Tersus: Re: How to build secure web applications

Re: How to build secure web applicationsDate: Jun 22, 2009Hi kkg,There are many considerations for security, and some reading on web application security in general is recommended.In absense of a comprehensive guide, here are some quick recommendations:

When deploying the application, consider using SSL.

Use "Show services in project ..." in the Repositoy Explorer drop down menu to create a list of all the services in your project. Review the input and output of each of the services.

Validate user input inside your services (even if you have input validation in the client). This is where the Secure Service template helps - it gives you a placeholder for the validation. Validation may include checking that the input makes sense, and that the specific user has authority to perform the specific action.
Example: suppose your online shop allows a user to cancel an order as long as it is not shipped. A "Cancel Order" service should check that:

The order (in the database) belongs to the logged-in user
The order status (in the database) is still appropriate (i.e. not yet shipped)

If you're sending the order status and user id from the client to the service, you must check that they are valid: compare the given user is the logged-in user and the given order status to the order's actual status.

Make sure your services do not return data that your user is not allowed to see (the output can be seen even if it is not displayed on screen).

To prevent SQL injection: Make sure any input that comes from the client is not used in SQL statements or fragments (<SQL Statement> in Database Query and Database Update, <Filter> & <Table> in Advanced Find, <Procedure> in Call Procedure). Values that are sent to the database through the regular triggers of database actions are escaped.

To prevent cross-site scripting: If your application receives HTML text from the client (e.g. using HTML Editor) , and displays it (e.g. using HTML Display ), validate or filter the HTML text using Filter HTML.
Note that by default, and text send to usual display elements is escaped, so malicious scripts sent to such elements will not be displayed.

Note that prototype.multiplicity and prototype.element are not relevant to security. These properties drive the "Add Element" functionality of the modeling tool and are not used in runtime. You can certainly use regular triggers.Regards,YouvalSee Also:

To use the full functionality of this web site, JavaScript needs to be turned on.

For best results, use the Firefox browser..

Loading ...