What are the important validations/processing which can be done during the HTTP request/response to protect a web application from vulnerabilities like cross-site scripting, cross-site request forgery and any other security attacks?

+2  A: 

There are tons of books on the topic which essentially boil down to garbage in, garbage out. Things to consider:

  1. Validate all input for malicious markup
  2. Escape strings before they go into a processing system like an SQL server
  3. Don't allow any vector for server- or client-side code injection (eval() overuse)
  4. Bind sessions to IP addresses to catch session hijacking
  5. Use SSL if required and ensure users are aware of the risks
  6. Limit attempts on passwords, and don't indirectly expose information, i.e. "We have your username, but the password is incorrect"
  7. Use signed cookies
  8. Only include source from trusted and verifiable third parties
  9. Use "I am human" verification such as a Captcha
  10. Be aware of spiders crawling through your site

The list goes on and on, and for every new technology you get more things to consider. Bottom line, have a security attitude that looks at things like an attacker would. How would you crack your own site? If you can't answer that, you need help from someone who can, or read some books.

Aiden Bell
Thank you Aiden Bell for your comments. Actually we are planning to write a single function for servicing any web request throughout our web application. So we are trying to find out all possible security vulnerabilities and try to stop them in that function. We have already taken care of SQL injection attacks and cross-site scripting attacks. I just wanted to know what are the other most important types of security attacks which can be taken care of in that function.
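As an added example (not part of the question, Aiden Bell's answer, or the follow-up comment), the sketch below shows a single central request-processing function of the kind the asker describes, in Python, covering three items from the answer's list: signed session cookies (item 7), a CSRF token check on state-changing requests, and HTML-escaping of submitted fields before they reach a template (items 1 and 2). The `Request` class, the cookie and field names (`session`, `csrf_token`, `X-CSRF-Token`) and the demo key are assumptions made for this example, not anything from the original thread.

```python
import hashlib
import hmac
import html
from dataclasses import dataclass

# Constructed demo key; a real deployment loads this from configuration.
SECRET_KEY = b"constructed-demo-key-not-for-production"

# Methods that must not change server state and therefore need no CSRF token.
SAFE_METHODS = ("GET", "HEAD", "OPTIONS")
ALLOWED_METHODS = SAFE_METHODS + ("POST", "PUT", "DELETE")


@dataclass
class Request:
    """Minimal stand-in for a framework request object (assumption for the example)."""
    method: str
    path: str
    headers: dict
    cookies: dict
    form: dict


def sign_value(value: str) -> str:
    """Return value plus an HMAC-SHA256 tag so tampering is detectable (signed cookie)."""
    tag = hmac.new(SECRET_KEY, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}.{tag}"


def verify_signed(signed: str):
    """Return the original value if the tag verifies, else None."""
    value, sep, tag = signed.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(SECRET_KEY, value.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so the tag cannot be guessed byte by byte via timing.
    return value if hmac.compare_digest(tag, expected) else None


def csrf_token_for(session_id: str) -> str:
    """Derive a per-session CSRF token; a forged cross-site form cannot know it."""
    return hmac.new(SECRET_KEY, b"csrf:" + session_id.encode(), hashlib.sha256).hexdigest()


def csrf_ok(req: Request, session_id: str) -> bool:
    """Safe methods pass; everything else must carry the session's CSRF token."""
    if req.method in SAFE_METHODS:
        return True
    token = req.form.get("csrf_token") or req.headers.get("X-CSRF-Token")
    return token is not None and hmac.compare_digest(token, csrf_token_for(session_id))


def sanitize_field(value: str) -> str:
    """Escape rather than try to detect 'malicious markup': escaped text is inert in HTML."""
    return html.escape(value, quote=True)


def process_request(req: Request) -> dict:
    """Central checks run before any handler; returns a status and, on success, cleaned form data."""
    if req.method not in ALLOWED_METHODS:
        return {"status": 405, "reason": "method not allowed"}

    session_id = None
    cookie = req.cookies.get("session")
    if cookie is not None:
        session_id = verify_signed(cookie)
        if session_id is None:
            return {"status": 400, "reason": "tampered session cookie"}

    if req.method not in SAFE_METHODS:
        if session_id is None:
            return {"status": 403, "reason": "state-changing request without a session"}
        if not csrf_ok(req, session_id):
            return {"status": 403, "reason": "missing or invalid CSRF token"}

    cleaned = {name: sanitize_field(value) for name, value in req.form.items()}
    return {"status": 200, "session": session_id, "form": cleaned}


if __name__ == "__main__":
    sid = "user42"  # constructed session id
    ok = Request("POST", "/profile", {}, {"session": sign_value(sid)},
                 {"csrf_token": csrf_token_for(sid), "name": "<b>bold</b>"})
    print(process_request(ok))
    forged = Request("POST", "/profile", {}, {"session": sign_value(sid)}, {"name": "x"})
    print(process_request(forged))
```

The function deliberately escapes at the boundary where data is about to be rendered rather than rejecting input that "looks like" markup, since a denylist of tags is easy to bypass while escaping is complete; data destined for SQL should instead be passed as bound parameters, which is a separate layer the asker already reports handling.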