web application attacks and must have defence methods

Question

What is your must have defence methods to common web attacks like XSS, Sql Injection, Denial of Service, etc. ?

Edit : I collected your responses under descriptions from Wikipedia. And I add some extra questions to have a complete reference.

Sql Injection

SQL injection is a code injection technique that exploits a security vulnerability occurring in the database layer of an application. The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and thereby unexpectedly executed. It is an instance of a more general class of vulnerabilities that can occur whenever one programming or scripting language is embedded inside another.

• Do not trust user input and validate it as early as possible.
• Don't build SQL from raw user input - use parameters instead.

Cross Site Scripting (XSS)

Cross-site scripting is a type of computer security vulnerability typically found in web applications which allow code injection by malicious web users into the web pages viewed by other users. Examples of such code include HTML code and client-side scripts. An exploited cross-site scripting vulnerability can be used by attackers to bypass access controls such as the same origin policy.

• Never output or execute user-submitted content verbatim.
• HTML-encode all output.

A denial-of-service attack

A denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS attack) is an attempt to make a computer resource unavailable to its intended users. Although the means to carry out, motives for, and targets of a DoS attack may vary, it generally consists of the concerted, malevolent efforts of a person or persons to prevent an Internet site or service from functioning efficiently or at all, temporarily or indefinitely.

I know it seems impossible to avoid denial-of-service attacks programmatically, but what you think ?

Brute Force Attacks

In cryptanalysis, a brute force attack is a method of defeating a cryptographic scheme by systematically trying a large number of possibilities; for example, a large number of the possible keys in a key space in order to decrypt a message. In most schemes, the theoretical possibility of a brute force attack is recognized, but it is set up in such a way that it would be computationally infeasible to carry out.

• Lock an account whenever too many login attempts went wrong. Never allow unlimited retries.
• Add a delay when the password typed in is wrong.

Some extra questions :

• What do you think about web robots that try to post inputs according to your content ? For example SO is using an image validation.

• What do you think about javascript eval function ?

• Are there a way to access content on server which didn't exposed to outside. For example, I have a page that inserts some important records to my db, and only I know it's url. Is there a way to get this kind of files ? I know you can set some security rules over it.

(NOTE : Directory listing is disabled and I host this files.)

Thanks for the replies !

Answer 1

Your question covers a large scope. I'll try to give you some pointers. If you specify your question more clearly, I can give you some more specific information.

1. Never, ever trust user input. Everything that comes into your application that can be manipulated from the outside, must be validated.
2. Never store passwords in plain text in your database. Store the hash (with salt) only. Calculate the hash on the password the user gave and compare the hashes.
3. Lock an account whenever too many login attempts went wrong. Never allow unlimited retries.
4. When using a product or framework, stay on top of the mailinglist for those products and identify security issues. When your underlying framework has a security bug, have a plan ready to upgrade.
5. When using a database do not allow everyone full access to the database (even if you limit access to the database with stored procedures). If someone only needs to read certain data, do not use an SQL-account that can also modify data.
6. Regarding your question: "Are there a way to access content on server which didn't exposed to outside. For example, I have a page that inserts some important records to my db, and only I know it's url. Is there a way to get this kind of files ? I know you can set some security rules over it."
   You may think that someone cannot access your page simply because they don't know the url. This is security through obscurity and will never work in the long term. The Google index spider will simply try to walk your entire site and index every page it can access. If you have pages with sensitive information, add an authentication and authorization mechanism.

Answer 2

For XSS and SQL injection: never output or execute user-submitted content verbatim.