Information Security
Gene Hagmt, 2019-07-16 14:47:58

How difficult is it to protect a web application from the main types of attacks?

As far as I know and understand, the most popular types of attacks are:
various types of injection (especially SQL), XSS, CSRF, brute force, DDoS.
While studying the topic of information security in the context of web development, I have drawn some conclusions for myself, and I wanted to check whether I am wrong about anything, and whether I am missing something:

  1. All data that comes from the client needs to be checked for validity, and in many cases escaped;
  2. The URL entered by the user must be checked against a whitelist;
  3. There should be no URLs that perform actions on the site without user confirmation;
  4. POST is preferred over GET;
  5. If possible, you should enable CSP;
  6. All important data needs to be hashed (with the latest generation of hash functions);
  7. It is necessary to use the HTTPS protocol (especially for SEO...);
  8. Cookies should not store confidential information that could be harmful if stolen;
  9. When registering a user, require some level of password strength;
  10. After several unsuccessful login attempts with the same login, or from the same IP, you need to add a delay and/or a CAPTCHA, and in certain cases block the IP;
  11. To protect yourself from DDoS attacks to some extent, it would be nice to write a script that blocks an IP if a certain connections-per-time limit from that IP is exceeded.

Probably a lot of this is quite obvious, but still... Of course, everything written above applies more to sites that require some level of security, and not to absolutely everything. I most likely failed to take something into account, or made a mistake somewhere, so I'm asking for your opinion. Thanks in advance.
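As an added example (my own, not part of the original question or any of the answers), the following Python script shows what item 1 has to mean in practice: the user name is validated against a whitelist pattern, the SQL query binds it as a parameter instead of escaping it into the query text, and the same value is escaped only at the point where it is written into HTML. The users table, the username policy, the vulnerable query and the two payloads are all constructed for the demonstration.

```python
"""Item 1 ("check and escape client data"): what that means per context.

Added example, not code from the question or the answers. Everything below
(table, rows, username policy, payloads) is constructed for the demo.
"""
import html
import re
import sqlite3

# Assumed username policy for this demo: lowercase alphanumerics and underscore.
USERNAME_RE = re.compile(r"[a-z0-9_]{3,32}")


def is_valid_username(name: str) -> bool:
    """Whitelist validation: accept only the characters the application expects."""
    return USERNAME_RE.fullmatch(name) is not None


def make_db() -> sqlite3.Connection:
    """Constructed sample data: three users, one of them an admin."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Deliberately wrong: the client-supplied name is pasted into the SQL text.
    A quote in the input closes the string literal and the rest becomes SQL."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn: sqlite3.Connection, name: str) -> list:
    """Bound parameter: the driver passes the value separately from the SQL
    text, so quotes in the input can never change the statement."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


def render_greeting(name: str) -> str:
    """Output encoding for the HTML context. A value that is harmless as a bound
    SQL parameter still has to be escaped when interpolated into markup,
    otherwise it is reflected XSS."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


def demo() -> dict:
    conn = make_db()
    sqli = "x' OR '1'='1"                 # constructed tautology payload
    xss = "<script>alert(1)</script>"      # constructed XSS payload
    return {
        "payload_passes_validation": is_valid_username(sqli),       # False
        "vulnerable_rows": len(find_user_vulnerable(conn, sqli)),  # 3: whole table
        "safe_rows": len(find_user_safe(conn, sqli)),              # 0: no such user
        "greeting": render_greeting(xss),
    }


if __name__ == "__main__":
    print(demo())
```

Two points the list item blurs: for SQL the fix is not escaping but parameter binding, and validation happens on input while escaping happens on output, per destination context (HTML body, attribute, JavaScript, URL), which is why a single "escape everything" step does not exist.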


3 answer(s)
DevMan, 2019-07-16
@g_hagmt

1. yes
2. no
3. yes
4. no
5. yes
6. no
7. yes
8. yes
9. OTP is better
10. yes
11. yes/no

dollar, 2019-07-16
@dollar

It depends on what kind of specific application it is and who might need to break it, and how much time and money they are willing to invest. The answer to that determines the possible attack vectors and the corresponding protection measures and costs.
As for DDoS, you apparently do not quite understand what it is. If the server has a narrow channel, then IP checks inside the application will not save you at all. If the channel is wide, you have enough capacity, and the application itself (the backend) is well optimized, then you can safely live under DDoS without worrying about it. In addition, there are clouds that (for exactly this reason) do not care about DDoS. In general, this is a complex topic; I can't put it in a few words.
In general, you are now trying to invent a universal recipe for cooking dinner from abstract ingredients in a vacuum. Choose: either you spend a lot of time reading heaps of books and studying the topic of information security in general, or you solve a specific problem and invent something of your own, or you take from information security the little that is needed within the framework of that task. But simply listing in 300 characters what is good and what is bad will not work.

Ivan Shumov, 2019-07-16
@inoise

1. "All data that comes from the client needs to be checked for validity, and in many cases escaped;"
Yours, Captain Obvious. As far as escaping is concerned, everything is much more complicated than you think.
2. Not a bad idea, if only the whitelist didn't turn out to be one you could never finish. Same as a blacklist. Rather, additional monitoring and moderation systems need to be introduced here.
3. Well, don't create them.
4. Sorry, I choked. And there are a dozen other HTTP request methods; what can you say about them? First find out why they exist and how what works with them. Nothing to do with security.
5. It is possible, but it is just that, an ornamental extra.
6. I especially like "all" and "latest generation". The idea points roughly, remotely, in the right direction, but the wording spoils everything and says "go read the fundamentals of hashing".
7. Good idea, but not like that. Read about SSL/TLS.
8. There is a whole block of information security about sensitive information. You need to understand what it is and understand that cookies are just one of a million places.
9. Nope. This practice is dying, as is password rotation; even Microsoft is phasing such practices out in Active Directory. On the web in general, passwords are already rare for services, because there are social logins, SSO, multifactor, and much more.
10. It is possible, but again, an ornamental extra.
11. Miss. Just a miss. Read the fundamentals.
In fact, there is nothing here about information security at all. Apart from data validation and SSL, nothing really serious is touched on. I would say this is not even a hundredth of a percent of IS.
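Item 6 is the one where the wording matters most, so here is an added example in Python (mine, not from the question or any of the answers) of the difference between hashing passwords with a fast "latest-generation" digest and deriving them with a slow, salted KDF. PBKDF2-HMAC-SHA256 from the standard library stands in for whatever password KDF the application would actually choose (bcrypt, scrypt and Argon2 are the usual picks); the iteration count, the record format and the sample passwords are assumptions of the demo.

```python
"""Item 6 ("hash important data with the latest generation of hash functions")
applied to passwords, which is where that advice goes wrong.

Added example, not code from the question or the answers. A fast modern
digest (SHA3-256 here) is the wrong tool for password storage even though it
is "latest generation"; what is needed is a slow, salted, per-user key
derivation. PBKDF2-HMAC-SHA256 is used because it ships with the standard
library; the iteration count and record format are assumptions for the demo.
"""
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000  # assumption: the order of magnitude in current guidance
SALT_BYTES = 16


def hash_password_fast(password: str) -> str:
    """What a 'latest-generation hash function' literally gives you: fast,
    unsalted, identical for identical passwords, and brute-forceable offline
    at billions of guesses per second."""
    return hashlib.sha3_256(password.encode()).hexdigest()


def hash_password(password: str, salt=None) -> str:
    """Salted and deliberately slow. Stored as 'pbkdf2_sha256$iter$salt$hash'
    so the parameters travel with the record and can be raised later."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (PBKDF2_ITERATIONS, salt.hex(), dk.hex())


def verify_password(stored: str, candidate: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iters, salt_hex, dk_hex = parts
    dk = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def demo() -> dict:
    # Constructed: two users who happened to choose the same weak password.
    pw = "Summer2019!"
    fast_a, fast_b = hash_password_fast(pw), hash_password_fast(pw)
    slow_a, slow_b = hash_password(pw), hash_password(pw)
    return {
        "fast_hashes_collide": fast_a == fast_b,  # True: one crack breaks both accounts
        "slow_hashes_collide": slow_a == slow_b,  # False: per-user salts differ
        "verify_ok": verify_password(slow_a, pw),
        "verify_wrong": verify_password(slow_a, "Summer2019?"),
    }


if __name__ == "__main__":
    print(demo())
```

With the fast digest, two accounts sharing a password produce the same record, so one cracked hash or one precomputed table breaks all of them; with a per-user salt and a tunable work factor every record is distinct and every guess has to be recomputed per account at the chosen cost. The constant-time comparison in verify_password is there so that a verifier does not leak how many bytes of the digest matched.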
