Web Security: Build It Right

An introduction to security best practices

Why Your Security Savvy Really Matters

Guess what gets exploited the most? The lazy developers and the low hanging fruit.

Web security means not putting out anything delicious to be taken.
Web security requires careful craftsmanship.

Why Your Security Savvy Really Matters

The easy targets are made by developers who:

  • Only consider the ideal user
  • Don't go the extra mile in setup
  • Are too rushed
  • Never learned better

OWASP.org: Open Web Application Security Project

When you use good security practices you will...

Reduce fraud and theft

Shield your clients from vandalism

Protect against data loss

Create applications that don't take any $#*!

Sleep easier

Get started right now, do what you can as often as you can.

This will save you many headaches in the long run.

So let's do it

You just follow along with me today.

Here are 12 Web Security Best Practices you can use today and errday

Default Credentials in Place

No guessing involved!

Root user vulnerable?

Rename users, reroll passwords.

Every Path and Port is the Default

Predictability makes everything easy.

Customize servers to your needs and liking.

See also: Security through obscurity.

No Timeout Between Failed Attempts

How many password guesses can I make in 5 minutes?

Consider lockout after too many bad attempts.

See also: Brute force attacks.
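One way to put a ceiling on the "how many guesses in 5 minutes" question, as an added example that is not part of the slides: a per-account counter with a sliding window and a lockout period. The class name, limits and in-memory store are all assumptions chosen for the example; a real deployment keeps the counters in the database or a cache shared by every web node.

```php
<?php
declare(strict_types=1);

// Added example (not from the slides): lock an account after repeated failed logins.
// Storage is an in-memory array here purely so the script runs stand-alone.
final class LoginThrottle
{
    private const MAX_FAILURES = 5;    // bad attempts allowed inside the window
    private const WINDOW_SECS  = 300;  // the "5 minutes" from the slide
    private const LOCKOUT_SECS = 900;  // how long an account stays locked

    /** @var array<string, array{failures:int, first:int, locked_until:int}> */
    private array $state = [];

    public function isLockedOut(string $username, int $now): bool
    {
        $row = $this->state[$username] ?? null;
        return $row !== null && $row['locked_until'] > $now;
    }

    public function recordFailure(string $username, int $now): void
    {
        $row = $this->state[$username] ?? ['failures' => 0, 'first' => $now, 'locked_until' => 0];

        // Start a fresh window once the old one has expired.
        if ($now - $row['first'] > self::WINDOW_SECS) {
            $row = ['failures' => 0, 'first' => $now, 'locked_until' => 0];
        }

        $row['failures']++;
        if ($row['failures'] >= self::MAX_FAILURES) {
            $row['locked_until'] = $now + self::LOCKOUT_SECS;
        }
        $this->state[$username] = $row;
    }

    public function recordSuccess(string $username): void
    {
        unset($this->state[$username]);
    }
}

// Hypothetical login flow: consult the lock before the password is checked at all,
// and give the same answer whether or not the username exists.
function attempt_login(LoginThrottle $throttle, string $username, string $password, string $storedHash, int $now): string
{
    if ($throttle->isLockedOut($username, $now)) {
        return 'locked';
    }
    if (!password_verify($password, $storedHash)) {
        $throttle->recordFailure($username, $now);
        return 'denied';
    }
    $throttle->recordSuccess($username);
    return 'ok';
}

// Constructed demo: six wrong guesses in a row, then the right password twice,
// once inside the lockout period and once after it has expired.
$throttle = new LoginThrottle();
$hash     = password_hash('correct horse battery staple', PASSWORD_DEFAULT);
$t0       = 1700000000;
for ($i = 0; $i < 6; $i++) {
    echo attempt_login($throttle, 'alice', 'wrong', $hash, $t0 + $i), PHP_EOL;
}
echo attempt_login($throttle, 'alice', 'correct horse battery staple', $hash, $t0 + 10), PHP_EOL;
echo attempt_login($throttle, 'alice', 'correct horse battery staple', $hash, $t0 + 1000), PHP_EOL;
```

Run it with `php throttle.php`. Note that the counter is keyed by username, not by client address, so an attacker spreading guesses across many IPs still hits the same ceiling; pairing it with a slower per-IP limit is the usual complement.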

Allowing Weak Passwords

Would you let your admin users use "password"?

Validate for length, content, and dictionary words

Encourage a password that no one could remember.

See also: two factor auth.
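A password check covering the three items on the slide (length, content, dictionary words), as an added example that is not part of the original. The minimum length, the character-class rule and the tiny word list are assumptions for illustration; in production the list would be a real breached-password corpus.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for a real wordlist (a breached-password list in practice).
const WEAK_WORDS = ['password', 'letmein', 'qwerty', 'welcome', 'admin'];

/**
 * Returns an empty array when the password passes, otherwise the list of rules it
 * failed, so the form can tell the user exactly what to change.
 * Policy values are hypothetical and chosen for the example.
 */
function password_problems(string $password, string $username): array
{
    $problems = [];
    $len = mb_strlen($password);

    if ($len < 12) {
        $problems[] = 'shorter than 12 characters';
    }
    if ($len > 128) {
        $problems[] = 'longer than 128 characters';   // keeps hashing cost bounded
    }

    // Content: count the character classes present rather than demanding a fixed pattern.
    $classes = (int) preg_match('/[a-z]/', $password)
             + (int) preg_match('/[A-Z]/', $password)
             + (int) preg_match('/[0-9]/', $password)
             + (int) preg_match('/[^a-zA-Z0-9]/', $password);
    if ($classes < 3) {
        $problems[] = 'uses fewer than 3 character classes';
    }
    if (preg_match('/(.)\1{3,}/', $password)) {
        $problems[] = 'repeats one character 4 or more times';
    }

    // Dictionary: a weak word with digits or symbols bolted on is still a weak word.
    $lower = strtolower($password);
    foreach (WEAK_WORDS as $word) {
        if (strpos($lower, $word) !== false) {
            $problems[] = "contains the dictionary word '$word'";
            break;
        }
    }
    if ($username !== '' && stripos($password, $username) !== false) {
        $problems[] = 'contains the username';
    }
    return $problems;
}

// Constructed inputs: one that looks "complex" but fails, one that passes.
foreach (['Password123!', 'plum-Tractor-47-gulf'] as $candidate) {
    $problems = password_problems($candidate, 'admin');
    echo $candidate, ': ', $problems === [] ? 'ok' : implode('; ', $problems), PHP_EOL;
}
```

The check runs on the server; a client-side copy is a convenience for the user, never the enforcement point.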

Sanitizing Input

Pretend everything was a piece of food dropped on the street in NYC. You would not put that in your mouth!

Don't assume your users are giving you data that was any cleaner.

Look at data type, special chars, length

// Never Ever Do This. I will slap you.
$sql = "UPDATE users SET username = '{$_POST['username']}', user_level = '{$_POST['user_level']}',
  password = '{$_POST['password']}'
  WHERE users.id = '{$_POST['user_id']}';";

Be Militant About Requests

Allow both POST and GET to anything?

Proper authentication on your API endpoints.

Ask: should this be allowed?

Lock it down like Alcatraz.


// Let's say we have a gift card service platform with API 
public function add_dollars(int $company_id, int $account_id, float $dollars){
	
  // Is this account an actual valid card with this company?
  if($this->auth_valid_card_number($company_id, $account_id) === false) 
    throw new \Exception('Invalid account.');
  
  // Random numbers thrown at our API should not get this far.
  return $this->account_model->add_dollars($account_id, $dollars);
}

Dynamic URIs

Some will require authentication, like user profiles.

Ask yourself, who should see this page?


// This could serve up some really sensitive information
// access by website.com/my-transactions/1
public function my_transactions(){
  $user_id = $this->uri->segment(2);
  
  // What is stopping the user from just hitting /my-transactions/2 ? Nothing!
  
  $vars = $this->db->where('user_id', $user_id)->get('transactions');
  
  // Anybody's data will load here
  $this->load->view('my_transactions', $vars);
}
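The hardened shape of both the API endpoint and the transactions page above, as an added example that is not the slides' own code. It is framework-free (plain PDO on an in-memory SQLite table instead of the `$this->uri` / `$this->db` helpers), and the class names, routes and session layout are assumptions: the request verb is checked first, the identity comes from the session rather than the URL, and any id that does come from the URL is pinned to its owner inside the query.

```php
<?php
declare(strict_types=1);

// Added example, not from the slides. Constructed table with one row per user.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE transactions (id INTEGER PRIMARY KEY, user_id INTEGER, amt REAL)');
$pdo->exec('INSERT INTO transactions VALUES (1, 1, 10.0), (2, 2, 99.0)');

final class MethodNotAllowed extends RuntimeException {}
final class NotAuthorized    extends RuntimeException {}

/** Reject any verb the route was not built for before the handler runs (a 405 in a real controller). */
function require_method(string $actual, array $allowed): void
{
    if (!in_array(strtoupper($actual), $allowed, true)) {
        throw new MethodNotAllowed('method not allowed');
    }
}

/** Stand-in for the framework session: user_id was set at login and is never read from the request. */
function current_user_id(array $session): int
{
    if (!isset($session['user_id'])) {
        throw new NotAuthorized('login required');
    }
    return (int) $session['user_id'];
}

/** GET /my-transactions : no id in the URL at all; the list is scoped to whoever is logged in. */
function my_transactions(PDO $pdo, array $session, string $method): array
{
    require_method($method, ['GET']);
    $stmt = $pdo->prepare('SELECT id, amt FROM transactions WHERE user_id = ?');
    $stmt->execute([current_user_id($session)]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

/** GET /transaction/<id> : an id in the URL is fine, but the WHERE clause also pins the owner. */
function transaction_detail(PDO $pdo, array $session, string $method, string $rawId): array
{
    require_method($method, ['GET']);
    $id = filter_var($rawId, FILTER_VALIDATE_INT);
    if ($id === false) {
        throw new InvalidArgumentException('bad id');
    }
    $stmt = $pdo->prepare('SELECT id, user_id, amt FROM transactions WHERE id = ? AND user_id = ?');
    $stmt->execute([$id, current_user_id($session)]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        // Same answer whether the row is missing or belongs to someone else,
        // so the URL cannot be used to learn which ids exist.
        throw new NotAuthorized('not found');
    }
    return $row;
}

// Constructed requests: alice (user 1) is logged in.
$session = ['user_id' => 1];
print_r(my_transactions($pdo, $session, 'GET'));
print_r(transaction_detail($pdo, $session, 'GET', '1'));

// Someone else's row, then the wrong verb: both are refused before any data is loaded.
foreach ([['GET', '2'], ['POST', '1']] as [$method, $id]) {
    try {
        transaction_detail($pdo, $session, $method, $id);
    } catch (RuntimeException $e) {
        echo get_class($e), ': ', $e->getMessage(), PHP_EOL;
    }
}
```

The ownership condition lives in the SQL rather than in a check after the fetch, so there is no window in which a row belonging to another user is held in memory and could leak through a later code path.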

SQL Injection

Again, everything is tainted.


$sql = "SELECT * FROM transactions WHERE id = '{$_POST['trans_id']}'";

// What if $_POST['trans_id'] = "1' OR amt != '0" ?
$sql = "SELECT * FROM transactions WHERE id = '1' OR amt != '0'";

// Why, you could give away quite a lot of sensitive data!
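The safe counterpart to both the "never ever do this" UPDATE in the input-sanitizing section and the SELECT above, as an added example that is not the slides' own code: validate each field for type, allowed values and length first, then hand the values to PDO as bound parameters so they are never spliced into SQL text. It runs against an in-memory SQLite table; the schema, the field rules and the hostile form submission are all constructed for the example.

```php
<?php
declare(strict_types=1);

// Added example, not from the slides: validate first, then bind with PDO.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// On MySQL also set PDO::ATTR_EMULATE_PREPARES to false so parameters are bound server-side.

$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, user_level TEXT, password TEXT)');
$pdo->exec('CREATE TABLE transactions (id INTEGER PRIMARY KEY, user_id INTEGER, amt REAL)');
$pdo->exec("INSERT INTO users VALUES (1, 'alice', 'member', 'x')");
$pdo->exec('INSERT INTO transactions VALUES (1, 1, 10.0), (2, 2, 99.0), (3, 2, 5.0)');

// 1. Validate: type, allowed values, length, before the data goes anywhere near SQL.
function clean_user_update(array $post): array
{
    $userId = filter_var($post['user_id'] ?? '', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($userId === false) {
        throw new InvalidArgumentException('user_id must be a positive integer');
    }
    $username = trim((string) ($post['username'] ?? ''));
    if (!preg_match('/^[a-z0-9_]{3,32}$/i', $username)) {
        throw new InvalidArgumentException('username: 3-32 letters, digits or underscores');
    }
    // Privilege levels are assigned server-side; a request may only pick from this short list.
    $level = $post['user_level'] ?? '';
    if (!in_array($level, ['member', 'editor'], true)) {
        throw new InvalidArgumentException('user_level not permitted');
    }
    return ['id' => $userId, 'username' => $username, 'user_level' => $level];
}

// 2. Bind: values travel as parameters, never as SQL text, and the password is hashed.
function update_user(PDO $pdo, array $u, string $plainPassword): int
{
    $stmt = $pdo->prepare(
        'UPDATE users SET username = :username, user_level = :level, password = :hash WHERE id = :id'
    );
    $stmt->execute([
        ':username' => $u['username'],
        ':level'    => $u['user_level'],
        ':hash'     => password_hash($plainPassword, PASSWORD_DEFAULT),
        ':id'       => $u['id'],
    ]);
    return $stmt->rowCount();
}

// The slide's SELECT done safely: a non-integer id is rejected before any query runs,
// and an integer id is bound, so the quote trick has nothing to break out of.
function find_transaction(PDO $pdo, string $rawTransId): ?array
{
    $id = filter_var($rawTransId, FILTER_VALIDATE_INT);
    if ($id === false) {
        return null;
    }
    $stmt = $pdo->prepare('SELECT * FROM transactions WHERE id = ?');
    $stmt->execute([$id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed hostile form submission: each field is wrong in a different way.
$hostile = [
    'user_id'    => '1',
    'username'   => "bob'; DROP TABLE users; --",
    'user_level' => 'admin',
    'password'   => 'correct horse battery staple',
];
try {
    update_user($pdo, clean_user_update($hostile), $hostile['password']);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}

// A well-formed submission goes through the very same prepared statement.
$clean = ['user_id' => '1', 'username' => 'alice_2', 'user_level' => 'editor', 'password' => 'correct horse battery staple'];
echo 'rows updated: ', update_user($pdo, clean_user_update($clean), $clean['password']), PHP_EOL;

var_dump(find_transaction($pdo, "1' OR amt != '0"));   // the slide's injection string
var_dump(find_transaction($pdo, '2'));
```

Validation and binding are two separate defences: binding alone would still let a caller set `user_level` to `admin`, and validation alone is one missed edge case away from an injection, so both run on every write.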

Including Sensitive Files in your GIT Repo

Do not push repos with ANY sensitive data ever committed to a public site.

Bots look for this.

Gitignore is your friend.

Apache: Indexes Enabled

You can always put a blank index.html in every directory.

Disable indexes if using Apache.

Leaving Sensitive Files on a Server

Full zipped copies

Search-and-replace DB scripts

Remove or disable all of these.

Error Messages are Too Revealing

Let's handle our errors nicely, please

Showing file names and stack traces?

Give a short fail message.
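One way to give the short message to the client while keeping the file name and stack trace for yourself, as an added example that is not part of the slides: a single rendering function used both by a last-resort exception handler and by explicit catch blocks. The incident id, the handler shape and the constructed failure are assumptions for the example.

```php
<?php
declare(strict_types=1);

// Added example (not from the slides): log the detail, show the stub.
// The incident id lets support locate the full log record without exposing it to the client.
function render_error(Throwable $e, bool $debugMode = false): array
{
    $incident = bin2hex(random_bytes(6));

    // Server side: everything, including file, line and trace, goes to the log only.
    error_log(sprintf('[%s] %s: %s in %s:%d%s%s',
        $incident, get_class($e), $e->getMessage(), $e->getFile(), $e->getLine(),
        PHP_EOL, $e->getTraceAsString()));

    if ($debugMode) {
        // Local development only; this flag must never be true in production config.
        return [500, sprintf('%s: %s (%s:%d)', get_class($e), $e->getMessage(), $e->getFile(), $e->getLine())];
    }
    return [500, "Something went wrong. Reference: $incident"];
}

// Install as the last-resort handler so an uncaught exception never reaches display_errors.
set_exception_handler(function (Throwable $e): void {
    [$status, $body] = render_error($e, false);
    http_response_code($status);
    header('Content-Type: text/plain; charset=utf-8');
    echo $body, PHP_EOL;
});

// Belt and braces: PHP itself must not print errors to the client in production.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// Constructed failure to show the two faces of one error.
try {
    throw new RuntimeException('Connection to db.internal failed for user app');
} catch (RuntimeException $e) {
    [, $devBody]  = render_error($e, true);
    [, $prodBody] = render_error($e, false);
    echo "dev : $devBody", PHP_EOL;
    echo "prod: $prodBody", PHP_EOL;
}
```

Run it with `php errors.php`; the detailed line lands wherever `error_log` is configured to write (stderr on the CLI), and only the second, generic line is what a user would ever see.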

Do you need to think like a hacker to be good at security?

No, but it won't hurt you.

Set a goal to start securing your code.

Need more motivation? Get a little scared.

https://www.youtube.com/user/DEFCONConference

What Next?

  • Breathe a big sigh of relief that your code is good
  • Bring a security minded attitude towards all new projects
  • Use these slides for your own presentation
  • For feedback or assistance click the link below: