Improving Web Application Security: Threats and - CGISecurity

More documents

Recommendations

Info

10 Part I: Introduction to Threats and CountermeasuresTable 1.3: Application Vulnerability CategoriesCategoryInput ValidationDescriptionHow do you know that the input that your application receives is valid andsafe? Input validation refers to how your application filters, scrubs, orrejects input before additional processing.AuthenticationAuthorizationConfigurationManagementSensitive DataSession ManagementCryptographyParameter ManipulationException ManagementAuditing and Logging“Who are you?” Authentication is the process where an entity proves theidentity of another entity, typically through credentials, such as a username and password.“What can you do?” Authorization is how your application provides accesscontrols for resources and operations.Who does your application run as? Which databases does it connect to?How is your application administered? How are these settings secured?Configuration management refers to how your application handles theseoperational issues.Sensitive data refers to how your application handles any data that mustbe protected either in memory, over the wire, or in persistent stores.A session refers to a series of related interactions between a user andyour Web application. Session management refers to how your applicationhandles and protects these interactions.How are you keeping secrets, secret (confidentiality)? How are youtamperproofing your data or libraries (integrity)? How are you providingseeds for random values that must be cryptographically strong?Cryptography refers to how your application enforces confidentiality andintegrity.Form fields, query string arguments, and cookie values are frequentlyused as parameters for your application. Parameter manipulation refersto both how your application safeguards tampering of these values andhow your application processes input parameters.When a method call in your application fails, what does your applicationdo? How much do you reveal? Do you return friendly error information toend users? Do you pass valuable exception information back to thecaller? Does your application fail gracefully?Who did what and when? Auditing and logging refer to how yourapplication records security-related events.
Chapter 1: Web Application Security Fundamentals 11Security PrinciplesRecommendations used throughout this guide are based on security principles thathave proven themselves over time. Security, like many aspects of softwareengineering, lends itself to a principle-based approach, where core principles can beapplied regardless of implementation technology or application scenario. The majorsecurity principles used throughout this guide are summarized in Table 1.4.Table 1.4: Summary of Core Security PrinciplesPrincipleCompartmentalizeConceptsReduce the surface area of attack. Ask yourself how you will contain aproblem. If an attacker takes over your application, what resources can heor she access? Can an attacker access network resources? How are yourestricting potential damage? Firewalls, least privileged accounts, and leastprivileged code are examples of compartmentalizing.Use least privilegeApply defense in depthDo not trust user inputCheck at the gateFail securelySecure the weakestlinkCreate secure defaultsReduce your attacksurfaceBy running processes using accounts with minimal privileges and accessrights, you significantly reduce the capabilities of an attacker if the attackermanages to compromise security and run code.Use multiple gatekeepers to keep attackers at bay. Defense in depthmeans you do not rely on a single layer of security, or you consider that oneof your layers may be bypassed or compromised.Your application’s user input is the attacker’s primary weapon whentargeting your application. Assume all input is malicious until provenotherwise, and apply a defense in depth strategy to input validation, takingparticular precautions to make sure that input is validated whenever a trustboundary in your application is crossed.Authenticate and authorize callers early — at the first gate.If an application fails, do not leave sensitive data accessible. Returnfriendly errors to end users