June 21, 2011

Posted in:

Prevent Malicious Code Injection, Sanitize User Input

Virtually all web developers and website owners face a pair of vulnerabilities which do not discriminate against web server types, programming languages, applications, or scripting languages. These easily exploitable vulnerabilities are called Cross Site Scripting (XSS) and SQL Injection. As easy as they are to exploit, for personal gain or revenge, they are equally as easy to prevent. Below I will outline each vulnerability and how to prevent them in your web application. The cause and fix for both are exactly the same.

XSS vulnerabilities typically occur when Form Fields on web pages accept characters which allow malicious users to inject HTML and/or scripts into web pages. A classic example is, your login page has a username and password field with a submit button. If vulnerable to XSS, a malicious user can inject a set of “Verify Username and Password” fields into the page, and when submitted, the verified credentials are delivered to the malicious user.

SQL Injections occur in a similar fashion, but instead of presenting false data to a user (or a myriad of other uses), it is leveraged to access a database on which the web application is reliant. This vulnerability might be used to obtain access to the data inside the database, or manipulate and change the data. One of the most famous SQL Injection attacks is where a malicious user changed the price of a rather expensive item being sold on a website to $0.01. Needless to say, they had a lot of sales that day.

The cause is a failure to perform one sole function, which should be the mantra of every developer: “sanitize the inputs”. In layman’s terms, only accept the characters absolutely required for the particular form field. For example, if the fields are first and last name, the only characters should be A-Z and a hyphen. Telephone#, only permit 0-9, hyphens, plus symbol, and if you absolutely have to, parentheses. Disallow everything else, especially < > / : ” ‘ ( ) ; ` [ ] { }. Even if some are required, encode them, restrict the others that are not. The less special characters permitted, the fewer the avenues of attack. Below are a few resources for more information.

The use of a web application firewall, such as Applicureā€™s dotDefender, is a great way to provide protection against XSS and SQL Injection attacks, as well as hundreds of other common attacks. It should not be used as a cover up for poor coding practices, as these additional technologies can be turned off, removed or placed into monitor-only.

Go back