Philosophy of Defense
- The Web Detective's Law: All users are
suspicious; all user input is untrusted.
- Sun Tzu's Law: If you know the enemy and know
yourself, your victory will not stand in doubt.*
- Humans are infinitely a threat to security.
- Trust is not an absolute value or a binary concept.
Core Defensive Mechanisms**
The defense mechanisms employed by web applications comprise the
following core elements:
- Attack surface: The scope
of web application functionality needs to be tightly scrutinized not to
introduce unnecessary attack surface.
Handling access to the application's data and functionality to
prevent unauthorized access.
Handling input to the application's functions to prevent malformed
input from causing undesirable behavior.
Handling attackers to ensure that the application behaves appropriately
when being directly targeted, taking suitable defensive and offensive
measures to frustrate the attacker.
Managing the application itself, by enabling administrators to monitor
its activities and configure its functionality.
Reduce Attack Surface
- The attack surface of a software environment is the scope
of functionality that is available to unauthenticated users.
- The first approach to improving information security is to
the attack surface, making a piece of software harder to attack.
- The overall security provided by the mechanisms is only as
strong as the weakest link in the chain.
- Web applications need to handle three categories of users:
- ordinary authenticated users
control: Access control
consists of identification,
applications should identify its externals (e.g.,
human actors and external applications) before interacting with
Identification requirements are typically necessary prerequisites for
Authenticating a user involves establishing that the user
is in fact who he claims to be (identification and authentication).
Authentication control are typically insufficient by themselves without
the authentication functions correctly, the web application knows the
identity of the user. The next
logical step is to decide whether an user or a
page/module/program is authorized to perform a
certain action or access certain data (i.e. user
roles or user privileges).
Management: After the access
control, session management is needed to keep the access
- A web application usually receives many concurrent
requests from different users, some of whom
are authenticated and some of whom are anonymous. In order to enforce
effective access control, the application creates a session
for each user and issues the user a token
that identifies the user.
- The token
is a unique string that the application maps to the session. HTTP cookies
are the standard method for transmitting sessions and tokens.
- A huge variety of
different attacks against
applications involve submitting unexpected input, and input
validation is often considered as the
most essential defense against these attacks.
- Input validation can be implemented on both client-side and
server-side. However, client-side validation is ineffective.
- Common input validation approaches include:
- make potentially malicious data safe
- Whitelisting - accept known good
- Blacklisting - reject known bad
- Boundary validating - validate input coming in
from an untreated source into a trusted source
Another key function of the application's security is
to identify the attackers, handle the attackers, and provide
notification and evidence to the application's owners of what has taken
place. There are three main counter-attack mechanisms:
- Error handling: Errors inevitably occur, but
they need to be handled properly not to give attackers any clue about
the application being exploited.
- Maintaining audit logs: In any applications for
which security is important, key events should be logged as a matter of
- Alerting administrators: A well-designed alerting mechanism can use a combination of
factors to diagnose how a determined attack is underway and can
aggregate related events into a single alert where possible. Anomalous
events monitored by alerting mechanisms often include:
- Usage anomalies, such as large numbers of
requests being received from a single IP address or user, indicating a
- Business anomalies, such as an unusual number of
funds transfers being made to or from a single bank account.
- Malicious requests, such as those containing
known attack strings.
- Hidden data, such as that is hidden from
ordinary users but has been modified by the attackers.
- Reacting to attacks: Many
security-critical applications contain built-in mechanisms to react
defensively to users who are identified as potentially malicious.
- Administrative functions: Web
application should allow administrators to do the followings:
- Manage user accounts
- Access monitoring and audit functions
- Perform diagnostic
- Configure aspects of the application's functionality
- These administrative
commonly implemented through the same
web interface, thus making the
administrative mechanism a critical part of the
application's attack surface.
- Administrative access: Weaknesses in
the authentication mechanism
may enable an
attacker to gain administrative access.
- "The Art of War
Plus The Ancient Chinese
translated by G. Gagliardi, Clearbridge Publishing, 2003.
- "The Web Application Hacker's Handbook: Discovering and Exploiting
Security Flaws", D. Stuttard and M. Pinto, 2008, Wiley Publishing.