Web Development in a Standards Compliant Sort of Way

Web Development Security Measures – Preventing Malicious Website Attacks

December 16th, 2009 by Michael Cordova

With so much information now reachable over the Internet, web security is a necessity, not an option. Attacks range from simple nuisances to compromises of sensitive data. During website development, every plausible security threat should be considered so that both the website and its end users are adequately protected. This article presents three security issues that should be considered during web software development: SQL injection, cross site scripting (XSS), and man-in-the-middle attacks.

How SQL Injection Affects Website Security

SQL injection is a technique that attacks the database behind a website. By exploiting a security weakness in the way the site queries its database, a user deliberately supplies a MySQL statement as input in order to read or manipulate the content of the database in ways the site never intended. Websites that accept user input and place it directly into a query are vulnerable to SQL injection, as in the example below.

$name_bad = "'DELETE * FROM Products'";                               // attacker-supplied input: a quote followed by a statement
$query_bad = "SELECT * FROM Customers WHERE UserName = '$name_bad'";  // the raw value is pasted straight into the query text

SQL injection occurs when an unescaped string delimiter, such as a single quote ('), is placed in the user input and followed by a valid MySQL statement, as in the value stored in $name_bad: the quote closes the string literal the query expected, and whatever follows it is parsed as SQL.

To prevent SQL injection, every string used in a MySQL query must be safely escaped before it is placed in the query. Functions such as mysql_real_escape_string in PHP escape the characters in an input string (quotes, backslashes and a few others) that would otherwise close the string literal, so the input can only ever be read as a value and never as part of the statement.
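The same lookup built three ways, as an added example that is not code from the original post: a string-built query that mirrors $query_bad, the escaped version the paragraph above recommends, and a parameterized query, which is the stronger defence because the value never becomes part of the SQL text. It runs against a constructed in-memory SQLite table; the function names and the sample rows are assumptions.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample table (not real data). "O'Brien" carries the
    # single quote that the article identifies as the injection trigger.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Customers (UserName TEXT, Email TEXT)")
    conn.executemany(
        "INSERT INTO Customers VALUES (?, ?)",
        [("alice", "alice@example.com"), ("O'Brien", "obrien@example.com")],
    )
    return conn


def build_query_bad(name: str) -> str:
    # Mirrors $query_bad: the raw value is pasted into the SQL text, so a
    # quote in it closes the literal and whatever follows is parsed as SQL.
    return f"SELECT * FROM Customers WHERE UserName = '{name}'"


def lookup_bad(conn: sqlite3.Connection, name: str):
    # Returns None when the stray quote breaks the statement; input that
    # happens to form valid SQL after the quote would run instead of failing.
    try:
        return conn.execute(build_query_bad(name)).fetchall()
    except sqlite3.OperationalError:
        return None


def sql_escape(value: str) -> str:
    # What an escaping function does for the quote character: double it so
    # it is read as a literal quote, not a delimiter. (mysql_real_escape_string
    # also handles backslash, NUL and others because MySQL treats backslash
    # as an escape; SQLite only needs the quote doubled.)
    return value.replace("'", "''")


def lookup_escaped(conn: sqlite3.Connection, name: str):
    return conn.execute(build_query_bad(sql_escape(name))).fetchall()


def lookup_param(conn: sqlite3.Connection, name: str):
    # Preferred: a placeholder in the SQL, the value handed to the driver
    # separately, so it is never parsed as part of the statement.
    sql = "SELECT * FROM Customers WHERE UserName = ?"
    return conn.execute(sql, (name,)).fetchall()
```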

Website Development Issues with XSS

Cross Site Scripting (XSS) is a method of injecting harmful code into a trusted website, thereby affecting the individual users of that website. When another user views the affected page, their browser executes the injected code. The result of an XSS attack can be as simple as redirecting the user to another website or as dangerous as accessing sensitive information. An example of an XSS attack is shown below, where the user name on the welcome page is replaced by a script that pops up the message "Hey, you are going to be hijacked!":

http://www.yourdomain.com/welcomedir/welcomepage.php?name=<script language=javascript>alert('Hey, you are going to be hijacked!');</script>

Typically, XSS attacks are created with a browser-side script, such as JavaScript, injected into the URL of a website or hidden in a link inside a message or email. The effects of an XSS attack can spread widely, because information is passed, unknowingly, from one user to another.
There are a number of methods to prevent cross site scripting attacks during web development activities, including the following:

  • Prohibit user input on web pages
  • Validate input by removing unauthorized, potentially harmful characters
  • Prohibit all client-side code when developing the website

These methods, when applied, not only help to prevent XSS attacks, but also protect against other attacks such as SQL injections.
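How the welcome page from the example above can be rendered safely, as an added example that is not part of the original post: it pulls the name parameter out of the request URL, then compares a page that pastes the value into the HTML (the flaw the URL above exploits) with one that HTML-encodes it first, so the browser displays the text instead of running it. The URL is the page's own example; the function names are assumptions.

```python
import html
from urllib.parse import parse_qs, urlsplit

# The URL from the article, with the script tag as the name parameter.
EXAMPLE_URL = (
    "http://www.yourdomain.com/welcomedir/welcomepage.php?name="
    "<script language=javascript>alert('Hey, you are going to be hijacked!');</script>"
)


def name_from_url(url: str) -> str:
    # Extracts the ?name= value from the request URL (empty string if absent).
    return parse_qs(urlsplit(url).query).get("name", [""])[0]


def render_unsafe(name: str) -> str:
    # The flaw in the article's welcome page: the value is pasted into the
    # HTML as-is, so any tags inside it are interpreted by the browser.
    return f"<h1>Welcome, {name}!</h1>"


def render_safe(name: str) -> str:
    # html.escape turns < > & " ' into entities; the browser shows the
    # characters literally and no script element is ever created.
    return f"<h1>Welcome, {html.escape(name, quote=True)}!</h1>"


def contains_script_tag(page: str) -> bool:
    # Detection check: did a raw <script tag survive into the output?
    return "<script" in page.lower()


if __name__ == "__main__":
    name = name_from_url(EXAMPLE_URL)
    print(render_unsafe(name))
    print(render_safe(name))
```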

Man-in-the-Middle Attacks on Web Security

Man-in-the-middle attacks occur when a third party intercepts the communication between two parties. Instead of a direct connection between the two, the third party sets up a separate connection to each of them, intercepting the host key information they exchange. Everything the two parties send, including sensitive data, first passes through the third party, also known as an eavesdropper, who can read and possibly manipulate it.

Man-in-the-middle attacks should be appropriately addressed during web software development. Preventing man-in-the-middle attacks is accomplished using techniques such as:

  • Endpoint authentication mechanisms, such as SSL
  • Passwords
  • Secret keys

See Michael Coates’ more detailed explanation of man-in-the-middle attacks.

Conclusion

When engaging in database and website development you need to be aware of the potential threats that can seriously harm your company or its reputation. Knowing the types of security attacks that can occur is the first step in preventing them.

About the Author

Michael A. Cordova has been successfully designing and building custom database software systems since 1993 when he founded 21st Century Technologies, Inc. A student of methodologies, his custom software systems have never failed. To get started on your own custom software application complete this software development questionnaire and Michael will be in touch within 24 hours.
