Category list

Chapter 11. Security

Section 11.0. Introduction

Recipe 11.1. Hardening Your Systems with Strong Passwords

Recipe 11.2. Protecting Queries from SQL Injection

Recipe 11.3. Guarding Against Cross-Site Scripting Attacks

Recipe 11.4. Restricting Access to Public Methods or Actions

Recipe 11.5. Securing Your Server by Closing Unnecessary Ports

11.0. Introduction

Security is important to some degree in most software, but is especially important in web applications because of the public nature of the Internet. In many cases, some part of your application is accessible to anyone or any script that may potentially be trying to attack it. The motivation for the attack is usually impersonal; many scripts automatically hunt the Web for known vulnerabilities. In some cases, your application may contain information that is worth trying to steal, such as credit card numbers or other personal information about your application's users.

The best approach is to treat all your applications with care when it comes to securing them from attackers . That way, the skills and best practices you use will become good habits that you can apply to all your projects.

The two big security categories for web applications are SQL injection and cross-site scripting (XSS). Other attacks could come from your server becoming compromised by some other type of network attack or by a compromised user account.

Keep this basic rule in mind: filter input, escape output.

Recipe 11.1. Hardening Your Systems with Strong Passwords

Problem

Short, guessable passwords represent a serious security risk to your servers and the services that run on them. You want a reliable system for creating sufficiently strong passwords or passphrases, and a way to manage them.

Solution

Generating strong passwords or passphrases is one of the most important things you can do to protect your servers and data. Here are some basic properties of a good passphrase:

Only you should know your passphrase.
It should be long enough to be secure.
It should be hard to guess, even by those who know you well.
It's critical that your passphrase be easy for you to remember.
It should be easy for you to type accurately.

To generate sufficiently strong passphrases you can use the Diceware method, which selects components of a passphrase randomly using dice. Here's how it works:

Obtain a copy of the Diceware word list (http://world.std.com/~reinhold/diceware. wordlist .asc). This list has two columns : the first contains five-digit numbers ; the second contains short, memorable words or syllables. A small portion of this word list looks like:
```
63461  whale
63462  wham
63463  wharf
63464  what
63465  wheat
63466  whee
63511  wheel
```
Roll a die five times, producing a five-digit number, with each digit being a number between 1 and 6. Using this number as an index in the word list, add the corresponding word or syllable to the passphrase. For example, say you roll a die five consecutive times get the numbers (in order) 6, 3, 4, 6, and 5. These numbers together form the number 63465, which you use to look up the word "wheat" from the word list. This becomes the first part of your passphrase. Repeat this process five or six times, and you'll have a passphrase like:
```
wheat $$ leer drab 88th
```

Notice that this command produces a passphrase that is 23 characters long, yet easy to remember. You can repeat this process for all the various systems that need strong passwords.

The point of them being easily memorized is to keep you from ever writing them down. However, most developers have dozens of passwords to keep track of. This reality forces people to use the same password for many systems or write down the passwords for each system.

One solution is to use a password managing program that stores and organizes all your passwords in an encrypted format. These programs require a single master password for access, and often allow you to organize usernames and passwords into groups. An excellent example of these programs is KeePass (Windows) or KeePassX (a cross-platform port of KeePass). Figure 11-1 shows how KeePassX can help you manage a large amount of authentication information in one secure place.

Figure 11-1. The KeePassX password manager

If you choose to use a password manager, the strength of the master password is critical to the security all of the systems that you store information about. Extra care should be taken to keep this password safe. Also, you should always make backups of the database used by your password manager in case of disk failure or data loss.

Discussion

A passphrase is similar to a password in usage, but is generally longer for added security. A natural tendency is to choose passwords that are short and therefore easy to remember and use. Many people just don't realize how advanced password cracking software has become, and how easily modern computers can crack short passwords by brute force. The solution describes a system for choosing long yet memorable passphrases that will go a long way toward making your servers, services, and applications more secure.

Password strength can have different meanings depending on the context of the situation in which the password is being used. One factor in gauging a password's strength is the length of time a hacker has in which to crack the password before the information being hidden no longer needs securing. It doesn't matter if a password is cracked after the data it protects has ceased to be valuable .

Another factor is the importance of the information being protected by the password. A database containing hundreds of thousands of credit card numbers is worth a lot of money, and someone who wants to steal those numbers will be willing to go to great lengths. Systems that access valuable data like this need very strong passwords, as well as other protections . On the other hand, a WEP password protecting your home wireless network may not be worth a serious password-cracking effort.

Flylib.com

Category list

Chapter 11. Security