big mistake web developers do is trying to create their own filters for data validation by using regular expressions (regex). Most of these filters can be bypassed by abusing a rule not captured in the developer’s applied filter. There is so much bad data to filter, defining these unwanted data (black listing) is harder compared to defining what a clean data is (whitelisting). Make use whitelisting, set input size limits, check for data-types and stripe all web tags from data inputs.
   4 2). Securing sessions (A2, A4, A8) HTTP is stateless. For persistence, session association and/or authorization, session IDs, cookies or anything unique that can be stored in the client side and used in HTTP request employs a sense of session identity. If these elements of identity in a web application are not well secured, they may break authorization or affect the validity of user sessions. a). Don't Reuse Session IDs If a web application generates a unique session ID each time a user visits, that’s fine. The problem though, is when a user signs in a web application and the same session ID generated when unauthenticated is reused when authenticated. An attacker can perform what is known as a session fixation. b) Remove Session IDs from URLs Session IDs should not form part of an URL in any of the web requests. If there is a redirection to an external web resource, the redirection might leak out the session ID. One can use secure HTTP headers for session IDs. If possible, avoid URL redirections in your web application, if you must them, then specify URLs that are allowed and notify the user whenever redirecting out to external websites. c) Track Sessions A good web application should alert a user whenever an existing valid session is available in the web server and yet another new session has been created. For all established sessions, the web-server should be able to track them and make them expire after a period of time prompting the user to login again. Another important security design feature web developers can employ is enforcing users to re-authenticate when doing a critical action on a web application like deleting an account or making a card transaction. d) How random is random? Session IDs should be as random as possible. If an attacker is able to predict the next session ID a web application is going to generate, the users are at risk. These session IDs should be unique and hard to brute force. e) Don’t transmit Session IDs in Clear Text An attacker sniffing packets in a network can capture session IDs transmitted in plain text. Using SSL/TLS enables web application users use secure
   5 communication channels that don’t transmit data in clear plain text. Some web developers assume encoding these IDs solves the problem of transmission over a protocol that carry data in plain text. Encoding is not encrypting. A base64 encoded string can be decoded. 3) Data Transmission Security (A6) As mentioned earlier, HTTP is an insecure channel for transmitting data that is supposed to be kept private like credentials. Using HTTPS forms a secure communication exchange channel for transmitting data in a web application. Unfortunately, the green padlock on a client’s browser is not enough. How HTTPS is implemented matters a lot. A web application should not mix HTTP and HTTPS content. A web application developer should have in mind users initiating a connection (like getting a login page) over HTTP or users under a downgrade attack (HTTPS to HTTP). Below are some Security Header to help improve the secure data exchange channels in a web application by enforcing secure browser headers. These headers add checks and controls on the client-side that the server can’t directly control. i) HTTP Strict Transport Security (HSTS). With HSTS, a user makes only one insecure connection and upon receiving a response with HSTS header, all other requests will be made secure by using internal redirection 307 before reaching out to the webserver. ii) HTTP Public Key Pinning (HPKP) is another great way of protecting the web users against compromised SSL certificates. Public key pinning allows trusted SSL certificates to be whitelisted and instructs the browser on how to behave in the future whenever interacting with the web application in a secure channel. iii) Lastly, we have Content Security Policy (CSP) which provides a way of white-listing what resources your web application is allowed to load and which scripts to run. This prevents attackers from embedding external resource in the web application or modifying the document object model (DOM).
   6 4) Password Management (A4, A7) Passwords allow users to be authenticated in a web application, in case of an attack, they should be in a format that doesn’t expose actual passwords of the registered users. Passwords should not be stored in the back-end, in plaintext. Use password salting and peppering algorithms to disguise the initial password before storage. Don’t roll out your own crypto (unless you are good at it and whatever you have created has been tested and approved by other crypto experts). Use provided crypto libraries within your development frameworks. For instance, here are some publicly tested and approved cryptographic libraries you can use in your web application, bcrypt, PBKDF2 (key derivation function) or scrypt. I) Password validation Some web developers force users to use a certain pattern in their password creation. This is not entirely bad but still it discourages the users from creating complex passwords they can remember. Instead just use an indicator for strong and weak passwords (you can use something like this http://davidstutz.github.io/bootstrap-strength-meter without enforcing a particular format. Also, a strict password pattern means an attacker can use a rule-based password cracking technique which increases the chances of positive results.
   7 ii) Account Enumeration Login and password rest forms should not be too detailed. If a user doesn’t exist in a web application or maybe the password is wrong, give a generic message that an attack cannot tell which one of the two is valid and which one is not. On password reset make the user submit something he/she knows or he/she has before disclosing any personal identifiable information (PII). For example https://accounts.ecitizen.go.ke/forgot-password has a very bad password rest feature (you can enter anyone’s/random email or increment your ID number with 1 to get another person’s PII). If a user provides an email or ID, let the user provide the phone number used during registration and send a validation token via SMS for him/her to continue with the reset process. iii) Brute-force Attacks A good web application should counter any automated tool that send a lot of web requests in a very short time. Introduce a captcha on every critical web form in your website or simply show the captcha once you notice presences of an automation tool sending requests e.g. web headers from such known tools (like web scanners) and request time (if a lot of request are done in milliseconds and originate from a single user, it is likely an automation). Another way of countering brute-force attacks is using unique IDs for each HTTP response that must be included in the HTTP requests. This ID should not be reused or easy to predict the next one. One can also throttle requests from a particular client that is suspected of sending automated/malicious requests.
   8 5) Web Deployment (A6, A5, A9) Choosing where to host your web application is very important. Some web apps might require a dedicated hosting rather than a shared hosting. Another things to consider for your hosting is scalability, availability, extra layer of security (like against DOS attacks) and it should be a reputable hosting company. Other things that can go wrong in web deployment:  Running other multiple services that you don’t need on a web server.  Using outdated software/applications on a web-server  Not updating a web server’s OS and running old/unpatched applications  Binding critical services (like MySQL) on a public IP o Use 127.0.0.1 unless it’s intended to be accessed remotely by other services on a public IP  Using a super user account for every service running on a server o Employ principle of lest privilege.  Not setting folder permissions on the web server  Using default credentials (a common sucker!)  Not having a backup policy o In case things get out of control, you should be able to bounce back – business continuity is a real thing  Hosting in countries under oppressive regimes or civil war etc. o Do you want free web hosting in Turkmenistan? Defense in depth is always important when trying to secure anything. So installing a Web Application Firewall can reduce some of the aforementioned common attacks. Log everything on your web server and make sure the time is correctly set (use Network Time Protocol), this will save headaches when responding to a security incident and recreating events timeline. John Ombagi, IT Security Assistant, @iLabAfrica jnyabuti@strathmore.edu

