Security of a WebDev Application

Posted by MediOffice 
Security of a WebDev Application
December 02, 2021 03:17PM
I'm using WebDev 25.
My application is for doctors and so security is hugely important. I have had a consultant perform penetration testing on my app, server and database. I don't understand most of what he has come up with so we are discussing it next week. But it got me thinking.....is there any guidance on best practice for WebDev from a security perspective? Can anyone share any of their thoughts of what to do and what not to do?
I also use AWS EC2 and AWS PostgreSQL - so any best practice on the configuration of these would also be great.
Argus
Re: Security of a WebDev Application
December 02, 2021 03:51PM
1. All Files encrypted
2. Session mode
3. login with strong passwords
4. passwords stored as hashes in the DB
5. HFSQL as no hacker knows anything about it.
pao
Re: Security of a WebDev Application
December 02, 2021 04:08PM
Probably most of the findings can be corrected at the OS/IIS level: things like adding some headers, using only TLS 1.2 or above, not accepting HTTP and always redirecting to HTTPS, and so on.
At the WebDev side you must be careful with session hijacking; to prevent this you can use session cookies.
At the coding level you must be careful with potential SQL INJECTION problems.
Try to intercept as many errors as you can to hide the error details from the users; WHEN EXCEPTION in the project init code can help you with errors not monitored.
If your app allows upload of files, be careful with the names and types; don't allow executables, scripts and so on.
Don't use the yourproject_WEB directory or any other directory with an alias defined to store files with data; they can be accessed outside the control of your app.

These are the most common problems; the majority of them are well documented and are the same for all web applications.
Check the OWASP Top 10 site ( [owasp.org] ).

Regards

Paulo Oliveira



Edited 2 time(s). Last edit at 12/02/2021 04:10PM by pao.
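Pao's upload advice above (check names and types, refuse executables and scripts, keep data files out of the yourproject_WEB directory and out of any aliased directory), as an added example that is not part of the thread. A WebDev application would write this in WLanguage; this is a Python stand-in so the checks can be run as-is. The upload directory, the allowed types and the script-extension blocklist are assumptions for this example, and the inputs at the bottom are constructed.

```python
import os
import secrets

# Assumption for this example: uploads live under a directory that is NOT the
# project _WEB directory and has no IIS alias, so the only route to a file is
# through the application's own code. Hypothetical path.
UPLOAD_DIR = "/var/medi-data/uploads"

# Allowlist of the types the application actually needs. Anything else is refused,
# so there is no need to enumerate every executable or script extension that exists.
ALLOWED_EXTENSIONS = {"pdf", "png", "jpg", "jpeg", "txt"}

# Extensions that must not appear anywhere in the name, even before an allowed one
# (invoice.php.pdf, shell.aspx.jpg): some servers pick the handler from an inner part.
SCRIPT_EXTENSIONS = {"exe", "dll", "bat", "cmd", "ps1", "vbs", "js", "php",
                     "asp", "aspx", "jsp", "sh", "htm", "html", "svg"}

# Leading bytes each binary type is expected to start with; the name alone proves nothing.
MAGIC = {
    "pdf": (b"%PDF-",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
}


def vet_upload(original_name, data):
    """Return (accepted, detail): on rejection detail is the reason, on acceptance it is
    the random name the file gets on disk. The user-supplied name is never reused."""
    # Keep only the final path component, whether the client used / or \ (kills ../ traversal).
    base = original_name.replace("\\", "/").rsplit("/", 1)[-1].strip()
    if base in ("", ".", ".."):
        return False, "empty or directory name"
    if any(ord(c) < 32 or ord(c) == 127 for c in base):
        return False, "control characters in name"
    parts = base.lower().split(".")
    if len(parts) < 2 or not parts[-1]:
        return False, "missing extension"
    ext = parts[-1]
    if ext not in ALLOWED_EXTENSIONS:
        return False, "extension ." + ext + " not allowed"
    for inner in parts[1:-1]:
        if inner in SCRIPT_EXTENSIONS:
            return False, "embedded script extension ." + inner
    magics = MAGIC.get(ext)
    if magics and not any(data.startswith(m) for m in magics):
        return False, "content does not look like ." + ext
    return True, secrets.token_hex(16) + "." + ext


def save_upload(original_name, data, upload_dir=UPLOAD_DIR):
    """Vet the file, then write it under its random name; raises ValueError on rejection."""
    accepted, detail = vet_upload(original_name, data)
    if not accepted:
        raise ValueError(detail)
    path = os.path.join(upload_dir, detail)
    with open(path, "wb") as f:
        f.write(data)
    return path


if __name__ == "__main__":
    # Constructed inputs: one legitimate upload and several that should be refused.
    samples = [
        ("report.pdf", b"%PDF-1.7\n%..."),
        ("../../etc/passwd", b"root:x:0:0"),
        ("C:\\inetpub\\wwwroot\\shell.aspx", b"<% %>"),
        ("invoice.php.pdf", b"%PDF-1.4"),
        ("photo.png", b"GIF89a"),
        ("notes.TXT", b"plain text"),
    ]
    for name, content in samples:
        print(repr(name), "->", vet_upload(name, content))
```

The order of the checks matters: the path part is stripped first so a traversal name never reaches the extension logic, the extension decision is made on the lower-cased name so `shell.ASPX` is not a bypass, and the on-disk name is random so nothing the client chose (name, extension case, Unicode tricks) survives into the file system.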
Re: Security of a WebDev Application
December 02, 2021 05:07PM
Hi, as long as you are using HFSQL, an SQL injection seems to be impossible since the Manta Service is written in WINDEV's WLanguage. SQL Injection is possible mostly with C++ programs. Variables in most languages have a length and when filling more data into a variable than that, the excessive data is simply discarded. In C++ a variable is simply a memory address. Filling more data into a variable than the reserved length will overwrite the following memory space. As a hacker, you just have to find a way to execute the inserted "data".

Kind regards,
Guenter Predl
office@windev.at
pao
Re: Security of a WebDev Application
December 03, 2021 01:09PM
If you use HExecuteSQLQuery and compose the query with data filled in by the user, the SQL INJECTION problem can occur in almost any DB type.

Sample code with potential problems:
myqry is data source
mysql is string = "select address,zipcode from person where name='" + name_from_form + "'"  // user input concatenated straight into the SQL text
hexecutesqlquery(myqry, mysql)
hreadfirst(myqry)
while not hout(myqry)
	info(myqry.address, myqry.zipcode)
	hreadnext(myqry)
end
hcanceldeclaration(myqry)

If in the form that asks for the name you put a' union all select user_name as address, password as zipcode from user_table // probably you can see all the users/passwords.

I didn't test this code; this is only one sample of the potential coding problems.

Regards

Paulo Oliveira



Edited 1 time(s). Last edit at 12/03/2021 01:24PM by pao.
Re: Security of a WebDev Application
December 03, 2021 06:43PM
Hi Pao,

I read that SQL Injection is not possible if you use the following SQL statement:

mysql is string = "select address,zipcode from person where name={usedname}"
myqry.usedname = name_from_form
hexecutesqlquery(myqry, mysql)

Can you confirm this?

Regards

Stefan.
pao
Re: Security of a WebDev Application
December 06, 2021 09:48AM
Yes it's true. I only use SQLSERVER and ORACLE. I'm assuming that PostgreSQL works the same way.
In this case the value is used as a parameter to the query and in my sample code the value is used as a string to compose the query.

Regards

Paulo Oliveira
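Pao's two posts above, the concatenated HExecuteSQLQuery sample and the {usedname} parameter form that Stefan asked about, side by side as an added example that is not part of the thread. Python with an in-memory SQLite database stands in for WLanguage and HFSQL/PostgreSQL so it runs offline; the tables, rows and the apostrophe-containing name are constructed for the example. The payload is the one from the thread with a `where ''='` tail added so that the quote the original query appends after the value closes cleanly instead of producing a syntax error; `?` is SQLite's placeholder, the same role `{usedname}` plays in the WLanguage query (psycopg2 for PostgreSQL uses `%s` with the same semantics).

```python
import sqlite3


def make_db():
    """Constructed sample data: a person table the form is meant to query and a
    user_table the form is NOT meant to expose."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE person(name TEXT, address TEXT, zipcode TEXT);
        CREATE TABLE user_table(user_name TEXT, password TEXT);
        INSERT INTO person VALUES ('Alice',    '1 Main St', '10001');
        INSERT INTO person VALUES ('O''Brien', '3 Pine Rd', '30003');
        INSERT INTO user_table VALUES ('admin',   'pa55w0rd-hash-goes-here');
        INSERT INTO user_table VALUES ('drsmith', 'hunter2');
    """)
    return con


def lookup_unsafe(con, name_from_form):
    """Same shape as the concatenated WLanguage sample: the form value is glued into the SQL text."""
    sql = "select address,zipcode from person where name='" + name_from_form + "'"
    return con.execute(sql).fetchall()


def lookup_safe(con, name_from_form):
    """The {usedname} / myqry.usedname pattern: the value travels as a bound parameter,
    so the database never parses it as SQL."""
    sql = "select address,zipcode from person where name=?"
    return con.execute(sql, (name_from_form,)).fetchall()


# Thread payload, with a tail that closes the quote the unsafe query appends.
PAYLOAD = ("a' union all select user_name as address, password as zipcode "
           "from user_table where ''='")


def unsafe_breaks_on(con, name_from_form):
    """True when the concatenated query is not even valid SQL for this input,
    e.g. a perfectly legitimate name containing an apostrophe."""
    try:
        lookup_unsafe(con, name_from_form)
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    con = make_db()
    print("unsafe, normal input:", lookup_unsafe(con, "Alice"))
    print("unsafe, payload     :", lookup_unsafe(con, PAYLOAD))      # user_table rows leak
    print("safe,   payload     :", lookup_safe(con, PAYLOAD))        # nobody has that name: []
    print("unsafe, O'Brien     :", unsafe_breaks_on(con, "O'Brien")) # True, syntax error
    print("safe,   O'Brien     :", lookup_safe(con, "O'Brien"))      # the real row
```

Two things the concatenated version gets wrong at once: the payload turns a two-column person lookup into a dump of user_table, and an ordinary patient name such as O'Brien makes the query fail outright. The parameterised version handles both, because the value is sent separately from the statement text rather than spliced into it; escaping quotes by hand is not a substitute, as it has to be right for every database and every data type.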
Re: Security of a WebDev Application
December 06, 2021 10:06AM
Thanks Pao, I sent you a private message