8 May 2006

Webmasters: Secure your code!

I’ve been developing websites for several years now. In the early days, I was just playing with static HTML (see my early efforts if you fancy a laugh) but around six years ago I read a copy of Active Server Pages for Dummies, learnt how to develop dynamic, e-commerce websites and never looked back.

Writing websites powered by clever code is great, but something you should never do is compromise the security of your website or server. I can understand why Google occasionally has problems with security because their websites can be incredibly complex, but other companies should be aware of the risks involved with hiring developers who write sloppy code that could put the privacy of their customer details at risk.

A few years ago, I ordered some wine from a well known wine merchant’s website. After ordering, I noticed that my receipt simply contained my order number in the query string at the end of the URL, something like this:

As an experiment, I simply changed the OrderNo parameter and discovered that I could view the details for every order in their database – which included the personal details of all their customers. Not only that, but I could also use the same technique to change the delivery address for any order in their system without even being logged in!

I notified the website in question – which incidentally claimed to be “totally committed to protecting your privacy” – and received my first response over one week later. “The fault was created by our old web design agency and unfortunately no one picked up on it,” explained their Online Marketing Manager, “our new agency have promised to have a secure fix in place by Friday night and it is our number one priority.” During this time, customers’ details were freely available to anyone with a bit of simple web programming knowledge and they didn’t even send me a free bottle of wine for notifying them directly instead of running to Watchdog!

Today I stumbled across another e-commerce site with several serious security flaws. I’d usually email the company whose website it was to give them some friendly advice, but I shan’t be doing that in this case because the website belongs to a competitor who ripped off the layout, graphics, content and code from one of my websites and has kindly ignored our ‘Cease and Desist’ letters!

Instead, just to ease my conscience a little bit, here are just a few tips for making sure that your website is safer than theirs.

I know that we can all make mistakes, but many smaller companies are hiring cheap, freelance developers who don’t care about whether their code is secure because the customer doesn’t know how to test it; by the time a security flaw is revealed, the developer’s already been paid and the company could be left with an expensive problem on their hands – especially if a malicious visitor has deleted the entire contents of their database or modified the website.

So, my final question is this: Would it be wrong of me to switch off client-side scripting in my browser, upload an ASP file to their webspace that, when executed, lists every file and folder in the root of the website, then proceed to download a copy of their files, including their customer database and confidential PDFs regarding their budgets?

(Surely that’s not wrong, is it? Not when you consider what I could have done...)

Anyway, here endeth the lesson. Any questions (or answers)?

Labels: , ,


Do it. Actually, I'll expand on that. Do it through an anonomizing proxy server. The extent to which they ripped off your site puts them so far out of the "Has to be handled ethically" league that the gloves should be off. In fact, you should burn the gloves, and then send them the gloves through the post without word of explanation.