The OWASP Foundationhttp://www.owasp.org

Copyright © The OWASP FoundationPermission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.

Do’s and Don’ts

for web application developers

24/04/23

OWASP Scotland

IntroductionThis slide pack has been created to highlight common secure web application development best practise efforts, but also detail where and how coding errors are made and how they can be avoided.

Do’s and Don’ts examples throughout the slide pack have been grouped by vulnerability categories. This is not an exhaustive list, but these slides and the included document references in the speaker notes should serve as a very good starting place for creating secure web applications.

We do recommend you join your local Open Web Application Security Project (OWASP) chapter to develop your secure coding practises and foster application security in general: https://www.owasp.org/index.php/Category:OWASP_Chapter

Unvalidated InputInformation from web requests is not validated before being used by a web application. Attackers can use these flaws to attack users and backend components through a web application. This includes Cross Site Scripting, Buffer Overflows and Injection Flaw vulnerabilities.

Unvalidated InputDo1.Assume all input is malicious.2.Validate everything – inspect what is

expected, and reject anything unexpected.3.Accept only “Known Good” characters. 4.Ensure input is validated server-side.5.Validate parameters against a "positive"

specification, limiting input permitted to characters appearing in a whitelist.

6.If possible, implement an exact match validator.

7.Check input value range to make sure that the data lie within a specified range of values.

8.Perform validation on every tier.9.Centralise the validation code.10.Use an input validation framework such as

the OWASP ESAPI Validation API.11.Repeatedly decode and normalise (i.e.

canonicalization) until input == output.

Don't 1.Rely on client-side data validation.2.Trust anything a user or other process

sends to the application.3.Rely on a blacklists.4.Validate data before it has been filtered.5.Accept null or empty input in non-

optional input fields.6.Validate input before it is canonicalized.

Broken Access ControlRestrictions on what authenticated users are allowed to do are not properly enforced. Attackers can exploit these flaws to access other users' accounts, view sensitive files, or use unauthorised functions.

Broken Access ControlDo1. Implement Principle of Least Privilege 2. Perform access control validation to check that a

user is authorised to perform a task upon every user request.

3. Think through the application’s access control requirements and capture the web application security policy.

4. Use an access control matrix to define the access control rules.

5. Centralise access control routines. 6. Use built-in platform or framework authorisation

facilities.7. Clearly document the site’s access control policy as

part of the design documentation. The policy should document what types of users can access the system, and what functions and content each of these types of users should be allowed to access.

8. Use multiple mechanisms, including HTTP headers and meta tags, to be sure that pages containing sensitive information are not cached by user’s browsers.

Don't 1. Rely on not displaying certain functions

which the users do not have authorisation to use.

2. Implement authorisation controls by including a file or web control or code snippet on every page in the application.

3. Use custom or write your own authorisation code.

4. Perform authorisation checks at or near the end of code implementing sensitive activities.

Broken Authentication and Session Management

Account credentials and session tokens are not properly protected. Attackers that can compromise passwords, keys, session cookies, or other tokens can defeat authentication restrictions and assume other users' identities.

Broken Authentication and Session Management Do

1. Enforce strong and complex passwords on users by using known and proven password generation methods/frameworks.

2. Only store ‘salted’ passwords using a computationally expensive one-way hash algorithm (i.e. bcrypt or PBKDF2).

3. Limit session lifetime for both inactivity (e.g. 5min or business/design requirement) and hard-limit.

4. Upon log-out, authorisation failure and session timeout destroy the session and overwrite the session cookie.

5. Session identifier / cookie should not be predictable. Rely on a leading web frameworks for token generation.

6. Check if the session is valid prior to servicing any user requests.

7. Assign users a new session ID upon successful authentication.

8. Use secure channel (e.g. SSL) to transport cookies.9. If possible, conduct all traffic over HTTPS. 10.Verify that the ‘secure’ directive/flag is set on the

cookie so they are not served over non-SSL tunnels.

Don't 1. Store passwords in cleartext.2. Develop a custom session identifier.3. Pass session Identifiers using a HTTP

GET with the session ID in the query string.

4. Implement “remember me” functionality.

5. Reuse session IDs for HTTPS transport that have once been used over HTTP.

Improper Error Handling Error conditions that occur during normal operation are not handled properly. If an attacker can cause errors to occur that the web application does not handle, they can gain detailed system information, deny service, cause security mechanisms to fail, or crash the server.

Improper Error Handling Do1.Catch every potential exception in the

application code.2.Assure that the application fails safely

under all possible error conditions.3.Use a generic error page for all

exceptions containing no sensitive data. Where required by the user, display a custom error reference in the generic error page.

4.Document when exceptions occur.5.Consider expiring user’s session and lock

out the user where severe exceptions occur; and notify the administrator.

