Securing Web Application Technologies [SWAT] Checklist By SANS
http://kingofdkingz99.blogspot.com/2013/01/securing-web-application-technologies.html
| Best Practice | Description | CWE ID | |
|---|---|---|---|
| display generic error messages | Error messages should not reveal details about the internal state of the application. For example, file system path and stack information should not be exposed to the user through error messages. | cwe-209 | |
| No unhandled exceptions | Given the languages and frameworks in use for web application development, never allow an unhandled exception to occur. Error handlers should be configured to handle unexpected errors and gracefully return controlled output to the user. | cwe-391 | |
| suppress framework generated errors | Your development framework or platform may generate default error messages. These should be suppressed or replaced with customized error messages as framework generated messages may reveal sensitive information to the user. | cwe-209 | |
| Log all authentication activities | Any authentication activities, whether successful or not, should be logged. | cwe-778 | |
| Log all privilege changes | Any activities or occasions where the user's privilege level changes should be logged. | cwe-778 | |
| Log administrative activities | Any administrative activities on the application or any of its components should be logged. | cwe-778 | |
| Log access to sensitive data | Any access to sensitive data should be logged. This is particularly important for corporations that have to meet regulatory requirements like HIPAA, PCI, or SOX. | cwe-778 | |
| do not log inappropriate data | While logging errors and auditing access is important, sensitive data should never be logged in an unencrypted form. For example, under HIPAA and PCI, it would be a violation to log sensitive data into the log itself unless the log is encrypted on the disk. Additionally, it can create a serious exposure point should the web application itself become compromised. | cwe-532 | |
| store logs securely | Logs should be stored and maintained appropriately to avoid information loss or tampering by intruder. Log retention should also follow the rention policy set forth by the organization to meet regulatory requirements and provide enough information for foresic and incident response activities. | cwe-533 | |
| Data Protection Best Practice | Description | CWE ID | |
|---|---|---|---|
| use SSL everywhere | Ideally,
SSL should be used for your entire application. If you have to limit
where it's used then SSL must be applied to any authentication pages as
well as all pages after the user is authenticated. If sensitive
information (e.g. personal information) can be submitted before
authentication those features must also be sent over SSL. Example: Firesheep | cwe-311 cwe-319 cwe-523 | |
| disable hTTP access for all ssL enabled resources | For all pages requiring protection by SSL, the same URL should not be accessible via the non-SSL channel. | cwe-319 | |
| use the strict- Transport-security header | The Strict-Transport-Security header ensures that the browser does not talk to the server over non-SSL. This helps reduce the risk of SSL stripping attacks as implemented by the sslsniff tool. | ||
| store user passwords using a strong, iterative, salted hash | User
passwords must be stored using secure hashing techniques with a strong
algorithm like SHA-256. Simply hashing the password a single time does
not sufficiently protect the password. Use iterative hashing with a
random salt to make the hash strong. Example: LinkedIn password leak | cwe-257 | |
| securely exchange encryption keys | If encryption keys are exchanged or pre-set in your application then any key establishment or exchange must be performed over a secure channel | ||
| set up secure key management processes | When keys are stored in your system they must be properly secured and only accessible to the appropriate staff on a need to know basis. | cwe-320 | |
| disable weak ssL ciphers on servers | Weak SSL ciphers must be disabled on all servers. For example, SSL v2 has known weaknesses and is not considered to be secure. Additionally, some ciphers are cryptographically weak and should be disabled. | ||
| use valid ssL certificates from a reputable ca | SSL
certificates should be signed by a reputable certificate authority. The
name on the certificate should match the FQDN of the website. The
certificate itself should be valid and not expired. Example: CA Compromise (http://en.wikipedia.org/wiki/DigiNotar) | ||
| disable data caching using cache control headers and autocomplete | Browser data caching should be disabled using the cache control HTTP headers or meta tags within the HTML page. Additionally, sensitive input fields, such as the login form, should have the autocomplete=off setting in the HTML form to instruct the browser not to cache the credentials. | cwe-524 | |
| Limit the use and storage of sensitive data | Conduct an evaluation to ensure that sensitive data is not being unnecessarily transported or stored. Where possible, use tokenization to reduce data exposure risks. | ||
configuration and operations
| Best Practice | Description | CWE ID | |
|---|---|---|---|
| establish a rigorous change management process | A
rigorous change management process must be maintained during change
management operations. For example, new releases should only be deployed
after process Example: RBS production outage (http://www.computing.co.uk/ctg/analysis/2186972/rbs-wrong-rbs-manager) | cwe-439 | |
| define security requirements | Engage the business owner to define security requirements for the application. This includes items that range from the whitelist validation rules all the way to nonfunctional requirements like the performance of the login function. Defining these requirements up front ensures that security is baked into the system. | ||
| conduct a design review | Integrating security into the design phase saves money and time. Conduct a risk review with security professionals and threat model the application to identify key risks. The helps you integrate appropriate countermeasures into the design and architecture of the application. | cwe-701 cwe-656 | |
| Perform code reviews | Security focused code reviews can be one of the most effective ways to find security bugs. Regularly review your code looking for common issues like SQL Injection and Cross-Site Scripting. | cwe-702 | |
| Perform security testing | Conduct security testing both during and after development to ensure the application meets security standards. Testing should also be conducted after major releases to ensure vulnerabilities did not get introduced during the update process. | ||
| harden the infrastructure | All components of infrastructure that support the application should be configured according to security best practices and hardening guidelines. In a typical web application this can include routers, firewalls, network switches, operating systems, web servers, application servers, databases, and application frameworks. | cwe-15 cwe-656 | |
| define an incident handling plan | An incident handling plan should be drafted and tested on a regular basis. The contact list of people to involve in a security incident related to the application should be well defined and kept up to date. | ||
| educate the team on security | Training helps define a common language that the team can use to improve the security of the application. Education should not be confined solely to software developers, testers, and architects. Anyone associated with the development process, such as business analysts and project managers, should all have periodic software security awareness training. | ||
authentication
| Best Practice | Description | CWE ID | |
|---|---|---|---|
| don't hardcode credentials | Never
allow credentials to be stored directly within the application code.