More Related Content

PDF
Session7-XSS & CSRF
zakieh alizadeh
 
PDF
C01461422
IOSR Journals
 
PDF
Top 10 Web Application vulnerabilities
Terrance Medina
 
PDF
OWASPTop 10
InnoTech
 
PDF
React security vulnerabilities
AngelinaJasper
 
PDF
Lecture #24 : Cross Site Request Forgery (CSRF)
Dr. Ramchandra Mangrulkar
 
PPTX
Web Security
Ali Habeeb
 
PDF
Security Awareness
Lucas Hendrich
 
Session7-XSS & CSRF
zakieh alizadeh
 
C01461422
IOSR Journals
 
Top 10 Web Application vulnerabilities
Terrance Medina
 
OWASPTop 10
InnoTech
 
React security vulnerabilities
AngelinaJasper
 
Lecture #24 : Cross Site Request Forgery (CSRF)
Dr. Ramchandra Mangrulkar
 
Web Security
Ali Habeeb
 
Security Awareness
Lucas Hendrich
 

What's hot (20)

PDF
2013 OWASP Top 10
bilcorry
 
PPT
Hacking web applications
phanleson
 
PDF
T04505103106
IJERA Editor
 
PDF
Penetration testing web application web application (in) security
Nahidul Kibria
 
PPT
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Brian Huff
 
PPT
Introduction to Web Application Penetration Testing
Anurag Srivastava
 
PPT
Owasp Top 10 And Security Flaw Root Causes
Marco Morana
 
PDF
Cross site scripting (xss) attacks issues and defense - by sandeep kumbhar
Sandeep Kumbhar
 
