Securing Web Applications

Since Web applications are usually exposed to potentially untrusted users, their developers should take extra care to secure them. The number one vulnerability in Web applications is putting too much trust in the clients/users. Clients may be malicious and pass unanticipated input to a Web application, causing it to misbehave. If there is one main piece of advice, it is:

Do not trust any user input!

This means checking the correctness of all data/values that come from the client side (script arguments/form fields, cookies, header fields like User-Agent or Referer, etc.). They all need to be validated, and where necessary sanitized, before being used. Additionally, when echoing user-supplied values back to the client, or using them to access external systems such as a database, these values need to be correctly escaped for the context they end up in (HTML, a URL, an SQL statement, a shell command). Validation and escaping are separate steps: validation rejects input that does not match what the application expects, while escaping makes whatever is accepted harmless in the place where it is used, so neither one replaces the other.
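The following is an added example, not code from the CERN page or course, showing the three steps above on a constructed in-memory user table: allow-list validation of a client-supplied username, escaping the same value for an HTML and a URL context, and a vulnerable string-built SQL query beside its parameterised replacement. The table contents, the regular expression and the sample inputs are all assumptions made for the example; only the Python standard library is used.

```python
"""Added example (not from the original page): validating, escaping and
parameterising untrusted client data.  The users table, the usernames and
the inputs below are constructed for the example."""
import html
import re
import sqlite3
from urllib.parse import quote

# Allow-list: a username is 1-32 characters of [A-Za-z0-9_.-], nothing else.
# (Assumed policy for the example; adapt it to what your application expects.)
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def validate_username(value):
    """Return the username if it matches the allow-list, else None."""
    if isinstance(value, str) and USERNAME_RE.fullmatch(value):
        return value
    return None


def html_escape(value):
    """Escape for an HTML text or attribute context (quotes included)."""
    return html.escape(value, quote=True)


def url_query_escape(value):
    """Escape for use inside a URL query-string value."""
    return quote(value, safe="")


def make_db():
    """Constructed in-memory table standing in for the real user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.org"), ("bob", "bob@example.org")],
    )
    conn.commit()
    return conn


def lookup_unsafe(conn, name):
    """VULNERABLE: the client value is pasted straight into the SQL text."""
    query = f"SELECT name, email FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, name):
    """Hardened: allow-list validation first, then a bound parameter."""
    if validate_username(name) is None:
        return []
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


def render_greeting(name):
    """Echo the client-supplied name back into HTML, escaped for that context."""
    return f"<p>Hello, {html_escape(name)}!</p>"


if __name__ == "__main__":
    db = make_db()
    evil = "x' OR '1'='1"
    print(lookup_unsafe(db, evil))   # every row: the injection succeeded
    print(lookup_safe(db, evil))     # []: rejected by the allow-list
    print(lookup_safe(db, "alice"))  # only alice's row
    print(render_greeting("<script>alert(1)</script>"))
    print(url_query_escape("a b&c"))
```

Note that `lookup_safe` would still be safe without the validation step, because the driver binds the value rather than interpolating it; the allow-list is there to reject junk early and to protect any later use of the value (log lines, file names, URLs) that does not go through a binding API.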

If you develop Web applications at CERN, you are strongly encouraged to attend the free "Developing secure software" course. The last part of the course is dedicated to Web application security: typical vulnerabilities are demonstrated, and ways to avoid them are discussed.

Some other materials worth a look: