Testing for security vulnerabilities in web applications: Best practices?

Jack picture Jack · Feb 28, 2010 · Viewed 21k times · Source

I'm developing a web application. Like, a proper one, I've used things like Joomla in the past to make awesome stuff but have now finally got my hands dirty with PHP, MySQL and CodeIgniter.

When you're making serious web apps that'll handle large amounts of data, what precautions should I take against my data inputs to fully sanitise it? I know there's the obvious trim, escaping, xss cleaning, etc - but what other techniques should I incorporate to stop injections into the database?

Not only that, but is there any non-destructive database injection code I can test all my inputs with? As in, it'll inject something visibile, but not actually do any harm to my test database? I'm not exactly a hacker and need a bit of guidance on this.

What other common methods do hackers use to either destroy or read user's data, and how can I check for this myself? I don't have the money to hire a security consultant since I'm only 16 but have good experience with computers and I'm sure I could pull off a few tricks if given some hints as to what they are.

I know that's a whole load of questions but to summarise, what do you do to make sure everything is 100% secure?

Answer

rook picture rook · Feb 28, 2010

SQL Injection and XSS are the most common mistakes that programmers make. The good news is that they are easiest to automatically test for, as long as you have the right software. When I am on a pentest I use Sitewatch or Wapiti for finding web application vulnerabilities. Acunetix is over priced.

But, you can't just fire off some automated tool and expect everything to work. There are a number of precautions you must take with ANY vulnerability scanner you choose.

1) make sure display_errors=On in your php.ini Sql Injection tests rely on being able to see mysql error messages in the response pages! No error, no vulnerability detected!

2) Scan the authenticated areas of your application. Create a user account specifically for testing. Acuentix has an easy wizard where you can create a login sequence. If you are using wapiti you can give a cookie to wapiti or give wapiti a post request to fire off but this is kind of tricky.

AFTER you have tested your application then test your server for misconfiguration. To test your server then you need to run OpenVAS which is the new more free version of Nessus which is now a commercial product. Then you should follow this up with PhpSecInfo. These tests will notify you of problems with your configuration or if you are running old vulnerable software.

Nothing will ever be 100% secure, EVER. No matter what you do there are vulnerabilities that will slip though the cracks. There are vulnerabilities in all development platforms that lead a compromises that no tool can test for. There are also bugs in the testing tools you use. There are false posties and false negatives and some tests that just don't work, a good example i have never seen an automated CSRF tool that actually finds legit vulnerabilities. Acunetix's CSRF test is a complete waste of time.

There is also the OWASP testing guide which goes into greater detail. This is not to be confused with the OWASP Top 10 which is also an excellent resource. The PHP Security Guide is also a great resource for php programmers.