PDF
International Journal of Engineering Inventions (IJEI)
International Journal of Engineering Inventions www.ijeijournal.com
 
PDF
Web Application Security 101
Cybersecurity Education and Research Centre
 
PPTX
2 . web app s canners
Rashid Khatmey
 
PPT
XSS and CSRF with HTML5
Shreeraj Shah
 
PDF
Owasp Top 10
Shivam Porwal
 
PDF
CSRF Attacks and its Defence using Middleware
ijtsrd
 
PDF
Owasp top 10
YasserElsnbary
 
PDF
I1804015458
IOSR Journals
 
PDF
Session2-Application Threat Modeling
zakieh alizadeh
 
PDF
OWASP Top 10 List Overview for Web Developers
Benjamin Floyd
 
PPTX
[OPD 2019] Inter-application vulnerabilities
OWASP
 
PDF
S5-Authorization
zakieh alizadeh
 
2013 OWASP Top 10
bilcorry
 
Hacking web applications
phanleson
 
T04505103106
IJERA Editor
 
Penetration testing web application web application (in) security
Nahidul Kibria
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Brian Huff
 
Introduction to Web Application Penetration Testing
Anurag Srivastava
 
Owasp Top 10 And Security Flaw Root Causes
Marco Morana
 
Cross site scripting (xss) attacks issues and defense - by sandeep kumbhar
Sandeep Kumbhar
 
International Journal of Engineering Inventions (IJEI)
International Journal of Engineering Inventions www.ijeijournal.com
 
Web Application Security 101
Cybersecurity Education and Research Centre
 
2 . web app s canners
Rashid Khatmey
 
XSS and CSRF with HTML5
Shreeraj Shah
 
Owasp Top 10
Shivam Porwal
 
CSRF Attacks and its Defence using Middleware
ijtsrd
 
Owasp top 10
YasserElsnbary
 
I1804015458
IOSR Journals
 
Session2-Application Threat Modeling
zakieh alizadeh
 
OWASP Top 10 List Overview for Web Developers
Benjamin Floyd
 
[OPD 2019] Inter-application vulnerabilities
OWASP
 
S5-Authorization
zakieh alizadeh
 
Ad

Similar to A security note for web developers (20)

PPTX
Presentation on Top 10 Vulnerabilities in Web Application
Md Mahfuzur Rahman
 
PPT
Secure code practices
Hina Rawal
 
PPT
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
Brian Huff
 
PDF
OWASP Top Ten in Practice
Security Innovation
 
PDF
Threat Modeling for Web Applications (and other duties as assigned)
Mike Tetreault
 
PDF
Essential Security Practices for Modern Web Developers.pdf
Zinavo Pvt Ltd
 
PDF
Best Security Practices for Web Application Development.pdf
Digital Auxilio Technologies
 
PPTX
How to Test for The OWASP Top Ten
Security Innovation
 
PDF
Web application security (eng)
Anatoliy Okhotnikov
 
DOCX
21CSB02T UNIT 1 NOTES. FOR WEB APPLICATION SECURITY VERTICAL COURSES
Rajkumars275092
 
PPTX
Secure Software Engineering
Rohitha Liyanagama
 
PDF
Owasp Top 10-2013
n|u - The Open Security Community
 
PDF
Best Practices for Secure Web Application Development by Site Invention.pdf
siteseo
 
PDF
Security Ninjas: An Open Source Application Security Training Program
OpenDNS
 
PPTX
CyberSecurityppt. pptx
iamayesha2526
 
PPTX
Web security for app developers
Pablo Gazmuri
 
PDF
Tuenti: Web Application Security
Tuenti
 
PDF
Tuenti: Web Application Security
Guille -bisho-
 
PPTX
Owasp top 10 2017
ibrahimumer2
 
PPT
Web application development_dos_and_donts
huynhvanphuc
 
Presentation on Top 10 Vulnerabilities in Web Application
Md Mahfuzur Rahman
 
Secure code practices
Hina Rawal
 
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
Brian Huff
 
OWASP Top Ten in Practice
Security Innovation
 
Threat Modeling for Web Applications (and other duties as assigned)
Mike Tetreault
 
