VESARiA's security analysis of the web application (see Case Study) identified these five critical areas:
VESARiA helped the company implement a rigorous and redundant input validation scheme. First, every source of external data was identified: forms, cookies, HTTP headers, even data returned by SQL queries. For each data source, a minimal acceptance - the most restrictive definition of acceptability that still includes all legitimate data - was defined for each variable. Any variable outside its minimal acceptance was rejected the moment it entered the web application. For redundancy, every critical operation was also wrapped in an on-the-fly security check that re-validated its inputs immediately before execution.
The web application relied partially on hidden form variables to keep track of state. Because those values are under the client's control, a user could manipulate them. Based on VESARiA's recommendation, all hidden form variables were eliminated and replaced with a complete session state record kept on the server.
Mechanisms to prevent access to files intended for internal use were instituted.
Verbose error messages are useful to programmers. Unfortunately, they are even more useful to attackers. All specific error messages were replaced by a generic one.
The application used SSL to communicate securely with other servers. Although the cryptography itself was strong, the code that made the SSL connections did not sufficiently validate the certificates presented by the other servers, and was thus vulnerable to certificate forging and man-in-the-middle (MITM) attacks. Proper validation of SSL certificates is difficult and intricate, so it was decided that VESARiA's staff, rather than the company's own programmers, would handle it. VESARiA wrote code to perform the validation, and this code was added to the web application.
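The input validation scheme described in the first area above (a minimal acceptance per variable per data source, rejection at entry, and a redundant re-check wrapped around critical operations) can be sketched in Python as follows. This is an added example, not VESARiA's or the company's code; the variable names, patterns and the `load_profile` operation are constructed for illustration.

```python
import re
from functools import wraps

# Minimal acceptance: the most restrictive rule that still admits every
# legitimate value. Each rule is (regex the WHOLE value must match, max length).
# Sources and variables below are constructed for this example.
ACCEPTANCE = {
    "form":   {"username": (r"[a-z0-9_]{3,16}", 16),
               "quantity": (r"[1-9][0-9]{0,2}", 3)},
    "cookie": {"session_id": (r"[0-9a-f]{32}", 32)},
    "header": {"accept-language": (r"[a-zA-Z-]{2,8}(,[a-zA-Z-]{2,8})*", 64)},
}


class RejectedInput(ValueError):
    """Raised the moment a value outside its minimal acceptance enters the app."""


def validate(source, data):
    """Return only the variables of `source` that pass their acceptance rule.
    Unknown variables (e.g. an injected hidden field) are rejected outright,
    as is any value that is too long or does not match its pattern."""
    rules = ACCEPTANCE[source]
    accepted = {}
    for name, value in data.items():
        if name not in rules:
            raise RejectedInput(f"{source}.{name}: unexpected variable")
        pattern, max_len = rules[name]
        if len(value) > max_len or not re.fullmatch(pattern, value):
            raise RejectedInput(f"{source}.{name}: outside minimal acceptance")
        accepted[name] = value
    return accepted


def checked(source, name):
    """Redundant layer: re-validate the argument right before a critical
    operation, so a new call path that skipped entry validation still
    cannot reach it with unchecked data."""
    def decorator(func):
        @wraps(func)
        def wrapper(value, *args, **kwargs):
            validate(source, {name: value})
            return func(value, *args, **kwargs)
        return wrapper
    return decorator


@checked("form", "username")
def load_profile(username):
    # Critical operation (hypothetical); the wrapper has already guaranteed
    # that `username` matches [a-z0-9_]{3,16}, so no metacharacters reach it.
    return f"profile:{username}"
```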
© 2000 - 2018 Vesaria Network Security Specialists