While developing and deploying an application, the developer should work through a checklist to secure it against attackers. With the help of automation, attackers now easily find security bugs in software, and these can be high-severity vulnerabilities where the attacker can take control of the whole application and its user data.

The following are some ways to prevent your application from getting HACKED

  • Use the HTTPS protocol, because it gives end-to-end encryption so no one can sniff your network traffic and analyse your requests.
  • Redirect HTTP requests to HTTPS. Most of the time developers forget to redirect HTTP traffic to HTTPS, and because of that a malicious user can target your customers with an HTTP URL.
  • Set a rate limit on URLs bound to the client IP, so it will protect you from DoS (denial of service), scraping and brute-force attacks.
  • Turn off debug mode in the production environment. Most of the time developers forget to turn off debug mode, and it can create critical security issues.
  • Remove special characters before executing an SQL query, because by using a simple combination of special characters anyone can get full control of your database and of other databases deployed on the same server. This type of attack is known as SQL injection.
  • Remove special characters before storing data in the database, because a user may type executable JavaScript into an input field; when you retrieve the same data it gets executed in the browser, and using this an attacker can get user session IDs, account access and many other things. This type of attack is known as XSS (cross-site scripting).
  • Broken access control allows attackers to bypass authorization and perform tasks as though they were privileged users such as administrators. For example, a web application could allow a user to change which account they are logged in as simply by changing part of a URL, without any other verification.
  • Don’t add external JavaScript or CSS files directly into your code without reviewing them.
  • Give only 3-5 attempts for user login, because if you don’t place any limit an attacker can use brute-force techniques to obtain real credentials.
  • Validate the uploaded file extension on the server side, and don’t store any executable file such as PHP; an attacker can use such a file to gain remote access to your system.
  • Hash user credentials with the SHA-256 hash method and store the hash in the database, so even if an attacker gets database access he will not get the users’ credentials.
  • Never use root user credentials for a project; create a separate MySQL user with restricted privileges.
  • Use different MySQL users for different projects’ databases, so if one database’s credentials get leaked the others will not be compromised.
  • MongoDB does not set a password by default, so many developers skip configuring one. This can cause serious security issues, because there are lots of tools available, such as Shodan, that scan the whole network and find unrestricted databases.
  • If you are using Google library APIs like Places or Maps, restrict the key in Google Cloud to your own domain or mobile app package name, because an attacker can sniff the network, find your Google API key and use it.
  • Never accept price-related values from the front-end and process them, because an attacker can use tools like Burp Suite to intercept your request and change the product price. Always use the server-side amount for payment processing.
  • Always expire your access tokens after a short period and create a new token using a refresh token, so even if someone gets your access token it will be valid for a short period only.
  • Never log user credentials or session IDs.
  • Using reverse engineering an attacker can retrieve source code from an APK; to avoid that, the developer should use code obfuscation techniques.
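Added example (not from the original post) for the SQL injection point in the list above: the query built by string concatenation beside a parameterized one, run against a constructed in-memory table using Python's built-in sqlite3. A parameterized query keeps the input as data whatever special characters it contains, which is the standard fix rather than stripping characters; the table, names and probe string are all constructed for this example.

```python
import sqlite3


def build_db():
    # Constructed in-memory database with a small users table (example data only).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "hash_a"), ("bob", "hash_b")],
    )
    conn.commit()
    return conn


def count_rows_unsafe(conn, username):
    # VULNERABLE: the user-supplied value is pasted into the SQL text, so a
    # quote character in the input changes the structure of the query.
    query = f"SELECT COUNT(*) FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchone()[0]


def count_rows_safe(conn, username):
    # HARDENED: the SQL text is fixed and the value travels separately as a
    # bound parameter, so the driver only ever treats it as data.
    query = "SELECT COUNT(*) FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchone()[0]


def demo():
    # Constructed probe input containing quote characters; it matches no real
    # username, so a correct lookup must return 0 rows.
    conn = build_db()
    probe = "x' OR '1'='1"
    return count_rows_unsafe(conn, probe), count_rows_safe(conn, probe)


if __name__ == "__main__":
    unsafe, safe = demo()
    print(f"concatenated query matched {unsafe} rows, parameterized matched {safe}")
```

The concatenated version matches every row because the quote in the input turns the WHERE clause into a tautology, while the parameterized version matches none.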
