Improving Web Application Security

Improving Web Application Security: Threats and Countermeasures

Forewords by Mark Curphey, Joel Scambray, and Erik Olson

patterns & practices

J.D. Meier, Microsoft Corporation
Alex Mackman, Content Master
Srinath Vasireddy, Microsoft Corporation
Michael Dunner, Microsoft Corporation
Ray Escamilla, Microsoft Corporation
Anandha Murukan, Satyam Computer Services

Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft, MS-DOS, Windows, Windows NT, Active Directory, BizTalk, IntelliSense, MSDN, Visual Basic, Visual C#, Visual C++, and Visual Studio are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

© 2003 Microsoft Corporation. All rights reserved.

Version 1.0, 6/30/2003

The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
Contents

Forewords  xliii
  Foreword by Mark Curphey  xliii
  Foreword by Joel Scambray  xlv
  Foreword by Erik Olson  xlvi

Introduction  xlix
  Why We Wrote This Guide  xlix
  What Is a Hack-Resilient Application?  l
  Scope of This Guide  li
    Securing the Network, Host, and Application  li
    Technologies in Scope  lii
  Who Should Read This Guide  lii
  How to Use This Guide  liii
    Applying the Guidance to Your Role  liii
    Applying the Guidance to Your Product Life Cycle  liv
    Microsoft Solutions Framework  lv
  Organization of This Guide  lv
    Solutions at a Glance  lv
    Fast Track  lv
    Parts  lvi
    Checklists  lvii
    "How To" Articles  lviii
  Approach Used in This Guide  lviii
    Secure Your Network, Host, and Application  lviii
    Focus on Threats  lix
    Follow a Principle-Based Approach  lx
  Positioning of This Guide  lx
    Volume I, Building Secure ASP.NET Applications  lx
    Volume II, Improving Web Application Security  lxi
  Feedback and Support  lxii
    Feedback on the Guide  lxii
    Technical Support  lxii
    Community and Newsgroup Support  lxii
  The Team Who Brought You This Guide  lxiii
    Contributors and Reviewers  lxiii
  Tell Us About Your Success  lxiv
  Summary  lxiv

Solutions at a Glance  lxv
  Architecture and Design Solutions  lxv
  Development Solutions  lxvi
  Administration Solutions  lxx

Fast Track — How To Implement the Guidance  lxxv
  Goal and Scope  lxxv
  The Holistic Approach  lxxvi
  Securing Your Network  lxxvii
  Securing Your Host  lxxvii
  Securing Your Application  lxxviii
  Identify Threats  lxxix
  Applying the Guidance to Your Product Life Cycle  lxxxi
  Implementing the Guidance  lxxxii
  Who Does What?  lxxxiii
    RACI Chart  lxxxiii
  Summary  lxxxiv

Part I: Introduction to Threats and Countermeasures  1

Chapter 1: Web Application Security Fundamentals  3
  We Are Secure — We Have a Firewall  3
  What Do We Mean By Security?  4
    The Foundations of Security  4
  Threats, Vulnerabilities, and Attacks Defined  5
  How Do You Build a Secure Web Application?  5
  Secure Your Network, Host, and Application  6
  Securing Your Network  7
    Network Component Categories  7
  Securing Your Host  7
    Host Configuration Categories  8
  Securing Your Application  9
    Application Vulnerability Categories  9
  Security Principles  11
  Summary  12
  Additional Resources  12

Chapter 2: Threats and Countermeasures  13
  In This Chapter

Details

  • File Type: PDF
  • Content Languages: English
  • File Pages: 919
