Thinking about Web Application Security (preface)

Source: Internet
Author: User

I had this experience at a company where I worked for only a few short days. On the first day of work, a colleague in the same web group opened an account for me so that I could read the company's rules and regulations on the company's management system.

Bored after reading them, I casually clicked the "Staff Basic Information Query" menu on the left. The page's data display area showed "You do not have permission to view this page". I wanted to leave, but noticed that the query condition input area was still there and the query button was only greyed out. After viewing the page source, and with a try-it-and-see attitude, I entered a JS script in the browser's address bar (javascript:alert(document.all['querybtn'].disabled=false)) to enable the query button, then clicked it, and the data really was returned. I then opened the system's other menus and found that disabling the action buttons was how permissions were managed there too. (Of course, I did nothing bad that day, I only looked at the levels and wages of myself and the staff in my group :). For some other reasons, a few days later I moved to another company.)

This was a relatively large Hong Kong-funded enterprise that had also developed an ERP and several other large systems on the web. By rights such a low-level mistake should not appear, but in my years of web development I have seen many examples like it, such as managing permissions merely by hiding and showing page buttons, or by hiding entries from the menu. Such systems are not safe against a person with web development experience.

Of course, no security is absolute, especially on the open web. But I think the minimum security standard for a web application should be:

If you let yourself (an experienced web developer) attack the system, you cannot break it.

About the security of web applications I would like to raise the following questions:

1. Are your web application's security modules mixed in with the system's own business logic, so that security issues have to be considered every time you develop a new system?

2. What is the basis of your security control, and does it depend on the client (JS, DHTML, hidden URLs, request information)?

3. Is your web application's security module easy to extend to accommodate new situations, such as URL requests generated automatically by web services or Ajax?

My answer to these questions is as follows:

1. The security modules of a web application should be independent of the system itself, which means that no web application needs to consider security issues when it is developed, for example by writing code in the program to check whether the user has been authenticated, whether the request has been authorized, and so on. Security should be just a component, and a simple configuration should give the system a flexible security control mechanism.

2. The security of a web application should not depend on the client's request information. For us, the only thing to trust is the requested path (because we are the ones executing it and handing the result to the client). What the browser sends, such as version, query string, body, headers and so on, is unreliable and cannot be used as the basis for access control.

3. The security modules of a web application should be extensible, that is, able to grow under a unified architecture to cope with new situations.
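As an added illustration of these three points (example code, not from the original post): a small server-side authorization component in JavaScript that decides from the requested path and the server-held session only. The policy table, the session store and the request shape are constructed for the example.

```javascript
// Added example, not code from the original post. Authorization is a
// component driven by configuration (point 1), decided purely from the
// canonical request path and the server-side session (point 2), and new
// paths are handled by adding a policy row, not code (point 3).

// Constructed policy: path prefix -> roles allowed. The first matching
// prefix wins, so list more specific prefixes before broader ones.
const POLICY = [
  { prefix: '/staff/query', roles: ['hr', 'admin'] },
  { prefix: '/staff',       roles: ['hr', 'admin', 'employee'] },
  { prefix: '/rules',       roles: ['*'] }, // any authenticated user
];

// Constructed stand-in for a server-side session store, keyed by the
// opaque session id carried in a cookie. Roles live here, never in the request.
const SESSIONS = new Map([
  ['sid-alice', { user: 'alice', roles: ['employee'] }],
  ['sid-bob',   { user: 'bob',   roles: ['hr'] }],
]);

// Canonicalize before matching: resolves "." and ".." segments and drops any
// query string, so "/rules/../staff/query" is judged as "/staff/query".
function canonicalPath(rawPath) {
  return new URL(rawPath, 'http://localhost').pathname;
}

function matchPolicy(path) {
  return POLICY.find(r => path === r.prefix || path.startsWith(r.prefix + '/'));
}

// req = { path, cookies, query, headers, body }. Only req.path and req.cookies.sid
// are consulted; query, headers and body are client-controlled and never read.
function authorize(req) {
  const session = SESSIONS.get(req.cookies && req.cookies.sid);
  if (!session) return { status: 401, reason: 'not authenticated' };
  const rule = matchPolicy(canonicalPath(req.path));
  if (!rule) return { status: 403, reason: 'no rule for path: default deny' };
  const ok = rule.roles.includes('*') ||
             session.roles.some(role => rule.roles.includes(role));
  return ok ? { status: 200, user: session.user }
            : { status: 403, reason: 'role not permitted' };
}

// Demo: a client claiming "admin" via header and query string is still denied.
const demo = authorize({
  path: '/staff/query?querybtn=enabled', cookies: { sid: 'sid-alice' },
  headers: { 'x-role': 'admin' }, query: { role: 'admin' },
});
console.log(demo.status, demo.reason); // 403 role not permitted
```

Re-enabling a greyed-out button in the browser changes nothing here, because the decision never looks at what the page or the client sent.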

Next, I'll share some of my experiences and ideas on web application security design, hoping to hear more people's opinions.
