VESARiA Network Security Specialists
Web Application Security Services


    VESARiA's security analysis of the web application (see Case Study) identified these five critical areas:

Input Validation

    The web application did not sufficiently validate user input.  In part, it relied upon client-side JavaScript validation, which an attacker can simply bypass.  This is an example of trust (a forbidden word in computer security).  This lack of validation further opened the door to input manipulation attacks.  Fortunately, the database behind the web application was deployed in a secure fashion, making the infamous SQL injection attack largely impotent.  Nonetheless, construction of rigorous input validation was VESARiA's top concern.

    VESARiA helped the company implement a rigorous and redundant input validation scheme.  First, each source of external data was identified: forms, cookies, HTTP headers, even SQL queries.  For each data source, a minimal acceptance - the most restrictive definition of acceptability that still includes all legitimate data - was defined for each variable.  Any value falling outside its minimal acceptance was rejected at the moment it entered the web application.  To enhance redundancy, every critical operation was wrapped in an on-the-fly security check performed immediately before execution.
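One way to encode that scheme, as an added example rather than VESARiA's own code: each external source carries a minimal-acceptance rule per variable, values are rejected at the point of entry, and a decorator repeats the check immediately before a critical operation. The field names and patterns below are constructed for illustration.

```python
import re
from functools import wraps


class ValidationError(ValueError):
    """Raised when a value falls outside its minimal acceptance."""


# Minimal acceptance per external source and variable: the most restrictive
# pattern that still admits every legitimate value.  Constructed sample rules
# for a hypothetical order form; real rules come from the application's spec.
ACCEPT = {
    "form": {
        "username": re.compile(r"^[a-z][a-z0-9_]{2,31}$"),
        "quantity": re.compile(r"^[1-9][0-9]{0,2}$"),            # 1..999
        "email": re.compile(r"^[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9.-]{1,255}\.[A-Za-z]{2,}$"),
    },
    "cookie": {
        "session": re.compile(r"^[A-Fa-f0-9]{32}$"),              # 128-bit hex id
    },
    "header": {
        "Accept-Language": re.compile(r"^[A-Za-z0-9,;=.\- *]{1,64}$"),
    },
}


def validate(source, data):
    """Check every variable arriving from one source against its rule.

    Unknown variables, non-string values and non-matching values are all
    rejected here, at the moment they enter the application."""
    rules = ACCEPT[source]
    clean = {}
    for name, value in data.items():
        rule = rules.get(name)
        if rule is None or not isinstance(value, str) or not rule.fullmatch(value):
            raise ValidationError(f"{source}:{name} rejected")
        clean[name] = value
    return clean


def guarded(source):
    """Redundant on-the-fly check: re-validate the arguments of a critical
    operation right before it executes, independent of the entry check."""
    def decorator(fn):
        @wraps(fn)
        def wrapper(**kwargs):
            validate(source, kwargs)
            return fn(**kwargs)
        return wrapper
    return decorator


@guarded("form")
def place_order(username, quantity, email):
    """Hypothetical critical operation; returns typed parameters for a
    parameterised query rather than building a query string."""
    return {"user": username, "qty": int(quantity), "email": email}
```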

Session Management

    The web application relied partially on hidden form variables to keep track of state.  Because the client controls these fields, this left the application's state open to user manipulation.  Based on VESARiA's recommendation, all hidden form variables were eliminated and replaced with a complete session state record kept locally on the server.

Access Control

    Mechanisms were instituted to prevent access to files intended only for internal use.

Information Leakage

    Verbose error messages are useful to programmers.  Unfortunately, they are even more useful to attackers.  All specific error messages were replaced by a generic one.

Cryptography

    The application used SSL to communicate securely with other servers.  Although the cryptography itself was strong, the code that made the SSL connections did not sufficiently validate the certificates presented by the other servers, and was thus vulnerable to certificate forging and man-in-the-middle (MITM) attacks.  Proper validation of SSL certificates is difficult and intricate: it was therefore decided that VESARiA's staff, rather than the company's own programmers, would handle it.  VESARiA wrote code to perform the validation, and this code was added to the web application.

Vesaria, LLC

 
© 2000 - 2017 Vesaria Network Security Specialists        