Good Guide For Web App Security?

Question

Hello! I am pretty good on making web applications and I know how to transfer data to and from client/server, etc. I need some help though learning how to make the data exchanges more secure. That is the reason why I feel kind of scared to publish any web app I make. I wanted to know what are some good guides to help you understand and learn how to secure data transfer with your web application? Things like better authentication for example and making better logins.

You can post any suggestion, but just for your information, I mainly code my web apps with Javascript and PHP. Also, I transfer my data using JSON or XML.

Thanks a lot

Answer 1

OWASP has a great selection of guides, example projects and test applications on the subject web application security.

My personal favourite is the backend security project, which I used to prove to my manager that our internal systems needed a lot of attention, and just because backend security wasn't a user-perceived benefit, didn't mean it could be ignored.

This project in particular gives some good advice for data validation, error handling, cryptography etc.

Answer 2

I think this book is a good starting point if you want to know more about security in general in a php-application. http://phpsecurity.org/

Optionally you could consider adding an IDS to your web application. I can recommend PHPIDS

Answer 3

Google's Doctype is a (very badly named) "open encyclopedia and reference library for developers of web applications" which has a good introductory section on Web Security that focuses on XSS. Given the generic title "Web Security", it could benefit from covering more issues, such as CSRF, but it's fairly comprehensive in it's coverage of XSS attack vectors. Did you know that IE can be tricked into executing JavaScript in what should be a user uploaded image?

Answer 4

Javascript:

This might be a very interesting video for you: http://www.youtube.com/watch?v=eL5o4PFuxTY

Don't go crazy on logins and passwords. Be professionally lazy - know what you are doing! JSON is great for data transfer, XML has to much overhead in my opinion.

Use JSON.parse never use eval.

PHP

Always use mysql_real_escape_string or mysqli_escape_string. Use htmlspecialchars before displaying user input or use strip_tags before saving user input. Never trust anything coming from the user/browser.

Answer 5

There is a great post here on many aspects of creating sites, including security. This is an extract from the top answer which may help.

• It's a lot to digest but the OWASP development guide covers Web Site security from top to bottom
  • Know about SQL injection and how to prevent it
  • Never trust user input (cookies are user input too!)
  • Encrypt Hash and salt passwords rather than storing them plain-text.
  • Don't try to come up with your own fancy authentication system: it's such an easy thing to get wrong in subtle and untestable ways and you wouldn't even know it until after you're hacked.
  • Know the rules for processing credit cards. (See this question as well)
  • Use SSL/HTTPS for login and any pages where sensitive data is entered (like credit card info)
  • How to resist session hijacking
  • Avoid cross site scripting (XSS)
  • Avoid cross site request forgeries (XSRF)
  • Keep your system(s) up to date with the latest patches
  • Make sure your database connection information is secured.
  • Keep yourself informed about the latest attack techniques and vulnerabilities affecting your platform.
  • Read The Google Browser Security Handbook
  • Read The Web Application Hackers Handbook