How Do You Harden a Website Application?

Problem scenario
You want to ensure your web application is protected from buffer overflows, injection attacks and other vulnerabilities that could reveal sensitive information. How do you harden a website application and follow recommended security practices?

Possible Solution #1
Endeavor to prevent injection attacks. Minimize the website application's attack surface by not allowing file uploads and by limiting POST requests to 2 MB (page 28 of Node.js Security by Liran Tal).

Possible Solution #2
Configure a global timeout for the website at 60 seconds (page 28 of Node.js Security by Liran Tal).

Possible Solution #3
This applies only if you are using JavaScript. Configure express-limiter (even though it requires Redis) to limit HTTP CRUD requests to the /login path of the URL. Such limits should allow 20 or fewer requests per hour from a single incoming IP address. (Both sentences are from page 26 of Node.js Security by Liran Tal.)
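The same policy (at most 20 requests per hour per source IP, applied only to /login) implemented as an added example that is not the page's code and is not express-limiter: a sliding-window limiter kept in process memory, with the clock injectable so it can be exercised deterministically. The middleware signature follows the Express (req, res, next) convention; the IP-extraction function and the header names are assumptions.

```javascript
// Added example (not from the page, not express-limiter): per-IP sliding-window
// limit of 20 requests per hour on /login, stored in process memory.
const LOGIN_LIMIT = 20;                 // requests per window, from the text
const WINDOW_MS = 60 * 60 * 1000;       // one hour, from the text

class SlidingWindowLimiter {
  constructor({ limit = LOGIN_LIMIT, windowMs = WINDOW_MS, now = Date.now } = {}) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.now = now;                     // injectable clock, used by the tests below
    this.hits = new Map();              // ip -> ascending timestamps inside the window
  }

  // Records one attempt from ip (if allowed) and returns the verdict.
  check(ip) {
    const t = this.now();
    const cutoff = t - this.windowMs;
    const times = this.hits.get(ip) || [];
    while (times.length && times[0] <= cutoff) times.shift(); // expire old hits
    if (times.length >= this.limit) {
      this.hits.set(ip, times);
      // Oldest hit must age out of the window before another is allowed.
      return { allowed: false, remaining: 0, retryAfterMs: times[0] - cutoff };
    }
    times.push(t);
    this.hits.set(ip, times);
    return { allowed: true, remaining: this.limit - times.length, retryAfterMs: 0 };
  }

  // Drops IPs with no hits inside the window so the map cannot grow without bound.
  prune() {
    const cutoff = this.now() - this.windowMs;
    for (const [ip, times] of this.hits) {
      if (!times.length || times[times.length - 1] <= cutoff) this.hits.delete(ip);
    }
    return this.hits.size;
  }
}

// Express-style middleware: only the /login path is limited, everything else
// passes straight through. clientIp is an assumed hook; by default it uses the
// socket address, which is the right choice unless a trusted proxy sets a header.
function loginRateLimit(limiter, clientIp = (req) => req.socket.remoteAddress) {
  return function rateLimitLogin(req, res, next) {
    const path = req.url.split('?')[0];
    if (path !== '/login') return next();
    const verdict = limiter.check(clientIp(req));
    res.setHeader('RateLimit-Limit', String(limiter.limit));
    res.setHeader('RateLimit-Remaining', String(verdict.remaining));
    if (!verdict.allowed) {
      res.setHeader('Retry-After', String(Math.ceil(verdict.retryAfterMs / 1000)));
      res.statusCode = 429;
      res.end('Too Many Requests');
      return;
    }
    return next();
  };
}
```

Wire it in with `app.use(loginRateLimit(new SlidingWindowLimiter()))` ahead of the login route, and call `prune()` from a periodic timer. The in-memory store is the reason express-limiter wants Redis: with several Node workers or hosts, each process would count separately and the effective limit would multiply, so a shared store is needed once you scale out.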

Possible Solution #4
Avoid using eval() in PHP, Perl, or JavaScript (page 60 of Node.js Security by Liran Tal). If an attacker can exploit your web application and get input into an eval() call, it can let them issue system-level Linux commands.
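Two of the common reasons developers reach for eval() in Node.js, each replaced with a form that cannot execute attacker-supplied text, as an added example that is not code from the page or from Liran Tal's book. The operation names and the settings format are illustrative assumptions.

```javascript
// Added example (not from the page or Liran Tal's book): eval()-free
// replacements for parsing data and for dispatching on a caller-chosen name.

// 1. Data that arrived as text. JSON.parse yields only strings, numbers,
//    booleans, null, arrays and plain objects; eval() of the same text would
//    run whatever code it contained.
function parseSettings(text) {
  const parsed = JSON.parse(text);
  if (parsed === null || typeof parsed !== 'object' || Array.isArray(parsed)) {
    throw new TypeError('settings must be a JSON object');
  }
  return parsed;
}

// 2. Choosing a function by name. Instead of eval(`${name}(...)`), the name is
//    looked up in a frozen allowlist, so only the functions declared here exist
//    as far as the caller is concerned.
const OPERATIONS = Object.freeze({
  add: (a, b) => a + b,
  multiply: (a, b) => a * b,
  uppercase: (s) => String(s).toUpperCase(),
});

function runOperation(name, args) {
  // Object.hasOwn ignores inherited names such as 'constructor' or 'toString',
  // which a plain `name in OPERATIONS` check would accept.
  if (typeof name !== 'string' || !Object.hasOwn(OPERATIONS, name)) {
    throw new RangeError(`unknown operation: ${String(name)}`);
  }
  if (!Array.isArray(args) || args.length > 2) {
    throw new TypeError('args must be an array of at most two values');
  }
  return OPERATIONS[name](...args);
}
```

The same idea applies to `new Function(...)`, `setTimeout` with a string argument, and `vm.runInNewContext`, which are eval() under other names; the usable replacement is always a fixed table of behaviours selected by a validated key.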

Possible Solution #5
Reduce data serialization as much as possible. Use programming languages with primitive data types (as opposed to purely object-oriented programming languages). The source of these two sentences is the OWASP website. From a pragmatic perspective, built-in data types help control how resources are manipulated and keep your application and server secure.

Possible Solution #6
Try to use JSON instead of XML. If you must use XML, try to disable DTD processing. The source of the two statements above is this external page.
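A request-body decoder covering Possible Solutions #5 and #6, as an added example that is not code from the page or from the page it cites: JSON is the preferred path (JSON.parse produces only primitive values and plain objects, never live objects), and XML is accepted only after the document is checked for a DTD. The XML parser itself is an assumed hook; whatever library you plug in must be configured with DTD and external entity processing turned off.

```javascript
// Added example (not from the page or its cited source): prefer JSON, and
// refuse XML that carries a DTD before any parser sees it.

// A DOCTYPE or ENTITY declaration anywhere in the document is grounds to
// reject it rather than strip it: stripping invites disagreements between this
// check and the parser, rejecting is unambiguous. No attempt is made to skip
// comments or CDATA sections; a declaration inside one is a false positive,
// and rejecting it is the safe direction.
function containsDtd(xml) {
  return /<!DOCTYPE\b|<!ENTITY\b/i.test(xml);
}

// Decode a body by its declared media type. parseXml is an assumed hook for a
// real XML parser; the default refuses so XML cannot slip through unconfigured.
function decodeBody(contentType, body,
                    parseXml = () => { throw new Error('no XML parser configured'); }) {
  const type = String(contentType || '').split(';')[0].trim().toLowerCase();
  if (type === 'application/json') {
    return { format: 'json', data: JSON.parse(body) };
  }
  if (type === 'application/xml' || type === 'text/xml') {
    if (containsDtd(body)) {
      throw new Error('XML with a DTD is not accepted');
    }
    return { format: 'xml', data: parseXml(body) };
  }
  throw new Error(`unsupported content type: ${type || '(none)'}`);
}
```

The media-type check also does its part for serialization: anything other than the two formats you explicitly decode is refused, so a client cannot choose a richer format your code never meant to parse.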

Possible Solution #7
Cleanse, filter, and validate any user input before it is used to compose a SQL statement (per this website).
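Validation combined with parameterization, as an added example that is not code from the page or from the site it cites. User-supplied values are validated and then passed to the driver separately from the statement text, and the parts of a statement that cannot be bound as parameters (the ORDER BY column and direction) are mapped through a fixed allowlist. The table and column names are assumptions; the `{ text, values }` shape with `$1` placeholders is the form node-postgres accepts in `client.query(text, values)`.

```javascript
// Added example (not from the page or its cited site): composing a SQL
// statement so that user input never becomes part of the SQL text.

// 1. Validate the value: reject anything not shaped like what the query
//    expects, before it gets near the statement. Returns the cleaned value
//    or null.
function validateEmail(value) {
  if (typeof value !== 'string' || value.length > 254) return null;
  const trimmed = value.trim();
  // Deliberately simple shape check; the database constraint remains the last line.
  return /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(trimmed) ? trimmed : null;
}

// 2. Identifiers cannot be bound as parameters, so caller-chosen sort options
//    are keys into a fixed map, never text copied into the statement.
const SORTABLE_COLUMNS = Object.freeze({
  created: 'created_at',
  name: 'display_name',
});
const DIRECTIONS = Object.freeze({ asc: 'ASC', desc: 'DESC' });

// 3. Build: the email travels in `values`, so the driver sends it as data and
//    it cannot change the structure of the statement whatever it contains.
function buildUserLookup({ email, sortBy = 'created', direction = 'asc' }) {
  const cleanEmail = validateEmail(email);
  if (cleanEmail === null) throw new RangeError('invalid email');
  if (!Object.hasOwn(SORTABLE_COLUMNS, sortBy)) throw new RangeError('invalid sort column');
  if (!Object.hasOwn(DIRECTIONS, direction)) throw new RangeError('invalid sort direction');
  return {
    text: `SELECT id, display_name FROM users WHERE email = $1 ` +
          `ORDER BY ${SORTABLE_COLUMNS[sortBy]} ${DIRECTIONS[direction]}`,
    values: [cleanEmail],
  };
}
```

With node-postgres the call is `const { rows } = await client.query(q.text, q.values)`. Note that validation alone is not the defence here; even a value that passes the shape check is still bound as a parameter, and the allowlist for identifiers is what keeps the one non-parameterizable part of the statement fixed.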

Possible Solution #8
Ensure that code that interacts with the web application is thread-safe, because penetration testing is limited in what it can reveal (page 427 of The Web Application Hacker's Handbook, 2nd Edition). Thread safety is the isolation between two threads in a multi-processor environment (per MIT's website). When one thread can access memory that another thread was using independently, thread safety has been breached.

Possible Solution #9
View these pages if they are applicable:
What Are Some Ways to Prevent MITM Attacks or Other Session Exploitative Attacks with a Web Page That Uses JavaScript?

What Are Some Ways to Prevent XSS Attacks with a Web Page That Uses JavaScript?
