Website Security
Wednesday, August 16, 2006 by darco. Posted in Articles, darcness, Security
I've learned quite a bit over the past year or so that I've been developing darcness, but one lesson stands out above all others: It is just staggering how many ways there are to compromise the security of a dynamic website.
Making a website secure is a surprisingly non-trivial task that requires plenty of thought and discipline. What makes it worse is that it is all too easy to create gaping security holes without realizing it.
For example, if there is a way for someone to get unsanitized HTML to display on a page on your site, then you are hosed. Why? That unsanitized HTML could very well contain a JavaScript program. If you view that page when you are logged into your site, then that JavaScript has the same access privileges you do. This is called a Cross-Site Scripting Attack. Like I said, at that point you are hosed.
But this isn't that difficult to prevent, right? Well, in theory, yes. All you have to do is make sure that every untrusted string is converted to HTML entities (or sanitized in some other way, like with kses) before it is displayed.
There are, of course, all of the obvious places you want to sanitize, such as search queries, user comments, and user account info... But there are plenty of other non-obvious spots where it may be possible to get unsanitized HTML to display on a website.
That happened today when I was browsing through the user-agents of people who have visited my site today. As I was browsing, I noticed something different: a link. A clickable link. Right there in the agent list. Someone had put HTML in their user agent string!
In this case, it was simply some user-agent spam (::shiver::) but that harmless <a> tag could have just as easily been a <script> tag. Yikes!
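To make the escaping point concrete for the user-agent case above, here is an added example (my own code, not darcness): a log-viewer snippet that renders a list of user-agent strings the unsafe way beside the escaped way, plus a check that flags agents carrying markup. The sample user-agent strings are constructed.

```python
import html
import re

# Constructed sample user-agent strings, as a visitor log might store them.
# The third one carries markup, like the one described in the post.
SAMPLE_AGENTS = [
    "Mozilla/5.0 (X11; Linux i686; rv:1.8) Gecko/20060806 Firefox/1.5.0.6",
    "Googlebot/2.1 (+http://www.google.com/bot.html)",
    'Mozilla/4.0 <a href="http://example.invalid/">cheap stuff</a>',
]

# Matches anything that looks like an HTML tag.
TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")


def render_unsafe(agents):
    """The bug: untrusted strings are dropped straight into the page."""
    return "<ul>" + "".join(f"<li>{ua}</li>" for ua in agents) + "</ul>"


def render_safe(agents):
    """Escape every untrusted string before it reaches the page.

    html.escape turns < > & " ' into entities, so any markup in the
    user-agent is shown as text instead of being parsed by the browser.
    """
    items = "".join(f"<li>{html.escape(ua, quote=True)}</li>" for ua in agents)
    return "<ul>" + items + "</ul>"


def contains_markup(ua):
    """Review helper: flag user-agent strings that carry HTML tags.

    Handy when going through logs; it is not a substitute for escaping on output.
    """
    return TAG_RE.search(ua) is not None


def output_is_escaped(rendered):
    """Check that the only tags in the rendered page are the template's own."""
    template_tags = {"<ul>", "</ul>", "<li>", "</li>"}
    return all(tag in template_tags for tag in TAG_RE.findall(rendered))


if __name__ == "__main__":
    print("unsafe output escaped?", output_is_escaped(render_unsafe(SAMPLE_AGENTS)))
    print("safe output escaped?  ", output_is_escaped(render_safe(SAMPLE_AGENTS)))
```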
But that's just the tip of the iceberg. Responsible web developers must also keep in mind:
To be perfectly honest, I don't think most developers of dynamic web applications are aware of these sorts of attacks, which is rather scary.
What's the moral of this story? If you are a web developer, be paranoid. Very paranoid.
Wednesday, August 16, 2006
Well bro, I hate to admit this, but after all these years, I have to confess: I'm a spambot. I know, it's a shock to you, but please understand that I only spam the ones I love....and I love you!
BTW, would you like to make millions in real estate market?? CLICK HERE
Wednesday, August 16, 2006
You know, not many companies bother actually talking about doing proper security audits, and generally you don't notice, until one or two DO mention security audits, then it becomes conspicuous in its absence.
Need to poke you sometime soon about using darcness for something, if you're willing.
Wednesday, August 16, 2006
I'm feelin' the luv.
Thursday, August 17, 2006
The problem is that you are actually receiving stuff from these dirty outsiders thus tainting your virgin website. One should abstain from such activities to be truly safe :P
Friday, October 20, 2006
Well it seems like you are learning a bit about security, the major issue is that "knowledge is power" and the real "computer lovers and security experts" naturally prefer to "stay out of sight", so security is a problem but not the only problem. First of all there are no perfect systems, so there will always exist security faults. The advice from perone is the best advice anyone can give about security.
There are so many interesting areas in computing, so to stay out of trouble, stay out of knowing too much about security.