What is your must have defence methods to common web attacks like XSS, Sql Injection, Denial of Service, etc. ?
Edit : I collected your responses under descriptions from Wikipedia. And I add some extra questions to have a complete reference.
Sql Injection
SQL injection is a code injection technique that exploits a security vulnerability occurring in the database layer of an application. The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and thereby unexpectedly executed. It is an instance of a more general class of vulnerabilities that can occur whenever one programming or scripting language is embedded inside another.
- Do not trust user input and validate it as early as possible.
- Don't build SQL from raw user input - use parameters instead.
Cross Site Scripting (XSS)
Cross-site scripting is a type of computer security vulnerability typically found in web applications which allow code injection by malicious web users into the web pages viewed by other users. Examples of such code include HTML code and client-side scripts. An exploited cross-site scripting vulnerability can be used by attackers to bypass access controls such as the same origin policy.
- Never output or execute user-submitted content verbatim.
- HTML-encode all output.
A denial-of-service attack
A denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS attack) is an attempt to make a computer resource unavailable to its intended users. Although the means to carry out, motives for, and targets of a DoS attack may vary, it generally consists of the concerted, malevolent efforts of a person or persons to prevent an Internet site or service from functioning efficiently or at all, temporarily or indefinitely.
I know it seems impossible to avoid denial-of-service attacks programmatically, but what you think ?
Brute Force Attacks
In cryptanalysis, a brute force attack is a method of defeating a cryptographic scheme by systematically trying a large number of possibilities; for example, a large number of the possible keys in a key space in order to decrypt a message. In most schemes, the theoretical possibility of a brute force attack is recognized, but it is set up in such a way that it would be computationally infeasible to carry out.
- Lock an account whenever too many login attempts went wrong. Never allow unlimited retries.
- Add a delay when the password typed in is wrong.
Some extra questions :
What do you think about web robots that try to post inputs according to your content ? For example SO is using an image validation.
What do you think about javascript eval function ?
Are there a way to access content on server which didn't exposed to outside. For example, I have a page that inserts some important records to my db, and only I know it's url. Is there a way to get this kind of files ? I know you can set some security rules over it.
(NOTE : Directory listing is disabled and I host this files.)
Thanks for the replies !