I got my grip on Netpond!
Join Date: Dec 2003
Posts: 44
Points: 10
web app security for cross site scripting (XSS)
Ok, this is something that I have seen over and over now, and I want to keep the webmasters here from making these mistakes when designing a site:
1. If you value your customers, do not use PHP... use Java or .NET (C#). PHP can be broken and all your info lifted within 15 minutes by the pros.
2. Use HTTPONLY in your cookies. WebSphere has this feature now, Tomcat is reviewing it (but word is it is coming), Microsoft has it, and all modern browsers have it now. This will stop the cookies from being accessed by JavaScript.
3. When designing forms, add autocomplete=off to the form and its elements. This will keep the client from having their data revealed when filling in forms. Examples: <form AUTOCOMPLETE="OFF"> for the entire form, <input type="text" name="name" AUTOCOMPLETE="OFF"> for form elements.
4. Do not use JavaScript to validate your form data; do it on the server side. This does two things. First, by using JavaScript to validate your form data you have exposed your process to the bad guy. Second, it can be easily manipulated and turned off. If you need JavaScript for form data, ONLY use it for minimal validation (i.e. the form expects a number or character; validate that it only contains alphanumeric characters). Save the rest for the server side (is the user in the database, does it contain malicious code).
5. Use double validation. Let me explain: take the original input, convert it to its HTML entities (1st validation), then take that and convert it back to its string equivalent (2nd validation). If the ORIGINAL data does not match the string equivalent, you need to raise a flag alerting sysops of a possible hack attempt.
6. Use AES (Rijndael) encryption, and SHA-384 or higher for hashing. Do this for all your sensitive data.
7. Use a SALT (random string prefixed to the clear password) with your encryption/hash for each USER when saving sensitive data to the database.
8. Use HTTPS to secure cookies in transit.
9. Avoid GETs and reject any GET when you are expecting a POST from the form.

Finally, validate everything that is supplied by the user. TRUST NOTHING.
Again, do minimal validations on the client, expose nothing to the client about your methodologies, and if validation is done correctly you can actually IMPROVE performance on your site. There is more than this, but if you just do this you have prevented 70% of the attacks on your site. If anyone needs assistance or wants to discuss this more, please feel free to contact me.
__________________
Starting March 15, 2008 all accounts minimal 100M unmetered bandwidth. If your service has your site on 10M (un)metered bandwidth, contact us. We will work for you.
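A server-side version of items 4, 5 and 9 from the post above, added here as an example; it is not code from the original post. Item 5 is applied as: decode whatever HTML entities the client sent and compare with the raw value, and treat a mismatch as something to flag for the sysop rather than silently repair. The function names, field names and sample submissions are assumptions constructed for the example.

```python
import html
import re

# Allow-list for fields that should only ever hold a short alphanumeric value
ALNUM_RE = re.compile(r"^[A-Za-z0-9]{1,32}$")
ALNUM_FIELDS = ("username", "postcode")  # assumed field names


def canonical_check(value: str) -> bool:
    """Item 5 as applied here: decode any HTML entities the client sent and
    compare with the raw value. A browser submitting a normal form never
    entity-encodes the text, so a difference means the submission carried an
    encoded payload and deserves a flag, not a quiet clean-up."""
    return html.unescape(value) == value


def validate_request(method: str, fields: dict) -> dict:
    """Server-side gate for a form that expects a POST (items 4 and 9).
    Every check is repeated here because any client-side JavaScript check
    may have been turned off. Returns the escaped fields and any alerts."""
    verdict = {"accepted": False, "alerts": [], "fields": {}}
    if method.upper() != "POST":
        verdict["alerts"].append("rejected non-POST request")
        return verdict
    for name, raw in fields.items():
        if not canonical_check(raw):
            verdict["alerts"].append(f"entity-encoded input in '{name}'")
            return verdict
        if name in ALNUM_FIELDS and not ALNUM_RE.fullmatch(raw):
            verdict["alerts"].append(f"'{name}' failed allow-list")
            return verdict
        # Keep the entity-escaped form so the value is safe to echo into HTML
        verdict["fields"][name] = html.escape(raw, quote=True)
    verdict["accepted"] = True
    return verdict


# Constructed sample submissions: one clean, one wrong method, one carrying
# entity-encoded text, one failing the allow-list
SAMPLES = [
    ("POST", {"username": "alice42", "comment": "a & b"}),
    ("GET", {"username": "alice42"}),
    ("POST", {"username": "alice42", "comment": "&lt;b&gt;hi"}),
    ("POST", {"username": "alice<42>", "comment": "x"}),
]

if __name__ == "__main__":
    for method, submitted in SAMPLES:
        print(method, submitted, "->", validate_request(method, submitted))
```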
LinkBack to this Thread: http://www.netpond.com/mainstream-webmasters/127671-web-app-security-cross-site-scripting-xss.html