Thursday, March 26, 2009

Identify security gaps with Tamper Data

How secure is your application? Why not perform a security audit yourself? Tamper Data is a very helpful Firefox add-on for identifying security gaps your applications may have. Do you really think your hidden form fields are safe? Do you think your select list data can't be altered? Basically, all data exposed to the browser context can be altered by the end user.

Advantages of Tamper Data

  • Tamper Data will show you how easily your data can be attacked. Every POST parameter can be altered, including hidden fields and select list values.
  • Tamper Data helps emphasize the data you must secure from a malicious user. Are you exposing any identifier values within the browser context? Look for these primary key values; you may find them in edit or search result screens. If you do expose sensitive keys, a malicious user may alter them while searching for sensitive data.
  • Tamper Data makes it very easy for developers to quickly test an application against cross-site scripting (XSS) and SQL injection attacks.
  • QA can also leverage Tamper Data to identify security gaps. This is not a very common practice, and Tamper Data can simplify the effort.
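The defensive counterpart to the points above, as an added example that is not code from the original post: the server re-derives every value a user could have edited with Tamper Data (a hidden price field, a select list value, an exposed record id) instead of trusting the POST body. The catalog, record owners and POST bodies are constructed for illustration.

```python
# Added example, not code from the original post: server-side re-validation of
# the POST parameters Tamper Data lets a user alter (hidden fields, select list
# values, exposed primary keys). Catalog, records and POST bodies are constructed.

CATALOG = {"sku-100": 2500, "sku-200": 999}      # sku -> price in cents (server truth)
RECORDS = {41: "alice", 42: "alice", 77: "bob"}  # record id -> owner
ALLOWED_SHIPPING = {"standard", "express"}       # the only <option> values rendered


class TamperedRequest(Exception):
    """Raised when a posted value does not match what the server rendered."""


def validate_order(post, session_user):
    """Re-derive every security-relevant value instead of trusting the form.
    post: parsed POST body (str -> str). session_user: taken from the
    server-side session, never from a form field."""
    sku = post.get("sku", "")
    if sku not in CATALOG:
        raise TamperedRequest(f"unknown sku {sku!r}")
    # Hidden field: the posted 'price' is ignored; the price is looked up
    # server-side, so editing the hidden input changes nothing.
    price = CATALOG[sku]
    # Select list: accept only the options the server actually rendered.
    shipping = post.get("shipping", "")
    if shipping not in ALLOWED_SHIPPING:
        raise TamperedRequest(f"shipping {shipping!r} not offered")
    # Exposed identifier: parse strictly, then check ownership against the
    # session, so pointing the id at another user's record is rejected.
    try:
        record_id = int(post.get("record_id", ""))
    except ValueError:
        raise TamperedRequest("record_id is not an integer") from None
    if RECORDS.get(record_id) != session_user:
        raise TamperedRequest(f"record {record_id} not owned by {session_user}")
    return {"sku": sku, "price": price, "shipping": shipping, "record_id": record_id}


def rejected(post, session_user):
    """True when validate_order refuses the POST body."""
    try:
        validate_order(post, session_user)
    except TamperedRequest:
        return True
    return False


# Constructed POST bodies: what the form rendered, then three tampered copies.
HONEST = {"sku": "sku-100", "price": "2500", "shipping": "standard", "record_id": "41"}
TAMPERED_PRICE = dict(HONEST, price="1")            # hidden field edited
TAMPERED_SELECT = dict(HONEST, shipping="free")     # select value not offered
TAMPERED_ID = dict(HONEST, record_id="77")          # someone else's record
```

Note that the honest and price-tampered requests produce the same order, because the server never reads the hidden field at all.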


How to set up Tamper Data

  1. From within Firefox, download Tamper Data.
  2. After the download is complete, you may access the Tamper Data screen from either the Tools menu or the View menu:

    (Screenshots: accessing Tamper Data from the Tools menu, and from the View menu's Sidebar submenu.)
  3. Start Tamper Data by clicking the "Start Tamper" button (screenshot: the Start Tamper button).
  4. You can now test your application for any gaps. You may tamper with any POST parameter values that appear in the right pane (screenshot: the Tamper screen).

Alright, so what are a few strategies for securing our data? In my next post I will discuss a few defensive programming practices to help secure your sensitive data. I'll also expose a JSTL gap that leaves you vulnerable to XSS attacks.

Thursday, March 12, 2009

Prefer CSS-based designs

Are you leveraging the full potential of CSS? Traditionally, table-based layouts were the standard for structuring content. CSS provides many advantages that we should be leveraging today. In short, table-based designs should forever be deprecated.

Advantages for adopting CSS-based designs:

  • CSS-based designs render content better in mobile browsers. With mobile apps on the rise, it is becoming even more important to apply CSS-based designs to your regular browser applications today. Sites designed with CSS layouts offer much better flexibility in how the content is rendered in the UI. For example, given the same content, you may apply a different style for your mobile application than for your non-mobile application.
  • Your pages will have less code and become much easier to read. No more <table>, <tr>, and <td> tags cluttering your content!
  • With less code to maintain, refactoring becomes simpler.
  • Your UI becomes more accessible.
  • Lightweight pages will be more performant.

CSS Books:

  • CSS Mastery:
    • This book was the most valuable for me. It's a quick read and their examples are very good. I typically reference their examples first when looking for solutions.
  • CSS: The Missing Manual:
    • This is also a valuable book. It contains much more content than the prior book and may be targeted at a more introductory audience. Its examples are also good, but I typically reference the CSS Mastery examples first.

CSS Tools:

  • FireBug:
    • Arguably the best tool ever invented for web development. Refer to the FireBug site for its CSS support features. Simply awesome for everything (debugging, JavaScript, CSS)! YSlow is also a helpful FireBug add-on that provides an excellent performance report card.
  • YUI Grids CSS:
    • If you are looking for a CSS framework, this may be of value. Its base and grid styles should help with layout, while its reset style will help put all browsers on an even playing field. Yahoo has a good demo of its features on the YUI Grids home page.