Security is one of those things that are normally saved for last or ignored completely when working on a website nowadays. As most people have noticed lately the amount of personal information stolen from companies just keeps growing and growing and the number of people bringing their PC's to repair shops grows evenfaster. We hear it all the time. "Anthem Inc leaks millions of customers information". "Sony leaks customer personal information and credit cards". "Citi Bank etc etc". You get the idea. And why does it happen?Alot of that has to do with how the websites are built. And not from a low level technical point, but the process of how their built. Let me elaborate.
Usually these websites are created by many developers who probably started off at the company for cheap as they were starting their careers and as the bigger the companies seem to get the cheaper they seem to want to hire employees for. I've worked for companies where within 5 years the number of senior developers dwindled almost to zero, and the number of interns nearly doubled. Then years later, as employees come and go and managers do the same, an entirely new team takes over and hacks away at that code that some young person wrote years before in order to meet deadlines and such. Then 10 years later all of those security vulnerabilities are well hidden from the same people who work on those websites. And someone out there will eventually find that vulnerability. It happens, and it's going to keep happening as talented developers usually move on from companies after a few years for better and bigger things. So before you start your next website, here's a few easy guidelines to follow to make it more difficult for you to not be a victim later down the road.
1. Validate All User Input
This is the easiest thing you can do, and the hardest as most people save it for last and then forget about it. I know, as I've done that myself. Never trust random users online. Because you never know what a user will have in mind when they go to your website. If you have any areas on your website where uses will be able to add content you will want to limit that content to exactly the format that you want. If you have a comment box, strip all HTML. No one likes to see giant red font's in comments anyhow. This also prevents script injections from occurring. If you expect numeric inputs then validate that content before you do anything else with it. And remember that validating content on the client side is not the same as validating it on the server side. You will have to do both. Many times developers just stick a maxlength property to an input an assume that everything is fantastic. Then a month later, some shady individual on the interwebs removes the maxlength field through the inspect tool, and has all kinds of fun seeing what kind of data he can enter into the system.
For example, let's say we're grabbing a numeric field from the user and posting it back to the server. We can do something like the following to make sure that it is indeed an integer.
// we're expecting an integer value
private bool IsInteger(string value)
int result = 0;
if (int.TryParse(value, out result))
If you're grabbing user content to display later, for example, in comments perhaps, then make sure to HTML encode that content. Back in the day you could head on over to MySpace and see all of the wonderful comments with videos and images and iframes to viruses and spend a good ten minutes trying to regain control of your machine. Lucky for us .NET has functions for pretty much everything nowadays. So before you save any comments, be sure that they're properly encoded.
string comment = HttpUtility.HtmlEncode(txtComment.Text.Trim();
At the end of the day you should end up with a hefty amount of content cleanup code. It sucks, but it's absolutely necessary. You can aid in the process by building your own reusable validation scripts, such as our IsInteger function above. And then you can ensure that the #1 comment down below, turns into to the #2 comment.
2. Prevent SQL Injections
A SQL Injection occurs when unwanted SQL statements are executed on your database through user input that hasn't been properly sanitized. In other words, textboxes that pretty much allow any content and get saved as such. You can prevent SQL Injections by using parameterized queries, which different frameworks have their own implementation for, so you'll need to research how to do it for your particular projects. With parameterized queries, a query plan is created on the server before it gets executed. In the past queries were constructed by appending strings together, which is a big no no. This pretty much gives users the ability to execute any queries that they see fit on the server, assuming they know the schema and such. But it's a safe bet that somewhere in that website there will be a User table. And if not then some dedicated person out there will spend a few hours trying to figure it out.
Here's an example. Let's say that you had a forgot password page on your website, and a user could enter their email in order to send a change password email. You'd query the database with something like the following:
string sql = "SELECT COUNT(*)* FROM User WHERE Email = "'" + txtemail.Text + "'";
That will work just fine, until a user tries to enter something like the following:
email@example.com' or 'x' = 'x
...and doesn't get an error message. A malicious user now knows that this site is right for the picking. It's just a matter of time until:
firstname.lastname@example.org'; DROP TABLE User;
3. Hide All Directories
The less the general public knows about your websites internal structure the better. By default your directory structure should normally be set to private. However sometimes, depending on hosting provider, that is not the case. So always make sure that all of your directories are blocked to the general public. This also prevents bots from pretty much knowing your entire websites structure and doing whatever it is they're set to do.
You should see something like this when attempting to browse a directory on your website.
4. Encrypt All Of Your Passwords
I can't count how many times I've worked on someone's websites and noticed that all user passwords were in plain text. Most encrypted text can probably be unencrypted given enough time and power, but let's not make it easy on anyone trying to do that. If someone does get a copy of your Users table, you can at least slow them down while you come up with a plan. At the very least you should make sure to hash your passwords using MD5. While it isn't the strongest, and might be the weakest actually, hashing algorithm out there, it's better than nothing having it. For a more secure experience however you should consider more sophisticated hashing algorityms like the SHA-1 algorithm.
And again, any algorithm can be bypassed given the time and power. But those extra hours or days can be more than enough to fix any backdoors, change all passwords, and notify users of the damage. In fact any sensitive data should be encrypted whenever you can. It's a slower process overall but well worth the time and effort.
5. Always Check A Users Permission Level
This is probably one of the most overlooked steps in web development. Again, I can't count how many times personal and private pages on a website were visible simply because the web developer forgot to check if the user was logged in, and instead checked the querystring for an ID. Just a few years ago a very popular bank was loading user banking information on their website by checking the email provided in the querystring. It wasn't long until hackers figured this out and began running email lists through those pages getting customer personal information. Sometimes it's that simple. Sometimes these websites are outsourced to the cheapest bidder and these issues are bound to arise.
If you're website has member only pages, then be sure that on page load you check whether the current User is logged and only load content belonging to that user. Many big security breaches (though they won't tell you) were caused by simple mistakes like these.
There's tons and tons more you can do to help secure your website and keep your data clean and your visitors safe. These are just a few of the steps that should always be taken into consideration. You're website might not be big now, as is any website when it's brand new, but maybe one day it will house millions of records for millions of users, and having a strong foundation will help resolve any issues later on that much faster.
Found this useful?