Protection Against Session Hijacking
• Use encryption
• Use a secure protocol
• Limit incoming connections
• Minimize remote access

Input Validation
• One of the key concepts you must accept is that user input is unreliable and not to be trusted. It may be:
  – Partially lost in transmission between server and client.
  – Corrupted by some in-between process.

Strong Password
• Do not store passwords as plain text
• Do not try to invent your own password security
• Do not encrypt passwords, as encryption is reversible. Security through

Strong Password
• Do not use MD5 – though this cryptographic hashing function is irreversible, it is quite easy to make a list of millions of hashed passwords (a rainbow table) and compare the
XSS
• Cross Site Scripting (XSS) is a situation whereby an attacker injects HTML code, which is then displayed on the page without further validation.

XSS Condition
1. A Web application accepts user input
  – Well, which Web application doesn't?
2. The input is used to create dynamic content

Who is Affected By XSS
• The XSS attack's first target is the client
  – Client trusts server (does not expect an attack)
  – Browser executes malicious script

Impact Of XSS Attack
• Access to authentication credentials for the Web application
  – Cookies, username and password
  – XSS is not a harmless flaw!
• Normal users
  – Access to personal data (credit card, bank account)
  – Access to business data (bid details, construction details)
  – Misuse of account (order expensive goods)

Impact Of XSS Attack
• Denial-of-Service
  – Crash users' browser, pop-up flooding, redirection
• Access to users' machine
  – Use ActiveX objects to control the machine

Preventing XSS
Preventing XSS means preventing...
• Subversion of separation of clients
  – Attacker can access affected clients' data
  – Industrial espionage
• Identity theft
  – Attacker can impersonate

XSS Solution
• Implement XSS prevention in the application
• Do not assume input values are benign
• Do not trust client-side validation
• Check and validate all

What to consider as an "INPUT"
• Not only field values with user-supplied input
• Should be treated as input:
  – All field values: even hidden fields
  – All HTTP header fields: Referer
  – And even the

How To Perform Input Validation
• Check if the input is what you expect
• Do not try to check for "bad input"
• Black-list testing is no solution
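The validation and XSS slides above, as an added example that is not code from the slides: allow-list checks that state what valid input looks like (applied to a hidden quantity field as well as a visible username), and HTML output encoding beside the vulnerable raw interpolation. The field names, patterns and the comment markup are assumptions of this example.

```python
import html
import re

# Allow-list patterns describe what valid input looks like; this is the
# positive check the slide asks for instead of hunting for "bad input".
USERNAME_RE = re.compile(r"[a-z0-9_]{3,32}")
QUANTITY_RE = re.compile(r"[1-9][0-9]{0,3}")


def validate_username(value: str) -> str:
    if not USERNAME_RE.fullmatch(value):
        raise ValueError("username: expected 3-32 characters from [a-z0-9_]")
    return value


def validate_quantity(value: str) -> int:
    # Hidden form fields get the same treatment: the client may have edited them.
    if not QUANTITY_RE.fullmatch(value):
        raise ValueError("quantity: expected an integer from 1 to 9999")
    return int(value)


def render_comment_vulnerable(author: str, body: str) -> str:
    """The XSS pattern: untrusted text dropped straight into the HTML."""
    return f'<p class="comment"><b>{author}</b>: {body}</p>'


def render_comment(author: str, body: str) -> str:
    """Encode for an HTML body context so markup in the input stays text."""
    return (f'<p class="comment"><b>{html.escape(author, quote=True)}</b>: '
            f'{html.escape(body, quote=True)}</p>')


if __name__ == "__main__":
    # Constructed sample input containing markup
    sample = "<script>alert(1)</script>"
    print(render_comment_vulnerable("mallory", sample))  # tag reaches the browser
    print(render_comment("mallory", sample))             # tag rendered as text
```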
SQL Injection
• SQL injection is similar to XSS in that unvalidated data is being used, but in this case the data is passed to the database.
  – Arbitrary query execution
    • Removal of data.

SQL Injection
• SQL injection vulnerabilities come in two main forms.
• Both forms involve injecting SQL code into a website.
• (1) Injecting into a form, such as username and password boxes

Goals Of SQL Injection
• Your goal as an injector is to outsmart the SQL server.
• SQL server is normally running as either the local system account, or a domain user account, an

Goals Of SQL Injection
• An attacker might use the xp_regXXX functions to read the SAM, change the configuration of a system service, etc.

How SQL Injection Works
• Before you protect against an injection, you must first understand how SQL works.
• The username and password you entered are kept in the site's member table
• The login form takes the

Escape SQL
• If the database interface extension offers dedicated escaping functions, USE THEM!
  – MySQL
    • mysql_escape_string()
    • mysql_real_escape
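The slides explain login-form injection and recommend escaping; this added example (not code from the slides) shows the driver-level alternative a practitioner reaches for first, parameterized queries, beside the string-concatenated query they replace. It uses Python's sqlite3 with a constructed in-memory table standing in for the site's member table; the table layout and sample row are assumptions.

```python
import sqlite3


def make_members_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the site's members table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (username TEXT, password_hash TEXT)")
    conn.execute("INSERT INTO members VALUES ('alice', 'hash-of-alice-password')")
    conn.commit()
    return conn


def find_member_vulnerable(conn, username: str, password_hash: str):
    """String concatenation: the input becomes part of the SQL text,
    so a quote in the username can rewrite the WHERE clause."""
    sql = (f"SELECT username FROM members WHERE username = '{username}' "
           f"AND password_hash = '{password_hash}'")
    return conn.execute(sql).fetchone()


def find_member(conn, username: str, password_hash: str):
    """Parameterized query: values travel separately from the SQL and are
    never parsed as SQL, whatever characters they contain."""
    sql = "SELECT username FROM members WHERE username = ? AND password_hash = ?"
    return conn.execute(sql, (username, password_hash)).fetchone()


if __name__ == "__main__":
    db = make_members_db()
    # Constructed login attempt: a quote and a comment marker in the username
    hostile = "alice' --"
    print(find_member_vulnerable(db, hostile, "anything"))  # ('alice',)
    print(find_member(db, hostile, "anything"))             # None
```

With the concatenated query the trailing `--` comments out the password check; with placeholders the same string is just a username that does not exist.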
REST Web services
● Representational State Transfer defines a set of architectural principles by which we can design Web services that focus on a system's resources, including how resource states are addressed and transferred over HTTP by a wide range of clients written in different languages.
● REST has emerged in the last few years alone as a predominant Web service design model.
● REST has had such a large impact on the Web that it has mostly displaced SOAP- and WSDL-based interface design because it's a considerably simpler style to use.

Use HTTP methods explicitly
● REST asks developers to use HTTP methods explicitly and in a way that's consistent with the protocol definition.
● This basic REST design principle establishes a one-to-one mapping between create, read, update, and delete (CRUD) operations and HTTP methods.

Use HTTP methods explicitly (cont.)
According to this mapping:
● To create a resource on the server, use POST.
● To retrieve a resource, use GET.
● To change the state of a resource or to update it, use PUT.
● To remove or delete a resource, use DELETE.

Be stateless
● The client–server communication is further constrained by no client context being stored on the server between requests. Each request from any client contains all of the information necessary to service the request, and any session state is held in the client.

Expose directory structure-like URIs
Some guidelines about URI structure for a RESTful Web service are:
● Hide the server-side scripting technology file extensions (.jsp, .php, .asp), if any, so you can port to something else without changing the URIs.
● Keep everything lowercase.
● Substitute spaces with hyphens or underscores (one or the other).
● Avoid query strings as much as you can.
● Instead of using the 404 Not Found code if the request URI is for a partial path, always provide a default page or resource as a response.

Transfer XML, JSON, or both
● The last set of constraints that goes into a RESTful Web service design has to do with the format of the data that the application and service exchange in the request/response payload or in the HTTP body. This is where it really pays to keep things simple, human-readable, and connected.

JSON Architecture
JSON is built on two structures:
● A collection of name/value pairs. In various languages, this is realized as an object, record, struct, dictionary, hash table, keyed list, or associative array.
● An ordered list of values. In most languages, this is realized as an array, vector, list, or sequence.

JSON Functions
JSON functions used in PHP:
● json_decode — Decodes a JSON string
● json_encode — Returns the JSON representation of a value
● json_last_error — Returns the last error that occurred