Web Application Break-In


This article can also be found in the Premium Editorial Download "Information Security magazine: Special manager's guide: Monitoring identities."

Download it now to read this article plus other related content.

Holistic Protection
To effectively combat Web application attacks, you need a holistic approach; tackling one vulnerability will often strengthen your defenses against another. At the core of your application security strategy should be a policy that enforces secure coding practices, ensuring that vulnerability detection and assessments are performed during any application development or deployment.

Start by identifying the places where data enters or exits the application, and ensure that validation occurs for every part of the HTTP request before letting it anywhere near your scripts, data access routines and SQL queries. Next, you need to review the trust levels assigned to application entry and exit points and define the privileges that external users and processes are granted to access the system. A useful exercise is to create a data flow diagram that tracks how data flows through the application. If there is system or application failure, make sure your application doesn't return specific details about the error as this can provide useful information to an attacker.

The Web application itself needs to run under the least amount of privileges necessary for it to function correctly. Certainly, never use the default account, such as SQL Server's "sa" account. Ensure that any connection to a database or other resource is made using a least-privileged account, and you must lock down your database and Web servers. Remove non-required features such

    Requires Free Membership to View

as example databases and test pages; disable unneeded stored procedures; and monitor and back up your database server in the same way as your Web server.

This process should involve running a vulnerability scanner on a regular basis. Many scanners are now automated, and many can scan for XSS vulnerabilities and Google hacks. SANS has a list of tools and services that find and fix the top 20 vulnerabilities at www.sans.org/top20/ 2005/tools.pdf.

This was first published in August 2006

There are Comments. Add yours.

TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: