What are some tips for preventing a script kiddie from harming your web site?
I believe some of you guys are really good in this…
Some popular holes are:
1. SQL injection
2. JavaScript injection
Some popular solutions:
1. magic quotes
2. check if submitted by using the same host... (this is not fully secure, they can simply change the script attribute on the fly)
What else? And how to prevent it?
6 Answers
1. Don’t use SQL (saves money, too).
2. Run your site on Linux.
3. Don’t enable any software or languages you aren’t using yourself.
4. Put your server behind a NAT firewall and close down ports you aren’t using yourself.
Read up on the subject; using Apache+Linux as the webserver helps a great deal already.
Don’t trust any input you get from the user. Expect that the user is going to send you garbage data—even if script kiddies don’t, ordinary users will. Sanitize it somehow, and make sure it doesn’t contain anything inappropriate. When you interact with the database, use placeholders and parameters to pass arguments to the database, not string interpolation.
Don’t give anyone access to anything he shouldn’t have access to. Turn off all services you’re not using, and use the software firewall to block remote access to any services you’re only using internally. Make sure that users only have access to their own data, and that they can’t screw up others’ data.
Don’t assume that code you didn’t write will do the right thing. Sanity-check the things you get back from the database. Use two methods—configuration and software firewall—to lock down the services; there may be a hole in one method, but there probably won’t be a hole in the same place in both.
Make sure your code is as clean and clear as you can make it. The sort of hole that lets a hacker in is more likely to be in code that’s so messy you have to read it over 2 or 3 times to see how it works.
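Placeholders versus string interpolation, as an added example for the answer above (it is not code from the answer or from any site mentioned on this page). It uses Python's sqlite3 module with an in-memory database and constructed sample rows; the users table, the lookup functions and the sample inputs are this example's own.

```python
"""Database access with string interpolation versus placeholders.
Added example: in-memory SQLite with constructed sample rows; the table,
functions and inputs below are invented for this illustration."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two users who should each see only their own row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users (name, email) VALUES (?, ?)",
                     [("alice", "alice@example.test"), ("bob", "bob@example.test")])
    return conn


def find_user_interpolated(conn: sqlite3.Connection, name: str) -> list:
    """The pattern the answer warns against: the input is pasted into the SQL
    text, so any quote character in it changes what the query means."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_parameterized(conn: sqlite3.Connection, name: str) -> list:
    """The recommended pattern: a ? placeholder. sqlite3 hands the value to the
    engine separately from the query text, so it is only ever compared as data."""
    return conn.execute("SELECT name, email FROM users WHERE name = ?", (name,)).fetchall()


def interpolation_breaks_on(conn: sqlite3.Connection, name: str) -> bool:
    """True if the interpolated query cannot even be parsed for this input,
    which is what an ordinary user named O'Brien causes: the apostrophe ends
    the string literal early and the rest is a syntax error."""
    try:
        find_user_interpolated(conn, name)
        return False
    except sqlite3.OperationalError:
        return True


# Constructed input: a quote character followed by a condition that is always true.
ODD_INPUT = "nobody' OR '1'='1"

if __name__ == "__main__":
    conn = make_db()
    print(find_user_interpolated(conn, "alice"))     # one row, as intended
    print(find_user_interpolated(conn, ODD_INPUT))   # every row: the WHERE clause was rewritten
    print(find_user_parameterized(conn, ODD_INPUT))  # no rows: the whole string is just a name
    print(interpolation_breaks_on(conn, "O'Brien"))  # True: legitimate data breaks the query too
```

The parameterized version also handles the legitimate apostrophe case cleanly, which is the point the answer makes about ordinary users sending data you did not expect: placeholders are not only an injection defence but the only way to pass arbitrary text correctly.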
Ditto cwilbur.
Turn off any ports that you are not using on the server, disable non-essential web services, and make sure you are running the latest stable version of any third party application, web server, database, etc. Often people fail to update these things and leave their site open to these types of vulnerabilities/exploits.
Also make sure that proper file and directory permissions are set correctly. You don’t want to give everyone rwxrwxrwx (777) at the file level or directory level that should not have them.
Good Luck!
R
Hire a security professional.
Install an intrusion detection system (hardware).
Get audited.
PHP
If you use MySQL for your database, you must use MySQLi with prepared statements to validate user input. This is required on both the SELECT and UPDATE-type commands. Many other database extensions support this, such as PostgreSQL and SQLite3.
In order to stop JavaScript injection, you have a number of options. You could either use the strip_tags or the htmlspecialchars built-in function. htmlspecialchars translates characters like <>& to their respective entities (i.e. &lt;) while strip_tags simply removes HTML tag blocks. Another method is to use Textile or Markdown. As a Fluther user, you probably already prefer Textile, but I would recommend Markdown for any programming-related community apps like Stack Overflow.
Python with Django
I like Django. By setting up “models” of SQL tables, you are automatically securing the chance of a SQL injection. Very nice! Also included in the Django framework is the striptags template tag, which functions identically to PHP’s strip_tags command. As with PHP, you may choose to use Textile instead. Lucky for you, this has been implemented in Python as the Textile Package.
Java
If you’re making Java web applications with SQL access, you probably already know a lot about the SQL injection problem. However, a framework like JDO may still be helpful. There are Textile implementations in Java as well.
ALL Languages
To secure your apps from SQL injection in general, avoid building SQL strings from scratch. An example of this is:
query = "SELECT * FROM `table` WHERE id = " + page_id;
Using this form will make terrorists happy, and you will be murdered in your sleep by DB access programmers. Even if you Regex the hell out of it. And don’t think declaring your variable as an int will help either. Instead, read the documentation of your programming language, and look for the words “prepared statements” and “database modeling.”
Summary
You don’t need a security professional for simple web applications like Fluther. (Not to say Fluther is simple. It’s just not a bank site.) You only need to know what you’re doing and be extremely careful and detailed when programming these topics.
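The htmlspecialchars and strip_tags options from the PHP section of the answer above, reproduced in Python as an added example (this is not the answer's code and not Django's striptags): html.escape stands in for htmlspecialchars, and a small HTMLParser subclass stands in for strip_tags. The sample comment and the render_comment function are constructed for this example.

```python
"""Two defences against JavaScript (HTML) injection in user-supplied text,
as Python counterparts of PHP's htmlspecialchars() and strip_tags().
Added example; the sample input and render_comment are invented here."""
import html
from html.parser import HTMLParser


def escape_for_html(text: str) -> str:
    """Like htmlspecialchars(): turn &, <, >, " and ' into entities so the
    browser displays them as text instead of parsing them as markup."""
    return html.escape(text, quote=True)


class _TagStripper(HTMLParser):
    """Collects only the text nodes and drops every tag (like strip_tags())."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.parts: list[str] = []

    def handle_data(self, data: str) -> None:
        self.parts.append(data)


def strip_tags(text: str) -> str:
    """Remove HTML tags but keep their text content. Note that the text inside
    a <script> element survives; only the tags themselves are dropped."""
    stripper = _TagStripper()
    stripper.feed(text)
    stripper.close()
    return "".join(stripper.parts)


def render_comment(comment: str) -> str:
    """Build the HTML fragment a page would embed: strip tags first, then
    escape whatever is left so nothing the parser missed reaches the browser."""
    return '<p class="comment">' + escape_for_html(strip_tags(comment)) + "</p>"


# Constructed sample: a comment that tries to smuggle markup into the page.
SAMPLE = 'Nice site <b>admin</b>! <script>alert("x")</script> Tom & Jerry'

if __name__ == "__main__":
    print(escape_for_html(SAMPLE))  # markup shown literally, nothing executes
    print(strip_tags(SAMPLE))       # tags gone, but alert("x") remains as plain text
    print(render_comment(SAMPLE))   # what actually gets embedded in the page
```

Escaping is what stops the browser from treating the input as code, which is why render_comment applies it last even after stripping. Both functions cover text placed in the HTML body; a value placed inside an attribute, a URL or a script block needs the escaping rules of that context instead.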