8 May 2006
Webmasters: Secure your code!
I’ve been developing websites for several years now. In the early days, I was just playing with static HTML (see my early efforts if you fancy a laugh) but around six years ago I read a copy of Active Server Pages for Dummies, learnt how to develop dynamic, e-commerce websites and never looked back.
Writing websites powered by clever code is great, but something you should never do is compromise the security of your website or server. I can understand why Google occasionally has problems with security because their websites can be incredibly complex, but other companies should be aware of the risks involved with hiring developers who write sloppy code that could put the privacy of their customer details at risk.
A few years ago, I ordered some wine from a well known wine merchant’s website. After ordering, I noticed that my receipt simply contained my order number in the query string at the end of the URL, something like this:
As an experiment, I simply changed the
OrderNo parameter and discovered that I could view the details for every order in their database – which included the personal details of all their customers. Not only that, but I could also use the same technique to change the delivery address for any order in their system without even being logged in!
I notified the website in question – which incidentally claimed to be “totally committed to protecting your privacy” – and received my first response over one week later. “The fault was created by our old web design agency and unfortunately no one picked up on it,” explained their Online Marketing Manager, “our new agency have promised to have a secure fix in place by Friday night and it is our number one priority.” During this time, customers’ details were freely available to anyone with a bit of simple web programming knowledge and they didn’t even send me a free bottle of wine for notifying them directly instead of running to Watchdog!
Today I stumbled across another e-commerce site with several serious security flaws. I’d usually email the company whose website it was to give them some friendly advice, but I shan’t be doing that in this case because the website belongs to a competitor who ripped off the layout, graphics, content and code from one of my websites and has kindly ignored our ‘Cease and Desist’ letters!
Instead, just to ease my conscience a little bit, here are just a few tips for making sure that your website is safer than theirs.
- Don’t rely on client-side validation – most browsers allow you to switch off client-side scripting, so make sure your website handles this gracefully.
- Don’t save any uploaded files to your webspace – not even if they’re saved to folders with randomly generated names, and especially not if your users can upload scripts which can be executed – i.e. ASP, PHP, CGI, etc.
- Don’t store your customer database on your webspace – but if you absolutely have to do this, I’d suggest password protection and a random filename.
- Validate user input server-side – especially if you’re using parameters passed in via the query string or form fields to create SQL queries on the fly, otherwise your visitors could use SQL Injection to update or delete the entire contents of your database.
- Secure any admin areas properly – make sure they’re password protected so that only authorized people can access them, don’t just assume that people will never guess the URL!
I know that we can all make mistakes, but many smaller companies are hiring cheap, freelance developers who don’t care about whether their code is secure because the customer doesn’t know how to test it; by the time a security flaw is revealed, the developer’s already been paid and the company could be left with an expensive problem on their hands – especially if a malicious visitor has deleted the entire contents of their database or modified the website.
So, my final question is this: Would it be wrong of me to switch off client-side scripting in my browser, upload an ASP file to their webspace that, when executed, lists every file and folder in the root of the website, then proceed to download a copy of their files, including their customer database and confidential PDFs regarding their budgets?
(Surely that’s not wrong, is it? Not when you consider what I could have done...)
Anyway, here endeth the lesson. Any questions (or answers)?
Labels: development, personal, rant