Web Development Security Measures – Preventing Malicious Website Attacks
With the increased accessibility to information on the Internet, web security is a vital necessity. Attacks can range from simple nuisances to dangerous compromises of sensitive data. It is important, during website development, that all possible security threats be considered to ensure adequate protection of the website as well as end users. In this article, three security issues that should be considered during web software development are presented: SQL injection, cross site scripting (XSS), and man-in-the-middle attacks.
How SQL Injection Affects Website Security
SQL injection is a technique that attacks the database behind a website. By exploiting a key security vulnerability, the user deliberately supplies input containing a MySQL statement in order to inappropriately access or manipulate the content of the database. Websites that build a query from user input are vulnerable to SQL injection, such as the query below.
$name_bad = "'DELETE * FROM Products'";
$query_bad = "SELECT * FROM Customers WHERE UserName = '$name_bad'";
SQL injection occurs when an unescaped quoting character, such as a single quote ('), is included in the user input, followed by a valid MySQL statement, such as the value stored in “$name_bad”. The quote closes the string literal in the query, so whatever follows is interpreted as SQL rather than as data.
To prevent SQL injection, it is important that any string used in a MySQL query is safely escaped. Functions such as mysql_real_escape_string in PHP escape the special characters in an input string (quotes, backslashes, NUL) so that they cannot terminate the string literal and alter the query. Note that the mysql_* functions were removed in PHP 7; the preferred approach today is a prepared statement with bound parameters (mysqli or PDO), which keeps the input separate from the SQL text altogether.
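The following is an added example, not code from the article: it reproduces the article's vulnerable query pattern in Python with an in-memory SQLite database (table, rows and inputs are constructed here) and contrasts it with an escaped and a parameterised version.

```python
import sqlite3

def make_db():
    """Constructed sample database modelled on the article's Customers table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Customers (UserName TEXT, Email TEXT)")
    conn.executemany("INSERT INTO Customers VALUES (?, ?)",
                     [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    return conn

def lookup_vulnerable(conn, name):
    # Mirrors $query_bad: the raw input is spliced into the SQL text, so a quote
    # in the input ends the literal and the rest is executed as SQL.
    query = "SELECT * FROM Customers WHERE UserName = '%s'" % name
    return conn.execute(query).fetchall()

def escape_single_quotes(value):
    # Minimal escaping for a single-quoted SQL literal: standard SQL doubles the
    # quote. (MySQL's mysql_real_escape_string uses backslashes instead, and also
    # escapes backslash and NUL; this helper covers only the quote case.)
    return value.replace("'", "''")

def lookup_escaped(conn, name):
    query = "SELECT * FROM Customers WHERE UserName = '%s'" % escape_single_quotes(name)
    return conn.execute(query).fetchall()

def lookup_safe(conn, name):
    # Parameterised query: the driver passes the value separately from the SQL
    # text, so no character in the input can change the statement's structure.
    return conn.execute("SELECT * FROM Customers WHERE UserName = ?", (name,)).fetchall()

if __name__ == "__main__":
    db = make_db()
    tautology = "x' OR '1'='1"          # constructed hostile input
    print("vulnerable:", len(lookup_vulnerable(db, tautology)), "rows")  # every customer
    print("escaped:   ", len(lookup_escaped(db, tautology)), "rows")     # 0 rows
    print("safe:      ", len(lookup_safe(db, tautology)), "rows")        # 0 rows
```

The tautology input makes the vulnerable lookup return every row, while both hardened lookups treat the whole string as a (non-matching) user name.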
Website Development Issues with XSS
Cross Site Scripting (XSS) is a method of injecting harmful code into a trusted website, thereby affecting the individual users of that website. When the affected page is viewed by another user, the browser executes the injected code. The result of an XSS attack can be as simple as redirecting the user to another website or as dangerous as accessing sensitive information. An example of an XSS attack is shown below, where the user name shown on the welcome page is replaced by a script that pops up the message “Hey, you are going to be hijacked!”:
http://www.yourdomain.com/welcomedir/welcomepage.php?name=<script language=javascript>alert('Hey, you are going to be hijacked!');</script>
Typically, XSS attacks are built from a browser-side script, such as JavaScript, injected into the URL of a website or hidden in a link in a message or email. The effect of an XSS attack can spread widely, because information is passed unknowingly from one user to another.
There are a number of methods to prevent cross site scripting attacks during web development activities, including the following:
- Prohibit user input on web pages
- Validate input by removing unauthorized, potentially harmful characters, and encode output so that any remaining markup is displayed as text rather than executed
- Prohibit all client-side code when developing the website
These methods, when applied, not only help to prevent XSS attacks, but also protect against other attacks such as SQL injections.
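As an added example (not code from the article), here is the welcome page's behaviour modelled in Python: the article's script-tag payload is the constructed input, one renderer reflects it unchanged, the other applies output encoding, and an allow-list validator shows the "remove unauthorized characters" approach.

```python
import html
import re

# Constructed hostile input, taken from the article's example URL (the value of ?name=).
ATTACK_NAME = "<script language=javascript>alert('Hey, you are going to be hijacked!');</script>"

def render_vulnerable(name):
    # Reflects the parameter straight into the HTML, so the browser runs the script.
    return "<h1>Welcome, %s!</h1>" % name

def render_safe(name):
    # Output encoding: <, >, &, " and ' become entities, so the browser shows the
    # text of the payload instead of interpreting it as markup.
    return "<h1>Welcome, %s!</h1>" % html.escape(name, quote=True)

NAME_RE = re.compile(r"^[A-Za-z0-9 .'-]{1,40}$")

def validate_name(name):
    # Allow-list validation (assumed policy for this example): returns the name if
    # it contains only characters a user name may contain, otherwise None.
    return name if NAME_RE.match(name) else None

def reflects_script(rendered_html):
    # Simple check for a reflected tag, e.g. for a unit test or a response filter.
    return "<script" in rendered_html.lower()

if __name__ == "__main__":
    print(render_vulnerable(ATTACK_NAME))   # script tag reaches the browser intact
    print(render_safe(ATTACK_NAME))         # &lt;script ...&gt; is shown as text
    print(validate_name(ATTACK_NAME))       # None: rejected before rendering
    print(validate_name("Ossie"))           # Ossie
```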
Man-in-the-Middle Attacks on Web Security
Man-in-the-middle attacks occur when a third party intercepts communication between two users. Instead of the two establishing a direct connection, the third party creates a separate connection to each of them by intercepting host key information. Any exchanged information, including sensitive data, is first accessed and possibly manipulated by the third party, also known as an eavesdropper.
Man-in-the-middle attacks should be appropriately addressed during web software development. Preventing man-in-the-middle attacks is accomplished using techniques such as:
- Endpoint authentication mechanisms, such as SSL/TLS with certificate verification
- Passwords
- Secret keys
See Michael Coates’ more detailed explanation of man-in-the-middle attacks.
Conclusion
When engaging in database and website development you need to be aware of potential threats that can seriously harm your company or reputation. Knowledge of the types of security attacks that can occur is the first step in preventing them.
About the Author
Michael A. Cordova has been successfully designing and building custom database software systems since 1993 when he founded 21st Century Technologies, Inc. A student of methodologies, his custom software systems have never failed. To get started on your own custom software application complete this software development questionnaire and Michael will be in touch within 24 hours.
Tags: Security, Web Development
Hey, I came across this blog post while searching for help with JavaScript. I’ve recently switched browsers from Chrome to IE. After the change I seem to have an issue with loading JavaScript. Every time I go on a page that requires JavaScript, the page freezes and I get a “runtime error javascript.JSException: Unknown name”. I cannot seem to find out how to fix the problem. Any aid is greatly appreciated! Thanks
Ossie,
I have just the tool for you and it’s not IE. Install Firefox and the Firebug plugin. You can trace the jScript code to the point of error. You can also hover the mouse over objects and see the code for the object as you pass the mouse over it, or run the cursor through the code and see the (browser rendered) page object associated with the code.
Firebug is an awesome tool, and many other tools use it as the base of theirs, like http://spriteme.org/ and Yahoo’s http://developer.yahoo.com/yslow/. SpriteMe merges groups of images into one image that can be addressed by coordinates in CSS, thus reducing the number of HTTP requests needed for a page to load. YSlow tests your page for all attributes that cause it to load slowly. More on speeding up page load times in this post: http://www.21stsoft.com/page-load-time-seo-usability/. Firebug does a lot more than this.
Firebug will save you a lot of time like it does me (and page loads).