A Guide to Building Secure Web Applications

Table of Contents

1. Introduction
Purpose Of This Document
Intended Audience
How to Use This Document
What This Document Is Not
How to Contribute
Future Content
2. Overview
What Are Web Applications?
What Are Web Services?
3. How Much Security Do You Really Need?
What are Risks, Threats and Vulnerabilities?
Measuring the Risk
4. Security Guidelines
Validate Input and Output
Fail Securely (Closed)
Keep it Simple
Use and Reuse Trusted Components
Defense in Depth
Only as Secure as the Weakest Link
Security By Obscurity Won't Work
Least Privilege
Compartmentalization (Separation of Privileges)
5. Architecture
General Considerations
Security from the Operating System
Security from the Network Infrastructure
6. Authentication
What is Authentication?
Types of Authentication
Browser Limitations
HTTP Basic
HTTP Digest
Forms Based Authentication
Digital Certificates (SSL and TLS)
Entity Authentication
Infrastructure Authentication
Password Based Authentication Systems
7. Managing User Sessions
Persistent vs. Non-Persistent
Secure vs. Non-Secure
How Do Cookies Work?
What's in a Cookie?
Session Tokens
Cryptographic Algorithms for Session Tokens
Appropriate Key Space
Session Management Schemes
Session Time-out
Regeneration of Session Tokens
Session Forging/Brute-Forcing Detection and/or Lockout
Session Re-Authentication
Session Token Transmission
Session Tokens on Logout
Page Tokens
How Do SSL and TLS Work?
8. Access Control and Authorization
Discretionary Access Control
Mandatory Access Control
Role Based Access Control
9. Event Logging
What to Log
Log Management
10. Data Validation
Validation Strategies
Accept Only Known Valid Data
Reject Known Bad Data
Sanitize All Data
Never Rely on Client-Side Data Validation
11. Preventing Common Problems
The Generic Meta-Characters Problem
Attacks on The Users
Cross-Site Scripting
Attacks on the System
Direct SQL Commands
Direct OS Commands
Path Traversal and Path Disclosure
Null Bytes
URL Encoding
Parameter Manipulation
Cookie Manipulation
HTTP Header Manipulation
HTML Form Field Manipulation
URL Manipulation
Vendor Patches
System Configuration
Comments in HTML
Old, Backup and Un-referenced Files
Debug Commands
Default Accounts
12. Privacy Considerations
The Dangers of Communal Web Browsers
Using Personal Data
Enhanced Privacy Login Options
Browser History
13. Cryptography
Symmetric Cryptography
Asymmetric, or Public Key, Cryptography
Digital Signatures
Hash Values
Implementing Cryptography
Cryptographic Toolkits and Libraries
Key Generation
Random Number Generation
Key Lengths