In the recent past there have been several incidents in which the security of Kerala-based websites has been compromised. Implementing the right security model is a vital part of any online portal, and in this guest article we hope to cover some important points related to it.
Cross Site Scripting
Cross-site scripting (XSS) is a common attack on websites. Consider a scenario in which a user enters a script into an input form that is stored without being validated; when another user visits the page, the script runs and pops up its message. The common goals of such attacks are to steal cookies, session information and other sensitive data.
If a malicious script is injected it seriously affects the website, and it can be combined with a phishing attack.
SQL Injection Attacks
SQL injection is a common problem in websites. It occurs, for example, when a query fragment is passed through the input fields of a login form and reaches the database through a CRUD operation: the input field effectively lets the user query the database. If a user input text area or field is not validated, and you build SQL statements by string concatenation to load data from the database, you are exposed to SQL injection attacks.
Session Hijacking
Session hijacking is a way of taking over a user's session state. It is done either by guessing the session ID or by using a stolen session ID. Guessing is hard because ASP.NET uses a 120-bit number as the session ID, so hijacking is usually done by other means such as cross-site scripting, a man-in-the-middle attack or stealing the user's cookie.
Man in the Middle Attack
A man-in-the-middle attack, as described here, takes place between the web server and the database server. Normally the traffic between the web server and the database server is not protected, so an attacker on that path can sniff the traffic.
Hidden field Tampering
If you rely on sensitive values stored in hidden fields without validating the data that comes back from the user, an attacker can tamper with the hidden field. The returned values must therefore be validated against the expected values.
View state is Base64 encoded, not encrypted, so an attacker can decode and read it. View state should therefore carry a hash value that the server checks to detect tampering, and it should also be protected from being read. Avoid sending sensitive information back and forth between server and client in view state.
Deploy web application
There are several tasks to complete before deploying a website into the production environment that avoid some security pitfalls:
# Remove tracing before deployment
# Set debug mode to false
# Set the custom error page mode to remote only
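As an added example (not from the original article), the three deployment settings above together with the view state hashing recommended earlier, expressed as an ASP.NET web.config fragment; the weak development values are shown first for contrast. ~/Error.aspx is a placeholder for the site's own error page, and requireSSL assumes the site is served over HTTPS.

```xml
<!-- Added example, not from the original article: production web.config
     fragment for an ASP.NET site. ~/Error.aspx is a placeholder. -->
<configuration>
  <system.web>
    <!-- Weak (development) settings, kept here only for contrast:
         <trace enabled="true" localOnly="false" />
         <compilation debug="true" />
         <customErrors mode="Off" />
         <pages enableViewStateMac="false" /> -->

    <!-- 1. Tracing off: trace.axd would expose request, session and
            server details to anyone who can reach it. -->
    <trace enabled="false" />

    <!-- 2. Debug off: debug builds put stack traces and source line
            numbers into error pages. -->
    <compilation debug="false" />

    <!-- 3. Detailed errors for local requests only; remote users get a
            generic page, so exception details do not help an attacker. -->
    <customErrors mode="RemoteOnly" defaultRedirect="~/Error.aspx" />

    <!-- View state: MAC so tampering is detected, encryption so that
         Base64-decoding it reveals nothing. On a web farm every server
         needs the same fixed machineKey for this to validate. -->
    <pages enableViewStateMac="true" viewStateEncryptionMode="Always" />

    <!-- Cookies unreadable by page script (limits cookie theft via XSS)
         and only sent over HTTPS (limits sniffing of the session ID). -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
  </system.web>
</configuration>
```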
Some core security principles that should be followed during website development:
# Code Access Security: Run script or execute code under a least privileged account to limit the potential damage.
# Security in Layers: Place checkpoints in every layer of the application so that only authenticated and authorized users can get access.
# User Privileges: Users should be assigned the least privilege needed, with assigned roles that determine which pages they can access.
# Application Failure: When the application fails, make sure it does not leave sensitive data unprotected, and don't include details that could help an attacker exploit a vulnerability in your application.
# Application Logging: Write application and user errors to error logs, the database and the Windows event log, depending on log severity.
# Authentication and Authorization: Restrict users' access to system-level resources such as files, folders and event logs.
Last but not least, have a proper logging mechanism that logs every action in your online travel application and store the logs for a minimum of one year. You never know when you will need to look back at an earlier transaction and see what happened.
About the Author
Pradeep is a Senior Software Engineer in Teknokraaft (www.teknokraaft.com), a Trivandrum based company specialising in delivering technology solutions to Travel companies across the globe. Pradeep is part of the Online Travel Application team.
Kerala IT News