Matthew J. Kellett

Website Architect and Developer

Coding For Security

As developers we face the possibility that the code we produce will someday be attacked; unfortunately this is an inevitable part of life on the web. This article outlines some of the precautions you can take to defend against the most common of these attacks.

There are several different types of attack which are typically used these days:

  • HTML Injection
  • SQL Injection
  • Cross Site Scripting attacks
  • Denial of Service attacks

As well as providing articles on each of these attack types, with examples and possible solutions, I will also look at the broader techniques and strategies you can use to combat a wide range of attacks, including:

  • Threat Modelling (including STRIDE and DREAD)
  • Security Training and the importance of security awareness
  • Development Life-Cycle security awareness integration

HTML Injection

To kick off the series I am going to cover the first attack type highlighted above, HTML Injection. HTML Injection is exactly what the name says: an attacker gets their own markup into your pages, the browser renders it as if it were part of your site, and whatever action that markup specifies happens when someone visits the page.

If you let people upload content or add comments then you may be susceptible to this type of attack. For example, at the bottom of this page you have the ability to add a comment about this article. If I didn't strip out all tags and moderate the comments before they were made visible on the site, then something like the example below, or worse, could be added to the page and served to every other visitor.

Example

In the following example I will highlight just how easy it is to embed JavaScript in markup that is then displayed on the page. The anchor tag below looks like an ordinary link, but its onclick attribute runs script:

<a title="Test Alert" href="#htmli" onclick="alert('How cool is this?'); return false;">click to see the example</a>

Rendered on the page this produces a link that pops up a message when clicked. That is a fairly harmless injection, since the visitor has to click the link first; the following variant is a bit more annoying:

<a title="Test Alert" href="#htmli" onmouseover="alert('How cool is this?'); return false;">hover over this section</a>

This causes the alert to appear every time the mouse passes over the link, with no click required.

Obviously I'm not going to put anything too detrimental into this article, but you should be able to see the potential damage someone could cause to your visitors if they have the ability to add markup to your site.

It is also worth noting that links are not the only things that can be affected by HTML injection. Any element that accepts event-handler attributes such as onclick or onmouseover can carry script, and elements such as script, img and iframe can load or run content of the attacker's choosing on their own. Basically, any and all tags are susceptible to this type of attack.

Solutions

The most straightforward way to prevent this type of attack is to not allow users to submit anything to your site at all. However, this doesn't provide a great user experience and doesn't allow for feedback to be left.

Luckily there are a few alternatives to disallowing comments and the like altogether. The easiest of these is to use the PHP function strip_tags, or a regular expression, to remove all tags and any other erroneous characters, leaving plain text to be displayed on the site. The snippet below shows a simple cleanse function that you can use on user input.

<?php
// Reduce a string of user input to plain text before it is echoed into
// the page. strip_tags() can also be used, but it has edge cases that
// break (see php.net for details), so a regex is used here instead.
function Cleanse_String($input) {
	// strip out anything that looks like a tag
	$cleansed = preg_replace('/<[^>]*>/', '', $input);

	// remove any remaining characters that are not letters, digits,
	// underscore, whitespace or basic punctuation; angle brackets,
	// quotes and ampersands are deliberately not kept
	$cleansed = preg_replace('#[^a-z0-9_\s.,!?:;()-]#i', '', $cleansed);

	return $cleansed;
}
?>

Please don't rely on this function alone for cleaning your data; there are plenty of other checks that need to be carried out. Stripping is also lossy: it throws away legitimate characters a commenter may have typed. The more robust baseline is to keep the stored text as-is and HTML-encode it at the point where it is written into the page (htmlspecialchars in PHP), so that any markup a user submits is displayed as text rather than parsed by the browser.
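The following is an added example, not code from the article, that ties the Example section above to the Solutions. It renders a single comment three ways: unsafely by raw concatenation, with strip_tags and an allow-list (a common pitfall), and hardened by HTML-encoding the value on output. The function names and both sample inputs are made up for this illustration; the comment body is the article's onmouseover payload, and the author name breaks out of a quoted attribute without using angle brackets, which is exactly the case a tag-stripping regex such as the first one in Cleanse_String never sees.

```php
<?php
// Added example, not code from the article. Function names and sample
// inputs are constructed for this illustration.

// Constructed sample input: the article's onmouseover payload, followed by
// harmless text a real commenter might write (note the bare > and & and ").
const SAMPLE_COMMENT = '<a title="Test Alert" href="#htmli" onmouseover="alert(\'How cool is this?\'); return false;">hover me</a> I think 5 > 3 & so do "you".';

// Constructed sample input: an author name that closes the data-author
// attribute and adds a handler without a single < or >, so a regex that
// only removes <...> tags leaves it completely intact.
const SAMPLE_AUTHOR = 'Mallory" onmouseover="alert(document.cookie)';

// VULNERABLE: user data is dropped straight into the markup. The browser
// parses the attacker's <a ... onmouseover=...> as a live element, and the
// author string terminates the attribute and injects a second one.
function render_comment_unsafe(string $author, string $comment): string
{
    return '<div class="comment" data-author="' . $author . '">'
         . $comment . '</div>';
}

// STILL VULNERABLE: strip_tags() with an allow-list keeps the whole <a>
// tag, attributes included, so onmouseover survives. The PHP manual warns
// that the second parameter must not be treated as a security allow-list
// for this reason. strip_tags() on the author name does nothing at all,
// because there is no tag in it to strip.
function render_comment_strip_tags(string $author, string $comment): string
{
    return '<div class="comment" data-author="' . strip_tags($author) . '">'
         . strip_tags($comment, '<a>') . '</div>';
}

// HARDENED: encode for the context the value lands in. ENT_QUOTES converts
// both quote characters as well as < > &, so the same helper is safe in
// element content and inside a double-quoted attribute. The injected tag is
// then displayed as literal text, and "5 > 3" still reads correctly.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_comment_safe(string $author, string $comment): string
{
    return '<div class="comment" data-author="' . h($author) . '">'
         . h($comment) . '</div>';
}

echo render_comment_unsafe(SAMPLE_AUTHOR, SAMPLE_COMMENT), PHP_EOL, PHP_EOL;
echo render_comment_strip_tags(SAMPLE_AUTHOR, SAMPLE_COMMENT), PHP_EOL, PHP_EOL;
echo render_comment_safe(SAMPLE_AUTHOR, SAMPLE_COMMENT), PHP_EOL;
```

Run it with the php command-line interpreter and compare the three outputs: in the first two, `onmouseover="` appears as a live attribute on both the comment's link and the surrounding div, while in the third every quote and angle bracket has become an entity and the browser would show the attacker's tag as text. The encoding helper is context-specific; a value written into a script block, a URL or a CSS property needs encoding for that context instead.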

Another option is to hand the problem to a service that already handles this kind of input. For example, the Facebook API lets you embed their comments on your site. This is a little trickier to set up than simply cleansing the output yourself, but it has the added benefit of increasing social media integration for your site.

Conclusion

In conclusion, relying on users to enter "nice" values into text areas, text inputs or any other form of input is not a good idea. All user input should be checked and double-checked before it is displayed on your website, and encoded for the place in the page where it ends up.

Keep an eye out for the other articles in this series, arriving shortly. Please let me know what you think about this article, and if there are any aspects you want me to cover then drop me a message.
