Validate your inputs
Todays podcast listening for the commute was Bruce Sams talking about web app security from Software Engineering Radio.
Starting with a live demo of some hacking techniques (surprisingly effective even with just the audio), it covers some of the popular attacks - SQL injection, javascript in input fields, cookie stealing, guessing adjacent ID numbers and so on.
Apparently about 70% of web app vulnerabilities come from the inputs to the system - we spend a lot of time worrying about things like SSL and encrypted logins, but actually the vast majority of attacks use the applications themselves.
Sams says that when he's asked for his top 10 tips for making your web app secure, he says:
- Validate your inputs properly
- See (1).
An interesting aspect of validation, though, is that it applies not just the obvious things like form fields and text strings, but to all the HTTP header elements as well.
For example, WordPress MU (in versions prior to 2.7) had a function that would echo the HTTP Host header without having sanitised it. The attacker can craft a request that contains some Javascript in the Host header which, when echoed, can grab cookies (or other evil cross-site scripting stuff)..