Application

Client Input Filtering Practices

Client input filtering is needed to prevent specific attacks.

Cross Site Scripting (XSS)

Cross-site scripting vulnerabilities allow attackers to take advantage of web server scripts (written in languages such as PHP, ASP, .NET, Perl or Java) that do not adequately filter data sent along with page requests, and so to inject JavaScript or HTML code that is executed in the client-side browser. These flaws occur anywhere a web application uses input from a user in the output it generates without validating it. Any variable that comes from a user, or from a source you do not control, needs to be validated. The malicious code will appear to come from your web application when it runs in the browser of an unsuspecting user.

Note: SSL connectivity does not protect against this issue.

Best practices for prevention

In general, the following practices should be followed while developing dynamic web content:

  • Audit the affected URL and other similar dynamic pages or scripts that could be relaying untrusted malicious data from the user input.
  • If you are displaying user supplied input, the data should be displayed by a function that either escapes or converts the data into appropriate HTML.
  • Explicitly set the character set encoding for each page generated by the web server
  • Identify special characters
  • Encode dynamic output elements
  • Filter specific characters in dynamic elements
  • Examine cookies
  • For ASP.NET applications, the validateRequest attribute can be added to the page or the web.config. For example:
<>·

OR

 <system.web>
        <pages validateRequest="true" />
 </system.web>
  • Dynamic content should be HTML encoded using HTML::Entities::encode or Apache::Util::html_encode (when using mod_perl).
  • For PHP applications, input data should be validated using functions such as strip_tags and utf8_decode.
  • For Perl applications, input data should be validated using regular expressions whenever possible.
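
The practices above (filter characters in dynamic elements, encode dynamic output, set the character set explicitly), shown together as an added example that is not part of the original page. It is written in Python rather than the languages the page names; the function names, the `NAME_RE` allow-list and the sample inputs are assumptions constructed for illustration.

```python
import html
import re

# Hypothetical allow-list for a display name: letters, digits, space, . _ -
NAME_RE = re.compile(r"[A-Za-z0-9 ._-]{1,64}")

def render_unsafe(name):
    """The flaw described above: user input copied into the output as-is."""
    return '<input name="q" value="' + name + '"><p>Hello, ' + name + '</p>'

def render_encoded(name):
    """Encode every dynamic element on output.

    html.escape(quote=True) converts & < > " ' to entities, so the value
    can neither close the attribute nor open a new tag.
    """
    safe = html.escape(name, quote=True)
    return '<input name="q" value="' + safe + '"><p>Hello, ' + safe + '</p>'

def build_response(name):
    """Return (headers, body) with an explicit character set on the page."""
    headers = {"Content-Type": "text/html; charset=utf-8"}
    if not NAME_RE.fullmatch(name):
        # Input filter: a value outside the expected pattern is not
        # reflected back to the browser at all.
        return headers, "<p>Invalid name.</p>"
    return headers, render_encoded(name)

# Constructed sample inputs (not taken from the page).
BENIGN = "Ada Lovelace"
HOSTILE = '"><script>alert(1)</script>'

if __name__ == "__main__":
    print(render_unsafe(HOSTILE))    # markup reaches the browser intact
    print(render_encoded(HOSTILE))   # markup arrives as inert text
    print(build_response(BENIGN))
    print(build_response(HOSTILE))
```

The filter and the encoder are independent layers: `render_encoded` stays safe even for values that the filter would have accepted.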

SQL Injection

Web applications that do not properly sanitize user input before passing it to a database system are vulnerable to SQL injection. This could potentially allow a malicious user to read and/or modify any data that the application has access to.

Best Practices for Prevention

  • Ensure that the script properly validates user input before passing it to the underlying database system.
  • Avoid accessing external interpreters wherever possible.
  • Use bind variables wherever possible. If not, escape all user variables.
  • Use pattern matching to verify user input is an expected value.
  • Limit access to the web account that is accessing the database.
  • Use procedures to insert records and update data; do not give the application direct access to the tables.
  • Limit application to READ-only access where possible.
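
Bind variables, pattern matching and read-only access from the list above, as an added example that is not part of the original page. It uses Python's `sqlite3` module with an in-memory database; the `users` table, its rows, the `USERNAME_RE` format and the sample inputs are assumptions constructed for illustration.

```python
import re
import sqlite3

USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{0,31}")  # assumed account-name format

def make_db():
    """Build a constructed in-memory table, then make the connection read-only."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, email TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "alice@example.edu"), ("bob", "bob@example.edu")])
    db.commit()
    db.execute("PRAGMA query_only = ON")  # lookups never need to write
    return db

def lookup_concat(db, name):
    """Flawed form: the input is pasted into the SQL text and parsed as SQL."""
    sql = "SELECT email FROM users WHERE name = '" + name + "'"
    return [row[0] for row in db.execute(sql)]

def lookup_bound(db, name):
    """Bind variable: the statement is fixed, the input travels as data only."""
    return [row[0] for row in
            db.execute("SELECT email FROM users WHERE name = ?", (name,))]

def lookup_checked(db, name):
    """Pattern-match the input first, then query with a bind variable."""
    if not USERNAME_RE.fullmatch(name):
        raise ValueError("user name is not in the expected format")
    return lookup_bound(db, name)

def write_is_blocked(db):
    """Return True if this connection refuses a data-modifying statement."""
    try:
        db.execute("DELETE FROM users")
    except sqlite3.OperationalError:
        return True
    return False

# Constructed sample inputs.
BENIGN = "alice"
HOSTILE = "x' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print(lookup_concat(db, HOSTILE))  # every row: the input changed the query
    print(lookup_bound(db, HOSTILE))   # no rows: the input was compared as a value
    print(write_is_blocked(db))
```

On a production database the read-only limit belongs in the privileges granted to the web account; the `PRAGMA` here stands in for that on SQLite.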

Mobile Devices

Mobile devices are not always designed with security in mind and, as a result, are not as secure as most computers.

There are a number of ways in which information on a mobile device may be breached: theft of the device, attacks on your service provider, wireless hijacking or "sniffing", and unauthorized access. Because mobile devices may be more easily stolen or compromised, users of these devices must take precautions when using them to store or access Private or Confidential information. 

Private Information and Mobile Device Use

We recommend that Private Information NOT be accessed from or stored on mobile devices. If Private Information must be accessed from or stored on a mobile device, then the information on the mobile device must be encrypted. Password protection alone is NOT sufficient.

To ensure that RIT information will remain secure, you should use only devices that provide encryption while information is in transit and at rest. 

Security requirements for handling RIT Private, Confidential, and other information may be found in the Information Access and Protection Standard.

General Guidelines for Mobile Device Use at RIT

Understand your device

  1. Configure mobile devices securely. Depending on the specific device, you may be able to:
    1. Enable auto-lock. (This may correspond to your screen timeout setting).
    2. Enable password protection.
      1. Use a reasonably complex password where possible.
      2. Avoid using auto-complete features that remember user names or passwords. You may want to use a password safe application where available.
    3. Ensure that browser security settings are configured appropriately.
    4. Enable remote wipe options (third party applications may also provide the ability to remotely wipe the device; if you're connecting to mymail.rit.edu with ActiveSync for email and calendaring, you may wipe all data and applications from your device remotely from mymail.rit.edu).
  2. Disable Bluetooth (if not needed). This will help prolong battery life and provide better security.
  3. Ensure that sensitive websites use https in your browser URL on both your computer and mobile device.
  4. Know your mobile vendor's policies on lost or stolen devices. Know the steps you need to take if you lose your device. Report the loss to your carrier ASAP so they can deactivate the device.

Use added features

  1. Keep your mobile device and applications on the device up to date. Use automatic update options if available.
  2. Install an anti-virus/security program (if available) and configure automatic updates if possible. Like computers, mobile devices have operating systems with weaknesses that attackers may exploit.
  3. Use an encryption solution to keep portable data secure in transit and at rest. WPA2 is encrypted. 3G encryption has been cracked. Use an SSL (https) connection where available.

General tips

  1. Never leave your mobile device unattended.
  2. Report lost or stolen devices and change any passwords (such as RIT WPA2) immediately.
  3. Include contact information with the device:
    1. On the lock screen (if possible). For example, "If found, please call RIT Public Safety at 585-475-2853."
    2. Engraved on the device.
    3. Inserted into the case.
  4. For improved performance and security, register your device and connect to the RIT WPA2 network where available.

Mobile Device Disposal

Use appropriate sanitization and disposal procedures for mobile devices. Some suggestions can be found from:

 
