Security for Web Developers

Kinds of Security

• Availability: whether the web site is available when users want it. An attack that makes a site unavailable is called a Denial-of-Service attack.
• Integrity: whether an attacker can change the content or software on the web site. A site this has happened to is called 'hacked' or 'subverted'.
• Authenticity: whether an attacker can make his site look like yours, and thereby get users to divulge private info to him. Examples include 'spoofing' attacks and 'man-in-the-middle' attacks.
• Privacy: whether an attacker can find out things he oughtn't (like credit card numbers). Privacy is usually compromised by bad design or installation of a web application, but can also be compromised by attacks, including one called "purchase-key" attack, where the attacker simply bribes someone who works on the site. It is also often compromised by using applications like FTP, TELNET, or POP3, which send unencrypted passwords over the Internet.
• Safety: whether an attacker can destroy information on a user's computer. Active-X components, Javascript, viruses, and worms can all be used effectively to attack a user's computer. (Java is much safer.)
• Physical: whether an attacker can walk up to your computer and boot his own software on it.
• Malpractice: if you don't follow commonly accepted best security practices, you or your company could be liable for damages attackers caused to other systems using your computers!

Case Studies: How Sites Were Hacked

• A computer infected with the Hybris virus recently mailed an infected attachment supposedly from "[email protected]" to Webgrrls-LA members. The virus gives the virus author total control over infected computers. It even updates itself via the Internet periodically! This means infected computer are at risk of being used for just about anything: password sniffing (which would be a breach of privacy), launching Distributed Denial of Service attacks on other sites, or of having their web content or applications hacked (if the infected computer is a web server).
• One novice web designer I know used Front Page's bulletin board feature in 1999 to store credit card info. Not a good idea. I found the URL of the hidden board by doing "View Source" on his info entry page and guessing a bit, then called him up and read off a few credit card numbers. (An example of a site without effective privacy.)
• ZDNet's OpenHack Challenge - shows how even a relatively well secured site was hacked, and how you can protect yours. (An example of a site with bugs and poorly configured applications that together caused a loss of site integrity.)
• Distributed Denial-of-Service Attacks on Yahoo, Amazon, EBay, CNN, and others in 2000 - how hackers broke into hundreds of computers and used them a base from which to launch a massive denial-of-service attack on popular sites.
• Chasing the Wind - A game of cat and mouse between a system administrator and a script kiddie. Describes how script kiddies find vulnerable sites, and how network administrators at large sites try to track them down.

Advisories

• How the Microsoft Windows HTML help facility can be used by malicious emails or web sites to take over your computer (includes good instructions for avoiding this attack)
• How Windows Media Player 7, ActiveX, and Active Scripting can be used to take over your computer (Jan 1 2001)
• CNN's warning about Microsoft's Active Scripting (Nov 23 2000)
• VNUNet's note about expected DDOS attacks this holiday season and what to do - December 2000
• Microsoft's note about vulnerabilities in older versions of Outlook Express - July 2000
• Reflecting on the Year 2000 - a year-end review of anti-virus security news, from Kaspersky Lab.

Tools

• SSH is a protocol that replaces FTP and Telnet; it's a secure way to upload or download files or open a commandline shell session on your web server. You can find free SSH clients at www.openssh.com or www.freessh.org, and commercial versions at many places, for instance, www.ssh.com and vandyke.com.

Basic Security Checklist

• Secure your own workstation first! The server is only as secure as the workstations of all the people who are allowed to upload to it.
• If you're using Windows, disable Javascript, Active X, and Active Scripting in the Restricted Zone, and set Outlook/Outlook Express to use the Restricted Zone when reading email. See this CERT advisory (mirror site) for step-by-step instructions.
• If you're using Windows or Mac, get a good antivirus program that runs daily and keeps itself up to date.
• Turn off all unneeded network services. The most common unneeded service on Macs and PC's is file and printer sharing. See here and here for tips on how to turn that off.
• Don't use programs that send passwords in the clear. FTP (e.g. Fetch), Telnet, and email programs that use POP3 are common offenders. Secure alternatives exist; you can use SSH instead of FTP or Telnet. Not many ISP's support secure email protocols, though.
• Don't use the same password for different systems. Even if you're good, and use a secure protocol like SSH to upload to your web server, but your email program uses an insecure protocol like POP3, you can still get hacked if your passwords for mail and for the web server are the same.
• Don't run old versions of third-party packages on your web server! You need to stay up-to-date to avoid falling victim to attacks on known vulnerabilities.
• Learn more! Go find better security checklists, and follow them. Learn what attacks are common at the moment. See "Online Resources" below.

Online Resources

• The World Wide Web Security FAQ
• PC Security Basics by ZDNet
• Security Basics by Netscape
• Back End & Site Management by CNET; scroll down to "Security & Privacy"
• DSL Zone's security page

Advanced Online Resources

• www.securityfocus.com - click on "The Basics" for less advanced info
• Writing Secure Web Applications by Advosys Consulting
• Weaving a Web of Trust by Rohit Khare and Adam Rifkin
• Secure Computing with Java

Books

• "Web Security & Commerce" -- by Simson Garfinkel with Gene Spafford
  • Chapter 1: The Web Security Landscape
• "Practical UNIX & Internet Security -- by Simson Garfinkel with Gene Spafford
  • Appendix A: UNIX Security Checklist
• Securing Windows NT/2000 Servers for the Internet - A Checklist for System Administrators, by Stefan Norberg
  • Chapter 1: Windows NT/2000 Security
• CGI Programming with Perl, 2nd Edition
  • Chapter 8: Security

Other

• U of T at Scarborough Web Site Style Guide (doesn't pay enough attention to security, but it's so amazingly detailed I had to link to it)
• Designing and Deploying a Web Site by Todd Burgess