• Table of Contents
• Next Chapter

Chapter 18

Security

Until now we’ve dedicated the bulk of our time to the selection, design and implementation of web app features. The development process must also consider non-functional aspects of the application, the most important of which are security and performance.

Feature development is a relatively short-term investment that is iterated to retain customers or capture additional market share. Non-functional development is a long-term investment to enable growth, protect the business and reputation, and alleviate legal issues. It too requires frequent attention and is not simply a checklist to mark off once at the start of a project.

*I should more accurately call this cracking, but I’ll stick with the term hacking.

A 2010 survey¹ found that one in six New York teenagers and one in four UK teenagers admitted to hacking*. There is surely no scenario in which a teenager would ever lie, but even if you take these numbers with a pinch of salt, there’s no escaping the fact that millions of devious and bored hacker-wannabes have access to massive amounts of inexpensive computer power and sophisticated software.

Anatomy of a web app attack

The typical web-based attack follows three steps: discovery, exploitation and escalation.

In the initial discovery phase, the attacker profiles a system and gathers information. They may try to locate unsecured test servers using DNS zone transfers, perform port scans and ping sweeps to determine potential access points, and identify what software versions the server and web app are running through a variety of exposed footprints, including HTTP headers and verbose error messages. They’ll also run automated fuzz testing² software to pass invalid and random data into your app to uncover easy security holes.

The attacker assesses the information and uses it to exploit the system and gain access, perhaps through an unpatched web framework that identifies its old version number in the HTML. Finally, having gained a foothold in the system, the attacker attempts to escalate their privileges to full administrator access. A security hole that allows the user to display any server file to screen, for example, could be used to view the database configuration file, whose connection settings may also allow access to the main web server.

If a suitable exploit can’t be found, a malicious attacker with an agenda may resort to a denial of service (DoS) attack. This floods the web app servers with traffic in an effort to cripple the service under load.

Attacks can be targeted at the app software, the server software, the network software, the hardware or even at the people who work on the app.

The layers of web app security

Social engineering hacks and countermeasures

The easiest way into a system is to be given the keys. All the technology security in the world won’t stop a hacker who has genuine access to the system. Obtaining access credentials through personal persuasion and manipulation is often referred to as wetware hacking, rather than software or hardware hacking.

In the discovery phase the attacker undertakes reconnaissance on the target, typically someone working on the app. Thanks to personal blogs, public social media profiles and domain registration records, it can take only a few minutes to identify addresses, service and utility providers, birthdays, holiday schedules, phone numbers and the full names of friends and family.

Armed with this information, the attacker exploits the target with pretexting: inventing a fake scenario based on their current knowledge of the target. This may be a phone call, email or online message from a colleague or service provider, where the basic information is used to establish a sense of authenticity and trust. This can be used to further flesh out the information for a later and greater hack or, in the case of phishing, it is used to ask outright for access credentials.

For example, it wouldn’t be difficult for an attacker to use social media to discover that a target’s colleague is on vacation in Barbados; they may even be able to download a recent photo of them on holiday. Armed with this, the attacker could create an ostensibly authentic online webmail account from which to email the target with, “Greetings from Barbados! PS I’ve forgotten my work email account details. Can you reset them for me please?” Once this has been granted, an escalation to full access is straightforward.

There are several effective countermeasures against social hacking.

Awareness

Ensure that everyone on the app team understands how social hacks work and what they look like. As we’ll see, a fundamental rule of web security is to never trust input, which extends to input from telephones, emails and instant messages.

Training

If you work in a large organisation, recognise that social hacks can begin with anyone. Policies and training need to clarify which information is sensitive, and how and when to check the validity of someone’s identity. Be a good citizen and let your friends and family know too.

Privacy

Limit the amount of personal information that you put online and enable privacy options where available.

Passwords

Secure your computer by enabling a password-protected screensaver when away from it, and disabling auto-login from reboots. Use keys³ rather than passwords for server access to make it more difficult for an attacker to overhear or sneakily read a password being typed in. To control the damage of any breaches, use unique strong passwords for each system: don’t re-use passwords. This is advice that everyone preaches but few practise, but there is now little excuse thanks to password manager applications like 1Password⁴ that also synchronise passwords between computers and mobile devices.

Network hacks and countermeasures

Routers, switches and firewalls act as the first line of defence for your app, protecting it from a deluge of unwanted probes and attacks. It’s likely that you will initially host your app on a third-party network, in which case the security of the network components lies mostly outside of your control, except the choice of provider.

Attacks at this level commonly include physical tampering (to eavesdrop on network traffic, perhaps) and exploitation of low-level protocols, services and data.

