How to Prevent Web Coding Vulnerabilities
Coding errors in web scripts often let intruders gain unauthorized access to websites. Common entry points are session IDs carried in URLs (which can be guessed, fixed or forged), interception of user input, and theft of the session cookies held on the client. Another is cross-site scripting: attacker-supplied script that the browser executes because it arrives as part of a page from a trusted site. No single measure closes these holes, so use a layered approach that combines several of the methods below.
Instructions
1. Reject a form submission or link if the HTTP Referer header does not match the URL the form or link came from. Treat this as a supporting check only: browsers and proxies often strip the Referer, and an attacker sending requests directly can set it to anything, so it should back up, not replace, the other steps.
2. Limit the maximum length of user-supplied strings, and truncate (or reject) input that exceeds the limit. Check lengths on the client side for usability, but enforce them on the server side as well: an attacker bypasses client-side checks entirely by sending the request directly.
3. Do not accept submitted content that contains <OBJECT>, <EMBED> or <SCRIPT> elements, and remove any "getURL()" references that point outside the current application. Bear in mind that a list of forbidden tags is easy to evade (changes of case, encoded characters, event-handler attributes on otherwise harmless tags), so combine it with the output encoding in step 6 rather than relying on it. Use HTTP POST instead of HTTP GET for form submissions: this stops an attacker from packaging malicious input in a URL that a victim can be tricked into clicking, although it does not stop the attacker from sending the POST request himself.
4. Validate and encode the contents of persistent cookies before placing them into HTML documents. Persistent cookies, which store user information on the client, are under the user's control and can easily be modified by an attacker, so treat them as untrusted input like any other form field.
5. Keep the session ID timeout short so that an attacker who obtains an ID has little time to use it or to probe for cross-site scripting (XSS, abbreviated CSS in some older texts) flaws; once a session has expired, a new, valid session ID must be obtained to re-enter the site. Issue session IDs only from the site's start or home page, that is, only after the user has come in through the normal entry point, and automatically redirect to the start or home page any request that arrives at another page without a valid, server-issued session ID.
6. Handle special characters by encoding them on output. Whenever client-supplied data is reflected back to the client, encode the result before it is sent. The opening HTML tag character "<", for example, is encoded as "&lt;": the user still sees a "<" on the page, but the browser does not treat it as the start of a tag, so it cannot be used to inject markup or script.
7. Use positive input filtering (an allow list). Rather than trying to strip out characters that might be exploited, accept only characters from a set known to be safe and reject everything else. Take a form field for a user's age: the only characters that should be accepted are the digits 0 through 9, and any letter or special character should cause the input to be rejected. For that field, the digits are the safe set.
8. Use output filtering: have the server-side application encode special characters in the result data before sending it to the client-side web browser. Data that was never filtered on the way in can still reach the output, because it may have been written by system processes or by other applications that users have access to. This is especially true of data retrieved from a database or other storage, which may have been saved before the input checks existed.
Tips & Warnings
Take care when applying output filtering. Encoding the HTML "<" and ">" characters too early, or across the whole page, turns the document's own markup into literal text and renders it unreadable in the browser. The method works best when the encoding is applied only to the user-supplied data, in particular data previously stored in the database, at the point where that data is inserted into the page.
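The eight steps above, together with the warning about encoding only the user-supplied data and not the page's own markup, as a single worked example in Python. This is added example code, not part of the original article: the function and class names, the three-digit age field, the idle timeout, the trusted origin and the sample stored comment are all assumptions made for the illustration.

```python
import html
import re
import secrets
import time
from urllib.parse import urlparse

# Added example (not the article's code). Names and limits below are assumptions.

# Steps 2 and 7: positive (allow-list) input filtering with a length cap.
# An age field may contain only 1 to 3 ASCII digits; anything else is rejected
# outright rather than "cleaned up".
AGE_PATTERN = re.compile(r"[0-9]{1,3}")


def validate_age(raw):
    """Return the age as an int, or None if the input is not 1-3 digits."""
    if not isinstance(raw, str) or AGE_PATTERN.fullmatch(raw) is None:
        return None
    return int(raw)


def truncate(raw, max_len):
    """Step 2: cap the length of free-text input before any further processing."""
    return raw[:max_len]


# Steps 6 and 8: encode at the point of output, never on the stored data.
def encode_for_html(data):
    """Encode &, <, >, " and ' so the browser displays them literally."""
    return html.escape(data, quote=True)


# The page's own markup is trusted and is never passed through the encoder;
# only the untrusted value dropped into {comment} is (the Tips & Warnings point).
PAGE_TEMPLATE = '<html><body><h1>Comments</h1><p class="c">{comment}</p></body></html>'


def render_page(stored_comment):
    """Build the page from a value that may have been stored unfiltered."""
    return PAGE_TEMPLATE.format(comment=encode_for_html(stored_comment))


# Step 1: Referer check. Weak on its own (the header is often absent, and an
# attacker sending requests directly chooses it), so a mismatch is a reason to
# reject but a match proves nothing by itself.
def referer_matches(referer, expected_origin):
    if not referer:
        return False
    r, e = urlparse(referer), urlparse(expected_origin)
    return (r.scheme, r.netloc) == (e.scheme, e.netloc)


# Step 5: server-issued session IDs with an idle timeout.
class SessionStore:
    def __init__(self, idle_timeout_s):
        self.idle_timeout_s = idle_timeout_s
        self._sessions = {}  # session id -> {"user": str, "last_seen": float}

    def create(self, user, now):
        sid = secrets.token_urlsafe(32)  # 256 random bits from the OS CSPRNG
        self._sessions[sid] = {"user": user, "last_seen": now}
        return sid

    def lookup(self, sid, now):
        """Return the user for a live session, else None.

        IDs the server never issued (e.g. one an attacker put in a URL) and
        IDs idle longer than the timeout both fail in the same way."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        if now - s["last_seen"] > self.idle_timeout_s:
            del self._sessions[sid]
            return None
        s["last_seen"] = now
        return s["user"]


def route_request(store, sid, now, path):
    """Step 5: only the home page is reachable without a valid session; any
    other path requested without one is redirected to the home page."""
    if path == "/":
        return ("200", "/")
    if store.lookup(sid, now) is None:
        return ("302", "/")
    return ("200", path)


# Constructed sample of a comment that was stored without any input filtering.
SAMPLE_STORED_COMMENT = 'Nice post <script>alert(1)</script> "quoted"'

if __name__ == "__main__":
    print(validate_age("42"), validate_age("4a"), validate_age("1234"))
    print(render_page(SAMPLE_STORED_COMMENT))
    store = SessionStore(idle_timeout_s=600)
    sid = store.create("alice", time.time())
    print(route_request(store, sid, time.time(), "/account"))
    print(route_request(store, "forged-id", time.time(), "/account"))
```

Note that render_page encodes the stored comment at the moment it is placed into the template, so the script tag in the sample reaches the browser as harmless text while the template's own <h1> and <p> tags are untouched; encoding the whole finished page instead would be the mistake the warning describes.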