I have developed a web application using zend framework, mysql, and other client side technologies like javascript, jquery ajax, kendo grid, and so on.
I have completed development and have done several rounds of testing to make sure the functional part is correct.
Now I would like to check for the vulnerabilities in my application – vulnerabilities such as
* sql injection
* ajax vulnerabilities
* others
which I don’t know of. I would like to ask you guys how to check this and make the application secure. What methods should I use to secure my application?
You have a few options, but before you delve in to them I’d take a very good look at the Open Web Application Security Project. OWASP has some brilliant documents and guidelines.
Personally, I’d begin by conducting a full and proper code review. Rather than checking for traditional issues, take a strong look at Secure Coding practice. (Once again, OWASP has some guidelines for this)
Things such as sanitisation checking, use of eval() and so on. From here you should be able to gain some insight – if only from looking at your code from a different point of view.
You could also do some static source code analysis which may pick up some of the above issues; however these shouldn’t be the only form of source code analysis you do. It is a very good complimentary approach for a full and proper code review however. OWASP maintains a list of such tools here.
Once you’ve gained some confidence in the source code, you can begin to have a little fun! This is where ‘black box’ techniques, such as fuzzing come in to play.
I recommend using something like the Zed Attack Proxy (ZAP) – give your application a good browse, preferably locally if you’re on a shared host – or have a server that has critical applications running/is maintained elsewhere.
Try and use every bit of functionality in your site using this proxy. What this proxy can be used for, is check that any client facing parameters can’t be given malicious input that will cause a security risk. However, what this proxy can actually do is much more – and it’s worth digging in to the docs and looking at some of the advanced features.
If this still returns nothing then security really becomes an ongoing task:
- Checking error logs for suspicious entries (third parties using fuzzers, scanners or otherwise doing “peculiar” things.
- Internal Server Errors – can be a sign that someone is trying something
- Server load logs, for DoS attacks and so on.
- Keeping up to date with the security releases regarding any dependencies you’re using
Not to overplay OWASP, as I’ve referred to them numerously in this answer – but it truly is a great project, and something I think every web developer should look in to.
It’s also worth pointing out that security should be a concern as soon as the project is conceived, and if you don’t take secure coding in to account when you begin – you may have a nightmare when you’re trying to retrospectively secure an application.
Good luck!