that do not expose internal system details. Donot include details that may help an attacker exploit vulnerabilities in yourapplication.Is there a vulnerability at the network layer that an attacker can exploit?What about the host? Is your application secure? Any weak link in the chainis an opportunity for breached security.Is the default account set up with least privilege? Is the default accountdisabled by default and then explicitly enabled when required? Does theconfiguration use a password in plaintext? When an error occurs, doessensitive information leak back to the client to be used potentially againstthe system?If you do not use it, remove it or disable it. Reduce the surface area ofattack by disabling or removing unused services, protocols, andfunctionality. Does your server need all those services and ports? Doesyour application need all those features?
Page 1:
Improving WebApplication SecurityTh
Page 4 and 5:
Information in this document, inclu
Page 6 and 7:
viImproving Web Application Securit
Page 8 and 9:
viiiImproving Web Application Secur
Page 10 and 11:
xImproving Web Application Security
Page 12 and 13:
xiiImproving Web Application Securi
Page 14 and 15:
xivImproving Web Application Securi
Page 16 and 17:
xviImproving Web Application Securi
Page 18 and 19:
xviiiImproving Web Application Secu
Page 20 and 21:
xxImproving Web Application Securit
Page 22 and 23:
xxiiImproving Web Application Secur
Page 27 and 28:
Contents xxvii.NET Remoting Securit
Page 29 and 30:
Contents xxixStaying Secure (contin
Page 31 and 32:
Contents xxxiASP.NET Architecture o
Page 33 and 34:
Contents xxxiiiSummary ............
Page 35 and 36:
Contents xxxvIndex of Checklists 68
Page 37 and 38:
Contents xxxviiChecklistSecuring Da
Page 39 and 40:
Contents xxxixHow ToIndex 743How To
Page 41 and 42:
Contents xliRestricting Server-to-S
Page 43 and 44: ForewordsForeword by Mark CurpheyWh
Page 45 and 46: Forewords xlvForeword by Joel Scamb
Page 47: Forewords xlviiFinally, techniques
Page 50 and 51: lImproving Web Application Security
Page 52 and 53: liiImproving Web Application Securi
Page 54 and 55: livImproving Web Application Securi
Page 56 and 57: lviImproving Web Application Securi
Page 58 and 59: lviiiImproving Web Application Secu
Page 60 and 61: lxImproving Web Application Securit
Page 62 and 63: lxiiImproving Web Application Secur
Page 64 and 65: lxivImproving Web Application Secur
Page 66 and 67: lxviImproving Web Application Secur
Page 68 and 69: lxviiiImproving Web Application Sec
Page 70 and 71: lxxImproving Web Application Securi
Page 72 and 73: lxxiiImproving Web Application Secu
Page 75 and 76: Fast Track — How To Implementthe
Page 77 and 78: Fast Track — How To Implement the
Page 85: Part IIntroduction to Threats andCo
Page 88 and 89: 4 Part I: Introduction to Threats a
Page 96 and 97: 12 Part I: Introduction to Threats
Page 129 and 130: 3Threat ModelingIn This Chapter●
Page 131 and 132: Chapter 3: Threat Modeling 47Threat
Page 133 and 134: Chapter 3: Threat Modeling 49Archit
Page 135 and 136: Chapter 3: Threat Modeling 51Figure
Page 137 and 138: Chapter 3: Threat Modeling 53Identi
Page 139 and 140: Chapter 3: Threat Modeling 55Docume
Page 141 and 142: Chapter 3: Threat Modeling 57●●
Page 143 and 144: Chapter 3: Threat Modeling 59●●
Page 145 and 146:
Chapter 3: Threat Modeling 61Note I
Page 147 and 148:
Chapter 3: Threat Modeling 63Risk =
Page 149 and 150:
Chapter 3: Threat Modeling 65Table
Page 151:
Part IIDesigning SecureWeb Applicat
Page 154 and 155:
70 Part II: Designing Secure Web Ap
Page 156 and 157:
Page 158 and 159:
Page 160 and 161:
Page 162 and 163:
Page 164 and 165:
Page 166 and 167:
Page 168 and 169:
Page 170 and 171:
Page 172 and 173:
Page 174 and 175:
Page 176 and 177:
Page 178 and 179:
Page 180 and 181:
Page 182 and 183:
Page 184 and 185:
100 Part II:Designing Secure Web Ap
Page 186 and 187:
Page 188 and 189:
Page 190 and 191:
Page 192 and 193:
Page 194 and 195:
Page 196 and 197:
Page 198 and 199:
Page 200 and 201:
Page 202 and 203:
Page 204 and 205:
Page 206 and 207:
Page 208 and 209:
Page 211:
Part IIIBuilding Secure WebApplicat
Page 214 and 215:
130 Part III: Building Secure Web A
Page 216 and 217:
Page 218 and 219:
Page 220 and 221:
