Web-Application Security

Web-application security is something every web engineer should know about, yet in my experience most engineers have little idea of it. That is why I decided to write this post: to make people aware of at least the basic and most common kinds of attacks that hackers attempt against web applications. I will also describe some good programming practices to prevent such attacks.

Let's start with SQL injection. Almost everyone has heard of this: an attacker puts SQL code into forms, comments, pictures or any other input that your web application accepts, in a way that gets it executed on your database. An attacker who accomplishes this can do severe damage to your web application: he can steal, delete, or change the user data that your web app runs on.

However, do you need to worry about this type of attack?
Well, most of the time the answer is no! Why not? Because 90% of the popular web frameworks and ORMs out there take care of SQL injection for you: they talk to the database in such a way that SQL injection simply cannot be done. Still, while building your web app, make sure that SQL injection is not possible with the framework or ORM you are using. If you are not using an ORM or a web framework, my advice is to start using one; a well-established framework or ORM brings many such advantages that you may not have known of.
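To show what "taking care of SQL injection" actually means, here is an added example that is not part of the original post. It uses Python's standard sqlite3 module with a constructed in-memory users table: `find_user_unsafe` pastes the input into the query text (the mistake that makes injection possible, and what you can still do by hand even behind an ORM), while `find_user_safe` uses a parameterized query, which is what frameworks and ORMs do for you. The table contents and the function names are my own.

```python
import sqlite3


def make_demo_db():
    """Build an in-memory SQLite database with two constructed demo users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.invalid"), ("bob", "bob@example.invalid")],  # constructed rows
    )
    conn.commit()
    return conn


def find_user_unsafe(conn, name):
    """VULNERABLE: the input is spliced into the SQL text, so the database
    cannot tell the user's data apart from the query's own syntax."""
    query = f"SELECT id, name, email FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def find_user_safe(conn, name):
    """SAFE: a parameterized query. The SQL text is fixed and the value travels
    separately, so whatever it contains is only ever treated as data."""
    return conn.execute(
        "SELECT id, name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


if __name__ == "__main__":
    conn = make_demo_db()
    normal = "alice"
    # Constructed hostile input: closes the quote and appends an always-true condition.
    hostile = "x' OR '1'='1"
    print("unsafe, normal input :", find_user_unsafe(conn, normal))
    print("unsafe, hostile input:", find_user_unsafe(conn, hostile))  # every row comes back
    print("safe, hostile input  :", find_user_safe(conn, hostile))    # nobody is literally named that
```

The detection side is just as simple: if you ever see an f-string, `%` formatting or `+` concatenation feeding `execute()`, the ORM is not protecting that query, no matter which framework sits around it.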

The next type of attack, also very common, is XSS (Cross-Site Scripting). This is also an injection attack, but here, instead of SQL, the attacker puts client-side JavaScript code into forms, comments, pictures or any other input that your web application accepts. Unlike SQL injection, this code is not meant to run on your server at all. It is simply saved in your database, and whenever a user views that comment or post (or wherever the JavaScript was injected), the code gets executed in that user's browser. At one time this was a popular way to serve pop-up ads on websites. Nowadays it is used to add unwanted Chrome extensions or to change a user's browser settings so that some specific page loads every time the browser is opened.

XSS is almost obsolete nowadays, because you can easily make your web app XSS-proof. All you have to do is HTML-encode any data from the database (comments, pictures or any other input an attacker might have put there) before placing it into HTML.

NOTE: Some web frameworks and ORMs do this for you as well.

HTML encoding means replacing the symbols that HTML uses as syntax with another form, so that the browser does not mistake them for markup. In the user's browser these symbols are converted back to their original form and displayed as plain text.

HTML encoding:
  • & is changed to &amp;
  • < is changed to &lt;
  • > is changed to &gt;
  • ' is changed to &#39;
  • " is changed to &quot;

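The table above and the XSS description before it fit into one added example, which is not code from the original post. `html_encode` applies exactly the five replacements listed (with `&` first, so the ampersands introduced by the other replacements are not encoded twice), and the two `render_comment_*` functions show the same page template with and without encoding applied to a constructed stored comment. The function names and the sample comment are my own; Python's standard `html.escape` does the same job, differing only in writing the apostrophe as `&#x27;`.

```python
import html

# Replacement table as given in the post. Order matters: '&' goes first.
HTML_ENCODING = [
    ("&", "&amp;"),
    ("<", "&lt;"),
    (">", "&gt;"),
    ("'", "&#39;"),
    ('"', "&quot;"),
]


def html_encode(text):
    """Turn every HTML-significant character into its entity, per the table."""
    for raw, encoded in HTML_ENCODING:
        text = text.replace(raw, encoded)
    return text


def html_decode(text):
    """What the browser does on display: entities back to their original symbols."""
    return html.unescape(text)


def render_comment_unsafe(comment):
    """VULNERABLE: stored text is dropped into the page markup verbatim, so a
    stored <script> tag becomes a real script in every reader's browser."""
    return f'<p class="comment">{comment}</p>'


def render_comment_safe(comment):
    """SAFE: the same template, but the stored text is HTML-encoded first."""
    return f'<p class="comment">{html_encode(comment)}</p>'


def contains_tag(rendered, tag="script"):
    """True if a real opening tag survived into the markup the browser will parse."""
    return f"<{tag}" in rendered


if __name__ == "__main__":
    # Constructed stored comment: a script, a bare ampersand and some innocent markup.
    stored = "<script>alert('hi')</script> & <b>bold</b>"
    print(render_comment_unsafe(stored))
    print(render_comment_safe(stored))
    # Encoding is lossless: the browser shows the reader exactly what was typed, as text.
    print(html_decode(html_encode(stored)) == stored)
```

Note that encoding is applied at output time, when data goes into HTML, rather than at input time; the same stored comment may later be emitted as JSON or plain text, where HTML entities would be wrong.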
Next up is DoS. This is not Microsoft's Disk Operating System; it stands for Denial of Service. It happens when an attacker seeks to make your resources or services unavailable to their intended users, either by automatically filling your server's database with rubbish data or by flooding your host with so many requests that it hangs.

Unfortunately, to prevent this you may have to use some third-party software (a web application firewall, for example).
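One thing a web application firewall does against the request-flooding variant is rate limiting, and the idea is small enough to show in an added example (my own code, not from the post). The limiter keeps a sliding window of recent request timestamps per client and refuses a request once the client has used its budget for the window; the clock is injectable so the `simulate` helper can replay a constructed list of arrivals deterministically. The class, the limits and the sample client addresses are all assumptions for illustration.

```python
import time
from collections import defaultdict, deque


class RateLimiter:
    """Allow at most `limit` requests per client within any `window_seconds` span.
    Implemented as a sliding window of timestamps, keyed by client identifier."""

    def __init__(self, limit, window_seconds, clock=time.monotonic):
        self.limit = limit
        self.window = window_seconds
        self.clock = clock                  # injectable for deterministic replay
        self.history = defaultdict(deque)   # client -> timestamps of its recent requests

    def allow(self, client):
        now = self.clock()
        recent = self.history[client]
        # Forget requests that have aged out of the window.
        while recent and now - recent[0] >= self.window:
            recent.popleft()
        if len(recent) >= self.limit:
            return False                    # over budget: a real handler would answer HTTP 429
        recent.append(now)
        return True


def simulate(limit, window_seconds, arrivals):
    """Replay a constructed list of (timestamp, client) arrivals; return one
    True/False decision per arrival, in order."""
    fake_clock = {"now": 0.0}
    limiter = RateLimiter(limit, window_seconds, clock=lambda: fake_clock["now"])
    decisions = []
    for ts, client in arrivals:
        fake_clock["now"] = ts
        decisions.append(limiter.allow(client))
    return decisions


if __name__ == "__main__":
    # Constructed burst: one client fires six requests in half a second, a second
    # client sends one request, then the first client returns after the window.
    arrivals = [(0.1 * i, "10.0.0.9") for i in range(6)]
    arrivals += [(0.5, "10.0.0.2"), (12.0, "10.0.0.9")]
    for (ts, client), ok in zip(arrivals, simulate(5, 10.0, arrivals)):
        print(f"t={ts:5.1f}s  {client:<10}  {'allowed' if ok else 'REJECTED'}")
```

Two practical points: key the limiter on something the attacker cannot freely choose (a framework's notion of the client address behind your proxy, not a header the client sets), and remember that a per-process in-memory limiter only protects one server; behind a load balancer the counters need to live somewhere shared.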
