Security was a hot topic at TechEd Developers 2007 and I was keen to attend some of the talks related to web app security in particular. A couple of talks conveyed well the importance of security and showed first-hand a number of top vulnerabilities that web apps can be left open to. Below are what I think are the top 5 vulnerabilities you need to be aware of when developing web apps:
- Cross Site Scripting (XSS) : Takes user-supplied data and sends it to a browser without validating or encoding it, so any script embedded in that data runs in the victim's browser with the site's privileges (cookies, session) [more info on cross site scripting].
- Injection Flaws : Again user-supplied data (a query string value, form field, header, or any other input) is concatenated into a command or query, tricking the app into running malicious or unwanted commands against its data. This usually manifests as SQL injection, and the fix is to pass the data as a parameter rather than as part of the query text [more info on injection flaws].
- Insecure Communications : Web apps not encrypting communications of a sensitive nature. Sensitive traffic between client and server (e.g. logging customers in) should force an https connection to protect the user from sniffers and man-in-the-middle attacks. Note that https only stops a man in the middle if the server certificate is issued by a CA the client trusts and matches the host name; a self-signed certificate that users click through gives no such protection [more info on https].
- Improper Error Handling : The leaking of sensitive information (stack traces, connection strings, file paths, SQL text) as a result of an application error. For a .NET web app ensure the customErrors element in web.config does NOT have mode="Off" on a live web server; the default value, RemoteOnly, shows the detailed error page only to requests made from the server itself and a generic page to everyone else. Log the full exception server-side instead [more info on customErrors]
- Insecure Direct Object References : Allowing users to manipulate a URL or form parameter (an id, a file name, a record key) to gain access to a restricted internal object such as a file, folder, database record, etc. The fix is to check on every request that the current user is actually allowed to see the referenced object, not just that the parameter is well formed [more info on object serving vulnerabilities]
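To make the list concrete, here is an added example (not code from the original post or from the TechEd talks) in ASP.NET C# on the .NET Framework, showing the vulnerable pattern beside the hardened one for XSS, SQL injection, insecure communications and direct object references in a single page. The Orders table, its Id/Total/OwnerName columns, the connection string and the two asp:Literal controls (litResult, litTotal, assumed to be declared in the matching .aspx markup) are assumptions for illustration.

```csharp
// Added example, not from the original post. Assumes an ASP.NET Web Forms page
// whose .aspx markup declares two asp:Literal controls, litResult and litTotal,
// and a SQL Server table Orders(Id int, Total money, OwnerName nvarchar(256)).
using System;
using System.Data;
using System.Data.SqlClient;
using System.Web;
using System.Web.UI;

public partial class OrderPage : Page
{
    // Assumed for the example; in a real app this lives in web.config.
    private const string ConnString = "Server=.;Database=Shop;Integrated Security=true";

    protected void Page_Load(object sender, EventArgs e)
    {
        // Insecure Communications: refuse to serve this page over plain http.
        // Nothing sensitive has been sent yet, so redirecting the first request
        // to https is safe; the login form itself is only ever posted over TLS.
        if (!Request.IsSecureConnection)
        {
            UriBuilder https = new UriBuilder(Request.Url) { Scheme = "https", Port = 443 };
            Response.Redirect(https.Uri.ToString(), true);
            return;
        }

        string search = Request.QueryString["q"] ?? "";
        string orderId = Request.QueryString["id"] ?? "";

        // XSS, vulnerable: raw user input written straight into the page.
        //   litResult.Text = "Results for " + search;
        // XSS, hardened: encode for the HTML context the value lands in.
        litResult.Text = "Results for " + HttpUtility.HtmlEncode(search);

        // Injection, vulnerable: concatenation makes the input part of the SQL text.
        //   string sql = "SELECT Total FROM Orders WHERE Id = " + orderId;
        // Injection, hardened: validate the type, then pass the value as a
        // typed parameter so it can never be parsed as SQL.
        int id;
        if (!int.TryParse(orderId, out id))
        {
            Response.StatusCode = 400;
            return;
        }

        // Direct object reference, hardened: the row must also belong to the
        // logged-in user, so editing ?id= in the URL cannot reach another
        // customer's order. The same 404 is returned whether the order is
        // missing or belongs to someone else, so ids cannot be enumerated.
        using (SqlConnection conn = new SqlConnection(ConnString))
        using (SqlCommand cmd = new SqlCommand(
            "SELECT Total FROM Orders WHERE Id = @id AND OwnerName = @owner", conn))
        {
            cmd.Parameters.Add("@id", SqlDbType.Int).Value = id;
            cmd.Parameters.Add("@owner", SqlDbType.NVarChar, 256).Value = User.Identity.Name;
            conn.Open();
            object total = cmd.ExecuteScalar();
            if (total == null)
            {
                Response.StatusCode = 404;
                return;
            }
            // Output from the database is still data, so it gets encoded too.
            litTotal.Text = HttpUtility.HtmlEncode(Convert.ToString(total));
        }
    }
}
```

Two things worth noting: the ownership check belongs in the query (or in the data layer) rather than in a separate "is this mine?" step after the fact, so that forgetting it in one handler fails closed; and HtmlEncode is only correct for an HTML text context, so a value dropped into a JavaScript string or a URL needs the encoder for that context instead.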
A top community/site for all security-conscious web developers is the Open Web Application Security Project (OWASP). I particularly like their Top 10 project (the 10 most critical web application security flaws), which is a great place to spruce up your web app security awareness.