Website Security

    I'm designing my first "serious" website at the moment as a bit of a personal project and I've been reading around about website security but wanted to pose my question here :)

    I'm aware of the possibilities of SQL injections, JavaScript injections and cookie sniffing/spoofing and have taken a few measures I believe will work to prevent these happening (encrypting cookies (using SHA512, was using md5 but I read that it's not very secure), making sure user input gets sanitized, making most forms send information with the "post") but I'm not entirely sure if I'm being naive and missing things out...

    It's the first time I've done something like this (and coincidentally my first thread on these forums) and I want to do it right so any help is appreciated :)

    I've written the site using PHP and mySQL (on top of the standard HTML, CSS and JavaScript) and it uses quite a lot of AJAX too. It is not hosted yet either, using wamp to host it locally and develop it. What I'd like to know are the possibilities and measures you can take to prevent bad things from happening.

  • #2
    Re: Website Security

    Originally posted by Samwho?:
    I'm designing my first "serious" website at the moment as a bit of a personal project and I've been reading around about website security but wanted to pose my question here :)

    I'm aware of the possibilities of SQL injections, JavaScript injections and cookie sniffing/spoofing and have taken a few measures I believe will work to prevent these happening (encrypting cookies (using SHA512, was using md5 but I read that it's not very secure), making sure user input gets sanitized, making most forms send information with the "post") but I'm not entirely sure if I'm being naive and missing things out...

    It's the first time I've done something like this (and coincidentally my first thread on these forums) and I want to do it right so any help is appreciated :)

    I've written the site using PHP and mySQL (on top of the standard HTML, CSS and JavaScript) and it uses quite a lot of AJAX too. It is not hosted yet either, using wamp to host it locally and develop it. What I'd like to know are the possibilities and measures you can take to prevent bad things from happening.
    No expert here, but.

    Application...?
    Host OS...? You should be using Linux or BSD if you are really concerned about security.

    Remember: Infosec is not a destination, it is a journey, most times without end.

    You need to be looking at each of the tools (including the OS) you are going to use to deploy your site. They will each have their own set of problems, individually, and when combined together.

    You should be starting from a higher design abstract layer first. It sounds like these are the tools you want to use, and security is an afterthought. If security is a goal, then the tools you are going to use should be chosen with that in mind.

    xor
    Just because you can doesn't mean you should. This applies to making babies, hacking, and youtube videos.


    • #3
      Re: Website Security

      Not sure what my host OS is or is going to be, I haven't chosen a host yet. What do you mean by application?

      Security was not my main concern during the design and coding process but it is obviously something I want to take an active interest in (especially since I am studying Computer System Security as a degree).


      • #4
        Re: Website Security

        Originally posted by Samwho?:
        Not sure what my host OS is or is going to be, I haven't chosen a host yet. What do you mean by application?

        Security was not my main concern during the design and coding process but it is obviously something I want to take an active interest in (especially since I am studying Computer System Security as a degree).
        The purpose of your website?

        You are using mysql, so we are talking a DB app right...? So you are hosting a DB of all your pr0n right...?

        xor
        Just because you can doesn't mean you should. This applies to making babies, hacking, and youtube videos.


        • #5
          Re: Website Security

          Get a copy of The Web Application Hacker's Handbook. It shows you the most common attacks and how best to defend against them. It's a great source -- I use it as a textbook in our Web Software Security course.

          http://www.amazon.com/Web-Applicatio.../dp/0470170778

          Well worth the ~$30.


          • #6
            Re: Website Security

            Originally posted by xor:
            The purpose of your website?

            You are using mysql, so we are talking a DB app right...? So you are hosting a DB of all your pr0n right...?

            xor
            It's a blogging site :) With the hope to expand it to include some sort of store and forum in the future.

            The databases contain blog posts/articles and user details.

            Club81, thanks, I'll take a look and see if we have it in our University library first (you never know, they have a section on hacking and IT security) but if not, I'll purchase :)

            EDIT: Well whaddya know? They have 4 in stock at the library so I'll pop in on Monday and get a copy of it. Thanks!
            Last edited by Samwho?; November 28, 2009, 14:28.


            • #7
              Re: Website Security

              Originally posted by Samwho?:
              It's a blogging site :) With the hope to expand it to include some sort of store and forum in the future.

              The databases contain blog posts/articles and user details.

              Club81, thanks, I'll take a look and see if we have it in our University library first (you never know, they have a section on hacking and IT security) but if not, I'll purchase :)

              EDIT: Well whaddya know? They have 4 in stock at the library so I'll pop in on Monday and get a copy of it. Thanks!
              Have you considered stored procedures?

              Also, as far as PHP and MySQL go, what versions are we talking about?

              On the JS side, are you using a framework and if so, which one? (i.e. jQuery, Prototype, MooTools, Dojo?)

              So you have no idea of where you're going to host it? Do you think it will be a dedicated server, a shared hosting account, a VPS? Honestly, each of them has their own security pros and cons, so you need to give us more to work with here.

              Have you thought of using mod_rewrite?

              And seriously, if you're pursuing a "Computer System Security" degree, you should have had security in mind since the beginning and all during development... Security should NOT be an afterthought.
              And I heard a voice in the midst of the four beasts, And I looked and behold: a pale horse. And his name, that sat on him, was Death. And Hell followed with him.


              • #8
                Re: Website Security

                I wouldn't call security an afterthought, it was always going to be something I looked into but not until after I'd learned mySQL and PHP.

                Versions: mySQL 5.1.36 and PHP 5.3.0

                I use a few of the animation functions from jQuery but that's the only framework I'm using.

                I'm hoping that it will be hosted on a friend's hosting. He runs a text based online game and has kindly said I could have a portion of the space he doesn't really use for hosting my site.

                mod_rewrite? To Google! (later on... got a train to catch in a sec)

                I also don't know what stored procedures are, guess it's another one for Google? :)


                • #9
                  Re: Website Security

                  Originally posted by Samwho?:
                  I wouldn't call security an afterthought, it was always going to be something I looked into but not until after I'd learned mySQL and PHP.

                  Versions: mySQL 5.1.36 and PHP 5.3.0

                  I use a few of the animation functions from jQuery but that's the only framework I'm using.

                  I'm hoping that it will be hosted on a friend's hosting. He runs a text based online game and has kindly said I could have a portion of the space he doesn't really use for hosting my site.

                  mod_rewrite? To Google! (later on... got a train to catch in a sec)

                  I also don't know what stored procedures are, guess it's another one for Google? :)
                  If you're not using stored procedures for a public facing site, you're pretty much asking to get owned.

                  Look at stored procedures as a proxy of sorts to prevent the client side from being able to introduce SQL injection. You're sanitizing input by basically ignoring it.

                  You create pre-written functions and call them rather than the SQL code directly. This prevents me, your user, from appending my own SQL to the query and having sexy time with your database.

                  I return whatever i wish . Its called FREEDOWM OF RANDOMNESS IN A HECK . CLUSTERED DEFEATED CORn FORUM . Welcome to me


                  • #10
                    Re: Website Security

                    noid: Would stripping user input with things like mysql_real_escape_string not protect against SQL injections adequately?

                    EDIT: After a bit of Googling I realise there are other benefits of using stored procedures but I'm curious as to whether using php functions to sanitize your data is a good alternative for protecting against SQL injections.
                    Last edited by Samwho?; November 29, 2009, 11:38.


                    • #11
                      Re: Website Security

                      Originally posted by Samwho?:
                      noid: Would stripping user input with things like mysql_real_escape_string not protect against SQL injections adequately?

                      EDIT: After a bit of Googling I realise there are other benefits of using stored procedures but I'm curious as to whether using php functions to sanitize your data is a good alternative for protecting against SQL injections.
                      What's the problem with using stored procedures? Is it too hard for you?

                      As for your versions of MySQL and PHP, is that what you're running locally or what you will be running on your friend's box, or both? Will the onus be on you or your friend to keep the system up to date and patched?
                      And I heard a voice in the midst of the four beasts, And I looked and behold: a pale horse. And his name, that sat on him, was Death. And Hell followed with him.
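The query-building pattern noid warns about in #9, the escaping question Samwho? raises in #10 and the stored-procedure alternative pushed in #11, as an added example that is not from the thread. It is written for current PHP (PDO) and MySQL rather than the 2009 versions mentioned; the database name, account name, table and procedure name are assumptions.

```php
<?php
// Added example (not from the thread). Assumed names: database "blog", MySQL
// account "blog_reader", table "posts" and stored procedure "get_post_by_slug".

// Connect with a MySQL account limited to what this page needs (SELECT on posts,
// EXECUTE on the procedure), the per-query least-privilege idea raised in #14.
$pdo = new PDO('mysql:host=127.0.0.1;dbname=blog;charset=utf8mb4', 'blog_reader', 'secret', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
]);

// VULNERABLE: user input is spliced into the SQL text. This is the pattern
// escaping is meant to rescue, but mysql_real_escape_string() only protects a
// value that sits inside quotes; $id here is unquoted, so nothing stops the
// input from being parsed as SQL.
function findPostUnsafe(PDO $pdo, string $id): ?array
{
    $row = $pdo->query("SELECT id, title, body FROM posts WHERE id = $id")
               ->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// SAFE: the SQL text is fixed at prepare time and the value is sent separately,
// so the server never parses user input as SQL, whatever characters it holds.
function findPost(PDO $pdo, string $id): ?array
{
    $stmt = $pdo->prepare('SELECT id, title, body FROM posts WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

/* SAFE, via a stored procedure as #9 suggests. Created once by an
   administrative account (MySQL):
     CREATE PROCEDURE get_post_by_slug(IN p_slug VARCHAR(100))
       SELECT id, title, body FROM posts WHERE slug = p_slug;
   PHP only calls the routine by name and passes the slug as a parameter. */
function findPostBySlug(PDO $pdo, string $slug): ?array
{
    $stmt = $pdo->prepare('CALL get_post_by_slug(:slug)');
    $stmt->execute([':slug' => $slug]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    $stmt->closeCursor(); // CALL yields an extra result set; release it before the next query
    return $row ?: null;
}
```

The protection comes from the SQL text being fixed and the value travelling as a parameter, not from the procedure as such: a procedure that assembles its own SQL from its arguments with PREPARE/EXECUTE inside MySQL is injectable again.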


                      • #12
                        Re: Website Security

                        The versions are what I am running locally. Waiting to hear from my friend as to what versions he's running, and it's up to him to keep it up to date and patched.

                        Trying to play around with stored procedures at the moment but not seeming to get anywhere particularly fast... Keep getting syntax errors >_> trying to figure out why.


                        • #13
                          Re: Website Security

                          Originally posted by Samwho?:
                          The versions are what I am running locally. Waiting to hear from my friend as to what versions he's running, and it's up to him to keep it up to date and patched.

                          Trying to play around with stored procedures at the moment but not seeming to get anywhere particularly fast... Keep getting syntax errors >_> trying to figure out why.
                          And we're talking Apache here, right? OS-wise... FreeBSD? CentOS? What? So I'll take it that you may not end up using stored procedures... That being said, MySQL-wise, are you using different user roles? How about views? What would you say your level is as far as PHP and MySQL go?

                          Is the site pretty much all custom? Are you using any CMS or basing yours off of a pre-existing one?

                          Do you have a "launch date" yet, or is it "when everything is ready"?

                          Usually I tend not to offer anything in the way of productive comments on this forum, and honestly you really need to start providing more information if you want people's help (or at least mine).
                          And I heard a voice in the midst of the four beasts, And I looked and behold: a pale horse. And his name, that sat on him, was Death. And Hell followed with him.


                          • #14
                            Re: Website Security

                            Right, I don't know a lot (any) details about the server that it is going to be hosted on just yet, hopefully get that info tomorrow.

                            I believe I am using different user roles in MySQL, do you mean where you connect to the database with a specific account with just the necessary access privileges? Such as using an account that can only SELECT when that is all you need to do with that query?

                            No launch date, it is a "when it's ready" affair.

                            It's pretty much all custom so far apart from the 2-3 jQuery functions I've used for animation and making the site look a little prettier.

                            I started learning PHP and mySQL about a month ago so I'm distinctly average at best.


                            • #15
                              Re: Website Security

                              Originally posted by Samwho?:
                              I believe I am using different user roles in MySQL, do you mean where you connect to the database with a specific account with just the necessary access privileges? Such as using an account that can only SELECT when that is all you need to do with that query?

                              You're what, like 18-19? Anything over 14 and you're old enough to be able to take my question, strip it down to the good parts and plug the query into Google for the answer to what I'm talking about.
                              And I heard a voice in the midst of the four beasts, And I looked and behold: a pale horse. And his name, that sat on him, was Death. And Hell followed with him.
