Quick Tips for Form Submit Security

I never cease to be amazed at the number of supposedly ‘experienced developers’ I encounter who are not familiar with even the basic requirements of building a secure application. I am far from a security expert, but every developer building Web applications should take steps to familiarize themselves with application security.

As an introduction, I’ve jotted down a few tips for securely handling form submits. This obviously doesn’t cover everything (consider this the MINIMUM you should be doing) but these guidelines should give you a good start.

1. Force types on user submitted values. If the field is a number, convert it to a number and only allow valid number values.

2. Limit length on user submitted string values as much as possible.

3. Parse user submitted string values for dangerous characters. Some languages have functions built in for this. If your language doesn’t have built in methods, find a good library like the OWASP Java Encoder Project.

4. Use your language’s version of ‘parameterized queries’ or ‘prepared statements’. Don’t EVER append a user submitted string to a SQL statement through string concatenation.

5. Use password hashing with a current hashing algorithm. MD5 and SHA-1 aren’t good enough. Use a method like bcrypt and properly use salting and stretching.

6. Be careful when displaying information based on IDs or key values passed in through POST or GET parameters. It’s very simple to change these values and trick your system into revealing information that a user should not have access to.

7. NEVER EVER rely on client-side JavaScript to provide any form of security for your application. You would think this would be obvious, but I have been called in to consult on several applications where this was done. (Really, don’t do this…)

8. Bookmark this site: OWASP. This is one of the best resources for learning to build secure web applications. I’ve been following it for almost a decade. Warning: It can be overwhelming to those just starting out with application security. Just take it a step at a time.
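Tips 1, 2, 3, 4 and 6 above all act on the same form submit, so here is one worked handler that applies them together. This is an added example, not code from the original post: the `invoices` table, the sample rows, the field rules and the function names are all assumptions made for the illustration. It forces types and lengths on each submitted value, uses a parameterized query, scopes the lookup to the current user so an edited id cannot reveal someone else’s row, and escapes the stored string only when rendering it as HTML.

```python
import html
import re
import sqlite3

# Constructed in-memory database standing in for the application's real store.
# Table layout and sample rows are assumptions for this example.
conn = sqlite3.connect(":memory:")
conn.execute(
    "CREATE TABLE invoices (id INTEGER PRIMARY KEY, owner TEXT, amount INTEGER, memo TEXT)"
)
conn.executemany(
    "INSERT INTO invoices VALUES (?, ?, ?, ?)",
    [(1, "alice", 120, "consulting"), (2, "bob", 75, "hosting")],
)

# Per-field rules: the type to force and the maximum accepted length (tips 1 and 2).
FIELD_RULES = {
    "invoice_id": {"type": int, "max_len": 10},
    "memo": {"type": str, "max_len": 64},
}

INT_PATTERN = re.compile(r"-?\d+")


class FormError(ValueError):
    """Raised when a submitted value fails validation; the request should be rejected."""


def validate_field(name, raw):
    """Force the declared type and enforce the length limit on one submitted value."""
    rule = FIELD_RULES[name]
    if raw is None:
        raise FormError(f"{name}: missing")
    raw = str(raw)
    if len(raw) > rule["max_len"]:
        raise FormError(f"{name}: too long")
    if rule["type"] is int:
        # Only a plain integer is accepted; "1 OR 1=1", "1e3" and "" are all rejected.
        if not INT_PATTERN.fullmatch(raw):
            raise FormError(f"{name}: not an integer")
        return int(raw)
    return raw


def validate_form(form, fields):
    """Validate every named field; missing or malformed input raises FormError."""
    return {name: validate_field(name, form.get(name)) for name in fields}


def fetch_invoice(conn, current_user, form):
    """Look up an invoice by a submitted id, parameterized and scoped to the caller (tips 4 and 6)."""
    clean = validate_form(form, ["invoice_id"])
    # The owner filter is part of the query itself, so a user who edits the id in the
    # request still only sees their own rows. The values travel as parameters, never
    # through string concatenation.
    row = conn.execute(
        "SELECT id, amount, memo FROM invoices WHERE id = ? AND owner = ?",
        (clean["invoice_id"], current_user),
    ).fetchone()
    if row is None:
        return None
    # Encode at the point of output (tip 3): the memo is shown in HTML, so escape it here.
    return {"id": row[0], "amount": row[1], "memo_html": html.escape(row[2])}


def update_memo(conn, current_user, form):
    """Change a memo; returns the number of rows touched (0 when the id is not the caller's)."""
    clean = validate_form(form, ["invoice_id", "memo"])
    cur = conn.execute(
        "UPDATE invoices SET memo = ? WHERE id = ? AND owner = ?",
        (clean["memo"], clean["invoice_id"], current_user),
    )
    conn.commit()
    return cur.rowcount


if __name__ == "__main__":
    # A memo full of quote characters is stored literally because it is passed as a parameter.
    update_memo(conn, "alice", {"invoice_id": "1", "memo": "O'Brien's \"draft\""})
    print(fetch_invoice(conn, "alice", {"invoice_id": "1"}))
    print(fetch_invoice(conn, "alice", {"invoice_id": "2"}))  # bob's row: None
```

Rejecting the request on `FormError` is deliberate: a value that is not the declared type should never reach the database, even through a parameter.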

Final Tip: Try to use libraries for security functions (from respectable sources, of course … I suppose Microsoft counts as a respectable source). I’ve been working with application security for 15 years and I still don’t consider myself expert enough to attempt to write my own security related code. The ‘bad guys’ are really, really smart and it takes a great deal of expertise to write systems to protect against their constantly evolving attacks.