Cross-site Scripting

With all the buzz about web 2.0 and the growing open source community, the importance of security is sometimes forgotten. When you want something cool and snazzy for your site and you find an open source solution, it's easy to install the app on your site and forget about it. When the app, tool, forum, or whatever is so easy to set up, it's easy not to think about testing it or updating it with security patches.

Cross-site scripting is a very relevant security problem on the web today. One of the big parts of web 2.0 is user interaction, and that is where the problem can happen: a server takes user input and redisplays it, and the code taking the user's input doesn't properly validate it before the script uses it.

If a user were to put certain script tags into a forum entry form and the data were not checked before being redisplayed, that forum could potentially run the script in the browser of anybody who views the page the data was posted to.
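Here is what "checking the data before redisplaying it" looks like in practice. This is an added example, not code from the original post: a tiny forum-post renderer in JavaScript with the mistake and the fix side by side. The post layout, the sample entry and the helper names (escapeHtml, renderPostUnsafe, renderPostSafe, containsScriptTag) are all constructed for the example.

```javascript
// Added example: rendering an untrusted forum post safely.
// Not from the original post; the layout and the sample entry are constructed here.

// Encode the characters that have meaning in HTML text and quoted-attribute contexts,
// so untrusted text is displayed literally instead of being parsed as markup.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// The mistake: untrusted text dropped straight into the page markup.
function renderPostUnsafe(author, body) {
  return `<div class="post"><b>${author}</b><p>${body}</p></div>`;
}

// The fix: every untrusted value is encoded at the point where it meets HTML.
function renderPostSafe(author, body) {
  return `<div class="post"><b>${escapeHtml(author)}</b><p>${escapeHtml(body)}</p></div>`;
}

// Constructed sample entry: the kind of post the text warns about, carrying script tags.
const samplePost = {
  author: "guest",
  body: 'Nice site! <script>alert("xss")</script>',
};

// Simple check for a reviewer or a unit test: does the rendered HTML still contain
// a script element the browser would execute?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

console.log(containsScriptTag(renderPostUnsafe(samplePost.author, samplePost.body))); // true
console.log(containsScriptTag(renderPostSafe(samplePost.author, samplePost.body)));   // false
```

The encoding has to match the context the value lands in: escapeHtml is correct for HTML text and quoted attribute values, but a value placed inside a script block, a URL or a CSS rule needs the encoding for that context instead, and a templating engine that encodes by default removes the chance of forgetting the call.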

Another example is a login form. If the input data is used directly, without validation, in a database query, someone could purposely input commands that your server would then execute (this variant is known as SQL injection, and it has the same root cause: unvalidated input reaching an interpreter).

This might not seem so bad (who cares if a little guestbook or forum app on your site is hacked?), but this is a potentially big problem. One bad form on one page of your site could make your whole server vulnerable. One vulnerable form could also make your database, which may run the rest of your site, vulnerable.

So how can you make sure your site is secure? VALIDATE, VALIDATE, and VALIDATE: make sure you validate all potentially malicious input data. Also make sure you check for updates. The security of your entire site could depend on it. Nobody is above being attacked. Some famous examples include big names such as MySpace and CBS News. For more real-world examples visit Wikipedia.
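To make "validate all input" concrete for the login-form case above and the advice here, this added example (not from the original post) shows allow-list validation of a login form's fields before anything reaches the database, plus the query shape that keeps data separate from SQL. The field rules, the function names (validateLoginInput, buildLoginQuery, handleLogin) and the table layout are assumptions made for the example; no database driver is used.

```javascript
// Added example: allow-list validation for a login form. Not from the original post;
// the field rules and the users table are assumptions for illustration.

const RULES = {
  // Usernames: letters, digits and underscore, 3 to 32 characters. Anything outside
  // the allow-list is rejected, rather than trying to strip "bad" characters out.
  username: { pattern: /^[A-Za-z0-9_]{3,32}$/ },
  // Passwords are never pattern-restricted (that would weaken them); only the length
  // is bounded so the hashing step cannot be handed megabytes of input.
  password: { minLength: 8, maxLength: 128 },
};

// Returns { ok, errors } so the caller can refuse the request with a clear message
// and log the rejection; rejected input never proceeds to a query or a page.
function validateLoginInput(fields) {
  const errors = [];
  const username = typeof fields.username === "string" ? fields.username : "";
  const password = typeof fields.password === "string" ? fields.password : "";
  if (!RULES.username.pattern.test(username)) {
    errors.push("username must be 3-32 letters, digits or underscores");
  }
  if (password.length < RULES.password.minLength || password.length > RULES.password.maxLength) {
    errors.push("password length out of range");
  }
  return { ok: errors.length === 0, errors };
}

// Validation decides whether the request proceeds; the query itself still uses a
// placeholder so the driver binds the value as data, never as part of the SQL text.
// This returns the statement and its bound parameters in the shape most drivers accept.
function buildLoginQuery(username) {
  return {
    sql: "SELECT id, password_hash FROM users WHERE username = ?",
    params: [username],
  };
}

// The two steps together, as a request handler would call them.
function handleLogin(fields) {
  const result = validateLoginInput(fields);
  if (!result.ok) {
    return { accepted: false, errors: result.errors };
  }
  return { accepted: true, query: buildLoginQuery(fields.username) };
}

// Constructed sample requests.
console.log(handleLogin({ username: "alice_01", password: "correct horse battery" }).accepted); // true
console.log(handleLogin({ username: "o'brien", password: "correct horse battery" }).accepted);  // false
console.log(handleLogin({ username: "alice_01" }).accepted);                                    // false
```

Validation narrows what the application will accept; parameterized queries remove the injection path even for values the validator lets through, so both belong in the handler. The same applies when the username is later shown on a page: the allow-list keeps out markup characters, but output encoding at the point of display is still the control that makes the page safe.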
