A web application is an application that uses an internet browser as the client. Examples include Gmail, Amazon, Facebook, LinkedIn, etc. Web applications are popular because web browsers are so common, which allows for relatively simple distribution and updates. Essentially, a web application can be run on any device with a web browser. However, the universality of the web browser poses a threat to the security of web applications. In 2013, 33% of disclosures were due to web application vulnerabilities. The most common risks to web application security include cross-site scripting (XSS), SQL injection, broken authentication and session management, and security misconfiguration. There are many challenges to developing a secure web application, and often security is not a top priority during development. In addition, the ubiquity of the web browser as a client and the relative convenience of web application development can attract less experienced developers. However, there are best practices that can guard against some of the most common security threats. The following guidelines ...should be followed??
Authentication commonly involves a login screen requesting a username and password to determine whether the user is who he or she claims to be. An attack on authentication could involve repeatedly attempting to log in by guessing common passwords. A defense against this type of attack is to lock out the user after a given number of failed attempts. Additionally, if an account is locked due to failed logins, a notification should be sent to a system administrator. Passwords, and ideally usernames as well, should be sufficiently difficult to guess. The application should enforce a minimum and maximum length for passwords. NIST considers passwords shorter than 10 characters to be weak. The Open Web Application Security Project (OWASP) recommends a maximum password length of 128 characters. In addition to length requirements, the application should also enforce password complexity. These requirements should be explicitly stated on the password creation and change pages. Strong passwords contain at least three of the following five character classes: lower case characters, upper case characters, numbers, punctuation, and "special" characters. The application should implement a password expiration policy, with more critical applications requiring a shorter expiration period. If a user forgets a password, the password should be reset rather than recovered, and authentication should be required again after the reset. Emailing passwords should be avoided. The login page and all authenticated pages must be accessed over TLS to protect the exchange of data between the client and server.
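The two controls described above, a password policy check (length and character classes) and a failed-login lockout with administrator notification, written as an added example; this is not code from the original text. The length bounds (10 and 128) and the "three of five classes" rule come from the text; the lockout threshold of 5 attempts, the 15-minute lockout window, and the `LoginGuard`/`notify_admin` names are assumptions.

```python
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set

# Policy values taken from the text: NIST treats passwords shorter than 10
# characters as weak, OWASP recommends a 128-character maximum, and a strong
# password contains at least three of five character classes.
MIN_LENGTH = 10
MAX_LENGTH = 128
MIN_CLASSES = 3

# Assumed values: the text only says "a given number of failed attempts".
MAX_FAILED_ATTEMPTS = 5
LOCKOUT_SECONDS = 15 * 60

_PUNCTUATION = set("!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~")


def character_classes(password: str) -> Set[str]:
    """Return the set of character classes present in the password.

    Classes: lower, upper, digit, punctuation, and special (anything else,
    e.g. whitespace or non-ASCII symbols)."""
    classes: Set[str] = set()
    for ch in password:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        elif ch in _PUNCTUATION:
            classes.add("punctuation")
        else:
            classes.add("special")
    return classes


def password_policy_errors(password: str) -> List[str]:
    """Return the list of policy violations; an empty list means the password
    is acceptable. The messages are what the creation/change page shows."""
    errors: List[str] = []
    if len(password) < MIN_LENGTH:
        errors.append(f"shorter than {MIN_LENGTH} characters")
    if len(password) > MAX_LENGTH:
        errors.append(f"longer than {MAX_LENGTH} characters")
    if len(character_classes(password)) < MIN_CLASSES:
        errors.append(f"fewer than {MIN_CLASSES} of 5 character classes")
    return errors


@dataclass
class LoginGuard:
    """Tracks failed logins per username and locks the account after
    MAX_FAILED_ATTEMPTS, notifying an administrator when that happens."""
    notify_admin: Callable[[str, str], None]
    failures: Dict[str, int] = field(default_factory=dict)
    locked_until: Dict[str, float] = field(default_factory=dict)

    def is_locked(self, username: str, now: float = None) -> bool:
        now = time.time() if now is None else now
        return self.locked_until.get(username, 0.0) > now

    def attempt(self, username: str, check: Callable[[], bool], now: float = None) -> str:
        """Run one login attempt. `check` verifies the supplied password and is
        only called when the account is not locked. Returns "ok", "failed" or
        "locked"."""
        now = time.time() if now is None else now
        if self.is_locked(username, now):
            return "locked"
        if check():
            self.failures.pop(username, None)  # success resets the counter
            return "ok"
        count = self.failures.get(username, 0) + 1
        self.failures[username] = count
        if count >= MAX_FAILED_ATTEMPTS:
            self.locked_until[username] = now + LOCKOUT_SECONDS
            self.failures.pop(username, None)
            self.notify_admin(username, f"account locked after {count} failed logins")
            return "locked"
        return "failed"
```

`attempt` takes the password check as a callable so that a locked account short-circuits before any credential is verified; the administrator notification is a callback so the same guard can log, email, or page depending on deployment.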
Proper password storage involves applying a one-way hash to each password before it is stored, together with a salt. A salt is a non-secret value that causes identical passwords to hash to different values. ...