Security and web apps

One of the things I do on this site is to monitor requests that produce 404 errors. Originally it was for purely personal reasons (I use a URL shortener for many of the URLs I post, so it was a way to check I’d got the URL-lengthening right), but it very quickly became obvious that script kiddies were the main source of 404 errors (one, two, three, etc.). The one that still makes me laugh is the script kiddie trying to access a vulnerability in a long-since-fixed Telerik control on my web site (hello! I’m the CTO for DevExpress!).
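The 404 monitoring described above is a cheap form of detection: a client that requests several paths that have never existed on the site is almost always a scanner rather than a visitor following a stale link. The script below is an added example, not code from the original post; it parses constructed access-log lines in the common combined format, groups the 404s per client address, and flags clients whose distinct missing paths exceed a threshold. The threshold and the list of "probe-like" path hints are assumptions chosen for illustration, not values from the post.

```python
"""Flag scanner-like clients from web-server access logs by their 404 pattern.

Added example, not code from the original post. The log lines are constructed
in Apache/Nginx combined format; MIN_404S and PROBE_HINTS are illustrative
assumptions that a site owner would tune to their own traffic.
"""
import re
from collections import Counter, defaultdict

# One combined-format line: client ip, ident, user, [timestamp], "METHOD path proto", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Substrings that commonly appear in requests for software this site does not run
# (constructed heuristic list; extend from what your own 404 log actually shows).
PROBE_HINTS = ("login", "admin", "wp-", ".env", "phpmyadmin")

# Constructed sample log: one scanner, one ordinary visitor with a stale link, one login hunter.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /wp-login.php HTTP/1.1" 404 153
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /administrator/ HTTP/1.1" 404 153
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /.env HTTP/1.1" 404 153
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 153
198.51.100.2 - - [10/Oct/2023:13:56:01 +0000] "GET /blog/security-and-web-apps HTTP/1.1" 200 8123
198.51.100.2 - - [10/Oct/2023:13:56:02 +0000] "GET /blog/old-shortlink HTTP/1.1" 404 153
192.0.2.9 - - [10/Oct/2023:13:57:10 +0000] "GET /login HTTP/1.1" 404 153
192.0.2.9 - - [10/Oct/2023:13:57:11 +0000] "GET /login.aspx HTTP/1.1" 404 153
192.0.2.9 - - [10/Oct/2023:13:57:12 +0000] "GET /admin HTTP/1.1" 404 153
"""


def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["status"] = int(rec["status"])
            records.append(rec)
    return records


def not_found_by_client(records):
    """Map each client ip to a Counter of the paths it requested that returned 404."""
    per_ip = defaultdict(Counter)
    for r in records:
        if r["status"] == 404:
            per_ip[r["ip"]][r["path"]] += 1
    return per_ip


def flag_scanners(text, min_404s=3):
    """Return {ip: summary} for clients with at least `min_404s` distinct missing paths.

    A single 404 (a stale shortlink, a typo) is normal traffic and is not flagged;
    several distinct missing paths from one address is the scanner signature.
    """
    per_ip = not_found_by_client(parse_log(text))
    flagged = {}
    for ip, paths in per_ip.items():
        if len(paths) >= min_404s:
            probe_like = sorted(
                p for p in paths if any(h in p.lower() for h in PROBE_HINTS)
            )
            flagged[ip] = {"distinct_404s": len(paths), "probe_like_paths": probe_like}
    return flagged


if __name__ == "__main__":
    for ip, info in sorted(flag_scanners(SAMPLE_LOG).items()):
        print(f"{ip}: {info['distinct_404s']} distinct 404s, probe-like: {info['probe_like_paths']}")
```

Run against a real log, the interesting output is not the flagged addresses (they change daily) but the paths they ask for: that list tells you which software the scanners assume you run, and confirms that none of it is actually reachable on your site.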

I just read a pretty fascinating blog post by Steve Hanov – I found Security Vulnerability in your web application – which talks about getting an email from some “security consultant” saying that they’d found a security issue with his website. Pay some bounty and they’d tell you what it was. His post goes on to discuss various vulnerabilities for web apps and how you can mitigate them.

For me, there was one item that rang true: “Protect secret web urls”. Yep, try to go to the login page for this site and you’ll find it has been replaced by a Lorem Ipsum page. The login page has been renamed to a random-character name instead, and it won’t be long before all “login-required” pages and functionality are gone, replaced with an app I run on my laptop. In essence, the web app will just serve web pages; the admin stuff will only be available via a Windows app.

Anyway, do check out Steve’s blog post if you’re running a publicly-visible web app.