Essential Security Practices for Modern Web Developers.pdf
Zinavo Pvt Ltd
 
Best Security Practices for Web Application Development.pdf
Digital Auxilio Technologies
 
How to Test for The OWASP Top Ten
Security Innovation
 
Web application security (eng)
Anatoliy Okhotnikov
 
21CSB02T UNIT 1 NOTES. FOR WEB APPLICATION SECURITY VERTICAL COURSES
Rajkumars275092
 
Secure Software Engineering
Rohitha Liyanagama
 
Owasp Top 10-2013
n|u - The Open Security Community
 
Best Practices for Secure Web Application Development by Site Invention.pdf
siteseo
 
Security Ninjas: An Open Source Application Security Training Program
OpenDNS
 
CyberSecurityppt. pptx
iamayesha2526
 
Web security for app developers
Pablo Gazmuri
 
Tuenti: Web Application Security
Tuenti
 
Tuenti: Web Application Security
Guille -bisho-
 
Owasp top 10 2017
ibrahimumer2
 
Web application development_dos_and_donts
huynhvanphuc
 
Ad

Recently uploaded (20)

PPTX
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
ReZa AdineH
 
PDF
KodekX | Application Modernization Development
KodekX
 
PDF
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
PDF
Encapsulation theory and applications.pdf
gurumoop
 
PDF
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
PPTX
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
PDF
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
PPTX
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
PDF
NewMind AI Monthly Chronicles - July 2025
NewMind AI
 
PDF
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
PDF
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
PDF
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
PPTX
MYSQL Presentation for SQL database connectivity
Swati270511
 
PDF
Approach and Philosophy of On baking technology
30anthuong17
 
PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
PPTX
A Presentation on Artificial Intelligence
memembruh336
 
PDF
Shreyas Phanse Resume: Experienced Backend Engineer | Java • Spring Boot • Ka...
SHREYAS PHANSE
 
PDF
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
PDF
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
ReZa AdineH
 
KodekX | Application Modernization Development
KodekX
 
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
Encapsulation theory and applications.pdf
gurumoop
 
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
NewMind AI Monthly Chronicles - July 2025
NewMind AI
 
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
MYSQL Presentation for SQL database connectivity
Swati270511
 
Approach and Philosophy of On baking technology
30anthuong17
 
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
A Presentation on Artificial Intelligence
memembruh336
 
Shreyas Phanse Resume: Experienced Backend Engineer | Java • Spring Boot • Ka...
SHREYAS PHANSE
 
