Web Security Tips For Beginners
I am going to explain the very basic security issues, and their solutions, for beginners creating a web application. For example, suppose we have two types of users, admins and members. All admin pages live inside a folder named admin ("www.mysite.com/admin/") and all member-specific pages live inside a member folder ("www.mysite.com/member/"). The application also manages some master records, such as Products, in the database.
Authentication
Authentication is based on the UserId saved in your session (or a token, in slightly more advanced schemes), or sometimes in a cookie; wherever it is kept, the UserId must be present. Every page must run the authentication check in its page load event, and if the session has ended it must redirect to the login page. Do not wrap this check in an !IsPostBack condition: a page may be posted back a long time after it was rendered, and the session may have expired in the meantime. The URL to return to after login can be saved either in the session or passed as a URL-encoded query-string parameter; after a successful login you redirect to that location. Save the full URL (path and query string) rather than only the page name. If the return URL comes from the query string, validate that it is a site-relative path before redirecting to it, otherwise the login page becomes an open redirect to any site an attacker puts in the link.
Authorization
Authorization is the check that the user has permission to the requested resource, where the resource is not only the page but also the data manipulated through that page. Here, every page inside the admin folder must be reachable only by admin users; if a member logs in and tries to access an admin page, the request must be denied. Checking the user type is therefore one authorization method.
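The two checks above, the per-request authentication check with a safe post-login return URL and the folder-based role check, as one added example. This is not code from the original article; the session store SESSIONS, the /login page path and the admin/member folder layout are assumptions taken from the article's scenario, and the request path is assumed to be already normalized by the web server (no "..", no duplicate slashes) before it reaches this code.

```python
from urllib.parse import urlsplit, urlencode

# Constructed session store (hypothetical): session id -> user record. A real app
# would look this up in its session provider; a missing id means "not logged in"
# or "session expired", which is treated identically.
SESSIONS = {
    "sess-admin": {"UserId": 1, "Type": "admin"},
    "sess-member": {"UserId": 2, "Type": "member"},
}
LOGIN_PAGE = "/login"  # hypothetical login page path


def safe_return_url(candidate):
    """Accept only a site-relative path for the post-login redirect.

    An absolute URL, a scheme-relative '//evil.example', or a backslash trick
    would turn the login page into an open redirect, so those fall back to '/'.
    """
    if not candidate or not candidate.startswith("/") or candidate.startswith("//"):
        return "/"
    if "\\" in candidate:
        return "/"
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:
        return "/"
    return candidate


def login_redirect(requested_url):
    """Build the login URL, carrying the FULL requested URL (path and query), URL-encoded."""
    return LOGIN_PAGE + "?" + urlencode({"returnUrl": safe_return_url(requested_url)})


def authorize(session_id, requested_url):
    """Decision for one request. Run on every request, postback or not.

    Returns ('redirect', login_url) when there is no live session,
            ('deny', reason)       when the user type may not see this folder,
            ('allow', user)        otherwise.
    """
    user = SESSIONS.get(session_id)
    if user is None:  # no session cookie, or the session expired since the page was rendered
        return ("redirect", login_redirect(requested_url))

    # Compare case-insensitively: IIS serves /Admin/ and /admin/ from the same folder.
    path = urlsplit(requested_url).path.lower()
    if path == "/admin" or path.startswith("/admin/"):
        if user["Type"] != "admin":
            return ("deny", "admin pages are for admin users only")
    if path == "/member" or path.startswith("/member/"):
        if user["Type"] not in ("admin", "member"):
            return ("deny", "member pages are for logged-in members only")
    return ("allow", user)
```

The folder check decides only who may open the page; the data behind the page still needs its own owner check in every query, which the next section covers.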
Security Issues
Query String & Security
Suppose you have a page for editing a master record such as a product, and you pass the product id through the query string. Any user can then reach any product simply by changing the id in the query string, and can make changes to it. Preventing this is simple: add a UserId check to the SQL select criteria, using the UserId from the session (or wherever it is saved), i.e. "select * from product where ProductID=@ProductID and UserId=@UserId", so that one user cannot reach another user's resources. This issue is not limited to query strings (request parameters); it applies to every kind of parameter, including posted values from combo boxes, text boxes and so on. So apply the UserId check to every data-manipulation query, select, update and delete alike, because an attacker has many ways to supply these parameters within the HTTP protocol.
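The vulnerable query beside the hardened one, as an added example that is not part of the original article. It uses an in-memory SQLite table with constructed sample rows; the article's ASP.NET @ParameterName placeholders are written as Python sqlite3 "?" placeholders, and the UserId is taken from a session_user_id argument that stands in for the value kept in the server-side session. It also shows the same owner check on an UPDATE, which the article calls for but does not spell out.

```python
import sqlite3


def make_db():
    """Constructed sample data (not from the article): two users, one product each."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE product (ProductID INTEGER PRIMARY KEY, UserId INTEGER NOT NULL, Name TEXT NOT NULL)"
    )
    con.executemany(
        "INSERT INTO product (ProductID, UserId, Name) VALUES (?, ?, ?)",
        [(10, 1, "Widget owned by user 1"), (20, 2, "Gadget owned by user 2")],
    )
    return con


def load_product_unsafe(con, product_id):
    """Vulnerable: trusts the ProductID from the query string alone.

    Any logged-in user who edits ?ProductID=10 to ?ProductID=20 reads (and, with
    the matching UPDATE, edits) another user's record. Parameterized, so not SQL
    injection; the flaw is the missing ownership condition.
    """
    return con.execute(
        "SELECT ProductID, UserId, Name FROM product WHERE ProductID = ?", (product_id,)
    ).fetchone()


def load_product(con, product_id, session_user_id):
    """Hardened: the owner check is part of the WHERE clause, with the UserId taken
    from the server-side session, never from the request."""
    return con.execute(
        "SELECT ProductID, UserId, Name FROM product WHERE ProductID = ? AND UserId = ?",
        (product_id, session_user_id),
    ).fetchone()


def rename_product(con, product_id, session_user_id, new_name):
    """Same rule for every write: UPDATE and DELETE carry the owner check too.

    Returns the number of rows changed; 0 means 'not found' or 'not yours', which
    the page should treat as a denied request, not as a silent success.
    """
    cur = con.execute(
        "UPDATE product SET Name = ? WHERE ProductID = ? AND UserId = ?",
        (new_name, product_id, session_user_id),
    )
    con.commit()
    return cur.rowcount


def demo():
    """User 1 is logged in (UserId=1 in the session) but tampers the query string to ProductID=20."""
    con = make_db()
    leaked = load_product_unsafe(con, 20)              # user 2's product comes back
    denied = load_product(con, 20, session_user_id=1)  # None: not this user's row
    own = load_product(con, 10, session_user_id=1)     # user 1's own product
    changed = rename_product(con, 20, 1, "pwned")      # 0 rows: the write is blocked as well
    return leaked, denied, own, changed
```

Putting the check in the WHERE clause rather than in a separate "load, then compare UserId in code" step means there is no window in which the foreign row is in memory, and the same pattern works unchanged for update and delete statements.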
Upload & Security Issue
If you provide file storage for your users, i.e. a user can upload any file into their own folder, you must strictly check the allowed extensions. If the application is ASP.NET, a user could upload an .aspx file containing code to damage or take over your server and then call that page through the browser. So if you allow uploads into a folder that the web server serves, the extension check is mandatory, and not only for asp/aspx but for every server-side script extension (php, jsp, or any other extension the server will execute). Prefer an allowlist of the few extensions you actually need over a blocklist of dangerous ones, choose the stored file name on the server instead of reusing the client's, and where possible store uploads outside the web root or in a folder with script execution disabled.
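An upload name check written the way the section recommends, as an added example that is not code from the original article. The two extension sets are constructed for illustration and should be adjusted to the real stack; the function only decides whether a client-supplied name is acceptable and which extension the server should store it under, and assumes the caller writes the file under the random name it returns, never under the original name.

```python
import os
import secrets

# Allowlist: the only extensions this application is willing to store. Everything
# else is refused, so a new server-side handler extension cannot slip through.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf", "txt"}

# Extensions that must not appear anywhere in the name, even as 'photo.aspx.jpg':
# some server configurations map on the first recognised extension rather than the
# last. Constructed list; extend it for your own stack.
EXECUTABLE_EXTENSIONS = {
    "aspx", "asp", "ashx", "asmx", "cshtml", "config",
    "php", "phtml", "jsp", "jspx", "cgi", "pl", "py",
}


def check_upload_name(filename):
    """Return (True, extension) if the client-supplied name is acceptable,
    otherwise (False, reason). Case-insensitive, and every dotted segment is inspected."""
    if not filename or "\x00" in filename:
        return (False, "empty name or NUL byte")
    # Drop any directory part the client sent, Windows or POSIX style, so
    # '../../web.config' or 'C:\\...\\x.jpg' cannot steer the stored path.
    base = os.path.basename(filename.replace("\\", "/"))
    if base in ("", ".", ".."):
        return (False, "no file name")
    parts = base.lower().split(".")
    if len(parts) < 2 or parts[-1] == "":
        return (False, "missing extension")  # also catches 'shell.aspx.' (trailing dot)
    exts = parts[1:]
    if any(ext in EXECUTABLE_EXTENSIONS for ext in exts):
        return (False, "server-side executable extension in name: " + base)
    if exts[-1] not in ALLOWED_EXTENSIONS:
        return (False, "extension not allowed: ." + exts[-1])
    return (True, exts[-1])


def stored_name(ext):
    """Server-chosen random name: the client's text never reaches the file system."""
    return secrets.token_hex(16) + "." + ext
```

The extension check is necessary but not sufficient on its own: the upload directory itself should not be allowed to execute scripts (an IIS handler mapping or an equivalent web-server setting), so that a mistake in the list above does not become remote code execution.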
UserId & Security No
If you save user information such as the UserId in a cookie instead of the session, the UserId must be encrypted, and/or paired with a security checking number: a random number issued along with the UserId, stored in the database and cross-checked on every request. E.g. (UserId=1 & securityNo=34345243545), (UserId=2 & securityNo=23847223), (UserId=3 & securityNo=6767546), etc. The number must come from a cryptographically secure random generator and be long enough that it cannot be guessed or brute-forced; short decimal values like the ones in the example are only for illustration.
The benefit of this mechanism is that a cookie with a guessed or edited UserId no longer gives access to other users' resources. The security number is generated and saved with the user record at user creation. Do not confuse the security number with the password; they are different. The security number is hidden from the user and is auto-generated. The same idea is widely used in open request-and-accept procedures such as friend requests, where a random number in the link proves the request is genuine.
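The cookie scheme described in this section, as an added example that is not code from the original article. It combines both of the section's options: the UserId and security number are signed with a server-side HMAC key so any edited cookie is rejected before the database is consulted, and the security number is then cross-checked against the stored value. The USERS dictionary stands in for the users table, COOKIE_KEY is a hypothetical server secret (in a real deployment it would be loaded from configuration, not generated at start-up), and the "UserId:SecurityNo:MAC" layout is an assumption of this example.

```python
import hashlib
import hmac
import secrets

# Constructed users table (hypothetical): UserId -> SecurityNo.
USERS = {}

# Hypothetical server-side signing key. Generating it at import time is fine for a
# demo; a real application loads a fixed key from configuration so cookies survive restarts.
COOKIE_KEY = secrets.token_bytes(32)


def create_user(user_id):
    """Generate the per-user security number at user creation with a CSPRNG and store it.

    256 bits of randomness, URL-safe characters only; calling this again for an
    existing user rotates the number and invalidates every cookie issued so far."""
    USERS[user_id] = secrets.token_urlsafe(32)
    return USERS[user_id]


def _mac(payload):
    return hmac.new(COOKIE_KEY, payload.encode(), hashlib.sha256).hexdigest()


def issue_cookie(user_id):
    """Cookie value 'UserId:SecurityNo:HMAC' for a user who just logged in."""
    payload = f"{user_id}:{USERS[user_id]}"
    return payload + ":" + _mac(payload)


def verify_cookie(cookie):
    """Return the UserId if the cookie is genuine and still current, else None.

    Two independent checks: the MAC proves the cookie left this server unmodified,
    the database lookup proves the security number has not been rotated since."""
    try:
        user_id_str, security_no, mac = cookie.split(":")
        user_id = int(user_id_str)
    except (ValueError, AttributeError):
        return None  # wrong shape, non-numeric id, or not a string at all
    expected = _mac(f"{user_id_str}:{security_no}")
    if not hmac.compare_digest(mac, expected):
        return None  # edited UserId, edited number, or forged MAC
    stored = USERS.get(user_id)
    if stored is None or not hmac.compare_digest(stored, security_no):
        return None  # user deleted, or number rotated ("log out everywhere")
    return user_id
```

Both comparisons use hmac.compare_digest so that the time taken does not reveal how many leading characters of a guess were right. Rotating the stored number on password change or on "log out from all devices" is what gives this scheme an advantage over an encrypted UserId alone, which stays valid for as long as the key does.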
These are some of the security tips for beginners creating a web application, whatever server-side language it is written in.