#1
Looking for a good starting point to learn practical web security

Hi,

I am a fairly experienced programmer (normal and web) and a decent mathematician (I know university level calculus, algebra, etc. and like it). I am now trying to set up a site that requires user authentication and am looking for a place to start.

Here's the thing. Wherever I go, I get either 1) extremely basic info that I already know (check user input, don't execute user input in scripts, etc.) or 2) info on cryptography that is understandable, but seems like overkill (e.g. cryptography algorithms, cyphers, etc.). While I know that cyphers, keys, etc. are needed and are at the core, I would expect that stuff to have been "done" by someone else and available somewhere in a library or something. Am I correct in this belief? Or is the only way to learn this stuff to read such texts?

I need a practical guide to setting up an authentication system, some basic problems, etc. Can anyone help?

Thanks

PS Sorry if this has been mentioned before, but I don't have a proper word to define my problem (therefore, I don't know what to search for)
#2
You'd be best off reading up about it in a dummies-style way and then setting about implementing it yourself in how you think it should be done.
I recommend Bruce Schneier's book "Secrets and Lies" for a good grounding in most protocols etc. from a simple point of view.
__________________
~James
#3
What language?
#4
Quote:
#5
Quote:
I'm a C++ guy (I'm probably gonna use that with CGI to do most of the work). That's not much of an issue though (I'm not looking for specific APIs, that should be easy enough to google). I need a book that would show me my different options and help me choose between them. For example, with regard to authentication, should I use cookies? Should I have the client send user name and pass on every page? Should I use hashes? (<- this one is probably a yes) Should I use tokens?

LinuxPenguin: Does the book you mentioned cover such topics?
#6
Quote:
The book is a simply-explained outline that doesn't cover it in depth, it just explains how it works on a simple level, e.g. "your password is then sent to the Kerberos server for inspection", etc. It will give you an idea of what to do, but nothing about how to do it. A good read.
#7
I don't think there's much people can really tell you apart from the following guidelines (I'd call them rules, but not everyone follows them):

- NEVER, ever trust any user input, always validate or escape them before using them. (Yes, I know you already read this, but read the next one, and you'll see why I say this)
- Know your functions. A great example of this is the open() function in Perl, which you can use to read a file, but if the file that you're opening is based on user input, then a pipe could be used to force the server to execute arbitrary commands.
- Know thy enemy. Do your best to learn of common attacks on applications written in your language, and also try and keep up to date with exploits written for applications similar to yours, and if it's a new method/attack do your best to audit and patch your application.

Firstly I'm going to mention that most of my web development experience is with PHP, so take what you get from me with a pinch (or tablespoon, however much you want) of salt.

Now onto basic authentication. Firstly, while cookies are useful, don't store user credentials in them (because cookies can be stolen, and while you may write your application very well and no XSS flaws exist in it, spyware will probably collect cookies); store a session ID (and preferably some kind of other hash/string which will act as a session password so that doing an exhaustive search of the session ID isn't possible; this piece of information could be anything from the browser name, the IP of the user, or a random associated string, but something that will stay constant for the user), because if your site starts getting a lot of visitors (let's say 10,000 concurrent users) and it is only possible to have say 100,000,000 possible session IDs then there's a 1/10000 chance that any ID they try will be correct, and while that's still a large number, it's still a very feasible number to do an exhaustive search of....

I'm not sure how much research you've done, but most methods that people use to stop security holes are generally in response to a new attack/method, so I believe that knowing those is as important (if not more so) as reading about common ideas on how to implement a system. As to what common attacks against web applications exist, the most common are XSS (Cross Site Scripting), SQL Injection (if you're using a database), and CSRF (Cross Site Request Forgeries); read up on those and you'll be fairly set....

On a closing note: think of the attacks that are possible against your script, and think of what you can do to either minimise the damage or remove the attack entirely, but try not to be over-zealous in it and get your users extremely annoyed, unless you need to.....

[EDIT]: As to books, well, most of them will be language specific, since most languages have different methods which will be easier to implement in them than another method, and any book that tries to be general enough for all languages will probably not give you enough detail for what you want, e.g. as a PHP developer I don't need to know about buffer overflows since the PHP engine handles those for me, but if you're writing web apps in C++ then you will definitely need to know about them.....

Last edited by kuza55 : December 24th, 2005 at 11:19 PM.
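An added illustration of kuza55's session-ID point (example code written for this thread, not something any poster supplied): it works the guessing odds for the 10,000-user / 100,000,000-ID case against a 128-bit ID drawn from the OS CSPRNG, and sketches a server-side store that keeps only a hash of each ID and checks the extra "binding" string the post suggests. The `SessionStore`, `guess_hit_probability` and `expected_guesses` names and the in-memory dict are assumptions made for the demo.

```python
# Added example for this thread: how large the session-ID space must be before
# blind guessing stops being feasible, and a server-side store whose cookie
# value is an opaque 128-bit random ID. Names and the in-memory dict are
# assumptions made for the demo, not any poster's code.
import hashlib
import hmac
import secrets
from typing import Dict, Optional

def guess_hit_probability(live_sessions: int, id_space: int) -> float:
    """Chance that a single blind guess lands on any currently live session."""
    return live_sessions / id_space

def expected_guesses(live_sessions: int, id_space: int) -> float:
    """Mean number of blind guesses before the first hit (geometric)."""
    return 1.0 / guess_hit_probability(live_sessions, id_space)

class SessionStore:
    """The cookie carries only a random ID; user data never leaves the server."""

    ID_BYTES = 16  # 128 bits of os.urandom-backed randomness per session

    def __init__(self) -> None:
        # Keyed by SHA-256 of the ID, so a leaked copy of this table does not
        # hand out usable cookies (constructed in-memory store for the demo).
        self._sessions: Dict[str, Dict[str, str]] = {}

    @staticmethod
    def _key(session_id: str) -> str:
        return hashlib.sha256(session_id.encode()).hexdigest()

    def create(self, user: str, binding: str) -> str:
        """'binding' is the post's extra constant, e.g. the User-Agent header."""
        session_id = secrets.token_urlsafe(self.ID_BYTES)
        self._sessions[self._key(session_id)] = {"user": user, "binding": binding}
        return session_id

    def lookup(self, cookie_value: str, binding: str) -> Optional[Dict[str, str]]:
        """Return the session's data, or None for an unknown ID or wrong binding."""
        data = self._sessions.get(self._key(cookie_value))
        if data is None:
            return None
        # Constant-time compare: no timing hint about how close a guess was.
        if not hmac.compare_digest(data["binding"].encode(), binding.encode()):
            return None
        return {"user": data["user"]}
```

With a 128-bit random ID the binding adds almost nothing against guessing, but it still limits replay of a stolen cookie from a different client; binding to the client IP, as the post also suggests, breaks for users behind changing proxies.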
#8
Thanks a lot.

If I had rep points, I'd give them (how do u get those anyways?) The info you gave was pretty good. I've seen the terms (XSS, etc.) you mentioned in some books. I guess I'll read them in detail now. You know of any resource that would give more info like that? (If there are no good sources and I should focus on trial and error, please tell me so I stop wasting my time looking) I'd still like a book/site/anything that would give a nice overview of what can be done (basically, more of what you have in more detail). If anyone knows of anything please tell me. If not, STFU will also work =)
#9
The OWASP Guide is a great introduction, but as I hinted at above, it's highly language specific. As always, filter input and filter output and don't trust your users.

The best guide on SQL injection is here, CSRF and XSS aren't as much of a danger yet (but they are picking up steam & there have been a few recent incidents affecting big sites like Google and MySpace).

--Simon
#10
Quote:
CSRF is still slightly obscure, and hard to defend against, very hard sometimes. XSS ones are definitely picking up, especially in their usage. But as to them being a danger or not, they aren't as dangerous as SQL injection flaws where attackers can create shells on your server by dumping some code into a PHP file in your webserver directory, and they can not be used to directly harm your server, but they can be used to compromise (sometimes privileged) accounts (XSS) or make them perform actions (CSRF) which they wouldn't normally perform, such as grant someone else privileges....

I'm going to have to do some looking into this myself but just in case; are there any good resources about the use of XMLHttpRequest in XSS/CSRF exploits/attacks?

And I just realised that since the site you're injecting code into is a trusted site, you could just as easily inject ActiveX objects, or Java applets and the user will probably run them since s/he trusts your site.....

[EDIT]: Oh, I almost forgot, I wanted to say that a lot of big sites still are vulnerable (I know because I have done some looking, and big sites generally don't want to listen to your advice and will implement half baked solutions....anyway, that's a rant for another day), and thanks for the linkies Simon. And if you choose to use PHP then the guide here: http://shiflett.org/php-security.pdf will help, otherwise it isn't that great.....

Last edited by kuza55 : December 25th, 2005 at 05:14 AM.
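For Simon's "filter output" advice and the XSS/CSRF discussion above, an added example (not from any poster) of the two standard server-side defences: HTML-escaping every user-controlled value on output, and a per-session random CSRF token that every state-changing form must echo back. The handler names, the plain-dict `session` and the form field names are assumptions made for the demo.

```python
# Added example for this thread: output escaping against XSS plus a
# per-session synchronizer token against CSRF. The session is a plain dict
# and the handler/form names are assumptions made for the demo.
import hmac
import html
import secrets
from typing import Dict, Optional, Tuple

def issue_csrf_token(session: Dict[str, str]) -> str:
    """Create the session's random token once and reuse it in every form."""
    if "csrf" not in session:
        session["csrf"] = secrets.token_urlsafe(32)  # 256 bits from os.urandom
    return session["csrf"]

def csrf_token_valid(session: Dict[str, str], submitted: Optional[str]) -> bool:
    """A forged cross-site POST cannot read the token, so it cannot echo it."""
    expected = session.get("csrf")
    if expected is None or submitted is None:
        return False
    # Constant-time comparison: no timing hint about how many bytes matched.
    return hmac.compare_digest(expected.encode(), submitted.encode())

def render_profile_form(session: Dict[str, str], display_name: str) -> str:
    """Output filtering: every user-controlled value is escaped on the way out."""
    token = issue_csrf_token(session)
    return (
        '<form method="post" action="/profile">'
        f'<input type="hidden" name="csrf" value="{html.escape(token)}">'
        f'<input name="display_name" value="{html.escape(display_name)}">'
        '<button>Save</button></form>'
    )

def handle_profile_post(session: Dict[str, str],
                        form: Dict[str, str]) -> Tuple[int, str]:
    """State-changing request: refuse it unless the session's token came back."""
    if not csrf_token_valid(session, form.get("csrf")):
        return 403, "missing or wrong CSRF token"
    session["display_name"] = form.get("display_name", "")
    return 200, "saved"
```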
#11
Thanks a lot! Very good info.

The OWASP guide is amazing. I got the start I needed
Viewing: Dev Shed Forums > System Administration > Security and Cryptography > Looking for a good starting point to learn practical web security