CERN Computer Security Information
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<link rel="stylesheet" href="/style.css" type="text/css" />
<title>CERN Computer Security Information</title>
</head>
<body>
<div id="wrap">
<div id="top-bg"></div>
<!--header -->
<div id="header">
<div id="logo-text">
<a id="logo-img" href="https://home.cern/"><img src="/images/CERNLogo2.png" width="59" height="59" style="margin: 10px" alt="CERN Logo"/></a><div id="logo-text-big"><a href="/home/en/index.shtml" title="">CERN Computer Security</a></div>
</div>
<div id="header-logo"><a href="/services/en/emergency.shtml"><img width="335" src="/images/emergency.png" alt="Computer Emergencies"/></a></div>
</div>
<!--header ends-->
<div id="header-photo"></div>
<!-- content-wrap starts -->
<div id="content-wrap">
<div id="main">
<h2>Securing Web applications</h2>
<p>Since Web applications are generally exposed to potentially untrustworthy users, their developers must take extra precautions to secure them. The number one vulnerability in Web applications is trusting clients/users too much. Clients may be malicious and send unexpected data to a Web application, making it misbehave. If there is one main piece of advice, it would be:</p>
<p> <center> <table> <tr> <th><b>Do not trust any data coming from a user!</b></th> </tr> </table> </center> </p>
<p>This means checking the correctness of every piece of data/value that comes from the client (script arguments, form fields, cookies, headers such as "User-Agent" or "Referer", etc.). All of them must be validated and sanitised before being used. Moreover, when user-supplied values are displayed back to the client, or used to access an external system such as a database, they must be properly escaped (i.e. special characters must not be interpreted).</p>
<p><center><img border="0" src="/recommendations/images/command_injection.png" width="100%" alt="Command injection"/></center></p>
<p>If you develop Web applications at CERN, <b>you are strongly encouraged to attend (free of charge) the <a href="/training/en/technical.shtml#sw">"Developing secure software"</a> course</b>.
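The rule stated above (validate every client-supplied value, then escape it before echoing it to the browser or handing it to a database), shown as an added Python example that is not part of the original page or of CERN's code; the users table, its columns and the sample rows are constructed for the demonstration, and each 'before' function sits next to its hardened form:

```python
"""The page's rule (validate, sanitise, escape) applied to one user-supplied value.
Added example, not CERN's code: the users table, its columns and the sample rows
are constructed for the demonstration."""
import html
import re
import sqlite3

# Step 1, validate: an allow-list for a script argument such as ?user=...
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{0,31}")

def validate_username(value: str) -> str:
    """Accept only values of the expected shape; anything else is rejected, not 'cleaned'."""
    if not USERNAME_RE.fullmatch(value):
        raise ValueError("invalid user name")
    return value

def make_db() -> sqlite3.Connection:
    """In-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.org"), ("bob", "bob@example.org")])
    return conn

def lookup_email_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """'Before': the value is concatenated into the SQL text, so a quote inside it is read as SQL."""
    rows = conn.execute("SELECT email FROM users WHERE name = '" + name + "'").fetchall()
    return [r[0] for r in rows]

def lookup_email(conn: sqlite3.Connection, name: str) -> list:
    """'After': the value is bound as a parameter, so the database never interprets it."""
    rows = conn.execute("SELECT email FROM users WHERE name = ?", (name,)).fetchall()
    return [r[0] for r in rows]

def render_unsafe(value: str) -> str:
    """'Before': the value is echoed verbatim, so any markup in it is interpreted by the browser."""
    return "<p>Hello, " + value + "</p>"

def render(value: str) -> str:
    """'After': special characters are escaped before the value goes back to the client."""
    return "<p>Hello, " + html.escape(value, quote=True) + "</p>"

def handle_request(conn: sqlite3.Connection, user_arg: str) -> str:
    """The three steps in order: validate the argument, query with a bound parameter, escape the output."""
    name = validate_username(user_arg)
    emails = lookup_email(conn, name)
    return render(name + " <" + ", ".join(emails) + ">")
```

The same allow-list approach applies to any other client-controlled value the page lists (cookies, "User-Agent", "Referer"): decide what shape you expect, reject the rest, and still escape on the way out.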
The last part of the course is dedicated to Web application security: typical vulnerabilities are shown, and ways to avoid them are discussed.</p>
<p>The following documents are worth a look:</p>
<ul>
<li> <a href="http://indico.cern.ch/getFile.py/access?contribId=120&sessionId=59&resId=0&materialId=slides&confId=18714"> Web Applications Security</a> by Romain Wartel, CERN and EGEE/OSCT</li>
<li> <a href="http://indico.cern.ch/getFile.py/access?contribId=16&sessionId=3&resId=1&materialId=slides&confId=29134"> CSRF etc.</a> by Andrew McNab, Univ.
of Manchester</li>
</ul>
</div> <!-- main ends -->
</div> <!-- content-wrap ends-->
<!-- footer starts -->
<div id="footer-wrap">
<div id="footer-bottom">
© Copyright 2024<strong> <a href="https://cern.ch/security">CERN Computer Security Office</a></strong>
<table> <tr>
<td id="footer-info-left"> e-mail: <a href="mailto:Computer.Security@cern.ch">Computer.Security@cern.ch</a><br/> Please use the following PGP key to encrypt your messages:<br/> ID: 0x954CE234B4C6ED84<br/> <a href="https://keys.openpgp.org/vks/v1/by-fingerprint/429D60460EBE8006B04CDF02954CE234B4C6ED84">429D 6046 0EBE 8006 B04C DF02 954C E234 B4C6 ED84</a> </td>
<td id="footer-info-right"> Phone: +41 22 767 0500<br/> Please listen to the recorded instructions. </td>
</tr> </table>
</div>
</div> <!-- footer ends-->
</div> <!-- wrap ends here -->
</body>
</html>