views: 227
answers: 4

I just wrote one of my first web applications (Linux, Apache, MySQL, Django), and would like to launch it publicly. It's a webform-based task disguised as a game; I intend to eventually put it on Amazon Mechanical Turk and give small bonuses to people who achieve certain scores.

Even though this app does not have a tremendously high security risk, I need to safeguard it against manipulation and reverse engineering. However, I have little formal training in testing/security. Given that there are tangible prizes to be won, I know people will have an incentive to cheat, whether by altering POST data, pressing "back" and re-submitting data until they win, etc. So far, I have been dealing with these issues on an ad-hoc basis by putting in security tests as I think of possible exploits. However, I realize there are probably lots of forms of manipulation that I haven't thought of yet.

Can anybody recommend some reading materials from which I can learn how to protect my website against manipulation and reverse engineering?
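The two cheats the question names, editing POST data and pressing "back" to re-submit, are both closed on the server: embed a single-use token in each served form and recompute the score from the submitted answers instead of trusting anything the client reports. The block below is an added example and is not code from the question or from any of the answers. It is plain Python rather than Django views, with a constructed answer key, a hypothetical SubmissionGuard class, and an in-memory set of pending tokens standing in for what a real app would keep in the session or the database.

```python
import secrets

# Constructed answer key for the demo "game": question id -> correct choice.
ANSWER_KEY = {"q1": "b", "q2": "d", "q3": "a"}
POINTS_PER_CORRECT = 10


class SubmissionGuard:
    """Issues one-time form tokens and scores submissions server-side.

    Hypothetical helper for illustration; not part of Django or of the
    original application.
    """

    def __init__(self, answer_key=ANSWER_KEY):
        self.answer_key = answer_key
        self._pending = set()   # tokens served in forms but not yet consumed
        self.scores = {}        # token -> score the server computed and accepted

    def issue_token(self):
        """Call when rendering the form; put the value in a hidden field."""
        token = secrets.token_urlsafe(16)
        self._pending.add(token)
        return token

    def score_answers(self, answers):
        """The only place a score is ever computed: from the answers, by the server."""
        return sum(
            POINTS_PER_CORRECT
            for qid, correct in self.answer_key.items()
            if answers.get(qid) == correct
        )

    def accept(self, post):
        """post is the dict of fields the client sent. Returns the accepted score,
        or None when the submission is a replay, a forgery, or otherwise unknown."""
        token = post.get("token")
        if token not in self._pending:
            return None
        # Consume the token before doing anything else, so a second POST with the
        # same token (back button, resend) is rejected even if scoring were slow.
        self._pending.discard(token)
        # A client-supplied "score" field is ignored entirely; only answers count.
        answers = {k: v for k, v in post.items() if k not in ("token", "score")}
        score = self.score_answers(answers)
        self.scores[token] = score
        return score


if __name__ == "__main__":
    guard = SubmissionGuard()
    t = guard.issue_token()
    first = guard.accept({"token": t, "q1": "b", "q2": "d", "q3": "x", "score": "9999"})
    replay = guard.accept({"token": t, "q1": "b", "q2": "d", "q3": "a"})
    print("first submission scored", first, "/ replay accepted:", replay is not None)
```

Django's CSRF token does not provide this protection on its own: it is tied to the session and reused by every form in it, so a re-POST carries a valid CSRF token. The one-time token above is a separate check layered on top of CSRF, not a replacement for it.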

+2  A: 

SQL Injection

Prevent malicious users from altering SQL queries via URL query strings.

DoS Attacks

Prevent users from the same IP address from accessing your site an excessive number of times in a small space of time.

Password Strength

When allowing users to create their own passwords, show a password strength indicator which encourages users to enter stronger passwords.

Captcha

Stop non-human users from submitting to forms by presenting a captcha image. You may also want to use this if password authentication fails multiple times, to prevent robots from guessing passwords.

nbolton
+2  A: 

A very good place to read up is OWASP; see http://www.owasp.org/index.php/Main_Page. They have extensive documentation regarding website security.

Edit: For a quick overview, check the "Top Ten."

Jeremy CD
+1  A: 

One book I might recommend is "Security Engineering" by Ross Anderson. It's fairly detailed and it gives a good overview of many different topics relating to computer security, although not all of it is relevant for securing a website.

David Zaslavsky
+2  A: 

The Google Browser Security Handbook has a lot of information about potential vulnerabilities in the web architecture, in particular the details that are affected by the behavior of web browsers (as opposed to server based vulnerabilities, like SQL injection attacks and the like). It is a good starting point for learning about how browsers work in ways that impact security, like how they handle cookies, cross domain requests, images and MIME types, etc.

Brian Campbell