The web platform is the part of a web application that intruders will typically probe for vulnerabilities first. The web platform commonly includes:
- Web server software (such as IIS or Apache).
- Extensions to the web server, such as ISAPI filters and extensions, or Apache modules.
- Dynamic execution environments like ASP.NET, PHP, and J2EE (also referred to as application servers).
- Services and daemons, such as user forums or web guestbook packages.
- Set a strong password policy that requires uppercase letters, lowercase letters, digits, and special characters.
- Implement password salting.
- Implement password masking (****).
- Display generic and standard messages in case of authentication failure.
- Validate password policy at both the client side and server side.
- Encrypt the password in storage using a strong algorithm.
- Implement a secure password recovery mechanism.
- Use multifactor authentication for sensitive areas.
- Verify the old password while changing to a new password.
- Make use of OAuth, Centrify, OpenID, and Kerberos or similar tools for implementing single sign-on (SSO).
- Implement the principle of least privilege.
- Implement role-based access control.
- Use JSON web tokens (JWT) for secure authentication and information exchange.
- Implement validation checks to prevent authorization creep, and vertical and horizontal privilege escalation.
Session management flaws
- Set an idle session timeout value to limit the duration.
- Set a complex session ID.
- Invalidate the session upon termination of the browser window.
- Regenerate the session ID upon successful authentication or privilege change.
- Implement protection for cross-site request forgery (CSRF).
Input validation flaws
- Client-side data validation.
- Server-side data validation.
- Blacklisting or whitelisting of input characters.
- Data sanitization.
- Content type checks for file uploads.
- Implement a virus scanner for file uploads.
- Output validation and encoding.
- Use prepared statements, parameterized queries, and bind variables in the database.
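The three input-handling countermeasures above (server-side validation, parameterized queries, and output encoding) applied to one user-lookup path, as an added example that is not part of the original checklist; the table, the allowlist pattern, and the function names are constructed for illustration, and the input used is a legitimate username containing an apostrophe, which a concatenated query mishandles while a bind variable passes it through unchanged:

```python
import html
import re
import sqlite3

# Constructed in-memory table so the example runs offline.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
conn.executemany("INSERT INTO users VALUES (?, ?)",
                 [("alice", "admin"), ("o'brien", "user")])
conn.commit()

# Server-side allowlist (assumed policy): only characters a username legitimately needs.
USERNAME_RE = re.compile(r"^[A-Za-z0-9'._-]{1,32}$")

def validate_username(name: str) -> bool:
    """Allowlist check run on the server regardless of any client-side validation."""
    return USERNAME_RE.fullmatch(name) is not None

def lookup_role_unsafe(name: str):
    """String concatenation: any quote in the input becomes part of the SQL syntax."""
    sql = "SELECT role FROM users WHERE name = '" + name + "'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None

def lookup_role_safe(name: str):
    """Bind variable: the driver sends the value separately from the query text."""
    row = conn.execute("SELECT role FROM users WHERE name = ?", (name,)).fetchone()
    return row[0] if row else None

def unsafe_lookup_fails(name: str) -> bool:
    """True when the concatenated query cannot even be parsed for this input."""
    try:
        lookup_role_unsafe(name)
        return False
    except sqlite3.OperationalError:
        return True

def render_greeting(name: str) -> str:
    """Output encoding: escape the value before it lands in an HTML response."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"

if __name__ == "__main__":
    user = "o'brien"
    print(validate_username(user), unsafe_lookup_fails(user), lookup_role_safe(user))
    print(render_greeting("<b>" + user + "</b>"))
```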
Auditing and logging flaws
- Capture login/logout, failed login, new user creation, and data modification events. Password changes and detailed activity events should also be captured along with user name, timestamp, and the end user’s source IP address.
- Ensure that logging cannot be used to deplete system resources, for example by filling up disk space or exceeding the database transaction log space, leading to denial of service.
- Ensure that logs are protected from tampering.