YNDK+Leslie Homepage: Welcome to the website of 演藝特工 and 哥哥




October 2007

Posted by 演藝特工

Posted by Anonymous

PHPMailer is a great email component for PHP; however, it lacks support for connecting to SMTP servers that require SSL (such as GMail). Therefore, I've modified this version to add an "IsSSL()" method to the class to handle this.

Download HERE


Posted by Leslie


To keep this site running and providing content worth referring to, please donate generously as a small token of support for the site's expenses!

1. remove all source comments and/or debug messages
- comments can divulge important information like database name, user logins, and passwords.
- debug messages can reveal trace of internal application details

- disable error reporting on a production site to avoid revealing internal details

2. don't use overly helpful error messages
- error messages like "invalid username" and "invalid password" reveal which usernames are legitimate.

3. never use default user id and/or password
- default user ids (e.g. 'root', 'admin' or 'sa') and default passwords should never be used as they are.

4. don't put up a file unless you're ready to make it public
- even if no link to it appears on the web pages, users may still reach it by guessing the filename.

5. never trust input that originates from a client
- re-validate all input values on the server, don't rely on client-side restrictions.
- use white-lists and/or black-lists to validate input if possible
- filter out special characters, code, commands, and scripts from any input to avoid SQL- and Command-Injection, NULL-String Attacks or Cross-Site Scripting
- don't forget to check for all different representations of the same characters
- truncate all input at a reasonable length to prevent buffer overflows

6. be careful with the use of hidden fields and URL parameters
- because their values may be altered by malicious users to conduct State-Based Attacks
- use cryptic names whenever necessary to add some degree of protection

7. don't store important information in cookies
- because the value they contain and their expiry timestamp may be altered by malicious users
- encrypt the data and set the secure flag and/or domains to increase security

8. implement good session management to prevent Session-Hijacking or Session-Fixation
- generate new session upon each visit, and protect the session id
- timeout session after a specified period, disallow expired sessions to be reactivated
- track if a session is used by more than one user, invalidate it if necessary
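Item 8 above, worked out as PHP session-handling code. This is an added example, not the post's own code; it assumes PHP 7.3 or later with the default session handler, and the constant names, function names and time limits are my own choices.

```php
<?php
// Added example (not from the original post). Assumes PHP >= 7.3.
declare(strict_types=1);

const SESSION_IDLE_LIMIT     = 900;   // seconds of inactivity before the session is dropped
const SESSION_ABSOLUTE_LIMIT = 28800; // hard lifetime, regardless of activity

function secure_session_start(): void
{
    // Strict mode rejects session IDs the server never issued, which defeats
    // fixation through a pre-chosen cookie; the cookie flags keep the ID away
    // from scripts and off plaintext connections.
    ini_set('session.use_strict_mode', '1');
    ini_set('session.use_only_cookies', '1');
    session_set_cookie_params([
        'lifetime' => 0, 'path' => '/', 'secure' => true,
        'httponly' => true, 'samesite' => 'Lax',
    ]);
    session_start();

    $now = time();
    $expired = isset($_SESSION['created'], $_SESSION['last_seen']) && (
        $now - $_SESSION['created']   > SESSION_ABSOLUTE_LIMIT ||
        $now - $_SESSION['last_seen'] > SESSION_IDLE_LIMIT
    );
    // Coarse check that the ID is still used by the client that created it:
    // a changed User-Agent on the same ID is a hint that the ID is shared.
    $fingerprint = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
    $shared = isset($_SESSION['fp']) && !hash_equals($_SESSION['fp'], $fingerprint);

    if ($expired || $shared) {
        // Drop the old session data and issue a new ID; passing true deletes
        // the old ID's storage, so an expired session cannot be reactivated.
        $_SESSION = [];
        session_regenerate_id(true);
    }
    if (!isset($_SESSION['created'])) {
        $_SESSION['created'] = $now;
        $_SESSION['fp']      = $fingerprint;
    }
    $_SESSION['last_seen'] = $now;
}

// Call after a successful login: a fresh ID means an attacker-supplied
// (fixed) ID never inherits the authenticated state.
function on_login(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}
```

Call secure_session_start() before any output on every request, and on_login() once credentials have been verified.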

9. adhere to the 'least privilege' security principle
- only give users the minimum rights they need
- run your web server and connect to database using an account with appropriate rights, avoid the use of 'root' or 'admin'

10. use strong authentication
- enforce a policy of long passwords and user ids with a mixture of numbers, upper- and lowercase letters and punctuation
- use http-basic, http-digest, nonce, CAPTCHA or SSL to secure authentication if necessary

11. make sure your web server is well protected
- hide your web server identity
- use firewall, intrusion detection system (IDS) or bandwidth management to protect against Denial of Service
- avoid launching OS commands from the web server, and confine the 'root' directory of your web server to the document root

12. protect user privacy
- be aware of the use of User Agents, Referrer, Cookies, Web Bugs, Clipboard
- disable caching for pages that may contain sensitive information
- only use benign ActiveX controls or Browser Help Objects

13. protect your web services
- beware of WSDL scanning; debugging information or functions may be exposed
- verify the received XML content, as parameters may have been tampered with
- check for Recursive Payload attack, Oversize Payload attack, and External Entity attack

Other techniques/precautions:
- check whether the actual byte count of submitted data matches the 'content-length' HTTP header
- use HTTP_REFERER to check where the web request comes from
- only use algorithms that are well known and secure when data encryption is necessary
- set PHP option "open_basedir" to restrict file access to certain folders
- set PHP option "allow_url_fopen" to "off" to disable data retrieval from remote location to prevent code injection
- explicitly declare and initialize global variables before use, and only use variables that you have defined
- use PHP addslashes(string) function to escape all the special characters
- use the PHP htmlspecialchars() or htmlentities() function with the ENT_QUOTES option to convert all special characters to HTML entities
