Web Application Security

Raymond Camden

jedimaster@allaire.com

What We Will Discuss…

Identify and Protect Input Points Security Through Obscurity… Cross-site scripting Web Server Tips Resources Q & A

Input Points

Web communication is stateless Page A passes information to Page B

– URL parameters– Form fields– Cookies

Input Points – URL parameters

Visible to the user Easy to change

Input Points – Form variables

Like URL variables, form variables should be checked before being passed to SQL

Don’t rely on JavaScript checking Hidden fields are harder to change, but not

impossible

Input Points – Cookies

Don’t store information in unencrypted form Treat them just like URL vars.

Security Through Obscurity…

Is not really security! If you are going to do it, do it right. Keep includes and custom tags out of the web

root. Encrypt URL values, give them weird names.

Cross-site scripting

Again, it’s the input! User input displayed on screen, and in context For more info, see:

http://www.cert.org/advisories/CA-2000-02.html

Web Server Tips

Turn off Directory Browsing! Beware IIS and +.htr and ::$DATA This URL patches +.htr

– http://www.microsoft.com/technet/security/bulletin/ms00-031.asp

Info on ::$DATA– http://www.allaire.com/handlers/index.cfm?

ID=8729&Method=Full

Resources

Allaire’s Security Zone– http://www.allaire.com/developer/SecurityZone/

Security Best Practices – http://www.allaire.com/handlers/index.cfm?

id=10956&method=full

Q & A

Contact Information:– jedimaster@allaire.com