It seems every week these days we hear a story about some online presence getting ‘hacked’. The term hacked isn’t entirely accurate though, in most cases, it’s as simple as somebody finding a flaw, or vulnerabilities, in the website's security. These flaws are not always apparent though and sometimes can exist for years before anyone even finds them (remember Heartbleed?). As such developers have to take as much care as possible when initially designing an application.
A very common vulnerability is Cross-Site Scripting (XSS). This can be when a malicious user stumbles across an unprotected text input field and enters a link that points to harmfulScript.js for example. If successful, the attacker can use that script to hijack another legitimate user’s session. They could gain access to other user’s accounts, change the contents of the webpage, or even install malware on that user’s computer. This all happens without the legitimate user knowing because as far as they are concerned, they are using the same trustworthy website that they are used to. This can be a pretty serious issue, but thankfully it is easy to fix. Simply make sure that you ‘sanitize’ any information you receive from your users. This simply makes sure that any data you receive is stored in a non-web context.
Another security flaw is Cross-Site Request Forgery (CSRF). This happens when a user logs into a frequently used account (YouTube, Facebook, etc.) and then clicks on a link to another site without logging out first. If your site is vulnerable to a CSRF attack, the new malicious website can perform less than desirable actions on the user’s behalf. Attackers can use this to spread exploits, spam users, or ruin your reputation. Fortunately, this is also pretty easy to avoid. First of all, avoid GET requests as much as possible and stick to POST requests, especially on form submissions. This alone is not enough, you should also use tokens. Tokens are issued to a user upon sign in and contain some form of identifier tied to that user. These tokens, also known as a nonce, then need to be validated every time the user submits anything. This ensures that the request is, in fact, coming from a webpage that we control.
SQL Injection is also a very common form of attack. With SQL injection, an attacker can try bits and pieces of SQL code and submit the form or action and see if the code has any effect on the website. If it does, the user can go on to extract information from the database, which includes customers, employees, company records, usernames, and passwords. An attacker can also use this to modify data (pricing, inventory, etc.), or even just drop the tables altogether which while annoying, can hopefully be recovered if regular backups are kept. This solution is also fairly simple thankfully. To work around this you should validate all input for type, length, and format. This will make sure the data is the appropriate type for the context in which it is used and if it has any characters that are potentially dangerous. You should also use parameters with stored procedures. The benefit of this is that parameter collections exist, such as SqlParameterCollection, which handles the input properly and performs various checks. If the data fails the checks, an exception is thrown.
These are just three of the most common vulnerabilities that exist. There are much more out there but thankfully with just a little bit of extra care and detail, the risks of the vulnerabilities can be minimized. Here at Palm Beach Software, we go the extra mile to ensure that every application we create exceeds the standard best practices for information security. This allows us to assure you that your data will be safe and you can be worry-free.