Security for Web Developers: 16: Best Practices

Blue Security Goddess

You should:

  1. Change the default user name directly in the database.
  2. Put files that contain login credentials outside your webroot.
  3. Don’t allow writable directories. (With details….)
  4. Don’t allow users to upload anything. Sorry.
  5. Avoid toxic data.
  6. Patch like mad.
  7. Use a security notification plugin like Sucuri (and actually pay attention).
  8. Change your username if the crackers find it.
  9. Consider a scanning service, or at the least a scanning plugin.
  10. Understand the particular security controls built into your programming language. (They all have them.)
  11. Don’t write your own security controls, or your own encryption. Never never never.

Security for Web Developers: 14: Burp Suite

Burp Suite

Grand Master Ninja Hacking With Burp Suite

It can seem wildly complex, but it’s actually pretty straightforward to use. There are a lot of tutorials for it, but one of my favorite presenters is Andi Fishta; his videos are very short and get right to the point.

Assignment: Watch the above video. Notice it’s numbered 06 01.

Go to Youtube for the rest: Watch through at least 06 06 (or all of them if you’re eating those two-minutes videos like cookies).

Download Burp Suite. Fire it up. Does your site use passwords? Try some brute force on your login form. Does your site have any kind of inputs? Try automated SQL injection with Burp Suite.


Security for Web Developers: 13: Testing With Hydra

THC Hydra


First, be clear that there is more than one way to password-protect a website or a directory (folder) inside a website. One is to use a database management system to control what everybody sees. Another is to use simple htaccess files to require a password. Regardless, Hydra is an app to brute-force website logins, including just about any service you can get to over the Internet.

Assignment: First, watch this video.

Note that there are more videos in this series. Click the Youtube link to find them there.

There is also a nice tutorial with some insightful comments here:

Get Hydra. Fire it up. Does your site use passwords? Try some brute force on your login form.


Security for Web Developers: 12: Mutillidae


Using Mutillidae

Mutillidae is another pre-built vulnerable web app. It’s highly aligned with the OWASP testing organization (which can take you wildly deep into the world of web app testing). You can install it side-by-side with other web apps by simply putting it in a separate sub-folder. (How does mutillidae/ sound for a name?)

Assignment: Download Mutillidae and set it up on your pen testing machine.


Security for Web Developers: 11: DVWA


Using Local Test Web Apps

You should be testing  your site. If you don’t – or even if you do – other people will. So get familiar with some of the tools of the trade. Use a local website development tool like XAMPP so you can host vulnerable websites on your security testing computer.

Using DVWA

Damn Vulnerable Web App is exactly that: a testing website that’s prebuilt for you, ready to unzip into a folder in your web root. DO NOT run your local web service (like XAMPP) with this web app installed while you are accessible from the Internet. It’s called Damn Vulnerable for a reason. Suggestion: set it up in a virtual machine.

Assignment: Download DVWA and set it up on your pen testing computer.


Security for Web Developers: 10: Defense Strategies

Strategic Defense Initiative

Security Strategy A: Put someone on it full-time.

Security Strategy B: Use a web scanning service or plugin.

  • Does your hosting provider offer a website monitoring service? (For instance, GoDaddy does.)
  • Does your platform offer free or paid monitoring plugins? (WordPress has dozens.)