People often ask me if their web site is secure. Or perhaps what things they should be looking for that may be indicative of security problems. While I can’t answer that first question completely without performing a web application review (and associated legal docs), there are definitely conclusions I can reach based on a few minutes on the site and even a short discussion with the developer(s). Listed below is what I do to get a feel for an application when I’m engaged on a security review.

  1. Look and feel

    Honestly, if a web application looks like it was coded using a GeoCities or Frontpage template, chances are pretty good that it was coded by a developer with little experience. What that means, in turn, is that there are likely to be common security issues throughout the site.

  2. Error handling

    Somewhat related to the point above, how does the site handle application errors? Does it spit out a verbose error message with a stack trace? Or does it handle the error gracefully, log the detail on the server, and show the user a generic message or redirect them appropriately? Error messages are an attacker's friend: a stack trace leaks framework and library versions, file system paths, and sometimes fragments of the query that failed.

  3. Parameter Fields

    What kind of parameters does the site use, particularly in the URL? If they are numeric, are they relative to the current user or global to the application? A global identifier that is never checked against the logged-in user is a direct object reference waiting to be enumerated. Do file names get passed in as parameters? If so, they may be susceptible to path traversal. Is there a routing layer on the front end that constrains what a parameter may contain, or does every value go straight to server-side code that is expected to verify its format?

  4. Invalid user input

    How does the application react when I enter input that is invalid? By invalid, I mean everything from attempting to access data that isn't mine to typing a name into a telephone field. Depending on this, I can gauge how much effort was put into validation and sanitization.

  5. Reflected user input

    Related to the point above, how does the application display user input back to the user? If I type HTML characters into a search box that are then displayed on the results page, are they HTML encoded? Django 1.0 takes care of this by autoescaping template output, for example, but other frameworks don't. Even with autoescaping, anything a developer marks safe (the `|safe` filter or `mark_safe`) and anything placed inside a script block or an unquoted attribute still needs context-specific encoding, so I check those spots by hand.
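The server-side counterparts of items 2 to 5, as an added Python example that is not part of the original post: generic error responses with the trace kept in a server log, a file parameter resolved and checked against a base directory, a global record id checked for ownership, a telephone field validated, and a reflected search term HTML-escaped. `BASE_DIR`, `RECORDS`, `SERVER_LOG` and the helper functions are hypothetical names chosen for this example; the files and records are constructed inline so it runs offline.

```python
import html
import re
import tempfile
import traceback
from pathlib import Path
from urllib.parse import unquote

# Constructed: a temporary directory standing in for the application's file store.
BASE_DIR = Path(tempfile.mkdtemp())
(BASE_DIR / "reports").mkdir()
(BASE_DIR / "reports" / "q1.txt").write_text("quarterly report")

# Constructed: records owned by different users, keyed by a global numeric id.
RECORDS = {
    101: {"owner": "alice", "body": "alice's invoice"},
    102: {"owner": "bob", "body": "bob's invoice"},
}

# Hypothetical stand-in for the server log; the trace goes here, never to the client.
SERVER_LOG = []

PHONE_RE = re.compile(r"\+?[0-9 ()-]{7,20}")


def error_response(exc: Exception) -> str:
    """Item 2: log the full trace server-side, return only a generic message."""
    SERVER_LOG.append("".join(traceback.format_exception(type(exc), exc, exc.__traceback__)))
    return "Something went wrong. Please try again later."


def resolve_user_file(name: str) -> Path:
    """Item 3: a file name from a URL parameter must stay inside BASE_DIR.

    Decode the parameter once, resolve '..' segments and symlinks, then check
    containment. Absolute paths and '..' escapes both fail the relative_to check.
    """
    candidate = (BASE_DIR / unquote(name)).resolve()
    try:
        candidate.relative_to(BASE_DIR.resolve())
    except ValueError:
        raise PermissionError(f"path escapes base directory: {name!r}")
    return candidate


def fetch_record(current_user: str, record_id: int):
    """Items 3 and 4: a global id is acceptable only if ownership is checked on every access.

    'Missing' and 'not yours' get the same response so the id space cannot be
    mapped by comparing error messages.
    """
    record = RECORDS.get(record_id)
    if record is None or record["owner"] != current_user:
        return None
    return record["body"]


def validate_phone(value: str) -> bool:
    """Item 4: reject a name typed into a telephone field before it reaches storage."""
    return PHONE_RE.fullmatch(value.strip()) is not None


def render_search_results(query: str, hits: int) -> str:
    """Item 5: reflect the search term only after HTML-escaping it."""
    return f"<p>{hits} results for <b>{html.escape(query)}</b></p>"


if __name__ == "__main__":
    try:
        1 / 0
    except ZeroDivisionError as exc:
        print(error_response(exc))
    print(resolve_user_file("reports%2Fq1.txt").read_text())
    print(fetch_record("alice", 102))
    print(validate_phone("Bob Smith"))
    print(render_search_results("<script>alert(1)</script>", 0))
```

The traversal check resolves both sides before comparing, which is what makes it hold up on hosts where the temp directory is itself a symlink; decoding exactly once keeps a `%2e%2e%2f` sequence from slipping past a check that only looked at the raw string.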

If the developers haven’t thought about these few things, it will be painfully obvious. If they have, I know that it’s going to be more difficult to find problems and they will usually be *logic errors* or *infrastructure issues*.