Saturday, July 7, 2012

Basic Things Every Web Developer Needs To Know About Security

Lately I've seen too much bad code to put my mind at ease. Luckily this blog exists just for that, so I can rant about things.

Well, if you're a web developer (this also applies to desktop developers; it's not exclusive to web developers, although that is probably where it is most common), the first thing you need to remember is that EVERYTHING ON THE CLIENT IS COMPROMISED: anything that runs or is stored on the user's machine is under the user's control, not yours, and must be treated as untrusted.


Server Validation For Input

What does that mean exactly? It means that if you got this information from the user, you can't trust it. It doesn't matter how many validations you placed in your JavaScript, whether you compiled it, hashed it, or made the data jump through hoops before it finally reached your server. If you received it from the user, you must validate it again on the server, in server-side code.

I saw numerous sites where the only validation of the data was in JavaScript, and you can just as easily use Firebug (or any HTTP proxy) to skip all those validations and send a badly formatted string to the server. Now, you may think it's not a big deal: "So the user will send his phone number with letters instead of digits, what is the big deal?" Imagine that you later parse that value from text into an actual numeric variable. If you did not catch the proper exceptions, your page crashes (an unhandled exception becomes a 500 error for everyone), or worse, the unvalidated string ends up inside a database query. Which brings us to our next topic...
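The following is an added example, not code from the original post: a Python sketch of the "validate on the server, then parse" rule. The field names, the allowlist patterns and the sample requests are all assumptions constructed for the example. It contrasts a naive handler that trusts the client (and crashes on a non-numeric field) with one that re-checks every field against an allowlist and answers 400 instead of 500.

```python
import re

# Allowlist patterns for the formats this form accepts. They are assumptions
# made for this example; adapt them to the formats your own site accepts.
NAME_RE = re.compile(r"[A-Za-z][A-Za-z '\-]{0,99}")
PHONE_RE = re.compile(r"\+?[0-9]{7,15}")
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")
AGE_RE = re.compile(r"[0-9]{1,3}")


class ValidationError(ValueError):
    """Raised when a client-supplied field fails its server-side check."""


def naive_handler(form):
    """The JavaScript-only approach: trust the fields and parse them blindly.
    A non-numeric 'age' makes int() raise ValueError, which surfaces as an
    unhandled exception (a 500 page) instead of a polite error."""
    return {"phone": form["phone"], "age": int(form["age"])}


def validate_signup(form):
    """Re-check every field on the server, whatever the client claims to have done.

    Returns a dict of cleaned values, or raises ValidationError naming the
    first offending field. Fields are checked against allowlists (what is
    permitted), not blocklists (what is forbidden), so unexpected input fails."""
    clean = {}
    for field, pattern in (("name", NAME_RE), ("phone", PHONE_RE), ("email", EMAIL_RE)):
        value = form.get(field)
        if not isinstance(value, str) or not pattern.fullmatch(value):
            raise ValidationError("invalid %s" % field)
        clean[field] = value

    # Only convert to a number after the text has been proven to look like one.
    age_raw = form.get("age")
    if not isinstance(age_raw, str) or not AGE_RE.fullmatch(age_raw):
        raise ValidationError("invalid age")
    age = int(age_raw)
    if not 13 <= age <= 120:
        raise ValidationError("age out of range")
    clean["age"] = age
    return clean


def handle_signup(form):
    """Request handler returning (status, body). Bad input is a 400, never a crash."""
    try:
        return 200, validate_signup(form)
    except ValidationError as exc:
        return 400, {"error": str(exc)}


def naive_handler_crashes(form):
    """True if naive_handler would blow up on this form (shows the contrast)."""
    try:
        naive_handler(form)
    except (KeyError, ValueError):
        return True
    return False


# Constructed sample requests. GOOD_FORM is what the browser-side checks let
# through; BAD_FORM is what arrives once those checks are bypassed with Firebug
# or a proxy.
GOOD_FORM = {"name": "Ada Lovelace", "phone": "+15551234567",
             "email": "ada@example.com", "age": "36"}
BAD_FORM = {"name": "Ada Lovelace", "phone": "555-CALL-NOW",
            "email": "not-an-email", "age": "36 OR 1=1"}

if __name__ == "__main__":
    print(handle_signup(GOOD_FORM))          # (200, {..., 'age': 36})
    print(handle_signup(BAD_FORM))           # (400, {'error': 'invalid phone'})
    print(naive_handler_crashes(BAD_FORM))   # True
```

The shape matters more than the patterns: nothing is converted or used until it has matched an allowlist, and a failed check produces a controlled error response rather than an exception propagating out of the handler.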

Proof your queries against SQL injections

In case you don't know what an SQL injection is, I highly suggest you take a break from your current programming task and read up on it. Basically, SQL injection is when user input ends up being interpreted as part of your SQL query, so an attacker can insert code you did not intend into it, code that can do harm.
Here is an example from the PHP manual's page on SQL injection:

Let's assume this code exists on your server (deliberately vulnerable: $size comes straight from the request and is pasted into the SQL text):

<?php
$query  = "SELECT id, name, inserted, size FROM products
           WHERE size = '$size'";
$result = odbc_exec($conn, $query);
?>
Now, imagine that instead of a regular size the user sends you this string:

' union select '1', concat(uname||'-'||passwd) as name, '1971-01-01', '0' from usertable;
--

The leading quote closes the string literal for size, the UNION appends a second result set with the same four columns, and the -- turns the rest of your original query (the closing quote) into a comment. The page would then list every user in your system along with their password.

SQL injection can do nasty things like dump all your usernames, passwords and credit card numbers, delete them (no example, sorry), and even take your site down!

So what can you do?
There are numerous ways to protect yourself against SQL injection; the details depend on your programming language of choice. However, the 3 basic methods which are recommended for everyone (and are also listed on Wikipedia) are:
1. Use escaping - your database driver's escaping function, which neutralises the special meaning of characters such as quotes. Use the one for your exact database and connection charset; a home-made "replace the quotes" is not the same thing.
2. Check your data is formatted as you'd expect it to be (i.e. a phone number looks like a phone number, a name doesn't contain characters it shouldn't, an email looks like something@something.something).
3. Limited permissions - make sure the database account your queries run as has the fewest permissions possible, so an injected query cannot read the user table or drop yours.

Two more notable methods:
4. Use prepared (parameterized) queries - the SQL text is fixed and user values are sent separately, so they can never change the structure of the query. Every modern database driver supports them, and they should be your default.
5. Use frameworks/tested environments - things like CodeIgniter, WordPress, Blogger, the software behind Wikipedia, etc. are well tested tools used by millions around the world, so chances are they have already ironed out the security bugs you haven't thought about. That only holds as long as you keep them up to date, though.
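Below is an added example, not code from the original post or from the PHP manual: the products/usertable scenario above rebuilt in Python with an in-memory SQLite database standing in for PHP's ODBC connection, so it runs offline. The schema, rows, allowlist of sizes and the SQLite-flavoured payload (|| for concatenation, no trailing semicolon because sqlite3 runs one statement at a time) are all constructed for this example. It runs the same payload through the vulnerable concatenation and through methods 1, 2 and 4 from the list, so you can see which ones leak the user table.

```python
import sqlite3

# Constructed schema and rows mirroring the products/usertable example above.
SCHEMA = """
CREATE TABLE products (id INTEGER, name TEXT, inserted TEXT, size TEXT);
CREATE TABLE usertable (uname TEXT, passwd TEXT);
INSERT INTO products VALUES (1, 'widget', '2012-07-01', 'large');
INSERT INTO products VALUES (2, 'gadget', '2012-07-02', 'small');
INSERT INTO usertable VALUES ('alice', 's3cret');
INSERT INTO usertable VALUES ('bob', 'hunter2');
"""

# The manual's payload adapted to SQLite syntax, sent as the 'size' field.
# The leading quote closes the literal, UNION adds a second result set with
# four columns, and -- comments out the closing quote of the original query.
PAYLOAD = "' UNION SELECT '1', uname || '-' || passwd, '1971-01-01', '0' FROM usertable --"

ALLOWED_SIZES = {"small", "medium", "large"}   # assumed allowlist for method 2


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def find_by_size_vulnerable(conn, size):
    """The PHP example in spirit: user input is pasted into the SQL text."""
    query = "SELECT id, name, inserted, size FROM products WHERE size = '%s'" % size
    return conn.execute(query).fetchall()


def find_by_size_escaped(conn, size):
    """Method 1, escaping: doubling single quotes keeps the input inside the
    string literal. Works here, but escaping rules are database- and
    charset-specific, and it only takes one forgotten call to lose."""
    escaped = size.replace("'", "''")
    query = "SELECT id, name, inserted, size FROM products WHERE size = '%s'" % escaped
    return conn.execute(query).fetchall()


def find_by_size_validated(conn, size):
    """Method 2, format check: reject anything that is not a known size."""
    if size not in ALLOWED_SIZES:
        raise ValueError("invalid size")
    # Only safe because the allowlist guarantees size contains no SQL syntax.
    return find_by_size_vulnerable(conn, size)


def find_by_size_prepared(conn, size):
    """Method 4, prepared statement: the SQL text is fixed and the value travels
    separately, so it is compared as data and never parsed as SQL."""
    query = "SELECT id, name, inserted, size FROM products WHERE size = ?"
    return conn.execute(query, (size,)).fetchall()


def demo():
    """Run the payload through each variant and report what each one returns."""
    conn = open_db()
    leaked = sorted(row[1] for row in find_by_size_vulnerable(conn, PAYLOAD))
    escaped = find_by_size_escaped(conn, PAYLOAD)
    try:
        find_by_size_validated(conn, PAYLOAD)
        validated = "accepted"
    except ValueError:
        validated = "rejected"
    prepared = find_by_size_prepared(conn, PAYLOAD)
    return {"vulnerable": leaked, "escaped": escaped,
            "validated": validated, "prepared": prepared}


if __name__ == "__main__":
    for variant, result in demo().items():
        print(variant, result)
    # vulnerable ['alice-s3cret', 'bob-hunter2']
    # escaped []
    # validated rejected
    # prepared []
```

Only the vulnerable variant hands back the user table. The prepared statement is the one to reach for by default: the allowlist and the escaping both work here, but each relies on a check that has to be repeated correctly at every query site.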



Keep sensitive data in the database encrypted

If someone does retrieve your database this alone won't save you, but it will make their life considerably harder: they have to break the encryption before the data is useful, which gives you precious time to rotate keys and change the affected information. Passwords are the special case: you never need to read them back, so store a salted, slow one-way hash of each password rather than an encrypted copy. I'm referring you to Coding Horror's excellent post regarding which algorithm to choose (it appears at the end).

Don't Store passwords or sensitive data in client code

Last but not least, I've said this before so I'll make this one short: just don't write anything sensitive (credentials, API keys, "hidden" admin URLs) in code that will be sent to the client, like JavaScript or HTML, because it can be read just as easily as you wrote it.



And now, some funny SQL injection pictures:
XKCD: Exploits of a Mom
SQL Injection T-Shirt
1 comment:

  1. This is really a nice way to explore things around this, so now even check this one: bestkreative.
    Thanks for the post!