Security Information and Review

Collection of security information and review

The Guideline to Improve Web Application Security

Author : Admin

In the previous discussion, The Essential Guidelines for Securing Platform Web Application, we saw that there are two categories of web vulnerability. In this discussion we will look at how to make a web application more secure, highly available and stable. There are several things that must be considered when building a more secure and stable web application; we will discuss them in more detail here.

If our application supports individual users, then record how users must authenticate to the application, using one of the authentication methods such as HTTP Basic, HTTP Digest, HTTP NTLM or Form Based. Keep in mind that challenge / response mechanisms do not protect passwords with 100 percent security.

In the HTTP Basic method, the username and password are passed in a header that is Base64 encoded. In HTTP Digest, the username and password are passed in a header in an MD5 challenge / response format. In another method, HTTP NTLM, the username and password are Windows credentials passed in a challenge / response format. In the last method, Form Based, the username and password are entered in a form, and a token such as a cookie value or session ID indicates success. Make sure to use SSL regardless of how the username and password are submitted to the application.
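To make the HTTP Basic point concrete, here is an added example (not code from the original post) that builds and parses a Basic Authorization header and checks it against a stored password hash. The user store, the salt and the user name are constructed for the example; decoding the header shows that Base64 is only an encoding, which is why SSL/TLS is needed on the wire.

```python
import base64
import binascii
import hashlib
import hmac

# Constructed user store for the example: the application keeps a salted PBKDF2
# hash of each password, never the cleartext. Salt and user are hypothetical.
_SALT = b"constructed-example-salt"
_ITERATIONS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, _ITERATIONS)


USERS = {"alice": (_SALT, hash_password("correct horse", _SALT))}


def make_basic_header(user: str, password: str) -> str:
    """What a browser sends for HTTP Basic: 'user:password', Base64 encoded, nothing more."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")


def parse_basic_header(header: str):
    """Return (user, password) from an Authorization header, or None if it is not valid Basic.
    Base64 is an encoding, not encryption: anyone who sees this header can recover the
    password, which is why the text insists on SSL whatever the authentication method."""
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")  # the first colon separates user from password
    if not sep or not user:
        return None
    return user, password


def authenticate(header: str) -> bool:
    """Check the header against the store; the hash comparison is constant-time."""
    parsed = parse_basic_header(header)
    if parsed is None:
        return False
    user, password = parsed
    salt, expected = USERS.get(user, (_SALT, None))
    computed = hash_password(password, salt)  # always hash, so unknown users cost the same time
    return expected is not None and hmac.compare_digest(computed, expected)
```

The same shape applies to the other methods the text lists: whatever the client sends, the server should hold only a hash of the password, compare in constant time, and rely on SSL for confidentiality of the header itself.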

One of the best techniques for improving the security of our web application is to protect the contents of include files and other files from prying eyes. If we are using Apache as the web server, we can use the FilesMatch directive as an effective technique to control access on a per-file basis. With this technique, we can prevent users from directly accessing backup files and other important files in our web document root. The directive uses the standard regular expression engine, so we can extend it to match any custom extensions. For example, the following configuration prevents users from downloading sensitive files or data in a specific directory, such as *.old, *.bak and *.tgz.

# Deny direct download of backup and archive files matching the pattern
# (Apache 2.2 syntax; on Apache 2.4 replace the Order/Deny lines with "Require all denied")
<FilesMatch "\.(old|bak|tgz)$">
    Order Deny,Allow
    Deny from all
</FilesMatch>

Another technique to make our web application more secure is to ensure that the input validation of the forms in our application is correct and works properly. We must also ensure that each variable passed through a URL parameter, such as the GET parameters, has been tested for input validation and against SQL injection attacks.
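The following is an added example, not code from the original post, showing what "tested for input validation and SQL injection" means for a single GET parameter. It uses a constructed in-memory SQLite table; the table, column names and the id allowlist are assumptions for the example. The unsafe function is kept only to show the defect beside the corrected version.

```python
import re
import sqlite3
from urllib.parse import parse_qs

# Constructed in-memory table standing in for the application's real database.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, internal INTEGER)")
conn.executemany(
    "INSERT INTO products VALUES (?, ?, ?)",
    [(1, "keyboard", 0), (2, "mouse", 0), (3, "unreleased-device", 1)],
)

# Allowlist for the id parameter: a positive integer of bounded length, nothing else.
ID_PATTERN = re.compile(r"[1-9][0-9]{0,8}")


def validate_id(raw: str) -> int:
    if not ID_PATTERN.fullmatch(raw):
        raise ValueError(f"invalid id parameter: {raw!r}")
    return int(raw)


def lookup_unsafe(raw_id: str):
    """The pattern the text warns about: the parameter is spliced into the SQL text,
    so a value such as '3 OR 1=1' rewrites the WHERE clause and exposes internal rows."""
    sql = f"SELECT name FROM products WHERE id = {raw_id} AND internal = 0"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(raw_id: str):
    """Validate first, then bind the value as a query parameter so it can only ever be data."""
    product_id = validate_id(raw_id)
    rows = conn.execute(
        "SELECT name FROM products WHERE id = ? AND internal = 0", (product_id,)
    )
    return [row[0] for row in rows]


def handle_query_string(query_string: str):
    """Entry point for a GET request: pull ?id=... out and route it through the safe path."""
    values = parse_qs(query_string).get("id", [])
    if len(values) != 1:  # reject missing and duplicated parameters alike
        raise ValueError("exactly one id parameter is required")
    return lookup_safe(values[0])
```

Validation and parameter binding are separate layers: the allowlist rejects anything that is not an id at all, and the bound parameter guarantees that even a value which passes validation can never change the meaning of the query.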

We must also identify vectors for directory attacks. Directory attacks take two forms: traversal and listing. A directory traversal attack is an attempt to access files outside of the web document root, or files within the document root that are otherwise restricted to the user.
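As an added example (not from the original post) of how an application can defend against the traversal form, the check below maps a client-supplied path onto the document root and refuses anything whose normalized form lands outside it. The document root path is an assumption; the check itself only compares normalized paths, so any root works.

```python
from pathlib import Path

# Assumed document root for the example; any path works, the check only compares normalized paths.
DOC_ROOT = "/srv/app/htdocs"


def resolve_under_root(requested: str, root: str = DOC_ROOT) -> Path:
    """Map a client-supplied path to a file under root, or raise PermissionError.

    The request is normalized (Path.resolve collapses '..' segments and follows any
    existing symlinks) and is then required to be a descendant of the normalized root.
    Checking the resolved result, rather than looking for '..' in the raw string, also
    rejects forms such as 'a/../../b' and symlinks that point outside the root."""
    if "\x00" in requested:
        raise PermissionError("NUL byte in requested path")
    cleaned = requested.replace("\\", "/").lstrip("/")  # always treat the request as relative to root
    root_path = Path(root).resolve()
    candidate = (root_path / cleaned).resolve()
    try:
        candidate.relative_to(root_path)
    except ValueError:
        raise PermissionError(f"request escapes the document root: {requested!r}") from None
    return candidate


def is_safe_path(requested: str, root: str = DOC_ROOT) -> bool:
    """Convenience predicate for the same check."""
    try:
        resolve_under_root(requested, root)
        return True
    except PermissionError:
        return False
```

The listing form is a server configuration matter rather than an application one: on Apache, `Options -Indexes` for the directory turns off automatic directory listings.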

If our web application provides a file upload capability, we must ensure that the threats this brings to the web application are handled safely and securely. We must make sure that users cannot upload executable files or other malicious code that could be used to attack our web application. We must also prevent users from uploading excessively large files that either cause our web application to crash or fill up the server’s disk space.
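Here is an added example, not code from the original post, of the two upload controls the paragraph asks for: an allowlist of file types checked against the file's content (not just its name), and a size cap enforced while the body is being read rather than after it has been stored. The size limit, the allowed types and the magic-byte table are constructed for the example.

```python
import os
import uuid

MAX_UPLOAD_BYTES = 5 * 1024 * 1024  # assumed policy limit for this example

# Allowlist of extensions the application accepts, each paired with the leading bytes
# a genuine file of that type starts with (constructed for the example, not exhaustive).
ALLOWED_TYPES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "pdf": b"%PDF-",
}


class UploadRejected(Exception):
    pass


def read_bounded(chunks, limit: int = MAX_UPLOAD_BYTES) -> bytes:
    """Assemble an upload from an iterable of chunks, aborting as soon as it exceeds limit.
    Stopping early is what keeps an oversized upload from filling memory or disk; for a
    real request body pass something like iter(lambda: stream.read(65536), b"")."""
    buf = bytearray()
    for piece in chunks:
        buf.extend(piece)
        if len(buf) > limit:
            raise UploadRejected(f"upload exceeds {limit} bytes")
    return bytes(buf)


def validate_upload(client_filename: str, data: bytes) -> str:
    """Check extension allowlist, size and content signature; return a safe name for storage."""
    if not data:
        raise UploadRejected("empty upload")
    if len(data) > MAX_UPLOAD_BYTES:
        raise UploadRejected("upload too large")
    # Use only the final path component; the client's directory parts are never trusted.
    base = os.path.basename(client_filename.replace("\\", "/"))
    ext = base.rsplit(".", 1)[-1].lower() if "." in base else ""
    if ext not in ALLOWED_TYPES:
        raise UploadRejected(f"extension {ext!r} is not allowed")
    if not data.startswith(ALLOWED_TYPES[ext]):
        # e.g. a script renamed with an image extension: the name passed but the content does not
        raise UploadRejected("content does not match the declared type")
    # Never reuse the client's name on disk: a random name with the vetted extension
    # removes path tricks and double extensions such as 'page.php.png'.
    return f"{uuid.uuid4().hex}.{ext}"
```

The returned name should be written to a directory outside the web document root, so that even a file that slipped through validation is never served or executed by the web server directly.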

In this discussion, we have described simple steps to improve the security of our web application.


Mohamad Widodo

Categories: Web Application Security
If you like this post, please leave a message or comment.