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 

A security note for web developers

  • 1. Basic Web Security Design for Developers By John (Troon) Ombagi A security note to web developers on how they can instill safe security design practices on their web development projects. @iLabAfrica
  • 2.    1 Basic Web Security Design for Developers Fundamentals of Information Security The basic fundamental concept of information security is to establish Confidentiality, Integrity, and Availability. Only authorized persons should be able to access certain information. This information should be trusted (not manipulated or corrupted in any ways) and has to be there whenever needed. Security is a tradeoff. Tightening a website security means sacrificing some functionalities and/or usability. Take for instance the Google search engine, imagine answering a captcha challenge each time you want to make a search request. Irritating, right? Designing your website security and utilization of security within your web application means you have to identify and understand what you are trying to protect (threat modeling). After figuring out your potential threats, you work towards balancing functionality and usability. For instance a social media web application can register a client’s session for a longer time compared to an internet banking website, they both have different impacts in case of a session abuse.
  • 3.    2 OWASP TOP 10 OWASP is an open community dedicated to enabling organizations to conceive, develop, acquire, operate, and maintain applications that can be trusted. The primary aim of the OWASP Top 10 is to educate developers, designers, architects, managers, and organizations about the consequences of the most important web application security weaknesses. The Top 10 list provides basic techniques to protect against these high risk problem areas and also provides guidance on how to mitigate these risks (https://storage.googleapis.com/google-code-archive- downloads/v2/code.google.com/owasptop10/OWASP%20Top%2010%20-%202013.pdf). The OWASP community is actively working on OWASP TOP 10 for 2017. Currently (at the time of writing), release for 2013 remains the official current final release and the most critical web application security risks are:  A1 Injection  A2 Broken Authentication and Session Management  A3 Cross-Site Scripting (XSS)  A4 Insecure Direct Object References  A5 Security Misconfiguration  A6 Sensitive Data Exposure  A7 Missing Function Level Access Control  A8 Cross-Site Request Forgery (CSRF)  A9 Using Components with Known Vulnerabilities  A10 Unvalidated Redirects and Forwards
  • 4.    3 A Security Note for Web Developers. As a penetration tester, there are common vulnerabilities and misconfigurations that appear across different web application testing engagements. This section dives into some of these common vulnerabilities (pointing back to the OWASP Top 10, 2013) from a security testing point of view and explains how developers can avoid (or minimize) making these common mistakes. Remember, some of these security issues might have no impact in your web application, it’s important to understand your threats and what matters most in the critical parts of your web application. 1). Input Validation (A1, A3) Any point in your web application where data from untrusted source is take in, should be looked into with special attention. Untrusted data source is any source that provides data that you didn’t generate or data coming outside the application like user inputs. Your intended web application users can be the abusers. Always validate any data input. This helps cut down injection and XSS attacks. a) Client-Side then Backend Many web developers use JavaScript to validate user input and assume this is enough! Client side data validation can be bypassed by placing a proxy between a browser and a web application. Make sure you do another data validation at the back-end before processing requests from the client side. b) Regex and Blacklisting are hard. Another big mistake web developers do is trying to create their own filters for data validation by using regular expressions (regex). Most of these filters can be bypassed by abusing a rule not captured in the developer’s applied filter. There is so much bad data to filter, defining these unwanted data (black listing) is harder compared to defining what a clean data is (whitelisting). Make use whitelisting, set input size limits, check for data-types and stripe all web tags from data inputs.
  • 5.    4 2). Securing sessions (A2, A4, A8) HTTP is stateless. For persistence, session association and/or authorization, session IDs, cookies or anything unique that can be stored in the client side and used in HTTP request employs a sense of session identity. If these elements of identity in a web application are not well secured, they may break authorization or affect the validity of user sessions. a). Don't Reuse Session IDs If a web application generates a unique session ID each time a user visits, that’s fine. The problem though, is when a user signs in a web application and the same session ID generated when unauthenticated is reused when authenticated. An attacker can perform what is known as a session fixation. b) Remove Session IDs from URLs Session IDs should not form part of an URL in any of the web requests. If there is a redirection to an external web resource, the redirection might leak out the session ID. One can use secure HTTP headers for session IDs. If possible, avoid URL redirections in your web application, if you must them, then specify URLs that are allowed and notify the user whenever redirecting out to external websites. c) Track Sessions A good web application should alert a user whenever an existing valid session is available in the web server and yet another new session has been created. For all established sessions, the web-server should be able to track them and make them expire after a period of time prompting the user to login again. Another important security design feature web developers can employ is enforcing users to re-authenticate when doing a critical action on a web application like deleting an account or making a card transaction. d) How random is random? Session IDs should be as random as possible. If an attacker is able to predict the next session ID a web application is going to generate, the users are at risk. These session IDs should be unique and hard to brute force. e) Don’t transmit Session IDs in Clear Text An attacker sniffing packets in a network can capture session IDs transmitted in plain text. Using SSL/TLS enables web application users use secure
