How to protect your web application: basic tips, tools, useful links

TIPS FOR PROTECTING WEB APPLICATIONS FROM HACKERS

  • OpenVAS scans network nodes for vulnerabilities and provides vulnerability management for the findings.
  • OWASP Xenotix XSS Exploit Framework scans the resource for XSS vulnerabilities.
  • Approof from Positive Technologies checks web application configuration, scans for vulnerable components, unprotected sensitive data, and malicious code.

ONLINE SERVICES

  • SecurityHeaders.io checks for the presence and correctness of server response headers responsible for web application security.
  • Observatory by Mozilla scans the resource for security problems. When the corresponding option is selected, it also collects analytics from third-party security analysis services and adds them to its report.
  • One button scan checks the resource's components for vulnerabilities: DNS, HTTP headers, SSL, sensitive data, and the services in use.
  • CSP Evaluator checks the correctness of content security policy (CSP) and XSS resistance.
  • SSL Server Test performs web server SSL configuration analysis.
  • ASafaWeb checks for common configuration vulnerabilities in sites written in ASP.NET.
  • Snyk scans JavaScript, Ruby, and Java applications for vulnerabilities and fixes security issues if needed. It integrates with GitHub repositories for automatic scanning and alerts about found vulnerabilities.

PROTECT USER DATA WITH HTTPS

UPDATE THE SOFTWARE

PREVENT SQL INJECTIONS

PREVENT CROSS-SITE SCRIPTING

CHECK AND ENCRYPT PASSWORDS

CONTROL THE FILE DOWNLOAD PROCESS

WAYS TO RESTRICT ACCESS:

  • rename the file or change its extension at upload;
  • change permissions, for example with chmod 0666, so that the uploaded file cannot be executed;
  • create a .htaccess file (see example below) that will only allow access to specified file types.

  1. Set up a firewall, including blocking unused ports.
  2. If you have access to the server from the local network, create a demilitarized zone (DMZ), allowing access from the outside world only to ports 80 and 443.
  3. If you do not have access to the server from the local network, use protected methods (SFTP, SSH, etc.) to transfer files and manage the server from the outside.
  4. If possible, allocate a separate server for databases that is not directly accessible from the outside world.
  5. Restrict physical access to the server.

KEEP TRACK OF ERROR MESSAGES

CHECK INCOMING DATA

ALLOCATE ACCESS RIGHTS TO FILES

  • “Read” (4) — read file content;
  • “Write” (2) — change file content;
  • “Execute” (1) — run the file as a program or script.

  • “Read” (4) + “Write” (2) = 6;
  • “Read” (4) + “Write” (2) + “Execute” (1) = 7.
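The upload controls above (rename the file at upload, store it without an execute bit) and the permission arithmetic in this section, as an added Python example that is not from the article: it builds a mode from read/write/execute flags using the article's values (4, 2, 1), saves an upload under a random name with an allow-listed extension, applies mode 0666 as the article suggests, and then verifies that the stored file is not executable. The extension allow-list, the temporary upload directory, and the sample bytes are constructed assumptions. Mode 0666 keeps the no-execute property the article is after but is also world-writable; 0644 gives the same protection with fewer write rights.

```python
import os
import secrets
import stat
import tempfile

# Constructed allow-list: the only extensions this application will store (assumption).
ALLOWED_EXTENSIONS = {"jpg", "png", "pdf"}

# Permission values exactly as the article lists them: read = 4, write = 2, execute = 1.
READ, WRITE, EXECUTE = 4, 2, 1


def mode_digit(read: bool, write: bool, execute: bool) -> int:
    """Return one octal digit (owner, group, or other) from the three flags."""
    return (READ if read else 0) | (WRITE if write else 0) | (EXECUTE if execute else 0)


def build_mode(owner: tuple, group: tuple, other: tuple) -> int:
    """Combine three (read, write, execute) triples into a mode such as 0o666."""
    return (mode_digit(*owner) << 6) | (mode_digit(*group) << 3) | mode_digit(*other)


def extension_of(original_name: str) -> str:
    """Lower-cased extension after the last dot, or '' when there is none."""
    return original_name.rsplit(".", 1)[-1].lower() if "." in original_name else ""


def allowed_extension(original_name: str) -> bool:
    return extension_of(original_name) in ALLOWED_EXTENSIONS


def safe_upload_name(original_name: str) -> str:
    """Discard the client-supplied name entirely; keep only an allow-listed extension.

    A random name removes path separators, double extensions such as
    'x.php.jpg', and any other attacker-chosen naming.
    """
    if not allowed_extension(original_name):
        raise ValueError(f"extension not allowed: {extension_of(original_name)!r}")
    return f"{secrets.token_hex(16)}.{extension_of(original_name)}"


def store_upload(upload_dir: str, original_name: str, data: bytes) -> str:
    """Write the upload under a random name and set mode 0666 (no execute bit)."""
    path = os.path.join(upload_dir, safe_upload_name(original_name))
    # O_EXCL refuses to overwrite an existing file with the same random name.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o666)
    with os.fdopen(fd, "wb") as handle:
        handle.write(data)
    # os.open applies the process umask, so set the final mode explicitly.
    os.chmod(path, 0o666)
    return path


def is_executable(path: str) -> bool:
    """True if any of the owner/group/other execute bits is set."""
    return bool(os.stat(path).st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))


def demo() -> tuple:
    """Store a constructed upload in a fresh temp dir; return (mode bits, executable?)."""
    upload_dir = tempfile.mkdtemp(prefix="uploads-")
    path = store_upload(upload_dir, "holiday photo.PNG", b"\x89PNG constructed sample")
    return os.stat(path).st_mode & 0o777, is_executable(path)


if __name__ == "__main__":
    print(oct(build_mode((True, True, False), (True, True, False), (True, True, False))))
    print(demo())
```

The two checks a practitioner would keep from this are the random rename, which makes the stored name independent of anything the client sent, and the explicit `os.chmod` after the write, because the mode passed to `os.open` is masked by the process umask and may not be what ends up on disk.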