Countermeasures that you should discuss with your provider, or implement in-house when the time arrives include:

• Patches: update firmware and other component software regularly.
• Security: ensure adequate physical security and control access to the hardware.
• Passwords: change all default component passwords to strong, unique passwords.
• Privacy: remove component footprints and identifiers from outgoing messages.
• Blocks: block and disable all unused ports, protocols and services. For example, disable FTP and Telnet ports and services in favour of SFTP and SSH.
• Filters: block or filter low-level traffic that can be used in DoS attacks, such as ICMP messages⁵.
• Logs: log and regularly audit traffic, especially blocked and unusual requests.
• Detection: implement an intrusion detection system (IDS) that detects attempted attacks and notifies an administrator.

Server hacks and countermeasures

Web servers are powerful machines that host valuable websites and databases. They also have fast access to the internet. As such they make an attractive target to attackers and, given their mix of hardware and complex software components, they make a large target to hit.

Most of the previous network countermeasures also apply to servers: secure the physical hardware; use strong passwords or keys; remove software footprints; disable unused services and ports; log traffic and regularly patch the software.

Additionally, you should lock down the server software. The web server (Apache, IIS and so on) should run as a non-root user, with the minimum possible privileges. Grant the server access to files within the web root only and ensure that only the root user can change the web server configuration file. All other users on the server should be suitably locked down.

Tweak the connection settings, if necessary. Optimum values will depend on the amount and size of files that your app serves and requests from users. Adjust the settings that control HTTP connections, such as the valid maximum size of requests and the number of Keep-Alive requests per connection. This can help the server to withstand DoS attacks.

Directory browsing and server-side includes should be disabled. Filter some malevolent requests automatically with a module like mod_security (Apache) or UrlScan (IIS).

Web app hacks and countermeasures

A web app exposes a minefield of vulnerabilities:

• To identify the current user, the stateless nature of HTTP compels most apps to send a cookie from the browser to the app. This is frequently in plain text and across an unsecured connection.
• An app must accept and process a wide variety of user input, and often shares the input with other users.
• Apps are often built with third-party libraries, which may expose their own vulnerabilities. Similarly, apps increasingly rely on third-party services and APIs for content and functionality, which present additional routes into the system.
• An app is responsible for the security of its user accounts and personal data. It must account for weak user passwords and poor user security decisions.

Web app attacks are not necessarily sophisticated. At least half of 2010’s most common vulnerabilities⁶ were exploited through simple manipulation of user input, including query string parameters and HTTP headers.

SQL injection

Most apps create dynamic SQL queries based on URL parameters or user input. The URL http://app.com/user/23 might be interpreted by the SQL statement SELECT * FROM user WHERE ID = $id where the $id variable is dynamically inserted from the URL by server-side code. The attacker can manipulate the input value so that additional code is interpreted by the SQL statement. For instance, http://app.com/user/23;+DROP+TABLE+user; attempts to run a second statement on the database to delete user data.

Cross-site scripting (XSS)

Most apps incorporate data added by the user into the HTML. For example, a search for the term Dogtanian might result in “Your search for Dogtanian returned 3 results”. An attacker can manipulate this to insert scripts into the HTML that run from the same origin as the main website and, therefore, have access to trusted user data. An example exploit search might be:

Cross-site request forgery (CSRF)

As the name suggests, an attacker may imitate a request to the app from an unsuspecting user while they browse another website. If an app uses URLs for important actions (a GET HTTP request rather than a POST request) and a cookie is trusted for authentication, it is exploitable.

For example, a link in an app to transfer money might have the URL:

http://app.com/transfer?to=mother&amount=500

…where the user cookie identifies who the request is from. An attacker can copy a similar link to their website inside an image element, so that the request to the app is unnoticeable:

If a user who has been previously authenticated with the app visits the attacker’s website, the browser will send the app’s authentication cookie to the app when it requests the image, which triggers the app into performing the attacker’s action.

Session hijacking

If an attacker can monitor unsecured HTTP traffic between a user and the app, they can capture the user’s cookie and use it in their own requests to spoof the user’s session. This is easier than it sounds, as the Firesheep⁷ tool demonstrated: traffic on an open wireless network is simple to intercept.

Countermeasures

The most important defence against these attacks is to never trust input. Assume that all input outside of your control is malicious, including that from users, from HTTP headers and from third parties.

It is better to constrain valid input than to only check for malicious input. If a user ID is always an integer between 1 and 10,000,000, constrain the allowed values to this range. Constrain input by type (integer, string and so on), length (number of characters) and format (such as a valid email address). If it doesn’t match, reject it. Never rely on client-side validation alone.

Log and reject invalid input. Check input for common hacker patterns in multiple character encodings. This includes script elements, SQL statements and file paths. Sanitise input before it is displayed in the output. For example, a search string should rarely contain HTML code, so strip the input of all markup and convert all HTML entities in the output. Only use parameterised SQL queries and stored procedures, which strictly sanitise SQL input.

Validate the source of input where possible. If you expect input from a POST request, do not accept the same parameters from a GET request. Consider checking the HTTP referrer, though this can be spoofed easily. Similarly, consider including the IP address and user agent of the authenticating user in their cookie identifier as a checksum (to be checked on each subsequent request), taking into account that these too can be spoofed and should not be solely relied on.

A better solution for important forms is to use a form token. At the start of a user session, create a long random token for the user and store it in their server-side session data. Include this token as a hidden field in every POSTed form; if the token in a request doesn’t match the server-side value, reject the request. To further enhance security, make sure the token only works for a limited amount of time before generating a new one.

Other important web app attack countermeasures:

• Use a secure connection (HTTPS) for the transmission of sensitive data, including registration and login credentials.
• Unless your JavaScript needs to access cookie information, add the HttpOnly parameter to the end of your Set-Cookie statements to enable HTTP-only cookies. This will prevent malicious JavaScript from gaining access to a user’s cookie data in most browsers.
• If you decide to implement HTTPS by default across all pages of the app, add the Secure parameter to your Set-Cookie statement so that cookies are only sent for pages with secure connections.
• Do not include sensitive information in cookie data.
• Do not pass sensitive information in HTTP GET URLs.
• Don’t rely on a cookie for identification when a user asks to change important data. Have the user reconfirm their current password in order to change their password, email address or other important information.
• Do not use GET requests for important actions in the app. Any request that results in a change of data on the server should be performed by a POST only.
• Create a database login for the app’s connection with the least amount of privileges possible. An app usually doesn’t need to create, drop or truncate tables, so remove those privileges.
• Always explicitly set the character encoding of HTML output to prevent UTF-7 encoded hacks in Internet Explorer⁸. You can also send an X-Content-Type-Options: nosniff header field to tell Internet Explorer not to guess the MIME-type of content.
• Send an X-Frame-Options header field with a value of SAMEORIGIN or DENY to prevent other websites from mimicking your app by displaying your pages inside a frame.
• Add the autocomplete="off" attribute to form fields that request sensitive information.
• Never leak information in error messages. Always return a generic error page.
• Keep third-party libraries up-to-date.
• Never store a user password in plain text. Store a hash⁹ of the password and use the same hash algorithm to compare and verify the password when the user logs in. Do not use an MD5 hash, which can be easily cracked with freely available rainbow tables¹⁰. Instead, use a slower algorithm like bcrypt¹¹.
• Enforce strong passwords. Sophisticated password encryption is worthless if the user chooses an easily guessable password. Don’t go over the top and insist on thirty-two obscure characters, but do require a minimum length of eight characters and at least one special character (@, $, and so on).

Summary

Even the smallest web app faces attack from thousands of indiscriminate hacking tools; put basic security measures in place to protect your app and your users’ data.

• Everyone working on the app should be aware of social hacks and how they work.
• Ensure that your hosting provider is secure and that it keeps its systems updated.
• Keep all software, including third-party libraries, updated.
• Configure your web and database servers to minimise risk.
• Never trust user input. Assume that all input can be malicious, including header information. Reject invalid input rather than trying to clean or convert it.
• Never display raw user data to the screen: always sanitise it.
• Use HTTPS for sensitive credentials, including login, registration and financial data.
• Don’t let your users create weak passwords, and encrypt passwords with a slow algorithm like bcrypt.

• ¹ http://www.tufin.com/news_events_press_releases.php?index=2010-04-14
• ² http://en.wikipedia.org/wiki/Fuzz_testing
• ³ http://en.wikipedia.org/wiki/Public-key_cryptography
• ⁴ http://agilewebsolutions.com/onepassword
• ⁵ http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol
• ⁶ http://www.owasp.org/index.php/Top_10_2010-Main
• ⁷ http://codebutler.com/firesheep
• ⁸ http://code.google.com/p/doctype/wiki/ArticleUtf7
• ⁹ http://en.wikipedia.org/wiki/Hash_function
• ¹⁰ http://en.wikipedia.org/wiki/Rainbow_table
• ¹¹ http://en.wikipedia.org/wiki/Bcrypt