Web Application Security, 2nd Edition

by Andrew Hoffman
January 2024
Intermediate to advanced
444 pages
11h 10m
English
O'Reilly Media, Inc.
Content preview from Web Application Security, 2nd Edition

Chapter 23. Secure User Experience

An often forgotten component of a secure web application is the user interface. UIs are the standard way for an end user to interact with any web application. Highly specialized web applications may allow a user to interact via a CLI, a REST API, or even via an XML or JSON file, but the majority of applications and end users prefer to interact via a user interface.

On the web, UIs are constrained to a small set of technologies due to browser computing model limitations. Typically these interfaces are HTML, CSS, and JavaScript, but may make use of plug-ins or applets (e.g., Java) despite security and performance limitations.

In this chapter, we won’t focus on the technologies that power a UI (e.g., JavaScript, CSS, HTML). Instead we will focus on the design, experience, and usability of the application those technologies produce, which the end user then interacts with. Without further ado, let’s consider some common security mistakes that developers make when producing UIs, and then evaluate potential solutions for those security gaps.

Information Disclosures and Enumeration

Information disclosure and enumeration vulnerabilities share a common set of identifying features, and both often stem from the need to power a UI with useful data. Both, however, can be avoided or at least mitigated with smart user experience design.

Information Disclosures

The first and most important thing to consider when designing ...


ISBN: 9781098143923