Web Security: Best Programming Practices

[vc_row 0=””][vc_column 0=””][vc_column_text 0=””]We wrote about WordPress security on a shared hosting and what to do if you get hacked. Here we will write about general programming practices to include in your web development projects. This is a technical article so good for your development team as well as should be made standard practice in all IT concerns.

Web security is often assumed out of the box and something even the best practices can’t always cover. Its important cover all your bases and be on your toes. Websites are a complex beast and need tending to constantly.

 

1. Never Trust User Input

The basic rule for securing web application is to always filter input and escape output. Do not trust user data and always make it validate and filter properly. To validate means to verify that the data is valid while filter means to remove unwanted characters from the data. Sometimes we trust user data because we never even know it’s actually user data. For example; consider $_SERVER[‘HTTP_HOST’] which is a PHP global variable and some developers become confused that its server variable and not user data. So they used this variable in form action or site_url like

<form action=”<?= $_SERVER[‘HTTP_HOST’]?>/page”>

Or

$config[‘site_url’] = ‘HTTP://’.$_SERVER[‘HTTP_HOST’];

However a user (attacker) can modify this variable by sending a different host header. So we should avoid using $_SERVER[‘HTTP_HOST’] and use the domain name instead. E.g

$domain_name = 'mydomain.com';
$config['site_url'] = 'HTTP://'. $domain_name;

This type of security vulnerabilities leads to phishing attacks and cache poisoning.[/vc_column_text][/vc_column][/vc_row][vc_row 0=””][vc_column 0=””][vc_column_text 0=””]

2. Understand Cross site scripting (XSS):

In this type of web security attack, an attacker executes an unwanted malicious JavaScript in the user browser. Let’s say a website contains the following input field

<input type="text" value="user" />

So an attacker comes and insert script like this

"<script>alert(‘website hacked’);</script><input type="text" value="

so it becomes

<input type="text" value="" />
<script> alert(‘website hacked’);</script>
<input type="text" value="" />

In this way attacker can execute the script he/she wants to execute and can steal user cookie, spread malwares and perform many other tasks.[/vc_column_text][vc_column_text el_class=”check-list”]

Type of cross site scripting are

The prevention for this type of web security vulnerability is to encode and properly validate user input both on the client side as well on the server side.[/vc_column_text][/vc_column][/vc_row][vc_row 0=””][vc_column 0=””][vc_column_text 0=””]

3. Cross site request forgery (CSRF):

In this type of web security vulnerability, malicious website sends a request to a web application that a user is already authenticated against. The attacker inspects the website and finds the form action and then submit the form from a malicious website to the found action url with the desired values.
To prevent this type of security attacks always include an unpredictable token to each request and verify request again that token.[/vc_column_text][/vc_column][/vc_row][vc_row 0=””][vc_column 0=””][vc_column_text 0=””]

4. SQL Injection:

This type of security attack arises because of security weakness which allows attacker to take control of application’s database. Thus the attacker can view, modify, delete records or even drop tables. For example, let’s say we have a website that displays student result based on the student id.
Student Id

The actual SQL query is

SELECT * FROM std_result WHERE std_id=1005

So it will fetch the user result but what if the user type 1005 or 1=1 into the box. The query will become

SELECT * FROM std_result WHERE std_id=1005 or 1=1

In this case the first condition will become false but the second condition will become true and it will fetch all the rows. The attacker can also drop the whole table if he/she types 1005; DROP table std_result; into the box.

This type of attacks can be prevented by using PDO and mysqli with strongly typed parameterized queries.[/vc_column_text][/vc_column][/vc_row][vc_row 0=””][vc_column 0=””][vc_column_text 0=””]

5. Session Fixation

In this type of security vulnerability an attacker explicitly sets session identifier of a session for a user. It’s typically performed by making a URL like http://www.example.com/index.php...?session_name=sessionid. This URL is then passed to the victim. As soon as the victim clicks on the link, the attack is succeeded.

This type of security vulnerability can be prevented by

[/vc_column_text][/vc_column][/vc_row][vc_row 0=””][vc_column 0=””][vc_column_text 0=””]

6. Session Hijacking:

In this type of security vulnerability an attacker gets hold of a session identifier and thus attacker becomes able to send requests as if they were the actual user. As the attacker has got the identifier, so they can perform any thing that can be done by the actual user.

We can’t really prevent session hijacking but we can make it difficult and harder to use by using strong hash identifier, setting additional entropy, changing session name from default PHPSESSID etc.

Note that the difference between session fixation and session hijacking is that of how the attacker gets access to identifier. In session fixation the identifier is set to a value that the attacker knows while in hijacking the identifier is being stolen from the user or being guessed by the attacker. The impact of both is the same.[/vc_column_text][/vc_column][/vc_row][vc_row 0=””][vc_column 0=””][vc_column_text 0=””]

7. Patch Your Servers

Sometimes you may get hacked even when its not your fault. There have been some severe hacks recently such as Heartbleed and WannaCry. It would be very helpful when you can patch your webservers against such wide ranging hacking techniques. Kernel hardening or OS hardening is a valid technique. For large websites and business concerns, its important to patch your servers, even every week if need be. You can setup a server cron job (scheduled task) to send you list of outdated packages so you can update manually. We do this regularly for our dedicated clients.[/vc_column_text][/vc_column][/vc_row][vc_row 0=””][vc_column 0=””][vc_column_text 0=””]Finally, you can ask a software company specializing in web security to look into your setup. They will do stress tests, performance tests and penetration tests to find of any vulnerabilities. If you are looking to get your website tested then you can discuss with us.[/vc_column_text][/vc_column][/vc_row]

Tagged

Advantages of our
Web Security: Best Programming Practices

Round-the-clock Availibility

Our support staff is available 24/7 to take support calls and messages from clients.

100% Client Satisfaction

We involve client in all stages of software development to deliver satisfaction and peace of mind.

Technical Process

We hire developers that are technically strong and discuss the project thoroughly before starting.

Money Back Guarante

If you are not happy with the quality of work or we fail to achieve final technical goal, we’ll not take your money.

Long Term Commitment

We have worked with some clients for over 7 years. Our commitment and dedication is a matter of pride for us.

We Care!

We care about your investment. We will tell it straight if you are making a bad decision.

Contact us

Request a Demo

clients
Timothy de Vos

Timothy de Vos

Senior Project Manager, Characterful

Khuram, and his team, completed excellent work for us. They were professional, willing to go the extra mile and communicative. They completed the project as expected with no issues. I look forward to working with them on the next project.
rosy

Rosy Thornton

Owner, Orange Lizard

I have worked with Khuram and the team on several projects now, and they are always extremely professional, proactive and efficient in their work. The standard of work is excellent and the client has always been very happy with the result. I have no hesitation in recommending them.
Olushola Dabiri

Olushola Dabiri

Owner, Shokam Consulting Limited

The Right Software has become a dependable and valuable partner over the years. They are committed to ensuring that all tasks given to implement are carried out successfully. They never disappoint! I will surely recommend them.
david-ball

David Ball

Owner, Media Force Ltd, UK

I have been working with The Right Software for the last year and must say that the service and quality of work is outstanding! They are very quick to understand my brief and always go above and beyond to complete the job on time and on budget. I highly recommend you use The Right Software for all your future projects.
Emily House

Emily House

Manager, Mineral Systems NZ

Over the last 5 years of working with The Right Software we have found them very capable and patient. They have done a fantastic job of building a complicated system with a remote user and continue to support its development.

    NDA implied. No spam. Privacy guaranteed.