In the article "Top security threats to your website" some of the common security risks were explained. Here we take a look at how to mitigate those risks.
Precautions against SQL injection attacks
1) Sanitize user inputs and URL query parameters
Validate user inputs and parameters received through the URL query string to ensure that they do not contain any malicious code. When restricting and/or validating inputs, it is advisable to define the set of acceptable characters which can be entered by the user. Preparing a set of unacceptable characters should be avoided, as there are a number of ways to represent a character in various character sets and it is unlikely that such a set will ever be exhaustive. The set of acceptable input should cover data type, length, range, format, etc., by using regular expressions and by limiting the number of characters which can be entered in a form field.
2) Use type-safe SQL parameters for database operations
Type-safe parameters can be used with either stored procedures or dynamic SQL. They allow easy data type and length validation. When parsing the parameter collection, the database server treats the parameters as literal values and not as executable code. Any unexpected value for a parameter will raise an exception. If parameterized SQL cannot be used, consider using character escaping techniques.
3) Use a database login with the least required privileges
Consider using different database logins for different database operations on the website, e.g. a user with only read permission for sections of the website which display database-driven read-only data. Execute permissions should be granted only on selected stored procedures, as required by the application. Direct access to database tables should be avoided to the extent possible.
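The three SQL injection precautions above, worked through in one added example (not code from the original article): allowlist validation of a query-string parameter, the vulnerable concatenated query beside its parameterized form, and a read-only connection standing in for a least-privilege database login. The schema and the use of in-memory SQLite are assumptions made for the demonstration.

```python
import re
import sqlite3

# Constructed demo schema (assumption, not from the article): an in-memory
# SQLite database standing in for the website's product table.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE products (id INTEGER, name TEXT)")
    db.executemany("INSERT INTO products VALUES (?, ?)",
                   [(1, "widget"), (2, "gadget")])
    db.commit()
    return db

# 1) Allowlist validation: define what IS acceptable (type, length, format)
#    rather than trying to enumerate bad characters.
PRODUCT_ID_RE = re.compile(r"^[0-9]{1,6}$")

def validate_product_id(raw):
    if not PRODUCT_ID_RE.fullmatch(raw):
        raise ValueError("product id must be 1-6 digits")
    return int(raw)

# Vulnerable form: the query-string value is concatenated into the SQL text,
# so the server parses the input as code.  Kept only for contrast.
def lookup_unsafe(db, raw_id):
    rows = db.execute("SELECT name FROM products WHERE id = " + raw_id).fetchall()
    return [r[0] for r in rows]

# 2) Parameterized query: the value travels separately from the SQL text, so
#    the server treats it as a literal and never as executable code.  The
#    allowlist check runs first, so malformed input is rejected outright.
def lookup_safe(db, raw_id):
    pid = validate_product_id(raw_id)
    rows = db.execute("SELECT name FROM products WHERE id = ?", (pid,)).fetchall()
    return [r[0] for r in rows]

# 3) Least privilege: a connection used only by read-only pages cannot modify
#    data even if an injection slipped through.  SQLite has no logins, so the
#    read-only role is simulated with PRAGMA query_only (assumption).
def readonly_connection(db):
    db.execute("PRAGMA query_only = ON")
    return db
```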
Precautions against Denial of Service (DoS) attacks
1) Use of Filters
One of the common methods of blocking a DoS attack is to set up a packet filter on the network before a stream of information reaches the web server. Packet filtering inspects each packet passing through the network and drops DoS packets based on user-defined rules. Although difficult to configure, it is fairly effective and transparent to users.
2) Use of Firewalls
Firewalls are easy to configure and, using simple rules, any protocol, port or IP address can be allowed or denied. However, some DoS attacks are too complex for today's firewalls, e.g. they fail to distinguish between good and bad (DoS) traffic on port 80 (web server). Additionally, some network components such as routers remain at risk, as the firewall sits too deep in the network hierarchy.
3) Use of switch and router access control
DoS attacks can also be mitigated at routers and switches. Most of these devices come with some level of access control and rate-limiting capability. Some switches provide automatic rate limiting, traffic shaping, delayed binding (TCP splicing), deep packet inspection and bogon filtering (filtering of bogus IP addresses) to detect and prevent DoS attacks, together with WAN link failover and balancing. Also, the ip verify unicast reverse-path interface command can be used on the input interface of the router at the upstream end of the connection. It examines each packet received as input on that interface, and if the source IP address does not have a route in the CEF tables that points back to the same interface on which the packet arrived, the router drops the packet.
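The reverse-path check described above, simulated in an added example (not code from the original article or from any router vendor): a routing table with longest-prefix match stands in for the CEF table, and a packet is accepted only when the route back to its source points at the interface it arrived on. The interface names and prefixes are constructed for the demonstration.

```python
import ipaddress

# Constructed routing table (assumption): prefix -> egress interface,
# standing in for the router's CEF table.  Documentation prefixes only.
ROUTES = {
    "0.0.0.0/0":       "wan0",   # default route towards the upstream provider
    "203.0.113.0/24":  "wan0",   # provider-facing transit block
    "192.0.2.0/24":    "lan0",   # customer LAN behind interface lan0
    "198.51.100.0/24": "lan1",   # second customer LAN behind interface lan1
}
_TABLE = [(ipaddress.ip_network(p), ifc) for p, ifc in ROUTES.items()]

def best_route(src_ip):
    """Longest-prefix match: the interface the router would use to reach src_ip,
    or None if no route exists at all."""
    ip = ipaddress.ip_address(src_ip)
    matches = [(net, ifc) for net, ifc in _TABLE if ip in net]
    if not matches:
        return None
    _net, ifc = max(matches, key=lambda m: m[0].prefixlen)
    return ifc

def urpf_accept(src_ip, ingress):
    """Strict unicast reverse-path forwarding as the article describes it:
    accept only when the return route to the source is via the ingress
    interface.  A source with no route at all is dropped as well."""
    return best_route(src_ip) == ingress

def filter_packets(packets):
    """packets: list of (src_ip, ingress_interface).
    Returns (accepted, dropped) lists, preserving order."""
    accepted, dropped = [], []
    for src, ifc in packets:
        (accepted if urpf_accept(src, ifc) else dropped).append((src, ifc))
    return accepted, dropped
```

Strict mode drops legitimate traffic when routing is asymmetric (the return path differs from the arrival path), which is why it is normally applied on single-homed customer-facing edges rather than on core links.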
Precautions against Cross-Site Scripting (XSS) attacks
Use escaping (either locally or at the server level) for all metacharacters in the web application's input as well as its output. Escaping prevents the data from being interpreted and executed. Several different escaping schemes must be used, including HTML numeric entity encoding, JavaScript escaping, CSS escaping, and URL (percent) encoding. When it comes to script output, replacing < and > with &lt; and &gt; is always a good practice.
Metacharacters should be translated to their Unicode (numeric entity) equivalents as suggested below.
- ( to &#40;
- ) to &#41;
- " to &#34;
- ' to &#39;
- # to &#35;, and
- & to &#38;
There are also several ready-to-use libraries which provide XSS protection, e.g. the Microsoft Anti-XSS library for the .NET Framework.
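The metacharacter translation listed above, implemented as an added example (not code from the original article or from the Microsoft Anti-XSS library): untrusted values are escaped to HTML numeric character references at output time, and the round trip shows that a browser still displays the original text. The comment template is an assumption; this covers the HTML context only, and JavaScript, CSS and URL contexts need their own encoders as the text says.

```python
import html

# The article's metacharacter list as HTML numeric (decimal) character
# references, plus < and > which script output must never emit raw.
NUMERIC_ENTITIES = {
    "<": "&#60;", ">": "&#62;", "(": "&#40;", ")": "&#41;",
    '"': "&#34;", "'": "&#39;", "#": "&#35;", "&": "&#38;",
}

def escape_html_numeric(text):
    """Escape untrusted text for an HTML element body or a quoted attribute.
    Each input character is mapped exactly once, so '&' in the input cannot be
    double-escaped and no ordering of replacements matters."""
    return "".join(NUMERIC_ENTITIES.get(ch, ch) for ch in text)

def render_comment(author, body):
    """Constructed template (assumption): both values are untrusted user input
    and are escaped on output, whatever input validation did earlier."""
    return ('<div class="comment" data-author="%s">%s</div>'
            % (escape_html_numeric(author), escape_html_numeric(body)))

def round_trips(text):
    """The browser decodes the references back to the original characters as
    text, so nothing is lost for display; html.unescape mimics that decoding."""
    return html.unescape(escape_html_numeric(text)) == text
```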
Precautions against brute force password guessing attacks
To detect brute force attacks, simply check the server logs for a large number of failed login attempts against the service. These attempts can also be logged by the application itself so that they can be analyzed in more detail.
By restricting the number of failed login attempts by a user, the majority of brute force attacks can be avoided. This can be done by keeping track of attempts in the application; when the number of failed login attempts exceeds the defined limit, the application can block requests coming from the corresponding IP address.
Many applications also use CAPTCHA images to prevent automated brute force attacks from gaining unauthorized access.
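The detection and blocking logic described above, run over sample log lines in an added example (not code from the original article): failures are counted per source IP inside a sliding time window, a success clears the counter, and an IP is reported as blocked once it exceeds the limit. The log format, the addresses and the limits are constructed for the demonstration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed application log lines (assumption: this format is not from the
# article); a real deployment would parse its own server or application log.
SAMPLE_LOG = """\
2024-05-01T10:00:01 LOGIN_FAIL user=alice ip=192.0.2.10
2024-05-01T10:00:03 LOGIN_FAIL user=alice ip=192.0.2.10
2024-05-01T10:00:04 LOGIN_OK   user=bob   ip=198.51.100.7
2024-05-01T10:00:05 LOGIN_FAIL user=carol ip=192.0.2.10
2024-05-01T10:00:06 LOGIN_FAIL user=dave  ip=192.0.2.10
2024-05-01T10:00:07 LOGIN_FAIL user=alice ip=192.0.2.10
2024-05-01T10:20:00 LOGIN_FAIL user=bob   ip=198.51.100.7
2024-05-01T10:28:00 LOGIN_FAIL user=bob   ip=198.51.100.7
2024-05-01T10:35:00 LOGIN_FAIL user=bob   ip=198.51.100.7
2024-05-01T10:45:00 LOGIN_FAIL user=bob   ip=198.51.100.7
"""

LINE_RE = re.compile(r"^(\S+) (LOGIN_FAIL|LOGIN_OK)\s+user=(\S+)\s+ip=(\S+)$")

def parse(log_text):
    """Yield (timestamp, event, user, ip); lines that do not match are ignored."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), m.group(4)

def find_blocked_ips(log_text, limit=3, window_minutes=10):
    """Return {ip: time_first_exceeded}.  An IP is blocked when it accumulates
    more than `limit` failures inside a sliding window; a successful login
    clears its counter and old failures expire, so a slow, legitimate user
    who mistypes a password now and then is not locked out."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)        # ip -> timestamps of recent failures
    blocked = {}
    for ts, event, _user, ip in parse(log_text):
        q = recent[ip]
        if event == "LOGIN_OK":
            q.clear()
            continue
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) > limit and ip not in blocked:
            blocked[ip] = ts
    return blocked
```

Blocking by source IP can lock out many users behind one NAT address and can be sidestepped by a distributed attacker, so it is usually paired with the per-account limits and CAPTCHA the text mentions.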
Apart from these, the following are a few more useful tips worth considering.
1) Disable access to the "xp_cmdshell" extended stored procedure within Microsoft SQL Server.
2) Deny overly long URLs. Attackers can use excessively long URLs to evade detection, as they are not logged completely by web servers. For example, IIS can process requests over 4096 bytes long but will not place the request in the log file. Hence, unless the application requires long URLs, limit their length to 2048 characters.
3) Unless the application requires system or administrative level permissions, all instances of the database server and web server should run under accounts with restricted permissions.
4) Create firewall rules to block known malicious IP addresses and disable unused ports on the server.