Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

Database Security

Prevent unauthorized access and exceed compliance requirements.

Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats
SpiderLabs Blog

Web Security Improvement Ideas

I have been keeping a list of web security improvement ideas for some time now. It's a list that does not contain only my ideas but thoughts I picked up from others over the years. I have been showing the list to others lately, so I thought it would be a good idea to post it online too. I am posting it here straight from my notebook (you can probably tell from the lack of structure).

With some more work the proposed changes could help us with XSS, session hijacking, CSRF, and phishing. I think the improvements are entirely feasible, although realising them is no small task. The real question in my mind, though, is whether these improvements are sufficient to "solve" the problem of web security in its entirety. (Or at least be future-proof, i.e. compatible with future improvements that may be required.)

  • Introduce a new concept called "Secure Web Application". The main purpose of this is to make it possible to break backward compatibility. The idea is to then market Secure Web Applications as *really* secure and everything else as potentially insecure. Visually, they should appear very different than the normal browsing experience. The rest of the ideas presented here apply only to Secure Web Applications.
  • Add one new HTTP header, to contain an URI to a descriptor that contains more information about a Secure Web Application. The descriptor should allow application authors to exercise great control over what happens in a Secure Web Application. E.g. they may decide not to use client-side code at all. Or not accept Flash objects (the browser should then refuse to run them even if they appear in HTML).
  • Browsers should remember the SSL certificate of a server upon the first visit of a web site. If the certificate changes browsers must refuse to communicate with the site.
  • Only valid certificates should be acceptable for Secure Web Applications.
  • Allow some mechanism for SSL certificates to be changed/upgraded. For example, the server could keep old certificates around to use them for the transition.
  • Never use Basic authentication (because it sends passwords out in plain text). Allow only Digest authentication (does not send the passwords out at all) with mandatory server authentication (so the user knows he is at the right place).
  • Form-based authentication must be integrated into browsers, and it too must be designed not disclose passwords (e.g use Digest auth). Clients must always authenticate servers. Some prior art available here:
  • Design a mechanism for explicit log-out. And a mechanism for session timeout (in the browser). Delete all session information after it is terminated.
  • Make SSL mandatory (Secure Web Applications only, obviously).
  • No information must go out of a web application (e.g. external links must not be followed, no requests from the client-side code)). No information must go into a web application. We may need to have designated input and output areas. We may allow the application to screen requests before allowing them.
  • Separate cookies from session tokens, produce a new state maintenance RFC that is non-ambiguous. Session tokens are not to be accessed by client-side code. They mustn't be visible to the end user either. Make session tokens worthless by separating authentication from session management (e.g. require authentication to take place for every request). [Note: With some effort it is already possible to tie in session tokens to SSL session ids for added protection. But this is not portable, and I don't think SSL should be involved with session management anyway.]

Latest SpiderLabs Blogs

Welcome to Adventures in Cybersecurity: The Defender Series

I’m happy to say I’m done chasing Microsoft certifications (AZ104/AZ500/SC100), and as a result, I’ve had the time to put some effort into a blog series that hopefully will entertain and inform you...

Read More

Trustwave SpiderLabs: Insights and Solutions to Defend Educational Institutions Against Cyber Threats

Security teams responsible for defending educational institutions at higher education and primary school levels often find themselves facing harsh lessons from threat actors who exploit the numerous...

Read More

Breakdown of Tycoon Phishing-as-a-Service System

Just weeks after Trustwave SpiderLabs reported on the Greatness phishing-as-a-service (PaaS) framework, SpiderLabs’ Email Security team is tracking another PaaS called Tycoon Group.

Read More