Threats on the web:
Information gathering- This is step one in a hacker's attempt to damage your system. It usually goes unnoticed on the web server side, because the attacker can simply use search engines to find the information they want.
Administrative interfaces- It is not a good idea to expose a web-based administrative interface. Use a stronger authentication method than the simple username/password one, and keep strict control over which systems can reach the administrative interface.
Authentication and access control- To protect against this threat, use multifactor authentication. Another protection is to encrypt the information and transfer the data over a secure protocol.
Input validation- Path or directory traversal: the dot-dot-slash method, where attackers try to reach files elsewhere on the web server's drive. Unicode encoding: the same idea as the previous method, but using Unicode representations of the characters. URL encoding: attackers bypass filters by making requests with different representations of the characters. The most famous method here is SQL injection, where an attacker submits actual database commands in order to retrieve data from the web server.
Parameter validation- It is important to validate all data that passes through the system. The client side should validate, and then the server side should validate as well.
Session management- A common way to combat this threat is to use a unique session id for every session. Do not use sequential ids, as that makes it easier for an attacker to guess them.
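As an added example (not from the original notes) of the server-side input and parameter validation described above: a naive substring filter for "../" is shown beside a resolver that fully percent-decodes the request, normalises the path, and only then checks that it still lies under the document root. The web root "/var/www/html" and the sample requests are constructed for the example.

```python
import posixpath
from urllib.parse import unquote

# Constructed document root for the example; a real server would use its own.
WEB_ROOT = "/var/www/html"


def naive_is_safe(requested: str) -> bool:
    """The kind of filter the notes warn about: a plain substring check for '../'.

    It passes any request that spells the same characters differently, e.g. with
    URL (percent) encoding, so it offers no real protection."""
    return "../" not in requested


def resolve_request_path(requested: str, web_root: str = WEB_ROOT):
    """Map a requested URL path onto a file under web_root, or None if it escapes.

    1. Percent-decode until the string stops changing (bounded), so that double
       encoding such as %252e is undone as well as single encoding such as %2e.
    2. Treat backslashes as separators so '..\\' is not a way around the check.
    3. Join onto the root, normalise ('.' and '..' segments collapse), and require
       the result to still start with the root directory.
    """
    decoded = requested
    for _ in range(3):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    decoded = decoded.replace("\\", "/")
    # Strip a leading '/' so the request cannot name an absolute path of its own.
    candidate = posixpath.normpath(posixpath.join(web_root, decoded.lstrip("/")))
    root = web_root.rstrip("/")
    if candidate == root or candidate.startswith(root + "/"):
        return candidate
    return None  # escaped the document root: reject the request


if __name__ == "__main__":
    for req in ["index.html", "%2e%2e/%2e%2e/etc/passwd", "%252e%252e/etc/passwd"]:
        print(req, "naive:", naive_is_safe(req), "resolved:", resolve_request_path(req))
```

Note that this handles percent and double-percent encoding; overlong or otherwise malformed UTF-8 sequences need separate rejection at the decoding layer.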