Pam Van Londen » User Data

Web Security Checklist

Pam Van Londen — Wed, 28 Jan 2009 18:24:43 +0000

Readings

Web Applications Security Tutorial: Jerry Berkman, 2003.
A Guide to Building Secure Web Applications and Web Services: Open Web Application Security Project. 2005 PDF.
Open Web Application Security Project; OWASP.org. Top 10 Vulnerabilities in Web Applications. November 2006.
Secrets and Lies: Digital Security in a Networked World: Bruce Schneier, John Wiley & Sons, 2000.
ISBN 0-471-25311-1
Understanding Malicious Content Mitigation for Web Developer: (CERT 2000)
SANS Top-20 2007 Security Risks: 2007 Annual Update
Web Security: W3Schools.org. An introduction.
Web Security: By Geoff Marshall. SC magazine. Account required to read the white papers.

Web site security is a full time job because your web site is public for every hour of every day.

“The heart of the issue is that if untrusted content can be introduced into a dynamic page, neither the server nor the client has enough information to recognize that this has happened and take protective actions.”

Understanding Malicious Content Mitigation for Web Developer (CERT 2000)

Use this checklist to lesson the impact of malicious activity in cyberspace:

Assess the risks (Gin, 2008)

Identify protected resources such as web pages, databases, employee information, and credit card data.
Assign relative values to each to identify which are priorities to protect with your time and tools.
Identify possible attackers such as hackers, ex-employees, spies, or government agencies.
Estimate the relative frequency of attackers.

Code with security in mind.

Assess the risks of using scripts and forms.
Stay abreast of security vulnerabilities via CERT
Set the character encoding (meta tag) to ISO
- < meta http-equiv=”Content-Type” content=”text/html; charset=IOS-8859-1″ >
Put code/scripts in a separate directory outside the document root. (Berkman 2003)
- But do not put general purpose interpreters, such as perl, PHP, or shells, in the cgi-bin directory.
- Store database account name and password in a file outside the web directory tree.
Recode dynamically generated pages to validate output.
- Code sites so they work with or without JavaScript.
  - Because JavaScripts can introduce insecurities, some uses keep it turned off in their browsers. Tools like NoScript make it easy to turn it on when viewing a trusted site.
- “Any server that creates web pages by inserting dynamic data into a template should check to make sure that the data to be inserted does not contain any special characters (e.g., “<”). If the inserted data contains special characters, the user’s web browser will mistake them for HTML markup.” (CERT 2000)
Validate form data and disallow html and scripts in form fields.
- Limit field data to what is needed and no more. For instance, if you ask for a person’s age in a form field, only accept numbers with 2 digits rather than any amount of any characters. In a name field, accept only a string of letters, periods, and hyphens. Apostrophes may allow SQL injections.
- Validate/filter form data locally (during the output process) before it is rendered as part of the dynamic page.
- If you validate form data with JavaScript, revalidate with your server script (in case JavaScript was turned off in the browser).
- Don’t allow html tags in form textarea or input fields.
- Add Captcha Image security functions to keep spambots from filling in your forms.
Examine and filter data stored in cookies.
- It is a good practice to save the session data on the server, and use cookies or hidden variables just to pass a session identifier. (Berkman 2003)
- Cookie data can be stolen by other web pages so don’t store sensitive data in them.
Don’t send scripts or personal form data via link tags.
- Malicious HTML Tags Embedded in Client Web Requests: CERT® Advisory 2000
- Send forms with method=”post” rather than method=”get” as much as possible.
  (Berkman 2003)
  - With POST the form input is passed via standard input to the application; best for logged in sessions.
  - With GET the form input is added to the URL which is visible to users; so don’t use this option for sending personal data.
- Don’t pass important information via hidden variables. For instance, a BuyNow button that shows pricing in a hidden field can easily be copied, altered, and sent back so a purchase is made with the wrong pricing! Read Shopping-cart glitch could give hackers a discount: Ann Harison CNN.com 2000.
Require users to create strong passwords.
- And display errors to login/authentication that do not give away missing information.
- To prevent another user from using the back button to relog in as the previous user, create a random key for each login page, save it on the server and pass it to the browser in a hidden variable, and only allow the random key to be used once to log on. (Berkman 2003)
- Limit the number of failed login attempts.
- Prohibit shared accounts.
- Don’t use generic account names like tester, guest, sysadmin, admin, etc.
Don’t list script errors on web pages that are launched.
- They give away the vulnerabilities of the scripts.
For PHP Scripts
- Upgrade to PHP 5.2 to eliminate common vulnerabilities. some of these include:
  - PHP Remote File Include
  - SQL Injection where a CGI inserts input data into a string which is then submitted to an SQL server. See a quick example from Berkman.
  - Cross-Site Scripting (XSS) where the attacker tricks the victim into clicking on a URL containing a harmful script.
  - Cross-site request forgeries (CSRF)
- Consider using methods like SUPHP to set permissions to read only.
  - This method can use an .htaccess file to handle permissions for complex database-driven web applications.
  - Read more: Secure PHP Pages with SUPHP: University of Virginia.
  - PHP’s security functions can all be turned on but most open source web applications cannot run with them on.
- Remove all .phps or php.txt files from the server.
- Remove automatically generated directory listings.
- Create directories outside the server tree for session and sensitive data.
For SQL databases, read Sans.org’s Top 20 List.
Don’t list email addresses in web pages.
- Use forms instead.

