
Security is and always will be an important topic, especially in the computer world. I’ve outlined and explained some of the most basic and common forms of exploitation and what you should keep in mind.
Thinking outside the box
Using an application in a way it wasn’t designed for is key. Generally, when using an application, you’re pointed along a set path; taking the road less travelled may open up security holes that a developer never thought about, let alone addressed.
CSRF (Cross-Site Request Forgery) & Session Hijacking
“Cross-site request forgery, also known as a one-click attack or session riding and abbreviated as CSRF” [source]
At times you may require parameters within the URL. It’s good practice to:
- Encrypt the contents.
- Attach an expiry if using tokens of some sort (e.g. forgotten-password links); it’s usually a good idea to include an encrypted timestamp which can be validated.
- Stay away from descriptive naming for query parameters, e.g. “?q=” over “?query=”. While it’s not ideal, it decreases the chance of someone guessing what the parameter maps to.
- Limit and validate parameter lengths.
- Never allow parameters to carry session IDs; these can be manipulated and hijacked. Take similar precautions when using access tokens for APIs; OAuth may not always be the answer.
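As an added example (not code from the original post), here is one way to implement the expiry and validation advice above for a forgotten-password link in Ruby. It signs the token with an HMAC rather than encrypting it, so the user id is visible but cannot be altered without invalidating the signature; the secret, TTL, length limit and token layout are assumptions.

```ruby
require 'openssl'
require 'base64'
require 'securerandom'

# Constructed example values. A real application would load the secret from
# configuration, never hard-code it.
SECRET = 'replace-with-a-long-random-secret'
TOKEN_TTL = 15 * 60      # seconds a forgotten-password link stays valid
MAX_TOKEN_LENGTH = 200   # reject oversized parameters before doing any work

def hmac(data)
  OpenSSL::HMAC.hexdigest('SHA256', SECRET, data)
end

# Constant-time comparison so a forged signature can't be guessed byte by byte.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Token layout: "<user_id>:<issued_at>:<nonce>|<hmac>", URL-safe base64 encoded
# so it survives being placed in a query string. The timestamp is covered by
# the signature, so the expiry cannot be moved forward by editing the URL.
def issue_reset_token(user_id, now = Time.now.to_i)
  payload = "#{user_id}:#{now}:#{SecureRandom.hex(8)}"
  Base64.urlsafe_encode64("#{payload}|#{hmac(payload)}", padding: false)
end

# Returns the user id (as a string) on success, nil on any failure:
# oversized, malformed, bad signature, expired, or issued in the future.
def verify_reset_token(token, now = Time.now.to_i)
  return nil if token.nil? || token.length > MAX_TOKEN_LENGTH
  decoded = begin
    Base64.urlsafe_decode64(token)
  rescue ArgumentError
    return nil
  end
  payload, sig = decoded.split('|', 2)
  return nil if payload.nil? || sig.nil?
  return nil unless secure_equal?(sig, hmac(payload))   # check before trusting fields
  user_id, issued_at, _nonce = payload.split(':', 3)
  return nil if user_id.nil? || issued_at.nil? || issued_at !~ /\A\d+\z/
  issued = issued_at.to_i
  return nil if now < issued || now - issued > TOKEN_TTL
  user_id
end
```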
So you’re using a site without an SSL Cert?
Welcome to the world of session hijacking and unencrypted data being sent through the tangled tubes of the interwebz. If you’re not logging in or submitting any private information, like credit card details, via forms, you’re safe enough; otherwise reconsider what information you’re submitting.
With applications like Wireshark, Cain & Abel and Firesheep, a user could monitor local network traffic and pick up the unencrypted data being submitted to a site. This was a popular method used in public places like Internet cafes to gain access to Facebook accounts when SSL wasn’t forced. Such applications are known for making MITM (man-in-the-middle) attacks easy to carry out, although routers commonly have detection/prevention for this.
XSS (Cross-Site Scripting)
“Cross-site scripting (XSS) is a type of computer security vulnerability typically found in Web applications. Due to breaches of browser security, XSS enables attackers to inject client-side script into Web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same origin policy. Cross-site scripting carried out on websites accounted for roughly 84% of all security vulnerabilities documented by Symantec as of 2007.”[source]
Form & Parameter Tampering
These exploits are probably the easiest and can be carried out in any half-decent modern browser that supports live editing of the DOM.
Removing inputs from a form, or altering the values set, can throw a spanner in an application once the form is submitted. If no security / validation component is in place on the server (the client-side checks are exactly what was just edited away), unexpected entries with malformed values may get saved to the database, which can cause issues when they are read somewhere else in the application.
SQL Injection
“SQL injection is a technique often used to attack a website. This is done by including portions of SQL statements in a web form entry field in an attempt to get the website to pass a newly formed rogue SQL command to the database (e.g., dump the database contents to the attacker).” [source]
Resources
- CakePHP has a great Security component to help against some of these; most popular frameworks offer something similar.
- Plenty of gems are available to make life easier in something like Ruby on Rails.
- Services like Mollom and reCAPTCHA are great for protecting contact forms.
- Stay up to date with bug and security releases for your choice of language, CMS, framework, etc. RSS and email lists are usually available.
- Be aware of the threats available to your application.
I don’t recommend the use of any of these methods; applications generally keep logs that allow a user to see what occurred and the source that triggered the event.
The best way to inform is to sometimes scare.