

Thoughts on Web Application Security (sequence)

I once worked at a company for a short time. On my first day, a Web colleague in the same group opened an account for me and asked me to go to the company's management system to read the company's rules and regulations.

After reading the page, I clicked the "Employee Basic Information Query" menu on the left. The data area of the page showed "You have no permission to view this page". I was about to leave, but I noticed that the query-condition input area was still there and that the query button was merely greyed out. After checking the page source, I tried entering a JavaScript URL, javascript:alert(document.all['querytn'].disabled=false), to enable the query button; I clicked it and the information came up. I then opened the system's other menus and found that they all managed permissions by disabling the action buttons. (Of course, I didn't do anything bad that day; I just looked at grades and salaries. For other reasons, I moved to another company a few days later.)

It was a fairly large Hong Kong-owned enterprise that had also built several large web-based systems such as an ERP. In principle, such a basic mistake should not happen. Yet in my years of web development I have seen many examples like this: permissions managed by hiding or showing page buttons, or by hiding or showing menus. To anyone with web development experience, the security of such systems is an illusion.

Of course, no security is absolute, especially on the open Web. But I think the minimum security standard for a Web application should be:

If you yourself, an experienced Web developer, tried to break into the system, you could not.

I would like to raise these questions about Web application security:

1. Is the security module of your Web application mixed into the system's business logic, so that security has to be considered afresh every time you develop a new system?

2. What is the basis of your security control? Does it rely on the client (JS, DHTML, hidden URLs, request information)?

3. Is your Web application security module easy to extend, so that it can handle new situations (such as URL requests generated automatically by web services and Ajax)?

My answers to these questions are as follows:

1. The security module of a Web application should be independent of the system itself. That is, no security issue should need to be considered while developing any Web application: for example, no code checking whether the user is authenticated or authorized should appear in the business program. Security should be just a component; after simple configuration, the system gains a flexible security control mechanism.

2. The security of a Web application should not depend on request information from the client. The only thing we trust is the request path, because it is the server that resolves the path and decides what to execute before anything is handed back to the client. The browser version, query string, body, headers and so on are unreliable and cannot be used as the basis for authentication.

3. The security module of a Web application should be extensible: within one unified architecture, the security module can handle new situations.
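To make the three answers concrete, and to contrast them with the greyed-out-button scheme from the story above, here is an added example that is not part of the original post. It is plain Python with no web framework: the request, the session store, the access rules, the paths and the employee records are all constructed for the demonstration. The "client-only" functions reproduce the pattern the post criticises (the page disables a button, the data endpoint checks nothing), while dispatch() runs a path-based security component before any business handler, ignoring query string, headers and body, and the same rule table covers an Ajax URL without any change to the handlers.

```python
"""Added example (not from the original post): a path-based authorization
component that business handlers never touch, beside the client-only
pattern the post describes. All names, paths and sessions are constructed."""
from dataclasses import dataclass, field
from fnmatch import fnmatch

PUBLIC = "public"

# Configuration of the security module: (request-path pattern, permission).
# First match wins; a path that matches no rule is denied (default deny).
ACCESS_RULES = [
    ("/rules/*", PUBLIC),                  # company rules pages, anyone logged in
    ("/employee/query*", "employee.read"),
    ("/api/employee/*", "employee.read"),  # Ajax/web-service URL, same rule
    ("/employee/edit*", "employee.write"),
]

# Constructed server-side session store: this is what the server trusts.
SESSIONS = {
    "sid-hr": {"user": "hr_clerk", "perms": {"employee.read"}},
    "sid-new": {"user": "new_hire", "perms": set()},
}

# Constructed sample data returned by the business handler.
EMPLOYEES = [{"name": "A. Example", "grade": 3}, {"name": "B. Example", "grade": 5}]


@dataclass
class Request:
    path: str
    query: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


def required_permission(path: str):
    """Look up the permission the configuration demands for a path."""
    for pattern, perm in ACCESS_RULES:
        if fnmatch(path, pattern):
            return perm
    return None


def authorize(request: Request, session_id: str):
    """Security module: decides from the request path and the server-side
    session only. Query string, headers and body are deliberately ignored."""
    session = SESSIONS.get(session_id)
    if session is None:
        return False, "not authenticated"
    perm = required_permission(request.path)
    if perm is None:
        return False, "no rule for path"
    if perm != PUBLIC and perm not in session["perms"]:
        return False, "missing permission " + perm
    return True, "ok"


# --- the pattern from the story: the permission lives in the button state ---
def query_page_client_only(session_id: str):
    """Renders the query page; the only control is a greyed-out button."""
    perms = SESSIONS[session_id]["perms"]
    return {"page": "query", "button_disabled": "employee.read" not in perms}


def query_data_client_only(request: Request):
    """Data endpoint that assumes the button could not be clicked: it checks
    nothing, so re-enabling the button in the browser returns everything."""
    return EMPLOYEES


# --- the hardened form: business handlers contain no security code at all ---
def query_data(request: Request):
    return EMPLOYEES


def rules_page(request: Request):
    return {"page": "rules"}


HANDLERS = {
    "/employee/query": query_data,
    "/api/employee/query": query_data,   # Ajax variant reuses the handler
    "/rules/index": rules_page,
}


def dispatch(request: Request, session_id: str):
    """Single entry point: the security module runs before any handler."""
    allowed, reason = authorize(request, session_id)
    if not allowed:
        return 403, reason
    handler = HANDLERS.get(request.path)
    if handler is None:
        return 404, "not found"
    return 200, handler(request)


if __name__ == "__main__":
    # The new hire's page shows a disabled button, but the client-only data
    # endpoint still hands over the records; the dispatcher refuses instead,
    # even when the client sends a hopeful query string.
    print(query_page_client_only("sid-new"))
    print(query_data_client_only(Request("/employee/query")))
    print(dispatch(Request("/employee/query", query={"disabled": "false"}), "sid-new"))
    print(dispatch(Request("/api/employee/query"), "sid-hr"))
```

The point of the layout is that adding a new screen or a new Ajax endpoint means adding one line to ACCESS_RULES and one to HANDLERS; the handler itself never learns who is calling it, and nothing the browser can edit (button state, query string, headers) takes part in the decision.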

Next, I will share some of my experience and ideas on Web application security design, and I hope to hear comments from more people.
