web application attacks and must have defence methods

Question

What is your must have defence methods to common web attacks like XSS, Sql Injection, Denial of Service, etc. ?

Edit : I collected your responses under descriptions from Wikipedia. And I add some extra questions to have a complete reference.

Sql Injection

SQL injection is a code injection technique that exploits a security vulnerability occurring in the database layer of an application. The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and thereby unexpectedly executed. It is an instance of a more general class of vulnerabilities that can occur whenever one programming or scripting language is embedded inside another.

• Do not trust user input and validate it as early as possible.
• Don't build SQL from raw user input - use parameters instead.

Cross Site Scripting (XSS)

Cross-site scripting is a type of computer security vulnerability typically found in web applications which allow code injection by malicious web users into the web pages viewed by other users. Examples of such code include HTML code and client-side scripts. An exploited cross-site scripting vulnerability can be used by attackers to bypass access controls such as the same origin policy.

• Never output or execute user-submitted content verbatim.
• HTML-encode all output.

A denial-of-service attack

A denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS attack) is an attempt to make a computer resource unavailable to its intended users. Although the means to carry out, motives for, and targets of a DoS attack may vary, it generally consists of the concerted, malevolent efforts of a person or persons to prevent an Internet site or service from functioning efficiently or at all, temporarily or indefinitely.

I know it seems impossible to avoid denial-of-service attacks programmatically, but what you think ?

Brute Force Attacks

In cryptanalysis, a brute force attack is a method of defeating a cryptographic scheme by systematically trying a large number of possibilities; for example, a large number of the possible keys in a key space in order to decrypt a message. In most schemes, the theoretical possibility of a brute force attack is recognized, but it is set up in such a way that it would be computationally infeasible to carry out.

• Lock an account whenever too many login attempts went wrong. Never allow unlimited retries.
• Add a delay when the password typed in is wrong.

Some extra questions :

• What do you think about web robots that try to post inputs according to your content ? For example SO is using an image validation.

• What do you think about javascript eval function ?

• Are there a way to access content on server which didn't exposed to outside. For example, I have a page that inserts some important records to my db, and only I know it's url. Is there a way to get this kind of files ? I know you can set some security rules over it.

(NOTE : Directory listing is disabled and I host this files.)

Thanks for the replies !

Answer 1

What do you think about web robots that try to post inputs according to your content ? For example SO is using an image validation.

The image validation is called a CAPTCHA. It prevents automated bots from filling out forms and helps to verify that a human is actually submitting the form. These are generally used anywhere that you want to control access to the form. Spam bots will try to fill out contact forms to bypass spam filters, so you may need to add some protection on things like that. For the most part, form abuse is minimal, but you will see it in some cases.

What do you think about javascript eval function ?

It depends on how you use it. Like anything else, don't trust user input. If you're going to run their input through eval() make sure it's run through a decent sanitation process first. This is doubly important if you're storing their input in a database and pulling it back out the displaying it for other users to see. That goes for SQL, HTML, as well as JavaScript. If someone can get JS code executed with enough knowledge about how your site works, they can do all sorts of crazy things and imitate the user who is logged in, change their password, etc.

Are there a way to access content on server which didn't exposed to outside?

As someone else mentioned, this would be security through obscurity and is not recommended. Anything sensitive needs to be put behind a secure login area. Don't rely on the "hidden URL" alone. If someone guesses your special URL or it ends up in a log file that Google has access to, you may never know if someone manages to get in. Put some authentication around things like that.

Answer 2

Your question covers a large scope. I'll try to give you some pointers. If you specify your question more clearly, I can give you some more specific information.

1. Never, ever trust user input. Everything that comes into your application that can be manipulated from the outside, must be validated.
2. Never store passwords in plain text in your database. Store the hash (with salt) only. Calculate the hash on the password the user gave and compare the hashes.
3. Lock an account whenever too many login attempts went wrong. Never allow unlimited retries.
4. When using a product or framework, stay on top of the mailinglist for those products and identify security issues. When your underlying framework has a security bug, have a plan ready to upgrade.
5. When using a database do not allow everyone full access to the database (even if you limit access to the database with stored procedures). If someone only needs to read certain data, do not use an SQL-account that can also modify data.
6. Regarding your question: "Are there a way to access content on server which didn't exposed to outside. For example, I have a page that inserts some important records to my db, and only I know it's url. Is there a way to get this kind of files ? I know you can set some security rules over it."
   You may think that someone cannot access your page simply because they don't know the url. This is security through obscurity and will never work in the long term. The Google index spider will simply try to walk your entire site and index every page it can access. If you have pages with sensitive information, add an authentication and authorization mechanism.

Answer 3

• Validate everything as early as possible.
• Don't build SQL from raw user input - use parameters instead.
• HTML-encode all output.

Answer 4

We use a tool called fortify to scan our software http://www.fortify.com/ (sorry commercial product but maybe there are more)

It catches user input that is not validated, string concatenation instead of parameters and a lot more.

Just from trying this product you can learn how to program secure.

Answer 5

For XSS and SQL injection: never output or execute user-submitted content verbatim.

Answer 6

The most important is to prevent brute forcing of passwords. That simple by adding a delay when the password typed in is wrong.

Answer 7

Validation!