Yes, it’s that easy to get hacked

Most developers pay lip service to security, but not many take the time to actually secure their site. We usually leave it to the sys admins. Yes, those same sys admins who like to make our lives miserable by actually locking things down, denying us access and enforcing rules (how dare they!). But now our web applications have become such a conglomerate of technologies (ASP.NET, Ajax, Flash, Silverlight, SQL, WS-* and you name it) that we’ve spread our attack surface out like icing on a cake. We need to reduce that surface as close to zero as possible. It’s not up to just the sys admins anymore; it’s up to us, the developers.

It’s high time you stopped ignoring your duty to secure your apps. Take a look at “The Spy Who Hacked Me”, a presentation at TechEd 2008 by security expert Alex Smolen. Every single developer and every sys admin should be made to watch this video (and this will be you, if you attend my classes). You see, it really is that easy to hack into a site. Are you scared yet? Because you should be.

XSS (Cross Site Scripting) attacks were the main focus of Alex’s screencast, but that’s not the only problem that makes your site an easy target.

Common security exploits

  • XSS Attacks
  • Browser Tampering (history stealing, cookie jacking, Firefox extension hacking)
  • FTP/Port jacking
  • SQL Injection
  • Cross Site Request Forgery (CSRF)
  • Form/Parameter Manipulation
  • Session Hijacking

Many of these were detailed in the video and are also detailed in the SANS Institute’s list of Server Side Web Vulnerabilities. You’ll want to make sure you take the precautions listed there so that you don’t have gaping holes in your code that allow for these attacks. A good start is to head over to the MSDN Security Center and start reading the articles there.

Reduce your attack surface

  • Remember, all input is evil. Validate your input data. Check every piece of data that enters every page.
  • Sanitize your output. Encode your output properly using Server.HtmlEncode. You can also use the AntiXSS library from Microsoft.
  • Install NoScript for Firefox; however, Firefox extensions can be tampered with, so while it’s a great help, be wary of what you allow to run.
  • JavaScript is evil too. We need to watch client side scripts like a hawk. The J in AJAX is for JavaScript, don’t forget that.
  • I know many developers are aware of input validation, but I often see no output sanitization being done, let alone the extra effort of using the AntiXSS library.
  • For the love of all that’s holy, stop logging into the database with the sa (SQL system admin) account or any other high privilege account. The principle of least privilege is your friend.
  • Take down your FTP server, or at the very least, point it away from your applications.
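To make the first, second and sa-account points concrete, here is an added example (my code, not from Alex’s talk or from any Microsoft sample) of a search handler written the vulnerable way and then the hardened way. It assumes classic ASP.NET with System.Web available; HttpUtility.HtmlEncode is the encoder behind Server.HtmlEncode, and the database name and the app_reader login in the connection string are placeholders I made up for the example.

```csharp
// Added example: a "search" page handler, before and after hardening.
// Assumes classic ASP.NET (System.Web). "Blog" and "app_reader" are
// placeholder names for this example, not a real deployment.
using System;
using System.Data;
using System.Data.SqlClient;
using System.Text.RegularExpressions;
using System.Web;

public static class SearchPage
{
    // BEFORE: the query string value is echoed straight into the page and
    // concatenated into SQL. Markup in the term becomes live script (XSS);
    // a quote character breaks out of the SQL string literal (injection).
    public static string RenderUnsafe(string term)
    {
        return "<h2>Results for " + term + "</h2>";
    }

    public static string BuildSqlUnsafe(string term)
    {
        return "SELECT Title FROM Articles WHERE Title LIKE '%" + term + "%'";
    }

    // AFTER, step 1: validate input against an allow-list and reject what
    // does not fit. A search term has no business containing angle brackets.
    private static readonly Regex AllowedTerm = new Regex(@"^[A-Za-z0-9 \-]{1,50}$");

    public static bool IsValidTerm(string term)
    {
        return term != null && AllowedTerm.IsMatch(term);
    }

    // AFTER, step 2: encode on output no matter what validation did.
    // Encoding is the control that actually stops XSS; validation only
    // narrows the input. Server.HtmlEncode does the same thing in a page;
    // the AntiXSS library's encoder is a stricter drop-in alternative.
    public static string RenderSafe(string term)
    {
        return "<h2>Results for " + HttpUtility.HtmlEncode(term) + "</h2>";
    }

    // AFTER, step 3: parameterise the query so the term is always data,
    // never SQL text, and connect with a login that can only SELECT from
    // the one table this page needs instead of sa.
    public const string LeastPrivilegeConnection =
        "Server=(local);Database=Blog;User Id=app_reader;Password=<read from config>;";

    public static SqlCommand BuildSqlSafe(SqlConnection conn, string term)
    {
        var cmd = new SqlCommand(
            "SELECT Title FROM Articles WHERE Title LIKE @pattern", conn);
        // Typed, sized parameter: the % wildcards are added by us, the term itself
        // can never change the shape of the statement.
        cmd.Parameters.Add("@pattern", SqlDbType.NVarChar, 52).Value = "%" + term + "%";
        return cmd;
    }

    public static void Main()
    {
        // Constructed hostile input for the demonstration.
        string hostile = "<script>alert(1)</script>";

        Console.WriteLine(RenderUnsafe(hostile)); // a browser would run the script
        Console.WriteLine(RenderSafe(hostile));   // &lt;script&gt;... rendered as text
        Console.WriteLine(IsValidTerm(hostile));  // False: rejected before it gets near SQL
        Console.WriteLine(IsValidTerm("asp net")); // True
        Console.WriteLine(BuildSqlUnsafe("x' OR 1=1 --")); // shows the literal breaking out
    }
}
```

The order matters: validate at the boundary, encode at the point of output, parameterise at the database, and pick the connection login so that even a query that slips past the first three can only read what the page legitimately reads.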

I can’t stress enough

Security - it’s that important. I’ve listed only a few common exploits and ways to promote a more secure web application, so this is by no means a comprehensive list. Security needs to be part of the application requirements and design, but sadly, it’s often just an afterthought. But it’s not too late: existing apps can (and should) be reviewed regularly for possible security weaknesses, and changes can always be made to promote a more secure site.