Web Application Security
A security-conscious mindset assumes that all data received as input is tainted: it must be filtered before use and escaped when it leaves the application.
Security must be built in from initial specification to testing to maintenance.
Hackers will exploit vulnerabilities to execute their code, inject code or steal your data. You must develop a security mindset:
- Filter Input
- Escape Output
Validate Input
One of the key concepts to accept is that user input is unreliable and not to be trusted. It could be...
- Partially lost in transmission between server and client
- Corrupted by some in-between process
- Modified by the user in an unexpected manner
- Intentionally crafted to gain unauthorized access or to crash the application
All of the above are reasons why it is absolutely essential to validate any user input before using it.
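The two halves of the mindset above, filtering on the way in and escaping on the way out, as an added example (not code from the original page). The allowlist pattern, the field names and the sample inputs are assumptions chosen for illustration; the `triage` helper runs a batch of values through the filter and reports what survived, escaping the rejected values so that an error page never echoes hostile text back unescaped.

```python
import html
import re

# Allowlist for a hypothetical username field: only these characters, only this length.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{3,32}$")


def filter_username(raw):
    """Filter input: accept only values that match the allowlist, reject everything else."""
    if not isinstance(raw, str) or not USERNAME_RE.fullmatch(raw):
        raise ValueError("invalid username")
    return raw


def filter_quantity(raw, lo=1, hi=100):
    """Filter input: a numeric field must parse as an integer and fall inside the expected range."""
    try:
        value = int(raw)
    except (TypeError, ValueError):
        raise ValueError("quantity must be an integer")
    if not lo <= value <= hi:
        raise ValueError("quantity out of range")
    return value


def escape_for_html(value):
    """Escape output: neutralise HTML metacharacters (including quotes) before the value lands in a page."""
    return html.escape(str(value), quote=True)


def render_greeting(raw_username):
    """Both steps together: the untrusted value is filtered on entry and escaped on exit."""
    name = filter_username(raw_username)
    return "<p>Hello, " + escape_for_html(name) + "</p>"


# Constructed sample inputs (not from the page): one ordinary value, a script tag,
# an empty string as a field "lost in transmission" might arrive, and an over-long value.
SAMPLE_INPUTS = ["alice_01", "<script>alert(1)</script>", "", "bob" * 20]


def triage(inputs):
    """Run the filter over a batch and report (accepted, rejected).

    Rejected values are escaped before being stored for any error report,
    because attacker-controlled text in an error page is itself an XSS vector.
    """
    accepted, rejected = [], []
    for raw in inputs:
        try:
            accepted.append(filter_username(raw))
        except ValueError:
            rejected.append(escape_for_html(raw))
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = triage(SAMPLE_INPUTS)
    print("accepted:", ok)
    print("rejected (escaped):", bad)
    print(render_greeting("alice_01"))
```

Note that the filter is an allowlist (what is permitted) rather than a blocklist (what is forbidden): a blocklist has to anticipate every encoding trick, whereas an allowlist only has to describe the values the application actually expects.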
Web Application Security Vocabulary
- Cross Site Scripting (XSS) - XSS attacks can occur wherever an untrusted user has the ability to publish content to a trusted website. Typically, a malicious user will craft a client-side script (JavaScript, Flash, etc.) which, when parsed by a web browser, performs some activity. For example, sending all user cookies to a specified email address.
- SQL Injection - SQL = Structured Query Language. SQL is the language used to communicate with relational database systems, such as Oracle, MySQL and MS SQL Server. SQL Injection is the ability to inject commands into the database system through an existing web application.
- Session Fixation - Session fixation attacks allow a malicious user to hijack a valid user session. This attack is achieved by exploiting the way your web application manages the session ID. The session fixation attack is a subclass of session hijacking attacks.
OWASP
OWASP is the free and open application security community. There are several great sources of application security information, but OWASP is clearly one of the best. OWASP is a community of security experts from across the globe who contribute to software security best practices. You can learn about software security, download tools to test the security of your software and find detailed information on common software vulnerabilities.
A great place to start your understanding of web application security is the OWASP Guide to Building Secure Web Applications.
Topics in the OWASP guide include:
University of Arizona IT Security