Paranoid attitude: What's your degree about web security concerns?

Question

Hello,

this question can be associated to a subjective question, but this is not a really one.

When you develop a website, there is several points you must know: XSS attacks, SQL injection, etc. It can be very very difficult (and take a long time to code) to secure all potential attacks.

I always try to secure my application but I don't know when to stop.

Let's take the same example: a social networking like Facebook. (Because a bank website must secure all its datas.)

I see some approaches:

1. Do not secure XSS, SQL injection... This can be really done when you trust your user: back end for a private enterprise. But do you secure this type of application?

2. Secure attacks only when user try to access non owned datas: This is for me the best approach.

3. Secure all, all, all: You secure all datas (owner or not): the user can't break its own datas and other user datas: this is very long to do and is it very useful?

4. Secure common attacks but don't secure very hard attacks (because it's too long to code comparing to the chance of being hacked).

Well, I don't know really what to do... For me, I try to do 1, 2, 4 but I don't know if it's the great choice.

Is there an acceptable risk to not secure all your datas? May I secure all datas but it takes me double time to code a thing? What's the enterprise approach between risk and "time is money"?

Thank you to share this because I think a lot of developers don't know what is the good limit.

EDIT: I see a lot of replies talking about XSS and SQL injection, but this is not the only things to take care about.

Let's take a forum. A thread can be write in a forum where we are moderator. So when you send data to client view, you add or remove the "add" button for this forum. But when a user tries to save a thread in server side, you must check that user has the right to dot it (you can't trust on client view security).

This is a very simple example, but in some of my apps, I've got a hierarchy of rights which can be very very difficult to check (need a lot of SQL queries...) but in other hand, it's really hard to find the hack (datas are pseudo encrypted in client view, there is a lot of datas to modify to make the hack runs, and the hacker needs a good understanding of my app rules to do a hack): in this case, may I check only surface security holes (really easy hack) or may I check very hard security holes (but it will decrease my performances for all users, and takes me a long time to develop).

The second question is: Can we "trust" (to not develop a hard and long code which decreases performance) on client view for very hard hack?

Here is another post talking of this sort of hack: (hibernate and collection checking) http://stackoverflow.com/questions/2161149/security-question-how-to-secure-hibernate-collections-coming-back-from-client-to

Answer 1

All applications should have some degree of security. You generally don't ask for SSL on intranet websites, but you need to take care of SQL/XSS attacks.

All data your user enters into your application should be under your responsibility. You must make sure nobody unauthorized get access to it. Sometimes, a "not critical" information can pose a very security problem, because we're all lazy people.

Some time ago, a friend used to run a games website. Users create their profiles, forum , all that stuff. Then, some day, someone found a SQL injection open door somewhere. That attacker get all user and password information.

Not a big deal, huh? I mean, who cares about a player account into a website? But most users used same user/password to MSN, Counter Strike, etc. So become a big problem very fast.

Bottom line is: all applications should have some security concern. You should take a look into STRIDE to understand your attack vectors and take best action.

Answer 2

I think it's helpful to distinguish between preventing code injection and plain data authorization.

In my opinion, all it takes is a few good coding habits to completely eliminate SQL injection. There is simply no excuse for it.

XSS injection is a little bit different - i think it can always be prevented, but it may not be trivial if your application features user generated content. By that I simply mean that it may not be as trivial to secure your app against XSS as it is compared to SQL injection. So I do not mean that it is ok to allow XSS - I still think there is no excuse for allowing it, it's just harder to prevent than SQL injection if your app revolves around user generated content.

So SQL injection and XSS are purely technical matters - the next level is authorization: how thoroughly should one shield of access to data that is no business of the current user. Here I think it really does depend on the application, and I can imagine that it makes sense to distinguish between: "user X may not see anything of user Y" vs "Not bothering user X with data of user Y would improve usability and make the application more convenient to use".

Answer 3

"Breaking data" is not something that should ever be possible, by the authorized user or anybody else. I'd file this under "validation and sanitation of user input", and it's something you must always do. If there's just the possibility of a user "breaking your data", it'll happen sooner or later, so you need to validate any and all input into your app. Escaping SQL queries goes into this category as well, which is both a security and data sanitation concern.

The general security in your app should be sound regardless. If you have a user management system, it should do its job properly. I.e. users that aren't supposed to access something should not be able to access it.

The other problem, straight up XSS attacks, has not much to do with "breaking data" but with unauthorized access to data. This is something that depends on the application, but if you're aware of how XSS attacks work and how you can avoid them, is there any reason not to?

In summary:

• SQL injection, input validation and sanitation go hand in hand and are a must anyway
• XSS attacks can be avoided by best-practices and a bit of consciousness, you shouldn't need to do much extra work for it
• anything beyond that, like "pro-active" brute force attack filters or such things, that do cause additional work, depend on the application

Simply making it a habit to stick to best practices goes a long way in making a secure app, and why wouldn't you? :)

---

You need to see web apps as the server-client architecture they are. The client can ask a question, the server gives answers. The question is just a URL, sometimes with a bit of attached POST data.

Can I have /forum/view_thread/12345/ please?
Can I POST this $data to /forum/new_thread/ please?
Can I have /forum/admin/delete_all_users/ please?

Your security can't rely only on the client not asking the right question. Never.
The server always needs to evaluate the question and answer No when necessary.

Answer 4

I think you should try and secure everything you can, the time spent doing this is nothing compared to the time needed to fix the mess done by someone exploiting a vulnerability you left somewhere.

Most things anyway are quite easy to fix:

• sql injections have really nothing to do with sql, it's just string manipulation, so if you don't feel comfortable with that, just use prepared statements with bound parameters and forget about the problem
• cross site exploit are easily negated by escaping (with htmlentities or so) every untrusted data before sending it out as output -- of course this should be coupled with extensive data filtering, but it's a good start
• credentials theft: never store data which could provide a permanent access to protected areas -- instead save a hashed version of the username in the cookies and set a time limit to the sessions: this way an attacker who might happen to steal this data will have a limited access instead of permanent
• never suppose that just because a user is logged in then he can be trusted -- apply security rules to everybody
• treat everything you get from outside as potentially dangerous: even a trusted site you get data from might be compromised, and you don't want to fall down too -- even your own database could be compromised (especially if you're on a shared environment) so don't trust its data either

Of course there is more, like session hijacking attacks, but those are the first things you should look at.

EDIT regarding your edit:

I'm not sure I fully understand your examples, especially what you mean by "trust on client security". Of course all pages with restricted access must start with a check to see if the user has rights to see the content and optionally if he (or she) has the correct level of privilege: there can be some actions available to all users, and some others only available to a more restricted group (like moderators in a forum). All this controls have to be done on the server side, because you can never trust what the client sends you, being it data through GET, POST and even COOKIES. None of these are optional.

Answer 5

I personally prefer to secure everything at all times. It might be a paranoid approach, but when I see tons of websites throughout internet, that are vulnerable to SQL injection or even much simpler attacks, and they are not bothered to fix it until someone "hacks" them and steal their precious data, it makes me pretty much afraid. I don't really want to be the one responsible for leaked passwords or other user info.

Just ask someone with hacking experiences to check your application / website. It should give you a fair idea what's wrong and what should be updated.

You want to have strong API side ACL. Some days ago I saw a problem where a guy had secured every single UI, but the website was vulnerable through AJAX, just because his API (where he was sending requests) just trusted every single request to be checked. I could basically pull whole database through this bug.