Page 222 and 223:
Page 224 and 225:
Page 226 and 227:
Page 228 and 229:
Page 230 and 231:
Page 232 and 233:
Page 234 and 235:
Page 236 and 237:
Page 238 and 239:
Page 240 and 241:
Page 242 and 243:
Page 244 and 245:
Page 246 and 247:
Page 248 and 249:
Page 250 and 251:
Page 252 and 253:
Page 254 and 255:
Page 256 and 257:
Page 258 and 259:
Page 260 and 261:
Page 262 and 263:
Page 265 and 266:
8Code Access Security in PracticeIn
Page 267 and 268:
Chapter 8: Code Access Security in
Page 269 and 270:
Page 271 and 272:
Page 273 and 274:
Page 275 and 276:
Page 277 and 278:
Page 279 and 280:
Page 281 and 282:
Page 283 and 284:
Page 285 and 286:
Page 287 and 288:
Page 289 and 290:
Page 291 and 292:
Page 293 and 294:
Page 295 and 296:
Page 297 and 298:
Page 299 and 300:
Page 301 and 302:
Page 303:
Page 306 and 307:
Page 308 and 309:
Page 310 and 311:
Page 312 and 313:
Page 314 and 315:
Page 316 and 317:
Page 318 and 319:
Page 320 and 321:
Page 322 and 323:
Page 324 and 325:
Page 326 and 327:
Page 328 and 329:
Page 330 and 331:
Page 332 and 333:
Page 334 and 335:
Page 336 and 337:
Page 338 and 339:
Page 340 and 341:
Page 342 and 343:
Page 344 and 345:
Page 346 and 347:
Page 348 and 349:
Page 350 and 351:
Page 352 and 353:
Page 354 and 355:
Page 356 and 357:
Page 358 and 359:
Page 360 and 361:
Page 362 and 363:
Page 364 and 365:
Page 366 and 367:
Page 368 and 369:
Page 370 and 371:
Page 372 and 373:
Page 374 and 375:
Page 376 and 377:
Page 378 and 379:
Page 380 and 381:
Page 383 and 384:
11Building Secure ServicedComponent
Page 385 and 386:
Chapter 11: Building Secure Service
Page 387 and 388:
Page 389 and 390:
Page 391 and 392:
Page 393 and 394:
Page 395 and 396:
Page 397 and 398:
Page 399 and 400:
Page 401:
Page 404 and 405:
Page 406 and 407:
Page 408 and 409:
Page 410 and 411:
Page 412 and 413:
Page 414 and 415:
Page 416 and 417:
Page 418 and 419:
Page 420 and 421:
Page 422 and 423:
Page 424 and 425:
Page 426 and 427:
Page 428 and 429:
Page 430 and 431:
Page 432 and 433:
Page 434 and 435:
Page 436 and 437:
Page 438 and 439:
Page 440 and 441:
Page 442 and 443:
Page 444 and 445:
Page 446 and 447:
Page 448 and 449:
Page 450 and 451:
Page 452 and 453:
Page 454 and 455:
Page 456 and 457:
Page 458 and 459:
Page 460 and 461:
Page 462 and 463:
Page 464 and 465:
Page 466 and 467:
Page 468 and 469:
Page 470 and 471:
Page 472 and 473:
Page 474 and 475:
Page 476 and 477:
Page 478 and 479:
Page 480 and 481:
Page 482 and 483:
Page 485:
Part IVSecuring Your Network,Host,
Page 488 and 489:
404 Part IV: Securing Your Network,
Page 490 and 491:
Page 492 and 493:
Page 494 and 495:
Page 496 and 497:
Page 498 and 499:
Page 500 and 501:
Page 502 and 503:
Page 504 and 505:
Page 506 and 507:
Page 508 and 509:
Page 510 and 511:
Page 512 and 513:
Page 514 and 515:
Page 516 and 517:
Page 518 and 519:
Page 520 and 521:
Page 522 and 523:
Page 524 and 525:
Page 526 and 527:
Page 528 and 529:
Page 530 and 531:
Page 532 and 533:
Page 534 and 535:
Page 536 and 537:
Page 538 and 539:
Page 540 and 541:
Page 542 and 543:
Page 544 and 545:
Page 546 and 547:
Page 548 and 549:
Page 550 and 551:
Page 552 and 553:
Page 554 and 555:
Page 556 and 557:
Page 558 and 559:
Page 560 and 561:
Page 562 and 563:
Page 564 and 565:
Page 566 and 567:
Page 568 and 569:
Page 570 and 571:
Page 572 and 573:
Page 574 and 575:
Page 576 and 577:
Page 578 and 579:
Page 580 and 581:
Page 582 and 583:
Page 585 and 586:
18Securing Your Database ServerIn T
Page 587 and 588:
Chapter 18: Securing Your Database
Page 589 and 590:
Page 591 and 592:
Page 593 and 594:
Page 595 and 596:
Page 597 and 598:
Page 599 and 600:
Page 601 and 602:
Page 603 and 604:
Page 605 and 606:
Page 607 and 608:
Page 609 and 610:
Page 611 and 612:
Page 613 and 614:
Page 615 and 616:
Page 617 and 618:
Page 619 and 620:
Page 621 and 622:
Page 623 and 624:
Page 625:
Page 628 and 629:
Page 630 and 631:
Page 632 and 633:
Page 634 and 635:
Page 636 and 637:
Page 638 and 639:
Page 640 and 641:
Page 642 and 643:
Page 644 and 645:
Page 646 and 647:
Page 648 and 649:
Page 650 and 651:
Page 652 and 653:
Page 654 and 655:
Page 656 and 657:
Page 658 and 659:
Page 660 and 661:
Page 662 and 663:
Page 664 and 665:
Page 666 and 667:
Page 668 and 669:
Page 670 and 671:
