Defensive Mechanism

Philosophy of Defense

  • The Web Detective's Law: All users are suspicious; all user input is untrusted.
  • Sun Tzu's Law: If you know the enemy and know yourself, your victory will not stand in doubt.*
  • Humans are infinitely a threat to security.
  • Trust is not an absolute value or a binary concept.

Core Defensive Mechanisms**

The defense mechanisms employed by web applications comprise the following core elements:
  • Attack surface: The scope of web application functionality needs to be tightly scrutinized not to introduce unnecessary attack surface.
  • Access: Handling access to the application's data and functionality to prevent unauthorized access.
  • Input: Handling input to the application's functions to prevent malformed input from causing undesirable behavior.
  • Attackers: Handling attackers to ensure that the application behaves appropriately when being directly targeted, taking suitable defensive and offensive measures to frustrate the attacker.
  • Application: Managing the application itself, by enabling administrators to monitor its activities and configure its functionality.

Reduce Attack Surface

  • The attack surface of a software environment is the scope of functionality that is available to unauthenticated users.
  • The first approach to improving information security is to reduce the attack surface, making a piece of software harder to attack.
  • The overall security provided by the mechanisms is only as strong as the weakest link in the chain.

Handling Access

  • Web applications need to handle three categories of users:
    • anonymous users
    • ordinary authenticated users
    • administrative users
  • Access control: Access control consists of identification, authentication, and authorization.
    • Identification: Web applications should identify its externals (e.g., human actors and external applications) before interacting with them.  Identification requirements are typically necessary prerequisites for authentication requirements.
    • Authentication: Authenticating a user involves establishing that the user is in fact who he claims to be (identification and authentication). Authentication control are typically insufficient by themselves without authorization control.
    • Authorization: When the authentication functions correctly, the web application knows the identity of the user. The next logical step is to decide whether  an user or a page/module/program is authorized to perform a certain action or access certain data (i.e. user roles or user privileges).
  • Session Management: After the access control, session management is needed to keep the access thereafter secure.
    • A web application usually receives many concurrent requests from different users, some of whom are authenticated and some of whom are anonymous. In order to enforce effective access control, the application creates a session for each user and issues the user a token that identifies the user.
    • The token is a unique string that the application maps to the session. HTTP cookies are the standard method for transmitting sessions and tokens.

Handling Input

  • A huge variety of different attacks against web applications involve submitting unexpected input, and input validation is often considered as the most essential defense against these attacks.
  • Input validation can be implemented on both client-side and server-side. However, client-side validation is ineffective.
  • Common input validation approaches include:
    • Sanitizing - make potentially malicious data safe
    • Whitelisting - accept known good
    • Blacklisting - reject known bad
    • Boundary validating - validate input coming in from an untreated source into a trusted source

Handling Attackers

Another key function of the application's security is to identify the attackers, handle the attackers, and provide appropriate notification and evidence to the application's owners of what has taken place.  There are three main counter-attack mechanisms:
  • Error handling: Errors inevitably occur, but they need to be handled properly not to give attackers any clue about the application being exploited.
  • Maintaining audit logs: In any applications for which security is important, key events should be logged as a matter of course. 
  • Alerting administrators: A well-designed alerting mechanism can use a combination of factors to diagnose how a determined attack is underway and can aggregate related events into a single alert where possible. Anomalous events monitored by alerting mechanisms often include:
    • Usage anomalies, such as large numbers of requests being received from a single IP address or user, indicating a scripted attack.
    • Business anomalies, such as an unusual number of funds transfers being made to or from a single bank account.
    • Malicious requests, such as those containing known attack strings.
    • Hidden data, such as that is hidden from ordinary users but has been modified by the attackers.
  • Reacting to attacks: Many security-critical applications contain built-in mechanisms to react defensively to users who are identified as potentially malicious.


    • Administrative functions: Web application should allow administrators to do the followings:
      • Manage user accounts and roles
      • Access monitoring and audit functions
      • Perform diagnostic tasks
      • Configure aspects of the application's functionality
    • These administrative functions are commonly implemented through the same web interface, thus making the administrative mechanism a critical part of the application's attack surface.
    • Administrative access: Weaknesses in the authentication mechanism may enable an attacker to gain administrative access.


    • "The Art of War Plus The Ancient Chinese Revealed", translated by G. Gagliardi, Clearbridge Publishing, 2003.
    • "The Web Application Hacker's Handbook: Discovering and Exploiting Security Flaws", D. Stuttard and M. Pinto, 2008, Wiley Publishing.