Knowing how the attacker thinks, what tactics they will employ, is your first defense against them.
This tutorial is merely an introduction to the upcoming series of tutorials. General information will be presented here along with some references for your own information. Also, I welcome any and all suggestions and comments in regards to specific security issues that I should cover in future tutorials. I can tell that it is an area of great concern by the number of postings already in the Website Security forum.
This series of tutorials will deal with Security from the Web Designer's standpoint. Developing the appropriate "Eye To Security" as an inherent part of the web design/development process should be the goal of all designers whether they are new or have been at it for a while. Having this security awareness and the ability to intelligently pass this information on to your clients will make your services that much more valuable and you more sought after by potential clients.
Most attackers trying to gain access to your client's network will follow a methodical approach involving a series of steps. Be aware that there are a lot of security issues that are not from a dedicated single attacker but are from viruses, worms, malware, and various automated attack vectors. These will be the subject of their own tutorials.
Let's cover the phases of a standard attack to gain access to a network. The 5 phases of network penetration:
- Reconnaissance (public information, target research, developing a unique profile of the target)
- Scanning (one step farther along the information gathering path)
- Gaining Access (the attack begins, using vulnerabilities identified above)
- Maintaining Access (making sure that the system remains accessible)
- Covering Tracks (making sure no one knows)
A dedicated attacker with nothing but time on their hands and plenty of online resource material can break into and exploit virtually any system. As designers and developers, we can make security a part of our process, keeping ourselves and our clients informed.
Future tutorials will deal with the first two phases as they relate to the web designer/developer, specific web-based attack vectors, current web security vulnerabilities, and of course, suggested topics from members. Following are the topics that I currently have in mind.
Tutorial Topic: Footprinting (This tutorial will cover publicly available information, how to add a layer of obfuscation, and how to turn that same information into a layered defense for your clients by using it as an early warning of potential attacks.)
The first two phases, often referred to as "Footprinting", can take the most time. "Footprinting" is a systematic and methodical reconnaissance of a target to build as complete a profile of the organization as possible, including potential vectors of attack. This is where the attacker uses several tools to gather information about the victim. Information leakage is the key here. When developing a site you must keep in mind what information about the target can be gathered by open and legal means. Some of this will be the developer's responsibility and some will be the client's. Here is your opportunity to guide your client's decision-making and show off your security knowledge.
Tutorial Topic: Platform Specific Web Attacks (This tutorial will cover some webserver platform specific attacks.)
Although this is not necessarily the responsibility of the web designer/developer, and more that of the system administrator, knowledge of these attack vectors will allow you to properly inform your clients and expand your security knowledge base.
Tutorial Topic: HTML Vulnerabilities (This will cover a wide range of HTML-related attacks.)
Server-side requests, web server interactions in general, and HTML attack vectors will be covered in this tutorial. One of the key areas stressed in this tutorial will be validation. Information coming from the server, known information, does not need to be validated; information coming from anywhere else does. Form and information request validation is key when coding in pure HTML. Buffer overflows and remote code execution, among others, will be covered here.
Tutorial Topic: PHP Vulnerabilities (This will cover several PHP-related attacks.)
From the response so far in the Website Security forum I believe this will be a hot topic and may branch off into several specific sub-topics and tutorials. Some of the same issues from the HTML tutorial will be covered as they relate to PHP as well as PHP-specific vulnerabilities.
Tutorial Topic: SQL Injection (Since this is such a common attack vector this will receive its own tutorial.)
When developing a website with database connectivity, extra care must be taken in the coding process. You are creating a direct link to the client's database and as such can create an easily exploitable attack vector. Some common pitfalls and coding errors will be covered here along with many suggestions on how to avoid SQL Injection vulnerabilities.
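As an added illustration of the pitfall above (example code written for this post, not part of the original tutorial, and in Python with an in-memory SQLite table rather than PHP so it runs stand-alone), the same lookup is shown twice: once with the request value pasted into the SQL text, and once with it bound as a parameter. The table contents and the inputs are constructed for the demo.

```python
import sqlite3

# Constructed in-memory sample table; names and addresses are made up.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com"),
         ("carol", "carol@example.com")],
    )
    return conn

def find_user_vulnerable(conn, name):
    # Pitfall: the request value becomes part of the SQL text, so it can
    # change the query's grammar instead of only supplying data.
    sql = f"SELECT name FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(sql)]

def find_user_safe(conn, name):
    # Fix: bind the value as a parameter; the driver keeps it as data,
    # so quotes or keywords inside it never reach the SQL parser.
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]

def demo():
    conn = make_db()
    honest = "bob"
    # Constructed input: closes the quoted value and appends an always-true test.
    hostile = "x' OR 'a'='a"
    return {
        "vulnerable_honest": find_user_vulnerable(conn, honest),
        "vulnerable_hostile": find_user_vulnerable(conn, hostile),
        "safe_honest": find_user_safe(conn, honest),
        "safe_hostile": find_user_safe(conn, hostile),
    }

if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

The hostile input makes the concatenated query return every row, while the parameterized query correctly returns nothing because no user is literally named that.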
Tutorial Topic: Cross-Site Scripting Attacks (XSS attacks are a common attack vector.)
XSS attacks can allow for hijacked accounts and sessions, cookie theft, misdirection, and other exploits. These vulnerabilities are directly related to website coding, and the designer needs to be fully aware of the common methodology for exploiting them. They are very common when developing web businesses that sell online.
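An added example (written for this post, not code from the original tutorial) tying the validation point from the HTML section to XSS: a comment renderer that writes visitor text straight into the page, beside one that validates the constrained field against an allowlist and HTML-encodes free text at output time. The allowlist pattern and the sample inputs are assumptions made for the demo.

```python
import html
import re

# Assumed allowlist for a username field: only letters, digits and underscore.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")

def validate_username(name):
    # Reject anything outside the allowlist instead of trying to strip bad parts.
    if not USERNAME_RE.fullmatch(name):
        raise ValueError("invalid username")
    return name

def render_comment_vulnerable(author, body):
    # Pitfall: text that came from the visitor is written directly into markup,
    # so any tags it contains are interpreted by the browser.
    return f"<p><b>{author}</b>: {body}</p>"

def render_comment_safe(author, body):
    # Fix: validate the constrained field, then encode free text so the browser
    # treats it as text and never as markup (also covers quotes for attributes).
    author = validate_username(author)
    return (f"<p><b>{html.escape(author, quote=True)}</b>: "
            f"{html.escape(body, quote=True)}</p>")

def contains_script_tag(fragment):
    # Crude check used only to show the difference between the two renderers.
    return "<script" in fragment.lower()

if __name__ == "__main__":
    body = "<script>x()</script>"   # constructed sample input
    print(render_comment_vulnerable("bob", body))
    print(render_comment_safe("bob", body))
```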
Well, that is the list of Tutorials for the future. Below you will find some recommended reading as well as some helpful links. I also recommend that you check out the Website Security forum here at OZZU and don't be afraid to ask members for assistance. I gladly welcome any and all suggestions and will do my best to answer any questions you have. I hope that you will enjoy this series of tutorials.
Herman M. Sims
Pro PHP Security, Apress, https://www.apress.com/us
The Web Application Hacker's Handbook, Wiley, https://www.wiley.com/en-us
Web Security Testing Cookbook, O'Reilly, https://www.oreilly.com/