Page 672 and 673:
Page 674 and 675:
Page 676 and 677:
Page 678 and 679:
Page 680 and 681:
Page 682 and 683:
Page 684 and 685:
Page 686 and 687:
Page 689 and 690:
21Code ReviewIn This Chapter●●
Page 691 and 692:
Chapter 21: Code Review 607For exam
Page 693 and 694:
Chapter 21: Code Review 609Identify
Page 695 and 696:
Chapter 21: Code Review 611Check to
Page 697 and 698:
Chapter 21: Code Review 613Check th
Page 699 and 700:
Chapter 21: Code Review 615Buffer O
Page 701 and 702:
Chapter 21: Code Review 617Is Your
Page 703 and 704:
Chapter 21: Code Review 619●Does
Page 705 and 706:
Chapter 21: Code Review 621Do You S
Page 707 and 708:
Chapter 21: Code Review 623The foll
Page 709 and 710:
Chapter 21: Code Review 625●Do yo
Page 711 and 712:
Chapter 21: Code Review 627●Do yo
Page 713 and 714:
Chapter 21: Code Review 629●●Is
Page 715 and 716:
Chapter 21: Code Review 631Do You V
Page 717 and 718:
Chapter 21: Code Review 633Do You S
Page 719 and 720:
Chapter 21: Code Review 635Do You E
Page 721 and 722:
Chapter 21: Code Review 637Check th
Page 723 and 724:
Chapter 21: Code Review 639Do You P
Page 725 and 726:
Chapter 21: Code Review 641Search f
Page 727 and 728:
22Deployment ReviewIn This Chapter
Page 729 and 730:
Chapter 22: Deployment Review 645Pa
Page 731 and 732:
Chapter 22: Deployment Review 647
Page 733 and 734:
Page 735 and 736:
Chapter 22: Deployment Review 651Re
Page 737 and 738:
Chapter 22: Deployment Review 653Fo
Page 739 and 740:
Page 741 and 742:
Chapter 22: Deployment Review 657Ma
Page 743 and 744:
Page 745 and 746:
Chapter 22: Deployment Review 661Th
Page 747 and 748:
Chapter 22: Deployment Review 663Th
Page 749 and 750:
Chapter 22: Deployment Review 665Ac
Page 751 and 752:
Page 753 and 754:
Chapter 22: Deployment Review 669Ho
Page 755 and 756:
Page 757 and 758:
Chapter 22: Deployment Review 673Fi
Page 759 and 760:
Chapter 22: Deployment Review 675Au
Page 761 and 762:
Chapter 22: Deployment Review 677SQ
Page 763 and 764:
Page 765 and 766:
Related Security ResourcesRelated M
Page 767 and 768:
Related Security Resources 683Commu
Page 769:
Related Security Resources 685Commo
Page 772 and 773:
688 Improving Web Application Secur
Page 774 and 775:
Page 776 and 777:
Page 778 and 779:
Page 780 and 781:
Page 782 and 783:
Page 784 and 785:
Page 786 and 787:
Page 788 and 789:
Page 790 and 791:
Page 793 and 794:
Checklist:Securing Enterprise Servi
Page 795:
Checklist: Securing Enterprise Serv
Page 798 and 799:
Page 801 and 802:
Checklist:Securing Data AccessHow t
Page 803:
Checklist: Securing Data Access 719
Page 806 and 807:
Page 808 and 809:
Page 810 and 811:
Page 812 and 813:
Page 814 and 815:
Page 816 and 817:
Page 819 and 820:
Checklist:Security Review for Manag
Page 821 and 822:
Checklist: Security Review for Mana
Page 823 and 824:
Page 825:
Page 829 and 830:
How To:Implement Patch ManagementAp
Page 831 and 832:
How To: Implement Patch Management
Page 833 and 834:
Page 835 and 836:
Page 837 and 838:
Page 839 and 840:
How To:Harden the TCP/IP StackAppli
Page 841 and 842:
How To: Harden the TCP/IP Stack 757
Page 843 and 844:
Page 845 and 846:
Page 847:
Page 850 and 851:
Page 852 and 853:
Page 854 and 855:
Page 856 and 857:
Page 858 and 859:
Page 861 and 862:
How To:Use IPSec for Filtering Port
Page 863 and 864:
How To: Use IPSec for Filtering Por
Page 865 and 866:
Page 867 and 868:
Page 869 and 870:
Page 871 and 872:
How To:Use the Microsoft BaselineSe
Page 873 and 874:
How To: Use the Microsoft Baseline
Page 875 and 876:
Page 877:
Page 880 and 881:
Page 882 and 883:
Page 885 and 886:
How To:Use URLScanApplies ToSummary
Page 887 and 888:
How To: Use URLScan 803Throttling R
Page 889 and 890:
How To:Create a CustomEncryption Pe
Page 891 and 892:
How To: Create a Custom Encryption
Page 893 and 894:
Page 895 and 896:
Page 897 and 898:
Page 899 and 900:
Page 901 and 902:
Page 903 and 904:
Page 905 and 906:
Page 907 and 908:
How To:Use Code Access Security Pol
Page 909 and 910:
How To: Use Code Access Security Po
Page 911 and 912:
Page 913 and 914:
Page 915:
Page 918 and 919:
patterns & practicesProven practice
show all

Improving Web Application Security: Threats and - CGISecurity

Create successful ePaper yourself

Delete template?

Save as template?