A few tips on website security

By • Aug 3rd, 2008 • Category: Advice

Jump to the end for my tips, or read for the entire story…

For the first time in a long while I actually had fun at my regular job. This happened Friday, and happened because I got the opportunity to take advantage of an unsecured website.

Recently at my job (I am in marketing) I have been responsible for updating our website to make it easier to maintain and navigate, and more secure. Prior to my assignment to the website, someone who knew what they were doing would have been able to view confidential company information, get credit card numbers for anyone who has ever purchased from our online store, and a list name’s and addresses for all our customers. This is extremely scary stuff since we are in a highly competitive industry.

What happened on Friday wasn’t anything this significant, but it easily could have been had the website been that type of site. On Friday my boss simply asked me to update our profile on the website of a trade show we are attending in September. One of the things I was asked to do was add the name of our trademarked products.

In doing this I wanted to add the trademark symbol ™ which is done by typing the HTML code ™. I wasn’t thinking when I did it, but later realized what had happened – a website that said I could only type 150 characters doesn’t actually check or secure what I type. Long story short, I ended up styling our entire profile (as you would a MySpace page), and was able to load dynamic content to do basically whatever I want.

Now, not only does our free profile have an amazing photo gallery and more features than one we could have upgraded to, it also gives us the name and address of every single visitor to our page, adds us to their schedule of exhibitors to see, and removes our competitors from their list if they are on there. Pretty sly for 150 characters.

How this could have been avoided:

  • Cleanse your data

I have to say the best part of my actions is they can not easily be tracked because the code I entered looks exactly like code they were already using, and can not be removed without potentially damaging everyone else’s profile.

The pages they offered were simple question and answers from each company exhibiting at the tradeshow (which means ours now stands out from the rest) so the company in charge should have made it so you could only type text.

On several websites I am developing I have it so people can upload content and make their own profile. One of the first things I had to do was make it so everything else would be stripped out. This is typically done using regular expressions or a predefined function that comes with almost every major programming language.

In their case, a single line of code could have done just that. But because they failed to do so, I am now able to run remote scripts (aka XSS/Cross Site Scripting) that could do pretty much any evil thing I want. Luckily for them, chances are no one else who visits the page would ever know the flaw exists.

  • Verify all uploaded files

Another major issue that exists with this site is they allow you to upload and post files (supposed to be only images) but they do not check to see what kind of file it is. While this doesn’t necessarily do anything harmful per say, I was able to upload and re-download a word document, and pretend like I uploaded a file when I hadn’t.

What this means is I was able to grab a file from their server because their site thought it was one I uploaded. The file I grabbed was their website configuration file, which could have given ,e endless access to their server. I did this by guessing the name and location of the file and was surprised they didn’t check to see if the file I entered was an uploaded file.

Again, this is a huge risk because anyone who knew what they were doing could take control of their entire server all because someone didn’t know to include a single line of code. In case you are wondering, I did not do anything to access or harm their server, and was kind enough to notify their webmaster about these issues.

  • Cleanse your data again

A recurring theme here, but again very important. I found another instance where the site did nothing to secure themselves from what users typed in, this time on the login page. They have it set so you type your company’s name and a password to log in. I decided to pay around with this and found they are venerable to SQL injection.

Because they did not strip unwanted characters from what I entered, I was able to log in as any company, and, if I wanted to, could have deleted their entire database. This is something I had to fix on my work’s website as well because the company who originally designed our website didn’t know jack about web security.

When user entry is used to input or read data from a database (such as validating a password), everything they type should scrubbed before you allow the query to run. I use CakePHP for most of the sites I build, which has an excellent set of functions to sanitize data. There are several ways to accomplish this in any language you use.

I would be glad to offer free consultation to anyone who has general questions about internet security. I am also available for long term consulting.


Email this author | All posts by

Leave a Reply