Dr. Drew Hwang, CIS, Cal Poly Pomona
Secure Web Development
Alert & Audit
Regex Reference (.NET)
Regex Reference (PHP)
Philosophy of Defense
The Web Detective's Law:
All users are suspicious; all user input is untrusted.
Sun Tzu's Law:
If you know the enemy and know yourself, your victory will not stand in doubt.*
Humans are infinitely a threat to security.
Trust is not an absolute value or a binary concept.
Core Defensive Mechanisms**
The defense mechanisms employed by web applications comprise the following core elements:
: The scope of web application functionality needs to be tightly scrutinized not to introduce unnecessary attack surface.
: Handling access to the application's data and functionality to prevent unauthorized access.
: Handling input to the application's functions to prevent malformed input from causing undesirable behavior.
: Handling attackers to ensure that the application behaves appropriately when being directly targeted, taking suitable defensive and offensive measures to frustrate the attacker.
: Managing the application itself, by enabling administrators to monitor its activities and configure its functionality.
Reduce Attack Surface
The attack surface of a software environment is the scope of functionality that is available to unauthenticated users.
The first approach to improving information security is to reduce the attack surface, making a piece of software harder to attack.
The overall security provided by the mechanisms is only as strong as the weakest link in the chain.
Web applications need to handle three categories of users:
ordinary authenticated users
: Access control consists of identification, authentication, and authorization.
: Web applications should identify its externals (e.g., human actors and external applications) before interacting with them. Identification requirements are typically necessary prerequisites for authentication requirements.
: Authenticating a user involves establishing that the user is in fact who he claims to be (identification and authentication). Authentication control are typically insufficient by themselves without authorization control.
: When the authentication functions correctly, the web application knows the identity of the user. The next logical step is to decide whether an user or a page/module/program is authorized to perform a certain action or access certain data (i.e.
user roles or
After the access control, session management is needed to keep the access thereafter secure.
A web application usually receives many
from different users, some of whom are authenticated and some of whom are anonymous. In order to enforce effective access control, the application creates a
for each user and issues the user a
that identifies the user.
is a unique string that the application maps to the session. HTTP
are the standard method for transmitting sessions and tokens.
A huge variety of different attacks against web applications involve submitting unexpected input, and
is often considered as the most essential defense against these attacks.
Input validation can be implemented on both client-side and server-side. However, client-side validation is ineffective.
Common input validation approaches include:
- make potentially malicious data safe
- accept known good
- reject known bad
- validate input coming in from an untreated source into a trusted source
Another key function of the application's security is to identify the attackers, handle the attackers, and provide appropriate notification and evidence to the application's owners of what has taken place. There are three main counter-attack mechanisms:
Errors inevitably occur, but they need to be handled properly not to give attackers any clue about the application being exploited.
Maintaining audit logs
: In any applications for which security is important, key events should be logged as a matter of course.
: A well-designed alerting mechanism can use a combination of factors to diagnose how a determined attack is underway and can aggregate related events into a single alert where possible. Anomalous events monitored by alerting mechanisms often include:
, such as large numbers of requests being received from a single IP address or user, indicating a scripted attack.
, such as an unusual number of funds transfers being made to or from a single bank account.
such as those containing known attack strings.
, such as that is hidden from ordinary users but has been modified by the attackers.
Reacting to attacks:
Many security-critical applications contain built-in mechanisms to react defensively to users who are identified as potentially malicious.
: Web application should allow administrators to do the followings:
Manage user accounts and roles
Access monitoring and audit functions
Perform diagnostic tasks
Configure aspects of the application's functionality
These administrative functions are commonly implemented through the same web interface, thus making the administrative mechanism a critical part of the application's attack surface.
: Weaknesses in the authentication mechanism may enable an attacker to gain administrative access.
"The Art of War Plus The Ancient Chinese Revealed", translated by G. Gagliardi, Clearbridge Publishing, 2003.
"The Web Application Hacker's Handbook: Discovering and Exploiting Security Flaws", D. Stuttard and M. Pinto, 2008, Wiley Publishing.