Structuring Your Projects for Web Application Security

In this article we will look at how to start a project while considering its related security issues. We will focus on form validation as well as other topics such as site structures. To demonstrate the topics that we will be discussing, we will create a site that will enable a user to log in, log out, register and manage passwords.

The site

We will not be developing a large site here, but if we were, the overarching issue would be site structure; in other words, how the files are organized on the server. Why is this important? Proper site structure is intended to improve security and administration of a site, as well as to promote scalability, portability, and ease of modifications.

For this reason, it is (in my view) very important to properly organize a site. I’ve personally seen many developers throw all the site files into one folder, resulting in a folder that contains zillions of items (and, to be frank, I myself was guilty of this at one stage). I often wondered how such a project is managed. Getting into a routine of developing and following an organization scheme will save a lot of work over the long run.

The key to good site structure is to modularize your code and applications according to purpose and function. For example, I usually have a layout that includes a primary folder, which then contains an image folder, a folder for classes, another for functions, and so on. This is only a guide; you can of course alter and even improve on my suggestion. But this kind of layout has always worked very well for me.

Using non-default names for your folders (not `admin`, `includes` or `backup`) makes the guesswork of automated scanners slightly less productive, and anything that makes it harder for a malicious user to mess up your work is worth doing. Treat it as a small nuisance for an attacker rather than a defence, though: a folder that must not be served should be denied in the web server configuration or kept outside the document root, whatever it is called. Below is an example of a site structure:



Obviously the most important file in the whole setup is the configuration file. This is the file that holds all the sensitive data: the database host, user name and password, and the other settings needed for database connections and the like. Such a file should be placed outside the web server's document root, so that a misconfiguration or a request for the file by name can never serve its contents to a browser. If you do keep it under the document root, give it a .php extension rather than .inc: a web server with no handler mapped for .inc files serves them as plain text, credentials included. My configuration files are usually called config.php and typically look something like this:

<?php

// ***** config.php *****
// Developed by David Web
// Contact: admin@mysite.co.uk
// Created 20 May 2008
// This is the configuration file for the
// Login System at www.mysite.co.uk

session_start();

$title = "My Application Title";
$version = "3.0";

// database connection
// Use a dedicated MySQL account that has only the rights the application
// needs; the values below are placeholders. Never connect as root.
$dbhost = "localhost";
$dbuser = "loginapp";
$dbpass = "pass";
$dbname = "users";

// The mysql_* functions used here originally were removed in PHP 7; mysqli
// is the drop-in replacement. Log the driver's error text rather than
// printing it: it reveals host and user names to whoever is looking.
$db = mysqli_connect($dbhost, $dbuser, $dbpass, $dbname);
if (!$db) {
    error_log("DB connection failed: " . mysqli_connect_error());
    die("Database unavailable");
}
mysqli_set_charset($db, "utf8mb4");

// set useful variables
$month_names = array("", "January", "February", "March", "April", "May", "June", "July", "August",
    "September", "October", "November", "December");

$td = date("Y-m-d");
$date_time = date("Y-m-d H:i:s");   // H is the 24-hour clock; h would give 12-hour without am/pm

// No closing ?> tag: any whitespace after it would be sent to the browser and
// break header() and the session cookie on every page that includes this file.

One of the things that a file such as this does is enable you to make global changes to the site by modifying only one page.
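The following is an added example, not the article's own configuration file, of what the "outside the document root" advice looks like in practice. It assumes a hypothetical layout in which the file lives at /var/www/app/config/config.php, the document root is /var/www/app/public, and pages pull the file in with `$db = require __DIR__ . '/../config/config.php';`. The environment variable names, the `loginapp` account and the session cookie settings are assumptions of the example.

```php
<?php
// Added example, not the article's own code: a configuration file kept
// outside the document root. Assumed (hypothetical) layout:
//   /var/www/app/config/config.php   this file; the web server never serves it
//   /var/www/app/public/             document root
//   /var/www/app/public/index.php    does: $db = require __DIR__ . '/../config/config.php';

// If the file is ever requested directly (copied under the web root, or a
// stray handler mapping), refuse to run rather than execute or print anything.
if (PHP_SAPI !== 'cli' && realpath($_SERVER['SCRIPT_FILENAME'] ?? '') === __FILE__) {
    http_response_code(404);
    exit;
}

// Read secrets from the environment so the file holds no password of its own;
// the fallbacks are placeholders for a local development box only.
$dbhost = getenv('DB_HOST') ?: 'localhost';
$dbuser = getenv('DB_USER') ?: 'loginapp';   // a dedicated least-privilege account, never root
$dbpass = getenv('DB_PASS') ?: '';
$dbname = getenv('DB_NAME') ?: 'users';

// Make mysqli throw instead of silently returning false, and keep the driver's
// error text (host names, user names) out of the HTTP response.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
try {
    $db = new mysqli($dbhost, $dbuser, $dbpass, $dbname);
    $db->set_charset('utf8mb4');
} catch (mysqli_sql_exception $e) {
    error_log('DB connection failed: ' . $e->getMessage());
    http_response_code(500);
    exit('Service unavailable');
}

// Session cookie flags must be set before session_start().
session_set_cookie_params([
    'httponly' => true,                      // not readable from JavaScript
    'secure'   => !empty($_SERVER['HTTPS']), // only sent over TLS when the site runs on it
    'samesite' => 'Lax',
]);
session_start();

$title   = 'My Application Title';
$version = '3.0';

return $db;   // require'ing this file yields the connection; no closing ?> tag
```

The direct-access guard costs one line and covers the case the prose warns about: the file ends up under the web root by accident. Everything else in the file is the same global-change-in-one-place idea, with the secrets moved out of the file entirely.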

Now that you have an idea of how you can organize your site, let's move on and build the database for the site. The database will contain a table called "users," which holds one row per user, and users will be authenticated against this table. One point to settle before the first row goes in: the `pw` column must hold a password hash, never the password itself, so it needs to be wide enough for the output of password_hash() (255 characters covers every algorithm PHP ships). So, create a table with the following structure and information:

#
# Table structure for table `users`
#

CREATE TABLE `users` (
  `uid` int(4) NOT NULL auto_increment,
  `uname` varchar(50) NOT NULL,
  `pw` varchar(255) NOT NULL,    -- a password hash from password_hash(), never the plaintext
  `email` varchar(50) NOT NULL,
  PRIMARY KEY (`uid`),
  UNIQUE KEY `uname` (`uname`)   -- two accounts with one name would make a login ambiguous
) ENGINE=InnoDB AUTO_INCREMENT=2 DEFAULT CHARSET=utf8mb4;

#
# Dumping data for table `users`
#

-- 'pass' is a placeholder for the example; a real row stores the hash of the password
INSERT INTO `users` VALUES (1, 'david', 'pass', 'david@web.com');
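As an added example (mine, not the article's code) of how the `pw` column is meant to be written and read, here is a register/verify pair against that table. It assumes `$db` is a connected mysqli object as produced by the configuration file, that the mysqlnd driver is available for `get_result()`, and that `pw` is VARCHAR(255). The function names `register_user` and `verify_login` are this example's own.

```php
<?php
// Added example, not the article's code: how the `pw` column should be written
// and checked. Assumes $db is a connected mysqli object (as in the configuration
// file), mysqlnd is available for get_result(), and `pw` is VARCHAR(255) so the
// output of password_hash() fits.

function register_user(mysqli $db, string $uname, string $password, string $email): int
{
    // PASSWORD_DEFAULT is bcrypt today; the result embeds algorithm, cost and
    // salt, so the column needs nothing else stored beside it.
    $hash = password_hash($password, PASSWORD_DEFAULT);

    // Prepared statement: the user's input is bound as data and never becomes
    // part of the SQL text.
    $stmt = $db->prepare('INSERT INTO users (uname, pw, email) VALUES (?, ?, ?)');
    $stmt->bind_param('sss', $uname, $hash, $email);
    $stmt->execute();
    return (int) $db->insert_id;
}

function verify_login(mysqli $db, string $uname, string $password): ?int
{
    $stmt = $db->prepare('SELECT uid, pw FROM users WHERE uname = ? LIMIT 1');
    $stmt->bind_param('s', $uname);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();   // null when the user does not exist

    // Verify against a dummy hash when the user is unknown, so the response
    // time does not reveal which usernames exist.
    static $dummy = null;
    if ($dummy === null) {
        $dummy = password_hash('not-a-real-password', PASSWORD_DEFAULT);
    }
    $stored = $row['pw'] ?? $dummy;
    $ok = password_verify($password, $stored);
    if ($row === null || !$ok) {
        return null;
    }

    // If the default cost or algorithm has been raised since this hash was
    // made, upgrade it transparently while the plaintext is still in hand.
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $uid = (int) $row['uid'];
        $new = password_hash($password, PASSWORD_DEFAULT);
        $upd = $db->prepare('UPDATE users SET pw = ? WHERE uid = ?');
        $upd->bind_param('si', $new, $uid);
        $upd->execute();
    }
    return (int) $row['uid'];
}

// Example use (assumes $db from the configuration file):
// $uid = register_user($db, 'david', 'correct horse battery staple', 'david@web.com');
// $who = verify_login($db, 'david', 'correct horse battery staple');   // int uid, or null
```

Note that the login query selects the hash by username and lets password_verify() do the comparison in PHP; it never puts the password into the SQL at all, which is the shape every later query in the login system should follow.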

Form Data Security

We will come back to the database a little later on. Let's take a closer look at form data. Since our little application will be using forms a lot, it is only prudent to look at the security challenges that forms present.

So what do we mean by “Form Data”? Well, form data refers to any information that comes from a form. A form is the most common way in which information is collected from a user on the Internet. Form data is sent using either the GET or POST request method. When you create an HTML form, you specify the request method in the method attribute of the form tag:

<form action="process.php" method="GET">

When the GET request method is specified, as this example shows, the browser sends the form data as the query string of the URL. For example, consider the following form:

<form name="form1" method="get" action="login.php">
<table width="41%" border="0" align="center" cellpadding="0" cellspacing="3">
<tr class="listtop">
<td colspan="3">Login Status:<?php
// Escape anything echoed into the page, even our own status strings: if $msg
// ever carries user-supplied text, an unescaped echo is a cross-site scripting hole.
if (isset($msg)) {
    echo htmlspecialchars($msg, ENT_QUOTES, 'UTF-8');
} elseif (isset($reg)) {
    echo htmlspecialchars($reg, ENT_QUOTES, 'UTF-8');
}
?></td>
</tr>
<tr>
<td width="9%">Username</td>
<td width="41%"><input name="uname" type="text" id="uname" size="50"></td>
<td width="50%" rowspan="4">&nbsp;</td>
</tr>
<tr>
<td>Password</td>
<!-- type="password" masks the value on screen and keeps it out of the field's autocomplete history -->
<td><input name="upass" type="password" id="upass" size="50">
<input type="hidden" name="key" /></td>
</tr>
<tr>
<td>&nbsp;</td>
<td><a href="../password.php">Forgotten your password?</a> | <a href="register.php">Register</a></td>
</tr>
<tr>
<td>&nbsp;</td>
<td><input type="submit" name="Submit" value="Login"></td>
</tr>
</table>
</form>

If I enter the username david and the password pass, I arrive at http://localhost/login.php?uname=david&upass=pass after submitting the form (the browser also appends the empty hidden key field and the Submit button; I drop those from the examples that follow). Note that the query string carries the input names, uname and upass, not the labels shown next to the fields. The simplest valid HTTP/1.1 request for this URL is as follows:

GET /login.php?uname=david&upass=pass HTTP/1.1
Host: localhost

So, do you really need an HTML form to request this URL? No, not at all. In fact, there is no difference between a GET request sent as the result of a user submitting an HTML form and one sent as the result of a user clicking a link.

POST Method

Using the same form, let's take a look at the POST method. Only the method attribute changes; the table, inputs and links are exactly as in the GET version above:

<form name="form1" method="post" action="login.php">
<!-- table, inputs and links identical to the GET form above -->
</form>

If I specify david as the username and pass as the password, I arrive at http://localhost/login.php after submitting the form. The form data is in the body of the request rather than in the query string of the requested URL. The simplest valid HTTP/1.1 request that illustrates this is as follows (Content-Length is the byte count of the body, 22 here, and the server reads exactly that many bytes):

POST /login.php HTTP/1.1
Host: localhost
Content-Type: application/x-www-form-urlencoded
Content-Length: 22

uname=david&upass=pass


You have now seen the predominant ways in which a user provides data to your applications. It should be easy for you to see how attackers can take advantage of your forms and URLs by using these as openings to your applications: either request can be typed into a tool or scripted without your form ever being rendered.

Of the two methods, POST is the one to use for credentials and anything else sensitive. It is not that POST hides the data from the user: whoever is sitting at the browser can read a POST body just as easily with the browser's developer tools or a proxy. The difference is where the data ends up. A query string is written to the browser history, to proxy and web server access logs, and is sent to other sites in the Referer header when the user follows a link from the page; a POST body is not.

Closing the Vulnerability

So how can you close this security vulnerability? Start by being honest about what a form gives away. Any form reveals which parameters the application expects (from our example, a hacker will know that it requires a username and a password), and no choice of request method changes that: he or she reads the HTML, or simply watches the request in a proxy, and can then experiment to find out whether your application filters this data and what other security measures are implemented. GET merely makes the experimenting more convenient, because the whole request fits in the address bar.

So keep sensitive data out of GET for the reasons given above, but do not count that as a defence. The real step in securing your application is to filter your form data on the server, where the attacker cannot bypass the check. By filtering, I mean inspecting the data and making sure that it is valid before it is used. For example, if you are expecting to get a number through a form, it is worth checking to see that you DID get a number instead of a string. Client-side checks (JavaScript, maxlength, the hidden field) can improve the user experience, but they run on a machine the attacker controls and prove nothing to the server.

Filtering is necessary because any data that does not originate from you should be considered untrustworthy, because you just don’t know what that data contains. By filtering data you basically allow only valid data to pass through to your application. Below is an example of how to check if a user entered a number or string (a number is required):

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">

<head>

<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />

<title> </title>

<link href="Templates/filter.css" rel="stylesheet" type="text/css" />

</head>

<body>

<form action="test.php" method="POST">

Enter your age:

<input name="age" type="text" id="age" />

<input type="submit" />

</form>

</body>

</html>

Once the user has submitted the form, the age value will need to be filtered to see if the user has submitted a number or string:

<?php
// test.php: the age arrives in $_POST because the form used method="POST".
// Read it from there explicitly; a bare $age would rely on the long-removed
// register_globals and could be supplied from anywhere.
$age = $_POST['age'] ?? '';

if (is_numeric($age)) {
    // user entered a number; escape it on output all the same, since
    // is_numeric() also accepts forms such as "1e3", " 12", "3.7" and "-5"
    echo "You entered " . htmlspecialchars($age, ENT_QUOTES, 'UTF-8') . " as your age";
} else {
    // user entered a string: show an error message to alert the user
    echo "Please enter a number.";
}
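The following is an added example (mine, not the article's code) that serves two of the points above: that the server receives the same bytes whether they came from the form, a link or a hand-written request, so only its own checks count; and that filtering means allowing only valid data through. It accepts the login form by POST only, reads only `$_POST`, validates each field against a whitelist, and escapes anything echoed back. The field names uname, upass and age come from the article's forms; the character set and length limits, the sample inputs, and the `validate_form()` and `h()` helpers are assumptions of this example.

```php
<?php
// Added example, not from the article: server-side filtering for the login
// form fields plus the age field. Field names come from the article's forms;
// the limits, patterns and helper names are this example's own assumptions.

const UNAME_PATTERN = '/^[A-Za-z0-9_.-]{3,50}$/';

function validate_form(array $input): array
{
    $clean  = [];
    $errors = [];

    // Whitelist: a username is a short token of known characters. Anything
    // else (quotes, angle brackets, spaces, NUL bytes, an array sent as
    // uname[]=x) is rejected outright rather than "cleaned".
    $uname = $input['uname'] ?? '';
    if (!is_string($uname) || !preg_match(UNAME_PATTERN, $uname)) {
        $errors['uname'] = 'Username must be 3-50 letters, digits, dot, dash or underscore.';
    } else {
        $clean['uname'] = $uname;
    }

    // Passwords are only checked for a sane length; they are hashed later and
    // never echoed, logged or altered.
    $upass = $input['upass'] ?? '';
    if (!is_string($upass) || strlen($upass) < 8 || strlen($upass) > 1024) {
        $errors['upass'] = 'Password must be between 8 and 1024 characters.';
    } else {
        $clean['upass'] = $upass;
    }

    // is_numeric() accepts "1e3", "-5", " 12" and "3.7"; an age is a small
    // non-negative integer, so validate exactly that and keep the int.
    if (isset($input['age'])) {
        $age = filter_var($input['age'], FILTER_VALIDATE_INT,
            ['options' => ['min_range' => 0, 'max_range' => 150]]);
        if ($age === false) {
            $errors['age'] = 'Please enter a whole number between 0 and 150.';
        } else {
            $clean['age'] = $age;
        }
    }

    return ['data' => $clean, 'errors' => $errors];
}

// Output encoding: everything echoed into HTML goes through this, including
// the $msg/$reg status strings from the login form.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

if (PHP_SAPI !== 'cli') {
    // Accept only POST and read only $_POST. $_REQUEST would merge in
    // query-string and cookie values, which is exactly how a crafted link
    // could feed "form" data to a page that expects a POST.
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        http_response_code(405);
        header('Allow: POST');
        exit;
    }
    $result = validate_form($_POST);
    if ($result['errors']) {
        foreach ($result['errors'] as $field => $message) {
            echo '<p class="error">' . h($field) . ': ' . h($message) . '</p>';
        }
    } else {
        echo '<p>Welcome, ' . h($result['data']['uname']) . '</p>';
    }
} else {
    // Constructed sample inputs for a command-line run: what a form, a crafted
    // link or a raw request would deliver, including the awkward cases.
    $samples = [
        ['uname' => 'david',        'upass' => 'correct horse battery', 'age' => '42'],
        ['uname' => "' OR 1=1 --",  'upass' => 'x',                     'age' => '1e3'],
        ['uname' => ['david'],      'upass' => str_repeat('a', 8),      'age' => '-5'],
    ];
    foreach ($samples as $s) {
        print_r(validate_form($s));
    }
}
```

Run from the command line, the first sample validates cleanly and the other two return one error per bad field. The handler section refuses GET with 405 rather than silently reading `$_GET`, so the "no difference between a link and a form" observation above works in your favour: the server decides what it will accept, and nothing the client does changes that decision.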



In the next article we will focus on building our login application using the concepts discussed here.
