Skip to content
This repository has been archived by the owner on Aug 30, 2024. It is now read-only.

user ui 3.2 sec

Jump to bottom
chris grzegorczyk edited this page Oct 16, 2012 · 5 revisions

Table of Contents

Security Guidelines for Web UI

General

  • all inputs (user, database, filesystem, network) should be convertied into a canonical form before any processing is done
    • //canonicalization// is the process of converting something from one representation to the simplest form
    • all components of the web UI shall assert the correct locale and character set to be used
  • use HTML entities, URL encoding, and so on to prevent Unicode characters being treated improperly by the many divergent browser, server, and application combinations

XSS Protection

  • Escape all outputs before returning them to a user
    • //escaping// is a technique used to ensure that characters are treated as data, not as characters that are relevant to the interpreter's parser
  • KB article with references to Cheat Sheets
  • OWASP ESAPI library for escaping

Session Management

  • Sessions must have a limited lifetime and expire after a period of time based on business and usability requirements balanced with security considerations.
    • General security guidelines: sessions SHOULD timeout after 5 minutes for high-value applications, 10 minutes for medium value applications, and 20 minutes for low risk applications.
  • A new session id needs to be generated when user logs in
  • The UI proxy should invalidate and remove the session identification token after a user //logout//.
  • The UI proxy should invalidate and remove the session identification token after a period of inactivity.
  • For session management the best practice is to use a robust, well-known session manager built in to a web application framework.
  • Use HTTP cookies for passing session ids.
  • If Cookies are used to store and transmit session identifiers over HTTPS they should be marked as 'Secure' so that they are not served over non-SSL tunnels.
  • a more complete list of best practices is here

CSRF Prevention

  • a unique temporary //validation token// needs to be generated in addition to the session id
  • this token needs to be in some way associated with the user session and be inserted into any web page generated by the proxy
  • one way to generate the validation token is HMAC of the session id or to keep a server-side state for that
    • see KB article for more details and other approaches
  • client-side code should submit this token using an additional custom HTTP header
  • this token has to be validated on each request from the user together with the session id
  • user request is accepted only iff a valid token for the current session is submitted
  • the validation token has the lifetime of the corresponding user session
  • the validation token should also be used for the login form(s) (i.e., before the user is authenticated) 



NOTE: Tornado 2.3 comes with built-in CSRF protection that can be enabled. We should take advantage of it if it's available in the version that we are going to use.




SQL Injection









    

  • User parameterized (aka, prepared) queries. 
    • 

  • If a framework like Hibernate is used, avoid using native queries. If native queries are absolutely necessary, sanitize any untrusted data in the query before passing it to the database layer.      
    • 




AJAX Best Practices









tag:rls-3.2
              


          



  
          

            

              

                

                  

                    



























                  

                

              


            
Clone this wiki locally