I just wrote one of my first web applications (Linux, Apache, MySQL, Django), and would like to launch it publicly. It's a webform-based task disguised as a game; I intend to eventually put it on Amazon Mechanical Turk and give small bonuses to people who achieve certain scores.
Even though this app does not have a tremendously high security risk, I need to safeguard it against manipulation and reverse engineering. However, I have little formal training in testing/security. Given that there are tangible prizes to be won, I know people will have an incentive to cheat, whether by altering POST data, pressing "back" and re-submitting data until they win, etc. So far, I have been dealing with these issues on an ad-hoc basis by putting in security tests as I think of possible exploits. However, I realize there are probably lots of forms of manipulation that I haven't thought of yet.
Can anybody recommend some reading materials from which I can learn how to protect my website against manipulation and reverse engineering?
A very good place to read up is OWASP; see http://www.owasp.org/index.php/Main_Page. They have extensive documentation regarding website security.
Edit: For a quick overview, check the "Top Ten."
The Google Browser Security Handbook has a lot of information about potential vulnerabilities in the web architecture, in particular the details that are affected by the behavior of web browsers (as opposed to server based vulnerabilities, like SQL injection attacks and the like). It is a good starting point for learning about how browsers work in ways that impact security, like how they handle cookies, cross domain requests, images and MIME types, etc.
SQL Injection
Prevent malicious users from altering SQL queries via URL query strings.
DoS Attacks
Prevent users from the same IP address from accessing your site an excessive number of times in a small space of time.
Password Strength
When allowing users to create their own passwords, show a password strength indicator which encourages users to enter stronger passwords.
Captcha
Stop non-human users from submitting to forms by presenting a captcha image. You may also want to use this if password authentication is failed multiple times, to prevent robots from guessing passwords.
One book I might recommend is "Security Engineering" by Ross Anderson. It's fairly detailed and it gives a good overview of many different topics relating to computer security, although not all of it is relevant for securing a website.
Related
I'm building a website www.example.com. I want to implement an affiliate program: when a non-signed-in user enters https://www.example.com/?af-code=affiliateA in his browser (e.g., Chrome), we plan to write affiliateA in e.g., localStorage of the browser, such that we always know this user comes from affiliateA, no matter which url of our website he visits later.
But it seems that localStorage of Chrome is not accessible to IE on the same machine, and vice versa.
My question is whether there is a mechanism (e.g., localStorage, sessionStorage, cookie) to permit of sharing among all the browsers of a user.
It's quite difficult to proove that something doesn't exist. But if we'll take this for a complete list of Web APIs (which I hope it is), then you'll see there different APIs for dealing with data storage 1, 2, ..., even a File and Directory Entries API, but all of them are local for a browser.
But your task is actually not in sharing data between browsers, but to identify a user. And that can be done. But only with some probability and a lot of effort.
For that you can gather different peaces of information about user's device (like screen size, dpi, network condition, etc.), and they will be more or less the same on the same device in a different browser. Also you can use other peaces of information on the server (client IP, simultaneous sessions, when both browsers are open, action patterns, etc.). But it's not an easy task.
And to add to the complexity of it:
One device can be used by many users.
One user usually has many devices.
And in no way you can identify a user on different devices without resorting to full-blown spying techniques.
But, there are trackers out there, like Google Analytics and you can even fin open-source projects. So setting it up on your site can be (still probabilistic) answer to you question.
Can't recommend any - never used them.
This isn't really a technical question, but say you've developed an app for commercial use. If you get questions pertaining to the security of your app from a person who isn't necessarily technically well-versed, saying that you've taken standard security measures like encryption of passwords, protection of routes, secure database connection etc. won't have much meaning to people who don't understand what these terms mean. With that in mind, is there any way to show/prove more generally that your app is secure e.g. is there a certification from AWS for example, that will show clients that your app can be trusted?
For a security aware client, to gain assurance that your software is reasonably secure, you should be able to present the secure development lifecycle that was in place during development and resulted in secure software. Because that is really the only way to gain that assurance.
A secure sdlc includes elements like developer security awareness/education to know about and be able to avoid security issues. It includes feature reviews, security architecture and code reviews during development, static scanning (sast), dynamic scanning (dast), or more recently iast, it also includes penetration testing, and in case of SaaS, also secure operations, configuration management, log management, devsecops.
You simply cannot get this level of assurance afterwards.
You can have some elements of it though.You can run a static scan, you can buy a penetration test, you can show how you deal with security issues and so on. In many cases, that's actually good enough, but be aware that really secure software is not only this.
We want to track users when they visits our competitor websites.
Suppose the user visits a.com(our site) and then visits b.com and c.com (our competitors) , we want to know the user has visited those sites. Is there a way to track this without using plugins like chrome extensions.
I know there is limitation in cookies. Is there a way to do this?
Thankfully, no.
From time to time accidental mechanisms to leak such information become known (such as, at one time, it was possible to inspect link styles to see if it's visited). Such things are regarded as serious security breaches and are swiftly eliminated by browser vendors.
Basic web security principles isolate the interaction with unrelated domains, unless both web pages willingly try to talk to each other. Furthermore, if a user visits your site first and the closes it, their interaction with you is finished - in no sane scenario would you be able to know what they do atferwards.
Not to mention the obvious fact that what you're asking is just plain highly unethical.
Unless you can get your competitors to give you access to their websites, either through include scripts or indirectly if you manage to track users through ad-networks or Facebook pings, it's not possible. You cannot access (should not be able, in any case) cookies set by another domain.
Some browsers allow access to the previously visited URL through document.referrer -- but that is not guaranteed to work, nor is reliable. In short, there's no way of doing it targeted.
Not being able to easily track people is a good thing; but it makes constructions like the on you are wanting a lot harder.
I am working on a web project and I want to (as far as possible) handle user data in a way that reduces damage to the users privacy in case of someone compromising our servers/databases.
Of course we only have user dat'a that is needed for the website to do it's job but because of the nature of the project we have quite a bit of information on our users (part of the functionality is to apply yourself to jobs and sending your cv with it)
We thought about encrypting/decrypting sensitive data with a private/public keypair of which the private key is encrypted with the users password but found some security and implementation problems with that :P
the question is how do you implement user privacy and a protection against data theft on centralised web sever with browser compatible protocols while for functionality it is required that users can exchange sensible data?
To give some additional insight: this project is not yet in production stage so there is still time to make things right.
we are already doing some basic stuff like
serving https
enforcing https for sites that may handle sensitive data
hashing salted passwords
some hardening of our server and services on it
encrypted harddrives to prevent someone from reading all client information after stealing our servers / harddrives
but that's about it, there is besides the password hashes no mechanism that would stop/at least make it harder for someone who managed to get into (part of) the server to gain all data on all our users. Nor do we see a way to encrypt user data to disable our self from reading them as we need the data (we wouldn't have collected it otherwise) for some part of the website / the functionality we want it to provide. Even if we for example managed somehow (maybe with some javascript) that all data would get to us encrypted (by the client's browser) and we serve the client his privatekey encrypted with some passphrase (like for example his login password) we could not for examle scan user uploaded files for viruses and the like. On the other hand would a client side encryption at least with the browser/webserver concept leave some issues with security at least as we imagine it (you are welcome to prove me wrong) and seems quite like reinventing the wheel, and maybe as this project is not primarily about privacy, but rather privacy is a prefarable property we might not want to reinvent the wheel for it. I strongly believe I am not the first webdeveloper thinking about this, am I? So what have other projects done? What have you done to try to protect your users data?
if relevant we are using django and postrgreSQL for most things and javascript for some UI
The common way to deal with this issue is to split (partition) your data.
Keep minimal data on the Internet-facing web server and pass any sensitive data as quickly as possible to another server that is kept inside a second firewall. Often, data is pulled from the web server by the internal secure server to further increase security. This is how banks and finance houses handle sensitive data from the internet (or at least they should). There is even a set of standards (PCI) that cover the secure handling of credit card transactions that explain all of this in mind-numbing detail.
