With the increased accessibility to information on the Internet, web security is a vital necessity. Attacks can range from simple nuisances to dangerous compromises of sensitive data. It is important, during website development, that all possible security threats be considered to ensure adequate protection of the website as well as end users. In this article, three security issues that should be considered during web software development are presented: SQL injection, cross site scripting (XSS), and man-in-the-middle attacks.
How SQL Injection Affects Website Security
SQL injection is a technique that attacks the database of a website. By exploiting a key security vulnerability of the database, a MySQL statement is deliberately input by the user to inappropriately access or manipulate the content of the database. Websites that require some user input are vulnerable to SQL injection, such as the one below.
$name_bad = "'DELETE * FROM Products'"; $query_bad = "SELECT * FROM Customers WHERE UserName = '$name_bad'";
SQL injection occurs when an incorrect escape character, such as a single quote (‘), is added to the user input, followed by a valid MySQL statement, such as the value stored in “$name_bad”.
To prevent SQL injection, it is important that any string used in a MySQL query is safely escaped. Functions such as mysql_real_escape_string in PHP check any input string for SQL injection attacks and removes any incorrect escape characters.
Website Development Issues with XSS
Cross Site Scripting (XSS) is a method of injecting harmful code into a trusted website, thereby affecting the individual user of the website. This website, when viewed by another user, will then execute the injected code. The result of an XSS attack can be as simple as redirecting the user to another website or as dangerous as accessing sensitive information. An example of an XSS attack is shown below, where the user name in the welcome page is replaced by a script executing the statement “Hey, you are going to be hijacked!”:
There are a number of methods to prevent cross site scripting attacks during web development activities, including the following:
- Prohibit user input on web pages
- Validate input by extracting unauthorized, potentially harmful characters
- Prohibit all client-side code when developing the website.
These methods, when applied, not only help to prevent XSS attacks, but also protect against other attacks such as SQL injections.
Man-in-the Middle Attacks on Web Security
Man-in-the-middle attacks occur when a third party intercepts communication between two users. Instead of establishing a direct connection between the two, the third party creates two connections to each by intercepting host key information. Any exchanged information, including sensitive data, is first accessed and possibly manipulated by the third party, also known as an eavesdropper.
Man-in-the-middle attacks should be appropriately addressed during web software development. Preventing man-in-the-middle attacks is accomplished using techniques such as:
- Endpoint authentication mechanisms, such as SSL
- Secret keys
See Michael Coates’ more detailed explanation of man-in-the-middle attacks.
When engaging in database and website development you need to be aware of potential threats that can seriously injure your company or reputation. Knowledge of the type of security attacks that can occur is the first step in preventing them.