Secure Web Application Development & Hardening Lab
1. Introduction
Securing web applications requires both secure coding practices and proper server hardening. In this lab, you'll implement security best practices to protect against common attacks such as SQL Injection, XSS, authentication bypass, and insecure configurations.
What You Will Learn
- Secure coding to prevent SQL Injection, XSS, CSRF, and IDOR
- Implementing strong authentication & session security
- Web server hardening & security configurations
- Using a Web Application Firewall (WAF) for protection
- Best practices for secure deployment & monitoring
2. Secure Coding Practices
Preventing SQL Injection
Instead of writing raw SQL queries, use parameterized queries:
# Insecure (vulnerable to SQL injection): the input is spliced into the SQL text
cursor.execute(f"SELECT * FROM users WHERE username = '{user_input}'")
# Secure (parameterized query): the driver binds the input as data
cursor.execute("SELECT * FROM users WHERE username = ?", (user_input,))
- Why? This prevents an attacker from injecting malicious SQL statements.
Preventing Cross-Site Scripting (XSS)
Sanitize user input and encode output using HTML escaping:
from flask import request
from markupsafe import escape  # flask.escape was removed in Flask 2.3; markupsafe provides the same function
user_input = escape(request.form['comment'])
- Use a Content Security Policy (CSP):
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self' https://trusted.cdn.com">
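The following added example (not from the lab) puts the two XSS defences above side by side using only the standard library: `html.escape` plays the role of `markupsafe.escape` for a constructed comment containing a script tag, and a small helper serialises a policy dictionary into the same `Content-Security-Policy` value shown in the meta tag so it can be sent as a response header. The `CSP_POLICY` mapping and the `object-src 'none'` directive are my additions.

```python
import html

# Constructed sample of an untrusted comment (not taken from the lab).
UNTRUSTED_COMMENT = 'Great article <script>alert("xss")</script> & thanks!'


def render_comment(comment: str) -> str:
    # html.escape is the standard-library counterpart of markupsafe's escape():
    # <, >, &, " and ' become entities, so the browser renders text, not markup.
    return f'<p class="comment">{html.escape(comment, quote=True)}</p>'


def build_csp(policy: dict[str, list[str]]) -> str:
    """Serialise a directive -> sources mapping into a CSP header value."""
    return "; ".join(
        f"{directive} {' '.join(sources)}" for directive, sources in policy.items()
    )


# Same policy as the lab's <meta> tag, plus object-src 'none' (plugins off).
CSP_POLICY = {
    "default-src": ["'self'"],
    "script-src": ["'self'", "https://trusted.cdn.com"],
    "object-src": ["'none'"],
}


def security_headers() -> dict[str, str]:
    # Sending CSP as a response header (rather than only a <meta> tag) covers
    # every response, including error pages, and allows directives such as
    # frame-ancestors that browsers ignore inside <meta>.
    return {"Content-Security-Policy": build_csp(CSP_POLICY)}


if __name__ == "__main__":
    print(render_comment(UNTRUSTED_COMMENT))
    print(security_headers())
```

Escaping is context-specific: the function above is correct for text inside an HTML element or a quoted attribute, but a value placed inside a `<script>` block or a URL needs its own encoder, which is why a CSP is kept as the second layer.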
3. Authentication & Session Security
Enforce Strong Password Policies
- Require passwords to be at least 12 characters long, with a mix of letters, numbers, and symbols.
- Use bcrypt or Argon2 for password hashing:
from argon2 import PasswordHasher  # provided by the argon2-cffi package
ph = PasswordHasher()
hashed_password = ph.hash("SecureP@ssw0rd!")  # salted Argon2id hash; store this, never the password
ph.verify(hashed_password, "SecureP@ssw0rd!")  # returns True; raises VerifyMismatchError on a wrong password
Implement Multi-Factor Authentication (MFA)
- Use TOTP-based authentication (e.g., Google Authenticator).
- Enforce session timeouts and re-authentication for sensitive actions.
4. Web Server Hardening
Secure Your Web Server (Apache/Nginx)
The directives below are Apache syntax; the Header lines require mod_headers (enable it with a2enmod headers).
- Disable directory listing:
Options -Indexes
- Prevent clickjacking attacks:
Header always set X-Frame-Options "DENY"
- Enable HTTP Strict Transport Security (HSTS):
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
Disable Unnecessary HTTP Methods
Test which methods your server advertises (the -i flag shows the response headers, including Allow):
curl -i -X OPTIONS http://example.com
- Only allow GET, POST, and DELETE:
<LimitExcept GET POST DELETE>
    Require all denied   # Apache 2.4 syntax; 2.2 used "deny from all"
</LimitExcept>
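To verify the header and method hardening in this section instead of eyeballing curl output, here is an added Python checker (mine, not the lab's) that takes a response's headers and reports every item of the checklist that is not satisfied: X-Frame-Options, an HSTS max-age of at least one year, a CSP header, and an Allow header that lists nothing outside GET/POST/DELETE. The two sample header sets are constructed, not captured from a real host; `fetch_headers` is an optional helper for running the same audit against your own server.

```python
import re
import urllib.request

EXPECTED_METHODS = {"GET", "POST", "DELETE"}
ONE_YEAR = 31536000


def audit_security_headers(headers: dict[str, str], allowed=EXPECTED_METHODS) -> list[str]:
    """Compare response headers against the lab's hardening checklist."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    if h.get("x-frame-options", "").strip().upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or not DENY/SAMEORIGIN (clickjacking)")

    m = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""))
    if not m:
        findings.append("Strict-Transport-Security missing")
    elif int(m.group(1)) < ONE_YEAR:
        findings.append(f"HSTS max-age {m.group(1)} is below one year")

    if "content-security-policy" not in h:
        findings.append("Content-Security-Policy missing")

    # The Allow header in an OPTIONS response lists what the server will accept.
    # HEAD is ignored because Apache treats it as covered by GET.
    advertised = {x.strip().upper() for x in h.get("allow", "").split(",") if x.strip()}
    extra = sorted(advertised - set(allowed) - {"OPTIONS", "HEAD"})
    if extra:
        findings.append("methods enabled beyond the allow-list: " + ", ".join(extra))
    return findings


def fetch_headers(url: str) -> dict[str, str]:
    # Live check of your own server, the equivalent of curl -i -X OPTIONS.
    # urlopen raises HTTPError if the server answers OPTIONS with 4xx/5xx.
    req = urllib.request.Request(url, method="OPTIONS")
    with urllib.request.urlopen(req, timeout=5) as resp:
        return dict(resp.headers.items())


# Constructed sample responses: before and after applying the lab's directives.
BEFORE = {"Server": "Apache", "Allow": "GET, POST, PUT, DELETE, TRACE, OPTIONS"}
AFTER = {
    "X-Frame-Options": "DENY",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'",
    "Allow": "GET, POST, DELETE, OPTIONS",
}

if __name__ == "__main__":
    print("before:", audit_security_headers(BEFORE))
    print("after: ", audit_security_headers(AFTER))
```

Run `audit_security_headers(fetch_headers("https://your-host/"))` after each configuration change and keep the output for the hardening report; an empty list is the pass condition.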
5. Deploying a Web Application Firewall (WAF)
A Web Application Firewall (WAF) helps protect against SQL Injection, XSS, and brute-force attacks.
Using ModSecurity (Apache/Nginx)
- Install ModSecurity:
sudo apt install libapache2-mod-security2
- Enable the base ModSecurity configuration (the OWASP Core Rule Set itself is a separate package, modsecurity-crs):
sudo mv /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf
The recommended file ships with SecRuleEngine DetectionOnly, which only logs; change it to SecRuleEngine On in the new file once you have confirmed there are no false positives, otherwise nothing is blocked.
- Restart the web server:
sudo systemctl restart apache2
- Alternative: Use Cloudflare WAF for managed security.
6. Logging & Monitoring for Security Threats
Enable Logging in Apache/Nginx
- Track suspicious requests in access logs:
sudo tail -f /var/log/apache2/access.log
- Use Fail2Ban to block brute-force attempts:
sudo apt install fail2ban
- Monitor web traffic using an open source SIEM (e.g., Wazuh, ELK Stack).
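Tailing the access log shows you the lines; the detection that Fail2Ban or a SIEM rule performs on them is a count of failed logins per client within a time window. The added example below (my code, not the lab's or Fail2Ban's) parses Apache combined-format log lines and flags any source address that produces at least five 401/403 responses on the login path inside 60 seconds. The log lines are constructed for the demonstration and use documentation-only IP ranges; the `/login` path and the thresholds are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache "combined" log format: client, identd, user, [time], "request", status, bytes, referer, agent
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line: str):
    """Return the fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def failed_login_bursts(lines, login_path="/login", threshold=5, window_seconds=60):
    """Map each client IP to its peak number of failed logins inside any window, keeping only those at or above threshold."""
    failures = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["path"] == login_path and rec["status"] in (401, 403):
            failures[rec["ip"]].append(rec["time"])

    bursts = {}
    for ip, times in failures.items():
        times.sort()
        window = deque()
        peak = 0
        for t in times:                       # sliding window over the sorted timestamps
            window.append(t)
            while (t - window[0]).total_seconds() > window_seconds:
                window.popleft()
            peak = max(peak, len(window))
        if peak >= threshold:
            bursts[ip] = peak
    return bursts


# Constructed sample log (documentation IP ranges; not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Mar/2024:10:00:00 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [12/Mar/2024:10:00:04 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Mar/2024:10:00:05 +0000] "GET / HTTP/1.1" 200 2326 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [12/Mar/2024:10:00:09 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [12/Mar/2024:10:00:13 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Mar/2024:10:00:20 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [12/Mar/2024:10:00:18 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [12/Mar/2024:10:00:22 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Mar/2024:10:01:40 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Mar/2024:10:01:45 +0000] "POST /login HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(failed_login_bursts(SAMPLE_LOG))
```

The second client fails twice but 80 seconds apart, so it never crosses the threshold; that distinction between a user mistyping a password and a scripted attempt is what the window gives you, and it is the same trade-off you tune with `maxretry` and `findtime` in a Fail2Ban jail.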
Conclusion
By completing this lab, you have:
- Applied secure coding practices to prevent common vulnerabilities
- Hardened a web server against attacks
- Deployed a Web Application Firewall (WAF) for protection
- Set up logging & monitoring to detect threats
Submission Instructions
Submit a security hardening report with:
- Screenshots of implemented security measures
- Explanation of vulnerabilities mitigated
- Configurations applied to the web server
Next Steps: Test your hardened application using OWASP ZAP to ensure all security measures are effective!