6.Study and understand how the order of error handling events work in the chosen development language to understand the error strategy of the application.

Don't 1.Use default error pages.2.Display sensitive information/data such

as stack trace, line number where the error occurred, class name, method name, paths on the local file system or any internal system information in the error messages.

3.Include people’s names or any internal contact information in the error messages.

Information LeakageExcessive or unnecessary information disclosure.

Information LeakageDo1. Transmit sensitive information via the

body of a POST request.2. Proper Error Handling (see A4)3. Examine the data logged to determine if

any sensitive information is being stored in the logs (e.g. userID, passwords).

4. Review and remove, where possible, redundant, readable and downloadable files on a web server, such as old, backup and renamed files.

5. Disable Autocomplete using AUTOCOMPLETE=OFF attribute for form fields containing sensitive information.

6. Only store the session ID in the cookies.

Don't 1.Transfer sensitive data using the GET

method.2.Disclose sensitive data in the source

code comments that an attacker may gain access to.

3.Include elements, such as technical or other sensitive information, within response data that could aid an attacker.

4.Return messages to a user that could aid a compromise. In particular, certain messages such as “User does not exist” allow an attacker to enumerate valid user names.

5.Cache pages containing sensitive information on the local machine.

6.Reveal information about directories within robots.txt files.

Application Denial of ServiceAttackers can consume web

application resources to a point where other legitimate users can no longer access or use the application. Attackers can also lock users out of their accounts or even cause the entire application to fail.

Application Denial of ServiceDo

1. Limit the resources allocated to any user to a bare minimum.

2. For authenticated users, establish quotas so that the amount of load a particular user can put on the system is limited.

3. Split resource hungry tasks into smaller manageable tasks.

4. Consider imposing a time limit between subsequent requests for resource hungry tasks.

5. Prevent attackers from being able to permanently lock-out accounts by making sure users can unlock locked accounts in a safe manner such as sending a user a password reset link to the users registered email address.

6. Where file upload functionality is implemented, limit file upload sizes and number of allowed files.

7. Load testing.8. Store logs on a separate file system and transfer

them to a separate machine if possible.9. Think about whether attacker controlled data ends up

in a hash table, if so use data structures such as treemaps to avoid hash collision DoS unless the framework used protects against this.

Don't 1. Avoid resource intensive functions

where possible.2. Allow users to have unlimited resources

and quotas allocated to them.3. Allow users to upload large files.4. Create an account lock-out mechanism

that difficult for the user to unlock and requires administrative resources etc.

5. Use non-randomised hash functions for attacker controlled data.

Default Install, Poor Configuration and Patch Management

Having a strong server configuration standard is critical to a secure web application. These servers have many configuration options that affect security and are not secure out of the box.

Do1. Define, document and implement the security

configuration for the deployed application frameworks (e.g., Struts, Spring, ASP.NET), application server, web server, database server, and platform.

2. Define a process to keep all software up to date including all code libraries used by the application.

3. Restrict access to administrator interfaces to users that require access by for example IP address.

4. Disable/change default passwords.5. Disable/remove anything unnecessary (e.g. ports,

accounts, services, pages, privileges, frameworks, add-ons).

6. If SSL is used, there are potential security implications and best security practise should be followed to secure the service such as disabling SSL Service Support for "Weak" Cipher Suites.

7. Keep logs for substantial period of time to facilitate continuous monitoring and incident handling. Some incidents may be detected after weeks or months.

8. Protect cookies with the HttpOnly attribute/flag from the risk of a client side script accessing it.

Don't 1. Handover and leave the application

without having defined and documented the security configuration and process for keeping all related software up to date.

2. Leave the system in a default install state.3. Allow access to administration interfaces

from untrusted networks.4. Rely on other people to configure SSL,

should the application require it, in line with best practice.

Note: some of this above may be out of your control as a developer, but should be raised at handover and as part of the application documentation.

Default Install, Poor Configuration and Patch Management

OtherThis is a generic catch all for vulnerabilities that do not fit else where. Example

findings from past application security tests include:

1. Unfinished code.

2. Sensitive information (passwords, passphrases) found to be stored within the source code.

3. Use of dangerous functions.

4. Use of weak encryption algorithms in the source code (e.g. MD5 and DES).

5. Web application includes files from a third party.

6. Application does not display last unsuccessful login.

7. Application can be embedded in third party websites using IFRAMEs.

8. No search engine protection e.g. use of robots.txt or Meta Tags

Learn more on how to secure web applications

Essential reading for anyone developing web applications listed below.OWASP Developer’s Guide:https://www.owasp.org/index.php/OWASP_Guide_ProjectOWASP Code Review Guide: https://www.owasp.org/index.php/Category:OWASP_Code_Review_ProjectOWASP Secure coding practices quick reference: https://www.owasp.org/index.php/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide