This article covers some of the common techniques for securing your website using coding techniques. Although I will touch on non-coding issues, the focus of this article is on your code. Adding security is about adding layers of protection. The more layers you add, the more secure your website is from hackers.
It's about attitude:
- Be Pessimistic - If you're a positive, glass-half-full kind of person like me, train yourself to be pessimistic when it comes to security. Don't think "if a hacker", think "when".
- Build In Security from the Beginning - Understand security risks and build in reasonable security precautions right from the start of your project. If you are retrofitting a website, focus first on public pages (pages that do not require authentication).
Non-Member Pages at Higher Risk
Although you should take precautions with all pages of a website, you should pay particular attention to public pages (pages that do not require some type of authentication). Also consider limiting the number of public pages. Review your list of public pages and see if you can convert some of them to members-only.
13 Ways To Harden Your Code!
The following general advice is for all languages. If you're a good developer, you can implement these concepts in your language of choice.
1. Validate Query String Length
If you know the maximum query string length you use is under 80 characters, then validate that the passed-in query string is less than 80 characters.
2. Filter Query String Against a Blacklist
Filter the passed-in query string against a blacklist of tokens used in known hacks, such as the following:
- (
- )
- --
- ;
- 0x
- cast
- create
- declare
- delete
- drop
- exe
- go
- insert
- nvarchar
- select
- set
- script
- update
You'll have to be careful with this list as you are likely to get a lot of false positives. You may wish to have an email sent to you whenever the check returns False so you can review for false positives.
For ASP Classic, this could be a function something like...
' Returns True when the query string is short enough and contains none of
' the blacklisted tokens listed above (case-insensitive match).
Function IsURLSafe()
    Dim TheURL, RetBool, Tokens, i
    TheURL = Request.ServerVariables("QUERY_STRING")
    RetBool = True
    Tokens = Array("(", ")", "--", ";", "0x", "cast", "create", "declare", _
                   "delete", "drop", "exe", "go", "insert", "nvarchar", _
                   "select", "set", "script", "update")
    If Len(TheURL) > 100 Then
        RetBool = False
    Else
        For i = LBound(Tokens) To UBound(Tokens)
            If InStr(1, TheURL, Tokens(i), vbTextCompare) > 0 Then
                RetBool = False
                Exit For
            End If
        Next
    End If
    IsURLSafe = RetBool
End Function
3. Validate Form Field Lengths
One trick hackers use is to simulate posting a form. They look at what you are posting (easily done with View Source in most browsers) and experiment with what they can post; one of their tricks is to add onto existing form fields. Therefore, you should validate the length of your posted form fields.
4. Filter Form Fields Against a Blacklist
Similar to #2 above, filter your form fields against a blacklist, something like the one above.
5. Use Strong Type Casting
Use strong type casting or validate the variable type of every input field (verify numbers are numbers, dates are dates, etc.). Do this EVEN when calling parameterized stored procedures.
6. Use HTML's MaxLength
Consistently use maxlength to keep casual hackers from experimenting with your form fields. This does not prevent a hacker from posting from their website but it does help discourage the casual hacker.
7. Prevent Cross Website Scripting (XSS)
Cross website scripting is posting from one website to another; sometimes known as XSS. To prevent these attacks, validate that the posted data came from a valid source. For example, you can check a session variable or pass an encrypted checksum in a hidden field. You have to encrypt your checksum because most browsers let anyone see the form code (including hidden form fields) by viewing the source of the HTML page. For that reason, many developers prefer using session variables or other means.
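As an added example (not the article's code), here is the hidden-field approach from item 7 in Python: the server computes a keyed checksum (an HMAC, used here in place of encryption) over the visitor's session ID, the form name and an issue time, emits it in the hidden field, and recomputes it on POST. The key, the one-hour validity window and the function names are assumptions.

```python
import hashlib
import hmac
import re
import time

# Constructed server-side key for this example; a real site loads it from
# protected configuration. Only the server holds it, which is why the token
# may sit in a hidden field that anyone can read with View Source.
SERVER_KEY = b"example-key-not-for-production"
TOKEN_MAX_AGE = 3600  # seconds a rendered form stays postable (assumption)


def _mac(session_id, form_name, issued, key):
    """Keyed checksum over who (session), what (form) and when (issue time)."""
    msg = f"{session_id}|{form_name}|{issued}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def make_form_token(session_id, form_name, key=SERVER_KEY, now=None):
    """Value for the hidden field when the form is rendered."""
    issued = int(time.time() if now is None else now)
    return f"{issued}.{_mac(session_id, form_name, issued, key)}"


def hidden_field_html(token):
    """The hidden input the article describes, carrying the keyed checksum."""
    return f'<input type="hidden" name="form_token" value="{token}">'


def verify_form_token(token, session_id, form_name, key=SERVER_KEY,
                      max_age=TOKEN_MAX_AGE, now=None):
    """Check on POST. The session ID comes from the visitor's cookie, the
    token from the posted field; a post assembled elsewhere cannot carry a
    token that matches this session and form."""
    try:
        issued_text, mac = token.split(".", 1)
        issued = int(issued_text)
    except (AttributeError, ValueError):
        return False                       # malformed or missing token
    if not re.fullmatch(r"[0-9a-f]{64}", mac):
        return False                       # not a SHA-256 hex digest
    current = int(time.time() if now is None else now)
    if not 0 <= current - issued <= max_age:
        return False                       # stale, or issued in the future
    expected = _mac(session_id, form_name, issued, key)
    return hmac.compare_digest(mac, expected)  # constant-time comparison
```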
8. Filter Dynamic SQL
If you build SQL statements from form fields, you should create a filter routine that checks for known hacks and call this filter prior to executing any SQL statement.
For ASP Classic, this could be something like...
' Returns True when the SQL text contains none of the known-hack tokens.
' Call it before executing any SQL statement built from form fields.
Function IsSQLSafe(TheSQL)
    IsSQLSafe = True
    ' First token assumed: the original was lost from the page, "<" catches
    ' injected HTML or script tags
    If InStr(1, TheSQL, "<", vbTextCompare) > 0 Then
        IsSQLSafe = False
    ElseIf InStr(1, TheSQL, "union", vbTextCompare) > 0 Then
        IsSQLSafe = False
    End If
End Function
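An added example (not the article's code) that carries items 2, 5 and 8 into Python: a blacklist scan that reports which token matched (so the false-positive review e-mail from item 2 can say why a request was rejected), a strict integer check, and a parameterized query against a constructed in-memory SQLite table. The function names, the 100-character cap and the sample table are assumptions.

```python
import re
import sqlite3

# Token blacklist copied from the article's list in item 2 ("drop" is obfuscated there)
BLACKLIST = ("(", ")", "--", ";", "0x", "cast", "create", "declare", "delete",
             "drop", "exe", "go", "insert", "nvarchar", "select", "set",
             "script", "update")
MAX_QUERY_LEN = 100  # same cap as the article's IsURLSafe


def first_blacklisted_token(text, blacklist=BLACKLIST):
    """Return the first blacklisted token found (case-insensitive) or None.
    Reporting the token is what makes a false-positive review actionable."""
    lowered = text.lower()
    for token in blacklist:
        if token in lowered:
            return token
    return None


def is_url_safe(query_string):
    """Items 1 and 2: length cap first, then the blacklist scan."""
    if len(query_string) > MAX_QUERY_LEN:
        return False
    return first_blacklisted_token(query_string) is None


def parse_int_field(value, lo, hi):
    """Item 5, strong typing: accept only a whole number within [lo, hi]."""
    if not re.fullmatch(r"-?\d{1,9}", value.strip()):
        raise ValueError("not an integer")
    n = int(value)
    if not lo <= n <= hi:
        raise ValueError("out of range")
    return n


def demo_db():
    """Constructed in-memory table standing in for the real database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?)",
                     [(1, "widget"), (2, "gadget")])
    return conn


def lookup_product(conn, raw_id):
    """Item 8: type-check the value, then bind it as a parameter so no user
    text is spliced into the SQL; the blacklist stays as an extra layer."""
    pid = parse_int_field(raw_id, 1, 10_000_000)
    row = conn.execute("SELECT name FROM products WHERE id = ?", (pid,)).fetchone()
    return row[0] if row else None
```

Note that a legitimate page name such as `reset` trips the `set` entry, which is the kind of false positive the article warns about.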
9. Limit Number of Attempts
Because hackers generally have to try many different attacks prior to finding a security vulnerability on your website, limit the number of form posts. For example, if you currently allow unlimited attempts to sign into your website, limit the number of attempts to 3 or 4 and then lock out the user. You can lock out a user by temporarily banning the IP address, session ID, etc.
10. Time Limit Posts
Because hackers generally use automated software, build in a mechanism to ensure they are not posting more than once every 30 seconds. Combined with limiting the number of attempts as suggested above, this is a reasonable approach to limiting hackers' experiments.
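An added example, not from the article, combining items 9 and 10 in Python: a per-client limiter that rejects posts arriving less than 30 seconds apart and locks a client out after 3 failed attempts. The client key (IP address or session ID), the 15-minute lockout and the method names are assumptions; time is passed in explicitly so it runs offline.

```python
import time
from collections import defaultdict

# Limits from the article: lock out after 3 failed attempts, and accept no
# more than one post every 30 seconds. The lockout length is an assumption.
MAX_ATTEMPTS = 3
MIN_INTERVAL = 30        # seconds between accepted posts from one client
LOCKOUT_SECONDS = 900    # 15-minute lockout (assumed)


class PostLimiter:
    """Throttles form posts per client key (IP address, session ID, ...).
    `now` is passed in explicitly so the behaviour can be tested offline."""

    def __init__(self, max_attempts=MAX_ATTEMPTS, min_interval=MIN_INTERVAL,
                 lockout=LOCKOUT_SECONDS):
        self.max_attempts = max_attempts
        self.min_interval = min_interval
        self.lockout = lockout
        self.last_post = {}                # key -> time of last accepted post
        self.failures = defaultdict(int)   # key -> consecutive failed attempts
        self.locked_until = {}             # key -> time the lockout ends

    def check(self, key, now=None):
        """Call before processing a post. Returns (allowed, reason); the reason
        is for your own log, the user only ever sees the one generic security
        message from item 11."""
        now = time.time() if now is None else now
        if self.locked_until.get(key, 0) > now:
            return False, "locked_out"
        last = self.last_post.get(key)
        if last is not None and now - last < self.min_interval:
            return False, "too_fast"
        self.last_post[key] = now
        return True, "ok"

    def record_failure(self, key, now=None):
        """Count a failed attempt (bad password, filter hit, ...). On reaching
        the limit, lock the client out and reset the counter."""
        now = time.time() if now is None else now
        self.failures[key] += 1
        if self.failures[key] >= self.max_attempts:
            self.locked_until[key] = now + self.lockout
            self.failures[key] = 0

    def record_success(self, key):
        """A good sign-in clears the consecutive-failure count."""
        self.failures.pop(key, None)
```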
11. Use a Generic Security Message
Hackers study your error messages to determine how you are preventing them from abusing you (boy, that was a mouthful). Make it a bit more difficult by using a single error message for security-related errors. If you use error numbers (a best practice), use one error number for all security errors. If you wish, you can even build in a debug mode that uses various error numbers for security errors and a production mode that uses just one error number.
12. Use SSL
Secure Sockets Layer (SSL) is in common use today and protects the HTTP packets (your browser uses https://www.somedomain.com instead of http://). Although it's not a bad idea to use SSL for all your forms, most programmers reserve it for when you collect sensitive information such as credit card information and passwords.
13. Double Encryption
In addition to using SSL for the packets, good website security scrambles sensitive data in the database and makes use of whatever encryption is available in your database (double encryption).
Proper Coding Is Only Half the Solution
In addition to the layers of coding techniques discussed above, proper configuration of your servers is critical! Your network administration is important and includes the proper setup and configuration of your servers. Although a bit out of scope for this code oriented article, here are a few network administration items to review.
Updates - You know it's critical to keep up with your updates on your workstation. For a healthy and secure server, keep up with the available updates for your server OS, chosen database, and other applications.
Permissions and Rights - Whatever web server and database you use, make sure you understand industry best practices for permissions and rights and set up an in-house procedure that can be easily implemented and reviewed.
Firewall Filters - A good firewall in front of your IIS or other web server can go a long way toward preventing hackers. For example, AQTRONIX WebKnight is an application firewall for IIS and other web servers and is released under the GNU General Public License. More particularly, it is an ISAPI filter that secures your web server by blocking certain requests. If an alert is triggered, WebKnight takes over and protects the web server. It does this by scanning all requests and processing them based on filter rules set by the administrator. These rules are not based on a database of attack signatures that require regular updates. Instead, WebKnight uses security filters for buffer overflow, SQL injection, directory traversal, character encoding and other attacks. This way WebKnight can protect your server against all known and unknown attacks. Because WebKnight is an ISAPI filter it has the advantage of working closely with the web server, so it can do more than other firewalls and intrusion detection systems, such as scanning encrypted traffic.
That's it! I hope you enjoyed this code-centric article on adding layers of security to your websites. If you have suggestions, comments, or questions, please post them below.