Who Should Read:
- All Java architects, developers and designers.
- Anyone interested in the best practices for avoiding security loopholes in a web application.
7 Coding/Design practices to secure your web application
- Input Validation:
- Prefer whitelist validation to blacklist validation. The idea is to accept only input that belongs to the set of known good values.
- Regular expressions can be a good choice for implementing whitelist validation. For example:

    import java.util.regex.Pattern;

    // Whitelist check: only postcodes matching the known-good pattern are accepted.
    // Java regex strings carry no /.../ delimiters, and \d is written \\d in a string literal.
    public boolean validatePostCode(String code) {
        return code != null
            && Pattern.matches("^(((2|8|9)\\d{2})|((02|08|09)\\d{2})|([1-9]\\d{3}))$", code);
    }

- One should always prefer third-party whitelist validators. Apache Commons Validator can be a good choice for input validation.
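As an added example (not code from the original post), here is how the whitelist approach looks when the checks are delegated to Apache Commons Validator's routines package. The class name, the field rules and the assumption that commons-validator is on the classpath are the example's own; the postcode pattern is the one used above.

```java
import org.apache.commons.validator.routines.EmailValidator;
import org.apache.commons.validator.routines.IntegerValidator;
import org.apache.commons.validator.routines.RegexValidator;
import org.apache.commons.validator.routines.UrlValidator;

// Whitelist validation of a registration form with Apache Commons Validator
// (the commons-validator artifact is assumed to be on the classpath).
public class RegistrationValidator {

    // Usernames: 3-20 characters, letters, digits and underscore only.
    private static final RegexValidator USERNAME =
            new RegexValidator("^[A-Za-z0-9_]{3,20}$");
    // Same postcode whitelist as the article's own example.
    private static final RegexValidator POST_CODE =
            new RegexValidator("^(((2|8|9)\\d{2})|((02|08|09)\\d{2})|([1-9]\\d{3}))$");
    // Only http/https homepages are accepted; every other scheme is rejected.
    private static final UrlValidator HOMEPAGE =
            new UrlValidator(new String[] {"http", "https"});

    public static boolean isValidUsername(String value) {
        return value != null && USERNAME.isValid(value);
    }

    public static boolean isValidEmail(String value) {
        return value != null && EmailValidator.getInstance().isValid(value);
    }

    public static boolean isValidPostCode(String value) {
        return value != null && POST_CODE.isValid(value);
    }

    // Age must parse as an integer and fall inside a sane range.
    public static boolean isValidAge(String value) {
        Integer age = IntegerValidator.getInstance().validate(value);
        return age != null && IntegerValidator.getInstance().isInRange(age, 13, 120);
    }

    public static boolean isValidHomepage(String value) {
        return value != null && HOMEPAGE.isValid(value);
    }

    public static void main(String[] args) {
        // Constructed sample inputs: the first group is well-formed, the second is not.
        System.out.println(isValidUsername("alice_01"));
        System.out.println(isValidEmail("alice@example.com"));
        System.out.println(isValidPostCode("2000"));
        System.out.println(isValidAge("34"));
        System.out.println(isValidHomepage("https://example.com/"));

        System.out.println(isValidUsername("alice<x>"));
        System.out.println(isValidPostCode("12a4"));
        System.out.println(isValidAge("-5"));
        System.out.println(isValidHomepage("javascript:alert(1)"));
    }
}
```

Each validator is built once and reused; RegexValidator requires the whole value to match, so there is no need for surrounding anchors to be remembered by every caller.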
- Secure File Upload:
- Upload files to a dedicated file area instead of storing them directly in the database or at some location inside the website tree.
- Also apply validation checks for size, MIME type and file type.
- The Java Mime Magic library can be a good choice for validating the MIME type.
- Also use an antivirus to scan uploaded files. You can invoke the antivirus CLI via the Java Runtime to scan files on the fly.
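An added example, not part of the original post, that applies the size, extension and file-type checks above, stores the file under a generated name outside the web tree, and invokes an antivirus CLI on it. It checks the leading bytes directly instead of through the Java Mime Magic library; the storage path, the clamscan command and its exit codes (0 clean, 1 infected) are assumptions of the example.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Arrays;
import java.util.Map;
import java.util.UUID;

// Validates an upload by size, extension and magic bytes, then stores it under a
// generated name in a directory outside the web tree and scans it with an AV CLI.
public class UploadHandler {

    private static final long MAX_BYTES = 5L * 1024 * 1024;          // 5 MB
    // Hypothetical storage location; it must not be served by the web server.
    private static final Path STORE = Paths.get("/var/app-uploads");

    // Whitelist: allowed extension -> bytes the file content must start with.
    private static final Map<String, byte[]> MAGIC = Map.of(
            "png", new byte[] {(byte) 0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A},
            "jpg", new byte[] {(byte) 0xFF, (byte) 0xD8, (byte) 0xFF},
            "pdf", "%PDF".getBytes(StandardCharsets.US_ASCII));

    public static String extensionOf(String clientFileName) {
        // Drop any directory part the client sent, then take the lower-cased suffix.
        String base = clientFileName.replace('\\', '/');
        base = base.substring(base.lastIndexOf('/') + 1);
        int dot = base.lastIndexOf('.');
        return dot < 0 ? "" : base.substring(dot + 1).toLowerCase();
    }

    public static boolean hasMagic(byte[] content, String ext) {
        byte[] sig = MAGIC.get(ext);
        if (sig == null || content.length < sig.length) return false;
        return Arrays.equals(Arrays.copyOf(content, sig.length), sig);
    }

    /** Returns the stored file name, or throws if the upload is rejected. */
    public static String store(String clientFileName, byte[] content)
            throws IOException, InterruptedException {
        if (content.length == 0 || content.length > MAX_BYTES) {
            throw new IOException("rejected: size");
        }
        String ext = extensionOf(clientFileName);
        if (!hasMagic(content, ext)) {
            throw new IOException("rejected: extension and content do not match");
        }
        // Never reuse the client's name: a generated name rules out traversal and overwrites.
        Path target = STORE.resolve(UUID.randomUUID() + "." + ext);
        Files.createDirectories(STORE);
        Files.write(target, content);

        // Scan on the fly (assumed: clamscan installed); keep the file only if it is clean.
        Process p = new ProcessBuilder("clamscan", "--no-summary", target.toString())
                .redirectErrorStream(true).start();
        p.getInputStream().readAllBytes();   // drain output so the scanner cannot block
        int status = p.waitFor();
        if (status != 0) {
            Files.deleteIfExists(target);
            throw new IOException("rejected: scanner status " + status);
        }
        return target.getFileName().toString();
    }
}
```

The client-supplied MIME type is deliberately ignored: it is just another request header, so the decision rests on the bytes actually received.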
- Output Encoding (Escaping):
- Escape HTML before inserting data into HTML elements, e.g. <body> escapeHTML(data) </body>.
- Encode the following characters into HTML entities: & to &amp;, < to &lt;, > to &gt;, " to &quot;, ' to &#x27;, / to &#x2F;
- Escape JavaScript before putting any data into JavaScript elements, e.g. <script>alert('escapeJavaScript(data)')</script>
- Escape URLs, e.g. <a href="escapeURL(url)">
- Escape XML.
- You can use the Apache Commons StringEscapeUtils class to perform all of the above encodings. There are ready-made methods like escapeHtml, escapeJavaScript, escapeXML, escapeURL.
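The contextual encodings listed above, carried out in plain Java as an added example (not the post's code and not Apache Commons); the class and method names are the example's own, and the HTML rule is exactly the entity table given above.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;

// One encoder per output context. Data must be encoded for the context it lands in:
// HTML-encoding a value that is placed inside a <script> block is not enough.
public final class Encode {

    // HTML body/attribute context: the characters that can break out of markup.
    public static String html(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#x27;"); break;
                case '/':  out.append("&#x2F;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // JavaScript string-literal context: everything outside [A-Za-z0-9] becomes \xHH or
    // \uHHHH, so quotes, backslashes and "</script>" cannot terminate the literal.
    public static String js(String s) {
        StringBuilder out = new StringBuilder(s.length() * 2);
        for (char c : s.toCharArray()) {
            if ((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9')) {
                out.append(c);
            } else if (c < 256) {
                out.append(String.format("\\x%02X", (int) c));
            } else {
                out.append(String.format("\\u%04X", (int) c));
            }
        }
        return out.toString();
    }

    // URL query-parameter context: percent-encode with the JDK encoder.
    public static String url(String s) {
        try {
            return URLEncoder.encode(s, "UTF-8");
        } catch (UnsupportedEncodingException e) {
            throw new IllegalStateException(e);   // UTF-8 is always available
        }
    }

    // XML text/attribute context: the five predefined XML entities.
    public static String xml(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
                .replace("\"", "&quot;").replace("'", "&apos;");
    }

    public static void main(String[] args) {
        // Constructed untrusted input: a display name exactly as a user submitted it.
        String data = "O'Brien <b>\"admin\"</b> & co";
        System.out.println("<p>" + html(data) + "</p>");
        System.out.println("<script>var name = '" + js(data) + "';</script>");
        System.out.println("<a href=\"/search?q=" + url(data) + "\">search</a>");
        System.out.println("<user>" + xml(data) + "</user>");
    }
}
```

Note that url() encodes a single parameter value, not a whole URL; a full URL assembled from user input still needs its scheme checked against a whitelist, as in the input-validation section.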
- Exception Handling:
- Exception stack traces should never be displayed in the browser.
- Never let an exception leak sensitive information to the user or browser.
- Catch every exception on the server and translate it into a relevant error message.
- A global exception handler can take care of all uncaught errors.
- Logging:
- What to log: all security-related events, such as login, accessing a URL, changing a role, accessing a resource.
- What not to log: any confidential or sensitive information, such as passwords or users' credit card details.
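An added example, not from the original post, of a small security-event logger that records who did what with which outcome but drops secrets and masks card numbers before anything is written. The field names, event names and the sample values are constructed for the example.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;
import java.util.logging.Logger;

// Audit logger: the "what to log" list goes in, the "what not to log" list never comes out.
public final class SecurityAudit {

    private static final Logger LOG = Logger.getLogger("security.audit");
    // Fields that must never be written, whatever the event.
    private static final Set<String> NEVER_LOG = Set.of("password", "newPassword", "cvv", "token");
    // Fields written only in masked form.
    private static final Set<String> MASKED = Set.of("cardNumber");

    public static String maskCard(String pan) {
        String digits = pan.replaceAll("[^0-9]", "");
        if (digits.length() < 4) return "****";
        return "****" + digits.substring(digits.length() - 4);
    }

    // Line breaks are stripped so a crafted value cannot forge an extra log line.
    private static String oneLine(String v) {
        return String.valueOf(v).replaceAll("[\\r\\n]", " ");
    }

    /** Builds the log line; returned rather than only written so it can be inspected. */
    public static String format(String event, String user, Map<String, String> fields) {
        Map<String, String> safe = new LinkedHashMap<>();
        for (Map.Entry<String, String> e : fields.entrySet()) {
            if (NEVER_LOG.contains(e.getKey())) continue;
            if (MASKED.contains(e.getKey())) safe.put(e.getKey(), maskCard(e.getValue()));
            else safe.put(e.getKey(), oneLine(e.getValue()));
        }
        return "event=" + event + " user=" + oneLine(user) + " " + safe;
    }

    public static void log(String event, String user, Map<String, String> fields) {
        LOG.info(format(event, user, fields));
    }

    public static void main(String[] args) {
        // Constructed events of the kinds the article says to log.
        Map<String, String> login = new LinkedHashMap<>();
        login.put("outcome", "failure");
        login.put("password", "hunter2");          // dropped
        login.put("ip", "203.0.113.7");
        log("login", "alice", login);

        Map<String, String> payment = new LinkedHashMap<>();
        payment.put("cardNumber", "4111 1111 1111 1111");   // masked to the last four digits
        payment.put("amount", "49.90");
        log("payment", "alice", payment);

        Map<String, String> role = new LinkedHashMap<>();
        role.put("from", "user");
        role.put("to", "admin");
        log("role_change", "bob", role);
    }
}
```

Routing these events to a dedicated "security.audit" logger lets them be shipped to a separate, access-controlled destination from ordinary application logs.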
- Security API:
- OWASP Enterprise Security API (ESAPI) provides all essential security services.
- Spring Security can be a good choice for authentication and authorization.
- Bouncy Castle can be used as a lightweight cryptography API.
- Avoid SQL Injection:
- Always use prepared statements to support parameterized queries.
- Avoid string concatenation or string replacement to form queries.
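The string-built query beside its parameterized form, as an added example that is not code from the original post, together with the one case a parameter cannot cover (identifiers such as a sort column). It assumes a JDBC Connection supplied by the caller and a table users(username, email, created); the class and method names are the example's own.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.Set;

public final class UserQueries {

    // UNSAFE: the input becomes part of the SQL text, so a quote inside it rewrites the query.
    public static String findEmailUnsafe(Connection c, String username) throws SQLException {
        String sql = "SELECT email FROM users WHERE username = '" + username + "'";
        try (Statement st = c.createStatement(); ResultSet rs = st.executeQuery(sql)) {
            return rs.next() ? rs.getString(1) : null;
        }
    }

    // SAFE: the SQL text is fixed; the driver sends the value separately, never as SQL.
    public static String findEmail(Connection c, String username) throws SQLException {
        String sql = "SELECT email FROM users WHERE username = ?";
        try (PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setString(1, username);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getString(1) : null;
            }
        }
    }

    // Caveat: a '?' can only stand for a value. A column or table name chosen by the user
    // (e.g. a sort field) must be checked against a whitelist before it is spliced in.
    private static final Set<String> SORTABLE = Set.of("username", "email", "created");

    public static PreparedStatement listUsers(Connection c, String sortBy, int limit)
            throws SQLException {
        if (!SORTABLE.contains(sortBy)) {
            throw new IllegalArgumentException("unsupported sort column");
        }
        PreparedStatement ps = c.prepareStatement(
                "SELECT username, email FROM users ORDER BY " + sortBy + " LIMIT ?");
        ps.setInt(1, limit);
        return ps;
    }
}
```

The whitelist in listUsers is the same idea as the input-validation section: once the identifier is known to be one of three fixed strings, concatenating it can no longer change the query's meaning.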
Very good Blog with relevant examples

Please feel free to post some more practices and examples here. I will keep updating this article.

Very good post. Not only developers, testers can also benefit from these points.

I dislike the title of this article. Even if you implement all these suggestions then your application won't necessarily be secured. You would have reduced the risk of a successful attack but to say it's secured is an overstatement. For instance your application could be very vulnerable to a (D)DoS attack.

The intent of this blog is to present 7 important practices to secure a web application. I fully agree with you that these guidelines may not be sufficient to ensure 100% security. Even a highly secure website can be vulnerable nowadays. The only way is to keep evolving.

This blog is also available on TheServerSide @ http://www.theserverside.com/discussions/thread.tss?thread_id=63580

Very nice article, well explained in a simple way. These are really loopholes in web security that we need to consider while designing an application.

You should also share guidelines for code security