chris grzegorczyk edited this page Oct 12, 2012 · 5 revisions


Security Guidelines for Web UI

General

  • all inputs (user, database, filesystem, network) should be converted into a canonical form before any processing is done
    • //canonicalization// is the process of converting something from one representation to the simplest form
    • all components of the web UI shall assert the correct locale and character set to be used
  • use HTML entities, URL encoding, and so on to prevent Unicode characters being treated improperly by the many divergent browser, server, and application combinations

XSS Protection

  • Escape all outputs before returning them to a user
    • //escaping// is a technique used to ensure that characters are treated as data, not as characters that are relevant to the interpreter's parser
  • KB article with references to Cheat Sheets
  • OWASP ESAPI library for escaping
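Added example (not code from this wiki or the Eucalyptus UI proxy): it ties the canonicalization rule in the General section to the output-escaping rule above. Input is first folded with Unicode NFKC so that look-alike characters (e.g. a full-width `＜`) become the plain code points a browser would act on, and the same value is then escaped differently for each output context (HTML text/attribute vs. URL query). It uses only the Python standard library; `render_greeting` and the sample name are constructed for the illustration, and the page's own ESAPI reference is the equivalent library-backed approach.

```python
import html
import unicodedata
from urllib.parse import quote


def canonicalize(text: str) -> str:
    """Bring untrusted input into one canonical form before any checks run.

    NFKC folds compatibility characters (full-width '<', ligatures, etc.) so
    that validation and escaping see the same code points a browser would.
    """
    return unicodedata.normalize("NFKC", text)


def escape_for_html(text: str) -> str:
    """Escape for an HTML text node or a double-quoted attribute value."""
    # quote=True also escapes " and ' so the value is safe inside attributes
    return html.escape(canonicalize(text), quote=True)


def escape_for_url(text: str) -> str:
    """Percent-encode for use inside a URL query component."""
    # safe="" means even '/' is encoded; only unreserved characters pass
    return quote(canonicalize(text), safe="")


def render_greeting(name: str) -> str:
    """Constructed page fragment: the untrusted name lands in two contexts,
    each with its own escaping function."""
    return (
        '<p>Hello, {0}!</p><a href="/profile?user={1}">profile</a>'
        .format(escape_for_html(name), escape_for_url(name))
    )


if __name__ == "__main__":
    # constructed sample: a script tag written with full-width angle brackets
    sample = "\uff1cscript\uff1ealert(1)\uff1c/script\uff1e"
    print(render_greeting(sample))
```

Note that the escaping function is chosen by where the value ends up, not by where it came from; reusing `escape_for_html` for a URL parameter (or vice versa) would leave one of the two contexts unprotected.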

Session Management

  • Sessions must have a limited lifetime and expire after a period of time based on business and usability requirements balanced with security considerations.
    • General security guidelines: sessions SHOULD timeout after 5 minutes for high-value applications, 10 minutes for medium value applications, and 20 minutes for low risk applications.
  • A new session id needs to be generated when user logs in
  • The UI proxy should invalidate and remove the session identification token after a user //logout//.
  • The UI proxy should invalidate and remove the session identification token after a period of inactivity.
  • For session management the best practice is to use a robust, well-known session manager built in to a web application framework.
  • Use HTTP cookies for passing session ids.
  • If Cookies are used to store and transmit session identifiers over HTTPS they should be marked as 'Secure' so that they are not served over non-SSL tunnels.
  • a more complete list of best practices is here

CSRF Prevention

  • a unique temporary //validation token// needs to be generated in addition to the session id
  • this token needs to be in some way associated with the user session and be inserted into any web page generated by the proxy
  • one way to generate the validation token is HMAC of the session id or to keep a server-side state for that
    • see KB article for more details and other approaches
  • client-side code should submit this token using an additional custom HTTP header
  • this token has to be validated on each request from the user together with the session id
  • a user request is accepted only if a valid token for the current session is submitted
  • the validation token has the lifetime of the corresponding user session
  • the validation token should also be used for the login form(s) (i.e., before the user is authenticated)


NOTE: Tornado 2.3 comes with built-in CSRF protection that can be enabled. We should take advantage of it if it's available in the version that we are going to use.

SQL Injection

  • Use parameterized (aka, prepared) queries.
  • If a framework like Hibernate is used, avoid using native queries. If native queries are absolutely necessary, sanitize any untrusted data in the query before passing it to the database layer.

AJAX Best Practices