While it can be convenient to test application code with hardcoded
credentials during development this significantly increases risk and
should be avoided. Example: Hard coded passwords in networking devices https://www.us-cert.gov/control_systems/pdf/ICSA-12-243-01.pdf | cwe-798 | |
| develop a strong password reset system | Password
reset systems are often the weakest link in an application. These
systems are often based on the user answering personal questions to
establish their identity and in turn resetthe password. The system needs
to be based on questions that are both hard to guess and brute force.
Additionally, any password reset option must not reveal whether or not
an account is valid, preventing username harvesting. Example: Sara Palin password hack (http://en.wikipedia.org/wiki/Sarah_Palin_email_hack) | cwe-640 | |
| implement a strong password policy | A password policy should be created and implemented so that passwords meet specific strength criteria. Example: http://www.pcworld.com/article/128823/study_weak_passwords_really_do_help_hackers.html | cwe-521 | |
| implement account lockout against brute force attacks | Account lockout needs to be implemented to guard against brute forcing attacks against both the authentication and password reset functionality. After serveral tries on a specific user account, the account should be locked for a period of time or until manually unlocked. Additionally, it is best to continue the same failure message indicating that the credentials are incorrect or the account is locked to prevent an attacker from harvesting usernames. | cwe-307 | |
| don't disclose too much information in error messages | Messages for authentication errors must be clear and, at the same time, be written so that sensitive information about the system is not disclosed. For example, error messages which reveal that the userid is valid but that the corresponsing password is incorrect confirms to an attacker that the account does exist on the system. | ||
| store database credentials securely | Modern web applications usually consist of multiple layers. The business logic tier (processing of information) often connects to the data tier (database). Connecting to the database, of course, requires authentication. The authentication credentials in the business logic tier must be stored in a centralized location that is locked down. Scattering credentials throughout the source code is not acceptable. Some development frameworks provide a centralized secure location for storing credentials to the backend database. These encrypted stores should be leveraged when possible. | cwe-257 | |
| applications and Middleware should run with minimal privileges | If an application becomes compromised it is important that the application itself and any middleware services be configured to run with minimal privileges. For instance, while the application layer or business layer needs the ability to read and write data to the underlying database, administrative credentials that grant access to other databases or tables should not be provided. | cwe-250 | |
Session Management
| Best Practice | Description | CWE ID | |
|---|---|---|---|
| ensure that session identifiers are sufficiently random | Session tokens must be generated by secure random functions and must be of a sufficient length so as to withstand analysis and prediction. | cwe-6 | |
| regenerate session tokens | Session tokens should be regenerated when the user authenticates to the application and when the user privilege level changes. Additionally, should the encryption status change, the session token should always be regenerated | cwe-384 | |
| implement an idle session timeout | When a user is not active, the application should automatically log the user out. Be aware that Ajax applications may make recurring calls to the application effectively resetting the timeout counter automatically. | cwe-613 | |
| implement an absolute session timeout | Users should be logged out after an extensive amount of time (e.g. 4-8 hours) has passed since they logged in. This helps mitigate the risk of an attacker using a hijacked session. | cwe-613 | |
| destroy sessions at any sign of tampering | Unless the application requires multiple simultaneous sessions for a single user, implement features to detect session cloning attempts. Should any sign of session cloning be detected, the session should be destroyed, forcing the real user to reauthenticate. | ||
| invalidate the session after logout | When the user logs out of the application the session and corresponding data on the server must be destroyed. This ensures that the session can not be accidentially revived. | cwe-613 | |
| Place a logout button on every page | The logout button or logout link should be easily accessible to the user on every page after they have authenticated. | ||
| use secure cookie attributes (i.e. httponly and secure flags) | The session cookie should be set with both the HttpOnly and the Secure flags. This ensures that the session id will not be accessible to client-side scripts and it will only be transmitted over SSL, respectively. | cwe-79 cwe-614 | |
| set the cookie domain and path correctly | The cookie domain and path scope should be set to the most restrictive settings for your application. Any wildcard domain scoped cookie must have a good justification for its existence. | ||
| set the cookie expiration time | The session cookie should have a reasonable expiration time. Non-expiring session cookies should be avoided. | ||
Input and Output Handling
| Best Practice | Description | CWE ID | |
|---|---|---|---|
| conduct contextual output encoding | All
output functions must contextually encode data before sending
it to the user. Depending on where the output will end up in the HTML
page, the output must be encoded differently. For example, data placed
in the URL context must be encoded differently than data placed in
JavaScript context within the HTML page. Example: Resource: https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet | cwe-79 | |
| Prefer whitelists over blacklists | For each user input field, there should be validation on the input content. Whitelisting input is the preferred approach. Only accept data that meets a certain criteria. For input that needs more flexibility, blacklisting can also be applied where known bad input patterns or characters are blocked. | cwe-159 cwe-144 | |
| use parameterized sQL queries | SQL
queries should be crafted with user content passed into a bind
variable. Queries written this way are safe against SQL injection
attacks. SQL queries should not be created dynamically using string
concatenation. Similarly, the SQL query string used in a bound or
parameterized query should never be dynamically built from user input. Example: Sony SQL injection Hack (http://www.infosecurity-magazine.com/view/27930/lulzsec-sony-pictures-hackers-were-school-chums) | cwe-89 cwe-564 | |
| use tokens to prevent forged requests | In order to prevent Cross-Site Request Forgery attacks, you must embed a random value that is not known to third parties into the HTML form. This CSRF protection token must be unique to each request. This prevents a forged CSRF request from being submitted because the attacker does not know the value of the token. | cwe-352 | |
| set the encoding for your application | For every page in your application set the encoding using HTTP headers or meta tags within HTML. This ensures that the encoding of the page is always defined and that browser will not have to determine the encoding on its own. Setting a consistent encoding, like UTF-8, for your application reduces the overall risk of issues like Cross-Site Scripting. | cwe-172 | |
| Validate uploaded files | When accepting file uploads from the user make sure to validate the size of the file, the file type, and the file contents as well as ensuring that it is not possible to override the destination path for the file. | cwe-434 cwe-616 cwe-22 | |
| use the nosniff header for uploaded content | When hosting user uploaded content which can be viewed by other users, use the X-Content-Type-Options: nosniff header so that browsers do not try to guess the data type. Sometimes the browser can be tricked into displaying the data type incorrectly (e.g. showing a GIF file as HTML). Always let the server or application determine the data type. | cwe-430 | |
| Validate the source of input | The source of the input must be validated. For example, if input is expected from a POST request do not accept the input variable from a GET request. | cwe-20 cwe-346 | |
| use the X-frame- options header | Use the X-Frame-Options header to prevent content from being loaded by a
foreign site in a frame. This mitigates Clickjacking
attacks. For older browsers that do not support this header add
framebusting Javascript code to mitigate Clickjacking (although this
method is not foolproof and can be circumvented).
Example: Flash camera and mic hack (http://jeremiahgrossman.blogspot.com/2008/10/clickjacking-web-pages-can-see-and-hear.html) | caPec-103 cwe-693 | |
| use content security Policy (csP) or X-Xss- Protection headers | Content Security Policy (CSP) and X-XSS-Protection headers help defend against many common reflected Cross-Site Scripting (XSS) attacks. | cwe-79 cwe-692 | |
Access Control
| Best Practice | Description | CWE ID | |
|---|---|---|---|
| apply access controls checks consistently | Always apply the principle of complete mediation, forcing all requests through a common security “gate keeper.†This ensures that access control checks are triggered whether or not the user is authenticated. | cwe-284 | |
| apply the principle of least privilege | Make use of a Mandatory Access Control system. All access decisions will be based on the principle of least privilege. If not explicitly allowed then access should be denied. Additionally, after an account is created, rights must be specifically added to that account to grant access to resources. | cwe-272 cwe-250 | |
| don't use direct object references for access control checks | Do not allow direct references to files or parameters that can be manipulated to grant excessive access. Access control decisions must be based on the authenticed user identity and trusted server side information. | cwe-284 | |
| don't use unvalidated forwards or redirects | An
unvalidated forward can allow an attacker to access private content
without authentication. Unvalidated redirects allow an attacker to lure cwe-601victims into visiting malicious sites. Prevent these from occurring by
conducting the appropriate access controls checks before sending the
user to the given location. Source:Sans | ||