Test your scripts for vulnerabilities

Many
older scripts, free downloadable scripts, and samples scripts from textbooks do not adhere to security best practices, so test your site to see which scripts need attention. Try these tools:
- OWASP Testing Guide
- Top 10 Web Vulnerability Scanners
Removed vulnerable scripts from the server. W3.org provides a list of problem CGI scripts.
Measure your skill using the GSSP or other security exams and fill commit to regularly learning new security skills.

Create strong passwords

Perfect Passwords: GRC’s Ultra High Security Password Generator
Password Dos and Don’ts: Bytes Interactive

Manage passwords securely

Read about Password Management Best Practices: MTech. 2008. And Password Management vs. Single Sign-On.
Management options include:

- Desktop software
- Browser extension
- Hosted online service
- Single Sign On (SSO)

Host your web site with a reliable company that provides the following services:

Secure server room with limited access to staff and outsiders.
Secure credit card transaction when purchasing the account.
- Is the transaction as safe if handled manually by a human?
Strong password generation for accounts.
Daily backup of files and databases.
Immediate technical support to troubleshoot security issues.
Investment in finding the culprit (reporting to police)

If using e-commerce then read

Encrypt transmission of cardholder data
and sensitive information across public networks
Maintain a Vulnerability Management
Program
Use and regularly update anti-virus
software
Develop and maintain secure systems and
applications
Implement Strong Access Control
Measures
Restrict access to data by business need-to-
know
Assign a unique ID to each person with computer access
Restrict physical access to cardholder data

Regularly Monitor and Test Networks Track and monitor all access to network resources and cardholder data

Regularly test security systems and processes

Maintain an Information Security Policy Maintain a policy that addresses information security

If you’ve built your own server, use the Robots Exclusion to protect specific directories.

Robotstxt.org: Helping promote the Robot Exclusion Standard.
Disable web servers that are not in use because unused, unpatched web servers contributed greatly to spread of Code Red.

Transfer files with a secure connection

Encrypted WiFi connection
- View your computer’s vulnerabilities with ShieldsUP!
  - The Internet’s quickest, most popular, reliable and trusted, free Internet security checkup and information service. Check your system here, and begin learning about using the Internet safely.
Secure FTP (SFTP) or Secure Shell
Logout when idle.

Use a Secure Socket Layer (SSL) Certificate when setting up online transactions.

SSL encrypts sessions between the browser and web server.
Generating a self-signed SSL certificate
- Rather than purchase a “trusted” certificate, generate your own. It’s secure, but may not be trusted by your visitors.

Browse and view media files with security features turned on.

Securing Your Web Browser:
Will Dormann and Jason Rafail 2008.
Example of a browser insecurity
- Mozilla browsers fail to properly handle images: Vulnerability Note VU#879056. The United States Computer Emergency Readiness Team (US-CERT) is a partnership between the Department of Homeland Security and the public and private sectors. Established in 2003 to protect the nation’s Internet infrastructure, US-CERT coordinates defense against and responses to cyber attacks across the nation.

Write a sound security policy.

Read and use How to Construct Your Privacy Policy:
Direct Marketing Association.

Producing Accessible Forms

Pam Van Londen — Tue, 02 Dec 2008 18:51:05 +0000

Introduction

Goals of forms and collecting user data

Most web sites are built to provide information to visitors. When site owners want to hear from visitors; they make it easy by providing forms which ask questions related to the data they want to collect. Perhaps it’s just a simple message, such as, “How did you hear about us?” Or, “Did you find what you were looking for?” Or, “Contact us and we’ll contact you.”

Collecting data from your visitors involves adhering to etiquette, securing form data while in transit, and sharing or not sharing data with third parties, and blocking spam messages. In general, follow these guidelines:

Make forms accessible so all visitors can send you a message.
Provide helpful messages and instructions for new internet users.
Use error checking so that form data is clean before sending.
Block automatic spambotsfrom using the form and cluttering up the receiver’s email inbox.
Notify visitors of your policies regarding their personal data.

