Prevention is better than being Hacked



As the information technology industry grows at a rate never seen before, the number of attacks being faced each hour keeps increasing.

Wikipedia explains web security efficiently: it is a branch of information security that deals specifically with the security of websites, web applications and web services. At a higher level, web application security draws on the principles of application security but applies them specifically to Internet and Web systems.

Usually, hackers use the mistakes of the site administrator to gain access for their malicious purposes.
So here I compile a list of the 3 most 'popular' mistakes people generally make, and how to prevent them, because prevention is always better than cure.

1. Injection flaw

Injection flaws generally occur when untrusted data is not filtered and is passed on to the server or the browser, leading to hijacking of the client's browser.

Anything you receive from untrusted sources must be filtered, preferably according to a white list.
Prevention: Each and every input must be filtered before processing; not a single input should slip by.
Filtering every input is not as easy as it sounds, so you should go with your framework's filtering functions, as they are proven to work and have been thoroughly scrutinized.

2. Cross Site Scripting (XSS)

This is a more special case of injection: in this type of attack, the attacker provides JavaScript tags as input to the web application.

When this input is returned to the user, the user's browser will execute it. This is a much more sinister attack; for example, it can provide your cookies to the attacker.

Prevention: This can be prevented by not returning HTML tags to the client. This has the added benefit of preventing HTML injection too.

3. Insecure Direct Object References

In this case, the attacker can provide a direct reference to an internal object and, if authorization is either not enforced or is broken, can access or do things that he shouldn't be allowed to.

An attacker can get access to various files and databases just by crafting a line of code/URL that provides a direct reference to what he wants to access or obtain.

Prevention: User authorization must be performed properly, and the choices offered must come from a white list. Generally, the whole problem can be avoided by storing data internally; session variables in most frameworks are well suited for this.
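The sketch below is an added example, not code from the original post. It puts a lookup with no authorization check beside two corrected forms: an ownership check on every request, and a per-session white list that keeps the real ids in the session. The `INVOICES` data, the `session` dict and all function names are assumptions made for illustration.

```python
import secrets

# Constructed sample data: invoice id -> record with an owner.
INVOICES = {
    101: {"owner": "alice", "total": "120.00"},
    102: {"owner": "bob", "total": "75.50"},
}

class Forbidden(Exception):
    """Raised when the session user may not access the requested object."""

def get_invoice_unsafe(session, invoice_id):
    # Flawed: trusts the id taken from the request and never checks the owner.
    return INVOICES[int(invoice_id)]

def get_invoice_checked(session, invoice_id):
    # Corrected: authorization is enforced on every lookup. Missing and
    # foreign ids fail the same way, so ids cannot be probed for existence.
    try:
        record = INVOICES[int(invoice_id)]
    except (KeyError, ValueError, TypeError):
        raise Forbidden("access denied") from None
    if record["owner"] != session.get("user"):
        raise Forbidden("access denied")
    return record

def issue_references(session):
    # The real ids stay in the session; the client only sees random tokens.
    refs = {secrets.token_urlsafe(8): inv_id
            for inv_id, rec in INVOICES.items()
            if rec["owner"] == session["user"]}
    session["invoice_refs"] = refs
    return list(refs)

def get_invoice_by_reference(session, token):
    # The token is resolved only through this session's own white list.
    inv_id = session.get("invoice_refs", {}).get(token)
    if inv_id is None:
        raise Forbidden("access denied")
    return INVOICES[inv_id]
```

In a real framework the `session` dict would be the server-side session object, so the token-to-id map never leaves the server.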