  • 6.    5 communication channels that don’t transmit data in clear plain text. Some web developers assume encoding these IDs solves the problem of transmission over a protocol that carry data in plain text. Encoding is not encrypting. A base64 encoded string can be decoded. 3) Data Transmission Security (A6) As mentioned earlier, HTTP is an insecure channel for transmitting data that is supposed to be kept private like credentials. Using HTTPS forms a secure communication exchange channel for transmitting data in a web application. Unfortunately, the green padlock on a client’s browser is not enough. How HTTPS is implemented matters a lot. A web application should not mix HTTP and HTTPS content. A web application developer should have in mind users initiating a connection (like getting a login page) over HTTP or users under a downgrade attack (HTTPS to HTTP). Below are some Security Header to help improve the secure data exchange channels in a web application by enforcing secure browser headers. These headers add checks and controls on the client-side that the server can’t directly control. i) HTTP Strict Transport Security (HSTS). With HSTS, a user makes only one insecure connection and upon receiving a response with HSTS header, all other requests will be made secure by using internal redirection 307 before reaching out to the webserver. ii) HTTP Public Key Pinning (HPKP) is another great way of protecting the web users against compromised SSL certificates. Public key pinning allows trusted SSL certificates to be whitelisted and instructs the browser on how to behave in the future whenever interacting with the web application in a secure channel. iii) Lastly, we have Content Security Policy (CSP) which provides a way of white-listing what resources your web application is allowed to load and which scripts to run. This prevents attackers from embedding external resource in the web application or modifying the document object model (DOM).
  • 7.    6 4) Password Management (A4, A7) Passwords allow users to be authenticated in a web application, in case of an attack, they should be in a format that doesn’t expose actual passwords of the registered users. Passwords should not be stored in the back-end, in plaintext. Use password salting and peppering algorithms to disguise the initial password before storage. Don’t roll out your own crypto (unless you are good at it and whatever you have created has been tested and approved by other crypto experts). Use provided crypto libraries within your development frameworks. For instance, here are some publicly tested and approved cryptographic libraries you can use in your web application, bcrypt, PBKDF2 (key derivation function) or scrypt. I) Password validation Some web developers force users to use a certain pattern in their password creation. This is not entirely bad but still it discourages the users from creating complex passwords they can remember. Instead just use an indicator for strong and weak passwords (you can use something like this http://davidstutz.github.io/bootstrap-strength-meter without enforcing a particular format. Also, a strict password pattern means an attacker can use a rule-based password cracking technique which increases the chances of positive results.
  • 8.    7 ii) Account Enumeration Login and password rest forms should not be too detailed. If a user doesn’t exist in a web application or maybe the password is wrong, give a generic message that an attack cannot tell which one of the two is valid and which one is not. On password reset make the user submit something he/she knows or he/she has before disclosing any personal identifiable information (PII). For example https://accounts.ecitizen.go.ke/forgot-password has a very bad password rest feature (you can enter anyone’s/random email or increment your ID number with 1 to get another person’s PII). If a user provides an email or ID, let the user provide the phone number used during registration and send a validation token via SMS for him/her to continue with the reset process. iii) Brute-force Attacks A good web application should counter any automated tool that send a lot of web requests in a very short time. Introduce a captcha on every critical web form in your website or simply show the captcha once you notice presences of an automation tool sending requests e.g. web headers from such known tools (like web scanners) and request time (if a lot of request are done in milliseconds and originate from a single user, it is likely an automation). Another way of countering brute-force attacks is using unique IDs for each HTTP response that must be included in the HTTP requests. This ID should not be reused or easy to predict the next one. One can also throttle requests from a particular client that is suspected of sending automated/malicious requests.
  • 9.    8 5) Web Deployment (A6, A5, A9) Choosing where to host your web application is very important. Some web apps might require a dedicated hosting rather than a shared hosting. Another things to consider for your hosting is scalability, availability, extra layer of security (like against DOS attacks) and it should be a reputable hosting company. Other things that can go wrong in web deployment:  Running other multiple services that you don’t need on a web server.  Using outdated software/applications on a web-server  Not updating a web server’s OS and running old/unpatched applications  Binding critical services (like MySQL) on a public IP o Use 127.0.0.1 unless it’s intended to be accessed remotely by other services on a public IP  Using a super user account for every service running on a server o Employ principle of lest privilege.  Not setting folder permissions on the web server  Using default credentials (a common sucker!)  Not having a backup policy o In case things get out of control, you should be able to bounce back – business continuity is a real thing  Hosting in countries under oppressive regimes or civil war etc. o Do you want free web hosting in Turkmenistan? Defense in depth is always important when trying to secure anything. So installing a Web Application Firewall can reduce some of the aforementioned common attacks. Log everything on your web server and make sure the time is correctly set (use Network Time Protocol), this will save headaches when responding to a security incident and recreating events timeline. John Ombagi, IT Security Assistant, @iLabAfrica jnyabuti@strathmore.edu