Making Accessible Forms

Readings

Accessible forms: Guidelines, examples and accessible JavaScript tricks: Mike Foskett, Web Semantics. 2006.
Accessible HTML/XHTML Forms: Ian Lloyd, May 2004. The Web Standards Project. Beginning, Intermediate, and Advanced tutorials.
Form Validation, Disabling Browser Caching, Embedding HTML Code: Christopher Heng, The Site Wizard
Form field focus with unobtrusive JavaScript: Joey Marchy. 2006. In the Garage.
Dynamic Drive’s Form Effects: Updated regularly.

Use these various tags to improve keyboard and screenreader access in forms. Read more in Creating Accessible Forms.

fieldset
legend
label with “for” defined
tabindex
accesskey
- Styling with pseudo-elements
focus

Collecting visitor data

By email
- FormMail.php, which resides on the ONID server, will allow your visitors to send data to your OSU email address.
  - You can download a version of FormMail.php to an off-campus server running PHP software.
- Feedback Form Script is much simpler and allows you to build in what you want.
With .htaccess files.
- Note that these options were written for the host vendor’s server configuration and may not work for ONID or ENGR servers. They do explain many uses for .htaccess, however.
- Comprehensive guide to .htaccess
With Cookies(CS 295)
- See the next page.
Write to a Database(CS 295)
- See the next week’s work.

Which format will the web host/server allow?

Scripts written in one of these three languages are usually provided by a web host. Getting information from their support staff about the path to the script can be difficult, and modifying the refer line of the file is generally a simple matter.

CGI scripts
- FormMail is a generic HTML form to e-mail gateway that parses the results of any form and sends them to the specified users. This script has many formatting and operational options, most of which can be specified within each form, meaning you don’t need programming knowledge or multiple scripts for multiple forms. Previous versions have had security problems.
Perl scripts
- FormMail available in a Perl (.pl) format.
PHP scripts (3 options)
- Easy to make your own. See PHP for the World Wide Web chapter 3 to get started. Note corrections to textbook scripts.
- The ONID server provides use of FormMail.php. To use it, tag a form with the following path:
  - This will only work if the recipient line goes to an on-campus email address.
  - Use Jack’s Script’s tutorial to properly set up the hidden fields.
- Download and install a version of formmail.php (several versions of the same name exist)
  - Jack’s Scripts (perhaps out of date)
  - Tectite

Provide Security

Read through the Web Security Checklist to get an idea how complicated it is to keep forms and web sites secure. Pay close attention to “Code with security in mind”, step 6.

Tell visitors how you will use their personal data

In a separate page or message on your form page, tell visitors why you want to hear from the, what you’ll do with their personal data, and where it will be stored. Will you sell it to third parties? Leave it laying around in your email, or store it in a database so you can send them a newsletter? Use the DMA’s form to generate a policy for your web site. Edit the results to meet your needs.

How to Construct Your Privacy Policy: Direct Marketing Association.

Verifying/validating data with JavaScripts

Pam Van Londen — Fri, 15 Sep 2006 15:30:54 +0000

Readings

250 HTML and Web Design Secrets: Molly E Holzschlag. Wiley Publishing. 2004. Page 319.

Before data is sent to the server with a server scripting language, such as PHP, user data can be checked for accuracy. Many JavaScripts can help the visitor provide clean data before final data is submitted by the server-side script.

To improve the kind of data your forms send, build in validation functions for:

Email addresses
web site addresses
zip codes
states
phone numbers
login userID and passwords

Resources

Review and try these options to create solutions for your forms:

Validation (No Alert): JavaScript. Nice one! validates the essentials without an alert box; uses red text on the same page instead.
Avoid Duplicate Form Submissions: Larisa Thomason,
Senior Web Analyst,
NetMechanic, Inc.
Form Effects: Dynamic Drive. DHTML solutions.
Contextual forms: Auto Drop Down menu changes based on first selection. Country Chooser is similar.
Auto Tab: Adds usability (typing ease) to forms with standard inputs, such as phone numbers, social security numbers, area codes, etc.
Check Cap Locks: This JavaScript function will let the user know his Caps Lock is on and about the potential for error.
Date Selection Form: Another nifty JavaScript.
Dictionary and Thesaurus: JavaScript that links to Ask Jeeves.
Initial Caps: Changes lower case to upper and lower case.
No HTML: Use JavaScript to ensure that visitors do not type in HTML entries.
Password Verifier: They get an error message telling them to re-enter the passwords if they do not match.
Smut Engine: Turns profane user input into special characters.
Submit Changer: Provides popup note and submit button label change, to keep users for resubmitting accidentally.
Upload Filter: Alters user who attempts to upload file type that is not allowed.

