February 7, 2010 19:43
There are tons of good papers and a bunch of questions on StackOverflow about designing and developing for security, but all of them seem to concentrate on what you should do.
However, recently I was after something different: a "visit a page, try this and that" kind of thing, you know. A list of simple actions one should go through once development is done, to make sure the solution is secure.
Here's something I've come up with so far:
Security Blackbox Checklist.
- Turn off client-side validation (disable JavaScript, or edit the form in the browser) and resubmit invalid input, to make sure that (a) validation is also done on the server, (b) the server validates input for type, length, format, and range, (c) free-form input is sanitized, and (d) any output that includes user input is encoded for the context it lands in (HtmlEncode for HTML content, UrlEncode for URL parameters).
- Insert an extremely large amount of data in the query string, as per http://www.example.com/foo?bar=HugeAmountOfData, to make sure you constrain input sizes and do boundary checks. The request should be rejected cleanly (a 400, 404 or 414), never with a 500 or a stack trace.
- Visit a POST action via GET, to make sure that "form submit" actions are restricted to POST only. The GET should be refused (404 or 405), not executed.
- If applicable, upload a file of incorrect size or format (huge file, empty file, an executable with a renamed extension, etc.) to make sure uploads are validated and handled gracefully.
- Access the URL as a user without the required permissions, to make sure permissions are explicitly enforced via action/controller attributes ([Authorize]) and not just by hiding links in the UI.
- Access the URL providing non-existent details (non-existent product ids, items you don't have access to, etc.) to make sure the correct error (404 or 403) is returned rather than an exception page. If you don't want to confirm to an attacker that an item exists, answer 404 in both cases.
- Access a sensitive page via plain HTTP, to make sure it's available via HTTPS only: the HTTP request should be refused or redirected to HTTPS, and authentication and session cookies should carry the Secure flag so the browser never sends them over HTTP.
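The black-box steps above are easy to script so they can be re-run after every deployment. Below is an added example (not from the original post) that probes an application with plain urllib, refuses to follow redirects so the Location target can be inspected, and judges each response against what the checklist expects. The paths (/Account/ChangePassword, /Admin, /Products/Details/...) and the check names are hypothetical placeholders; point them at the real actions of the application under test. The judging logic is separated from the HTTP probing so it can be exercised without a live target.

```python
import sys
import urllib.error
import urllib.parse
import urllib.request

# Hypothetical paths for an ASP.NET MVC style application; adjust them to
# the real actions of the application under test.
HUGE = "A" * 20000

CHECKS = [
    {"name": "oversized query string is rejected without a 5xx",
     "path": "/foo?bar=" + HUGE, "kind": "no_5xx"},
    {"name": "form-submit action rejects GET",
     "path": "/Account/ChangePassword", "kind": "status", "expect": {404, 405}},
    {"name": "anonymous request to a protected page is refused",
     "path": "/Admin", "kind": "denied"},
    {"name": "non-existent product id yields 404",
     "path": "/Products/Details/999999999", "kind": "status", "expect": {404}},
    {"name": "sensitive page is not served over plain HTTP",
     "path": "/Account", "kind": "https", "scheme": "http"},
]


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx responses as HTTPError instead of following them, so the
    redirect target (Location header) can be inspected by the check."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


_OPENER = urllib.request.build_opener(_NoRedirect)


def probe(url, method="GET", timeout=10):
    """Send one request with no cookies and return (status, Location header).
    Connection-level failures (e.g. a reset on an oversized URL) return (0, "")."""
    req = urllib.request.Request(url, method=method,
                                 headers={"User-Agent": "blackbox-check"})
    try:
        with _OPENER.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location", "")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location", "")
    except OSError:
        return 0, ""


def judge(check, status, location=""):
    """Decide whether one probe outcome satisfies its check. Returns (passed, detail)."""
    kind = check["kind"]
    redirected = 300 <= status < 400
    if kind == "no_5xx":
        # A deliberate rejection (400, 404, 414...) is fine; a 500 or a dropped
        # connection (status 0) means the input size was not constrained.
        return 200 <= status < 500, f"status {status}"
    if kind == "status":
        return status in check["expect"], f"status {status}, expected {sorted(check['expect'])}"
    if kind == "denied":
        # 401/403, or a redirect to the login page (ASP.NET forms auth uses /Account/LogOn)
        to_login = redirected and any(w in location.lower() for w in ("login", "logon"))
        return status in (401, 403) or to_login, f"status {status}, location {location!r}"
    if kind == "https":
        scheme = urllib.parse.urlsplit(location).scheme.lower()
        return redirected and scheme == "https", f"status {status}, location {location!r}"
    raise ValueError(f"unknown check kind {kind!r}")


def run(base_https, base_http=None):
    """Run every check. base_http is only needed for the plain-HTTP check,
    e.g. run("https://app.example", "http://app.example")."""
    results = []
    for check in CHECKS:
        if check.get("scheme") == "http":
            if not base_http:
                print("SKIP", check["name"], "- no http base URL given")
                continue
            base = base_http
        else:
            base = base_https
        status, location = probe(base.rstrip("/") + check["path"])
        passed, detail = judge(check, status, location)
        results.append((check["name"], passed, detail))
        print("PASS" if passed else "FAIL", check["name"], "-", detail)
    return results


if __name__ == "__main__":
    run(sys.argv[1], sys.argv[2] if len(sys.argv) > 2 else None)
```

Run it as `python blackbox_check.py https://app.example http://app.example`. The script deliberately sends no cookies, so the "denied" check exercises the anonymous path; repeat it with a low-privilege user's cookie to cover the "wrong permissions" case.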
Security Whitebox Checklist.
- In debug mode, break the code so that it throws an exception, to make sure it fails securely: catch exceptions and log the detailed message and stack trace on the server, but return only a generic error page to the client (in ASP.NET, customErrors should be On or RemoteOnly in production).
- Make sure MVC actions are restricted to the intended HTTP verb ([HttpGet]/[HttpPost], or [AcceptVerbs]) and, where needed, to particular user roles ([Authorize(Roles = "...")]).
- Ensure that absolute URLs are used for navigation.
- Make sure POST actions carry the [ValidateAntiForgeryToken] attribute, and that the corresponding forms emit Html.AntiForgeryToken(), to prevent CSRF (XSRF) attacks.
- Make sure Response.Write (either directly or indirectly) is never used to display user input; render it through the view and HTML-encode it (Html.Encode).
- Make sure sensitive data (passwords, session identifiers, secrets) is not passed in query strings or hidden form fields; query strings end up in server logs, browser history and Referer headers.
- Make sure your security decisions do not rely on HTTP header information (Referer, Host, User-Agent, X-Forwarded-For and the like), since every header is under the client's control.
- Make sure you don't leak security information in robots.txt (Disallow entries for /admin or backup paths advertise exactly what an attacker should look at).
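Several of the white-box items (verb restriction, [ValidateAntiForgeryToken] on POST actions, [Authorize] on controllers or actions, no Response.Write of user input) can be checked mechanically over the controller source. Below is an added example, not part of the original post, of a line-based scanner for C# controller files. It is deliberately simple (it does not parse C#; it relies on attributes sitting on the lines directly above a public action method, which is the usual layout) and treats the MVC 1 form [AcceptVerbs(HttpVerbs.Post)] like [HttpPost]. The embedded controller source is a constructed sample written for this example, not code from any real project.

```python
import re
import sys

# An attribute line may carry several attributes: [HttpPost, ValidateAntiForgeryToken]
ATTR_NAMES_RE = re.compile(r"(?:\[|,)\s*([A-Za-z_]\w*)\s*(?=[(\],])")
CLASS_RE = re.compile(r"^\s*public\s+(?:partial\s+)?class\s+(\w+)\s*:\s*\w*Controller\b")
ACTION_RE = re.compile(r"^\s*public\s+(?:virtual\s+)?(?!static\b)[\w<>.]+\s+(\w+)\s*\(")
RESPONSE_WRITE_RE = re.compile(r"\bResponse\.Write\s*\(")
VERB_ATTRS = {"HttpGet", "HttpPost", "HttpPut", "HttpDelete", "AcceptVerbs"}


def attribute_names(line):
    names = set(ATTR_NAMES_RE.findall(line))
    if "AcceptVerbs" in names and "Post" in line:   # MVC 1 style [AcceptVerbs(HttpVerbs.Post)]
        names.add("HttpPost")
    return names


def scan_controller(source):
    """Scan C# controller source; return findings as dicts with line, controller,
    action and issue ('csrf', 'no_verb', 'anonymous' or 'response_write')."""
    findings = []
    controller, action, class_attrs, pending = None, None, set(), set()

    def add(line_no, issue, detail):
        findings.append({"line": line_no, "controller": controller,
                         "action": action, "issue": issue, "detail": detail})

    for line_no, line in enumerate(source.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("//"):
            continue
        if RESPONSE_WRITE_RE.search(line):
            add(line_no, "response_write", "Response.Write used; render through the view with Html.Encode")
        if stripped.startswith("["):
            pending |= attribute_names(line)     # attributes for the next declaration
            continue
        m = CLASS_RE.match(line)
        if m:
            controller, action, class_attrs, pending = m.group(1), None, pending, set()
            continue
        m = ACTION_RE.match(line)
        if m:
            action, attrs, pending = m.group(1), pending, set()
            if "HttpPost" in attrs and "ValidateAntiForgeryToken" not in attrs:
                add(line_no, "csrf", "POST action without [ValidateAntiForgeryToken]")
            if not attrs & VERB_ATTRS:
                add(line_no, "no_verb", "action answers any HTTP verb; add [HttpGet]/[HttpPost]")
            if "Authorize" not in attrs and "Authorize" not in class_attrs:
                add(line_no, "anonymous", "no [Authorize] on action or controller; confirm it is meant to be public")
            continue
        pending = set()   # any other statement ends the attribute run

    return findings


# Constructed sample controller for demonstration; not from a real project.
SAMPLE = """\
[Authorize]
public class AccountController : Controller
{
    [HttpGet]
    public ActionResult ChangePassword()
    {
        return View();
    }

    [HttpPost]
    public ActionResult ChangePassword(ChangePasswordModel model)
    {
        Response.Write(model.UserName);
        return View(model);
    }

    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult LogOff()
    {
        return RedirectToAction("Index", "Home");
    }
}

public class HomeController : Controller
{
    public ActionResult Index()
    {
        return View();
    }
}
"""

if __name__ == "__main__":
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for f in scan_controller(src):
        print(f"line {f['line']}: {f['controller']}.{f['action']}: {f['issue']} - {f['detail']}")
```

On the sample it reports the POST ChangePassword overload (no anti-forgery token), the Response.Write inside it, and HomeController.Index (no verb restriction, no [Authorize]); the 'anonymous' finding is a prompt to confirm the page is intentionally public, not necessarily a bug. Run it over every *Controller.cs file in the project and treat new 'csrf' or 'response_write' findings as build breakers.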
Comments? Corrections? Missing steps?
- Check out Improving Web Application Security or Developer Highway Code ebooks from Microsoft.
- Well, check out 'em all!