To further secure the internal server, you can put it on a separate network and secure physical access to it. You can also focus other security tools on it such as Data Loss Protection and Intrusion Protection.
In addition, if you have any data that you don't need to see in the clear, use a client-side encryption library to encrypt it locally. There are still risks of course since the users workstation might be compromised by malware but it still removes risks during data transmission and from server storage risks. It also puts responsibility onto the user rather than just on to your central servers.
You already seem to be a long way ahead of most web developers in ensuring that your customers are kept safe and secure. One other small change it would be worth considering would be to turn on enforced HTTPS for all transactions with your site. That way, there is very little chance of unexpected data leakage such as data being unexpectedly cached.
UPDATE:
Client side encryption can help a lot since it puts the encryption responsibility on the user. Check out LastPass for example. Without doing the encryption client-side, you could never trust the service. Similarly with backup services where you set your key locally so that the backups can never be unlocked by someone on the server - they never have the key.
Partitioning is one of the primary methods for enterprises to secure services that have Internet facing components. As I said, typically, the secure server PULLs data from the less secure one so the less secure server can never have any access to anything more secure even if fully compromised. Indeed there will be a firewall that prevents any traffic from the DMZ (where the less secure service is located) getting to the secure network. Only connections from the secure side are allowed through and they will be tightly controlled by security processes. In a typical bank or other high security setting, you may well find several layers like this, each of which having separate security controls, all partitioned from each other enforcing separation of data and security.
Hope that adds some clarity. Continue to ask if not!
UPDATE 2:
Even for simple, low cost setups, I would still recommend partitioning. For a low cost version, consider having two virtual servers with the dedicated firewall replaced by careful control of the software firewall on the more secure server. Follow the same principals outlined above for everything else.
Web services and web APIs have managed to increase the accessibility of the information stored and catalogued on the internet. They have also opened up a vast array of enterprise power functionality for smaller thin client applications.
By taping into these services developers can provide functionality that would have taken them months perhaps years to set up. They can combine them into single applications that make life generally easier for its users.
Whether displaying information about the music being played, finding items of interest in the locale of the user or just simply tweeting and blogging from the same application - the possibilities are growing everyday.
I want to know about the most interesting or useful services that are out there, especially ones that most of us may not have heard about yet. Do you maintain an API or service? or do you have a clever mash up that provides even more benefits than the originals?
YQL - Yahoo provide a tool that lets you query many different API's across the web, even for sites that don't provide an API as such.
From the site:
The Yahoo! Query Language is an
expressive SQL-like language that lets
you query, filter, and join data
across Web services.
...
With YQL, developers can access and
shape data across the Internet through
one simple language, eliminating the
need to learn how to call different
APIs.
The World Bank API is pretty cool. Google uses it in search results. My favourite implementations are the cartograms at worldmapper.
(source: worldmapper.org)
It's very niche, but I happen to think the OpenCongress API is amazing.
Less niche: Google Translate has an API which will guess the language of something. You'd be AMAZED how frequently this comes in handy (even though it's not as tweakable as you'd like and is not trained on small samples).
I was just about to have a stab at using the SoundCloud API
I know many people who already use for sharing their musical masterpieces and its a pretty good site. Hopefully the api will be as well!
I like the RESTful API for weather.com. It's free and very useful for the new age of location-aware apps: https://registration.weather.com/ursa/xmloap/step1
It does require registration, but they don't spam you or anything - it's just to provide you a key to use the API.
Ah yes - here's another one I've been meaning to check out but haven't tried yet
The BBC offer a bunch of apis/feeds that look very promising
http://ideas.welcomebackstage.com/data
They include apis for accessing schedule data for both TV and Radio listings along with all kinds of news searches. It even looks like they'll be offering some sort of geo-location service soon so it will be interesting to see what that has to offer
Another interesting one for liberal brits! ;)
The Guardian news paper have their own api
http://www.guardian.co.uk/open-platform
MuiscBrainz
Excellent service for music mashups.
Not so many knows that Last.FM initial database was scraped from this service.
The United States Postal Service offers a web service that does address standardization. Quite useful in reducing clutter and cleaning data before it gets put into your database.