I used to work as a Security Engineer in Switzerland(Lausanne) for 5 years. Part of my job was Ethical Hacking and performed pentest on various projects with a speciality on web technologies.
Right now I shifted to the defence side and joined forces with IT Operations and developers. I have to say I was rather surprised to see not anyone of them had any awareness about security and impact of their works. Their daily job was to deliver new feature and make the whole run smoothly. Security was often the leftover child in any web project. No time, not enough skill, teams often relies on external entities to assess their security and have trouble understanding the problems and correcting them.
Today I’d like to give you hints & tips to assess your security without using outside consultants, and perform the most important tasks in order to secure your web project.
Top 10 of web vulnerabilities
First, you should know what your website is at risk . Below you can find the official TOP10 list of the attacks attempted on websites in 2013. This project is maintained by the Open Web Application Security Project (OWASP) who aims at securing the web and helping developers.
- A1–Injection :Most of the time SQL injections to take access on database (SQL Injection).
- A2–Broken Authentication and Session Management: To bypass authentication or authenticated sessions
- A4–Insecure Direct Object References : Perform actions on other users account
- A5–Security Misconfiguration: Bad security configuration and default values
- A6–Sensitive Data Exposure ：Reveals sensitive data on demand
- A7–Missing Function Level Access Control: Can access higher privileges function without access control
- A8–CSRF (Cross-Site Request Forgery) : Uses authenticated session on your behalf
- A9–Using Components with Known Vulnerabilities): Using old or vulnerable libraries and software
- A10–Unvalidated Redirects and Forwards: Change the parameters on your redirection links
For further details you can download the full version including explanation and examples for each attack:
Assessment of the Security level of your application
In order to help you assessing the security of your project, OWASP created an Application Security Verification Standard (ASVS). This project provides a checklist in order to assess your security level. It is divided in several categories from Authentication to Server Configuration and even Mobile Assets in the latest version. There is three level of scoring :
- Minimum Security level required
- Active checks and security enforcement
- Advanced security processes
If you validate all the criteria in Level 1 you can consider your application secured to automatic tools most of the time. At level 2 your application is robust enough to prevent low skill hackers. At level 3 your application should be able to resist more advanced attacks and even detect it correctly. So basically your job will be to comply these checks on your website to ensure this particular level and make it your goal for security enhancement.
I built an optimised checklist using LibreOffice to help you performing the checks. It calculates automatically the valid results and display the graph corresponding to your security level.
You can download ASVS-3-0.
Become a Hacker and test your project yourself
Most of people thinks it’s complicated and requires a lot of skills to test your website. Of course professional pentesters will always be more accurate, but you can already test a lot by yourself using free software, tools and some tricks. It takes a bit of time and you should only try this on your test environment. These tools might be dangerous and break your website for good !! So make a backup and let’s play !
- SQL Injection:
- Use a tool such as SQLMap to test your URLs by yourself. This tool will automatically test SQL injection attack on all the parameters of an URL or POST parameter you will provide.
- Code review on all your SQL queries and check if the data is sanitized. If you have a doubt you can enter weird value to see if it breaks your website : ” ‘ OR 1=1;– “, ” ; INSERT into user(…)” , ” UNION SELECT 1,null,null … “, ” ORDER BY 10 —“.
- XSS (Cross-Site Scripting) :For testing XSS the best solution is to use the tool XssMe which is provided as a Firefox extension which can test all the forms of the page. But more than tools, doing it manually can be very interesting. Basically you have to try to input “evil” values in your forms or any input and see if it breaks something or trigger on your site unwanted behaviour. For a starter you can test the followings and copy/paste these strings as is:
- <h1 class=’font-size:52px;color:red;’>Boo</h1> (Test if you can trigger HTML to be interpreted from your inputs)
- ‘><h1 class=’font-size:52px;color:red;’>Boo</h1> (Same with some escape characters)
- <svg width=”800px” height=”300px”><text x=”0″ y=”150″ font-family=”Verdana” font-size=”60″ fill=”red”>YOU HAVE BEEN HACKED </text></svg> (Test if you can trigger SVG to be interpreted from your inputs)
- ‘><svg width=”800px” height=”300px”><text x=”0″ y=”150″ font-family=”Verdana” font-size=”60″ fill=”red”>YOU HAVE BEEN HACKED </text></svg>
- “><svg width=”800px” height=”300px”><text x=”0″ y=”150″ font-family=”Verdana” font-size=”60″ fill=”red”>YOU HAVE BEEN HACKED </text></svg>
- If you see anything strange happening to the rendering or unexpected you can be pretty sure that you are vulnerable to XSS and you should check how to protect yourself
- Insecure Direct Object References: To test this vulnerability the best way is to log with an account, copy a link that only this user should be able to see/click, then login on another account and paste the link and see if you can access it or change parameters for this calling. Basically if you can access other’s account information once your logged in it means you only protected authentication but not authorization. Once logged in, users can access everything… and I bet it’s not what you wanted 🙂
- Vulnerable Components: It is often the simplest but few people do this. Basically for each library you are using you should be able to check if there is currently vulnerabilities affecting your project. To help with this task each country as a CERT that displays information about software at risk. Here are the ones for Japan, U.S.A and Great Britain. They also have resources to help you deal with security and good practices. You can also refer to specialized hacking websites such as Exploit-DB and CVE-CCE. Of course you can also check your software vendor websites and check if they have security advisories such as Symfony for PHP projects. If you are really interested into testing your website like hackers I highly recommend you to have a look at the Metasploit Framework. This is a framework to exploit vulnerabilities simply and gain control over computers through it.
Improve your security level
Now that you could assess your security level, and test your security level and maybe found some nasty things, the next steps is obviously to patch things up and repair the mess before anything bad happens. As for the security checks I’ll provide most important area to consider when securing your website:
- Secure access to database : Each one of your request to database should either use ORM(Object Relational Mapping) or parameterized queries!! No exception ! no “home-made” functions because all languages have libraries to do it safely much better and tested than yours! This is really important and failure in that case could lead to SQL Injection, data theft, dump your all database, steal password , and possibly gain control over the whole project or servers (using admin passwords… do you use the same password everywhere?).
- Secure your inputs in forms : Once again you should consider every input as “evil” and never evaluate or interpret without prior sanitisation. It exists functions to clean any input from forms to remove any HTML tag and interpret it as simple strings instead of trigger behaviour. You should definitely look for HTML stripping functions in your beloved language!
- Access Control List: This might be the trickiest to solve. Basically users should only have access to their own information both functionally and in terms of data. For data you should make sure to constrain what user can see by adding her user ID into any request made to database to filter results. Regarding functions it gets more difficult: either your framework allow you to do ACL as a configuration or either you have to code an authorization level by yourself by checking who is accessing function (session variables for instance) and decide whether or not you can grant access to the user. You can find more tips& tricks once again on the OWASP website.
- Software Updates: Once you determined whether or not your current version is at risk, the next step can be two things :
- A patch exists and you should definitely upgrade to secure it as soon as possible. (Test it in test environment if available)
- Patch doesn’t exist and you should then see the criticality of the vulnerability to see if it’s worth coding something yourself to repair or at least detect any attempt to use this vulnerability.
That’s all for now, I hope this will give you the first step to dive into security and improve painlessly the security level of your projects !
By the way , out of the blue, I recommend you the very good drama : Mr Robot which is technically pretty accurate !!
Do not hesitate to share and comments if you want to know more or if you like it !!