Web Security Options

Pam Van Londen — Fri, 15 Sep 2006 15:30:00 +0000

Readings

Web Security: W3Schools.org. An introduction.
Web Security: By Geoff Marshall. SC magazine. 2003.
Prevent Web servers from identifying themselves: Brien M. Posey. Tech Republic. 2004.
PHP and MySQL for the World Wide Web: Larry Ullman. Visual Quickstart Guide. Peachpit Press. Chapter 8; a bit advanced.
Open Web Application Security Project: OWASP.org. Top 10 Vulnerabilities in Web Applications. November 2006.

Important exercise

Please take the time to run all of the ShieldsUp tests from the link below. You will begin to learn the language of web security by seeing how vulnerable your machine is. Macintosh users (viewing from off campus) will be pleasantly surprised. Windows users…complain to Bill Gates.

ShieldsUP!: The Internet’s quickest, most popular, reliable and trusted, free Internet security checkup and information service. Check your system here, and begin learning about using the Internet safely. NOTE: Don’t use the email spam function; I believe it gathers your email address to use maliciously.
Symantec: Symantec Security Check tests your computer’s exposure to a wide range of online threats. It’s free and an effective tool that helps determine your Internet security needs.

Resources

If you’ve built your own server, use the Robots Exlusion to protect specific directories.

Robotstxt.org: Helping promote the Robot Exlusion Standard.

Post other security fixes you come across on this week’s Forum.

SSL Certificates

Generating a self-signed SSL certificate: Rather than purchase a “trusted” certificate, generate your own. It’s secure, but may not be trusted by your visitors.

Customized search

Pam Van Londen — Fri, 15 Sep 2006 15:29:14 +0000

Add a customized search field to your site:

Customized OSU Searches: A customized search selects only the directory (and sub-directories) of this local site.
Google Customer Search: For individual and business web sites.

PHP Scripts

Pam Van Londen — Fri, 15 Sep 2006 15:28:19 +0000

Scripts can be placed in web pages to perform actions after an event occurs, such as submitting form data. Many scripts exist to handle various tasks and some are easy to customize for your unique purposes.

Use a textbook, online tutorials, and other readings and resources to write a simple script.

Download the chapter scripts from the following text web site to see how form data can be validated with .php.

PHP 6 and MySQL 5: Visual QuickPro Guide, 3rd Ed.: Larry Ullman. Peachpit Press. 2008. Errata

Note: OSU restricts the use of SSL certificates on the ONID servers.

Resources

Hotscripts.com: Long list of login scripts to choose from.
Form Processor Scripts: For PHP at Scripts.com.
PHP Builder: More code snippets.
PHP Login Script with Remember Me Feature: Excellent tutorial with code to copy.
Registration Form Sample: PHP. VDaemon from X-Code.com. Validates userID and password against a database, plus email format, and displays errors in red on the same page.
Easier form validation with PHP: Simon Willison’s Weblog. See the demo; it displays error messages on the page and adds red ! marks.
Form and validation: PHP. Ben Lenarts, 2004.

Baking Cookies

Pam Van Londen — Fri, 15 Sep 2006 15:27:39 +0000

Cookies are a way for the server to store information about a visitor on the visitor’s machine, so it can remember their name, needs, and login information during a visit. It’s like wearing a name tag. Read:

How to Create and Use Cookies in PHP: Set, Retrieve and Delete Cookies using PHP. The Site Wizard.

Examples

Add to Contact List: This form first asks for the name of the person entering data, to capture it in a cookie. This username is displayed upon hitting the return key and shows up again in the confirmation page. Uses some of the Negrino/Smith examples at the right. Note that other user data IS using a database, where the cookie IS NOT.
Set a JavaScript cookie based on a form field: Uses some of the Negrino/Smith examples at the right.
Page color changes: This form and cookie comes from the older PHP for the World Wide Web book and was updated by Ben Jansen of OSU.

If you are already using a database to collect data, then practice making, using, and deleting cookies with PHP.

Examples

Trouts R Us: PHP and MySQL text, pages 235 to 254. Download Chapters 5 and 6 to try the code on your server.

Browser Detection

Pam Van Londen — Fri, 15 Sep 2006 15:27:17 +0000

Readings

DHTML and CSS For the World Wide Web, 3rd Ed: Chapter 11. See how the code for browser detection works.
CSS hacks & browser detection: Webcredible Ltd. 2004.
Browser Compatibility Workshop: BrowserHawk
JavaScript Tip: Browser Detection And Redirection: NetMechanic

To help ensure your visitors get the best experience at your site–including being able to see all content in the proper location on the screen–it is handy to find out what platform, system, browser, and plugins they’re using. Read more at Tech Patterns:

The simplest solution for consistent layout

Because Explorer has a different margin set on web pages than other compliant browsers, the web author can make a style sheet that accommodates this difference and automatically link visitors to it if they are using Exploerer. Add this to the section of your template: