IT SOLUTIONS
Your full service technology partner! 
-Collapse +Expand
Design
Search Design Group:

Advanced
-Collapse +Expand Design Store
PRESTWOODSTORE

Prestwood eMagazine

October Edition
Subscribe now! It's Free!
Enter your email:

   ► KBWebsite Scri...   Print This     
  From the May 2008 Issue of Prestwood eMag
 
Design Website Scripting:
Security Tips: 13 Ways to Harden Your Code
 
Posted 16 years ago on 4/15/2008 and updated 4/11/2010
Take Away:

13 things you can do to make your code more secure, general advice about the rest of it, PLUS YOUR COMMENTS and experiences.

KB100988

This article covers some of the common techniques for securing your website using coding techniques. Although I will touch on non-coding issues, the focus of this article is on your code. Adding security is about adding layers of protection. The more layers you add, the more secure your website is from hackers.

Adding security is about adding layers of protection. The more layers...the more secure.
--Mike Prestwood

It's about attitude:

  • Be Pessimistic - If you're a positive, the glass is half full, kind of person like me, train yourself to be pessimistic when it comes to security. Don't think "if a hacker", think "when".
  • Build In Security from the Beginning - Understand security risks and build in reasonable security precautions right from the start of your project. If you are retrofitting a website, focus first on public pages (pages that do not require authentication).

Non-Member Pages at Higher Risk
Although you should take precautions with all pages of a website, you should pay particular attention to public pages (pages that do not require some type of authentication). Also consider limiting the number of public pages. Review your list of public pages and see if you can convert some of them to members-only.

13 Ways To Harden Your Code!

In addition to coding techniques...proper configuration of your servers is critical!
--Mike Prestwood

The following general advice is for all languages. If you're a good developer, you can implement these concepts in your language of choice.

1. Validate Query String Length
If you know the max query sting length you use is under 80 characters, then validate the passed in query string is less than 80 characters.

2. Filter Query String Against a Blacklist
Consistently use maxlength to keep casual hackers from experimenting with your form fields. This does not prevent a hacker from posting from their website but it does help discourage the casual hacker.

  • (
  • )
  • --
  • ;
  • 0x 
  • cast 
  • create
  • declare
  • delete
  • [d_rop]
  • exe
  • go 
  • insert
  • nvarchar
  • select 
  • set
  • script
  • update

You'll have to be careful with this list as you are likely to get a lot of false positives. You may wish to have an email sent to you whenever a false is returned so you can review for false positives.

For ASP Classic, this could be a function something like...

Function IsURLSafe
 Dim TheURL
 Dim RetBool
 TheURL = Request.ServerVariables("QUERY_STRING")
 
 RetBool = True
 
 If Len(TheURL) > 100 Then
  RetBool = False
 ElseIf InStr(1, TheURL, "", vbTextCompare) > 0 Then
  RetBool = False
 ElseIf InStr(1, TheURL, "nvarchar", vbTextCompare) > 0 Then
  RetBool = False
 ElseIf InStr(1, TheURL, " 0 Then
  RetBool = False
 ElseIf InStr(1, TheURL, "/s_cript", vbTextCompare) > 0 Then
  RetBool = False
 End If
 

 IsURLSafe = RetBool
End Function

3. Validate Form Field Lengths
One trick hackers do is they simulate posting a form. They look at what you are posting (easily done with View Source in most browsers) and they experiment with what they can post. One of the tricks they use is they add onto existing form fields. Therefore, you should validate the length of your posted form fields.

4. Filter Form Fields Against a Blacklist
Similar to #2 above, filter your form fields against a blacklist. Something like the one above.

5. Use Strong Type Casting
Use strong type casting or validate variable type for any input fields (verify numbers are numbers, dates are dates, etc.) Do this EVEN when calling parameterized stored procedures.

6. Use HTML's MaxLength
Consistently use maxlength to keep casual hackers from experimenting with your form fields. This does not prevent a hacker from posting from their website but it does help discourage the casual hacker.

7. Prevent Cross Website Scripting (XXS)
Cross website scripting is posting from one website to another; sometimes known as XXS. To prevent XXS attacks, you can validate the posting data came from a valid source. For example, you can check a session variable or pass an encrypted checksum hidden field. You have to encrypt your checksum because most browsers allow you to see the form code (including hidden form fields) by viewing the source of the HTML page. For that reason, many developers prefer using session variables or other means.

8. Filter Dynamic SQL
If you build SQL statements from form fields, you should create a filter routine that checks for known hacks and call this filter prior to executing any SQL statement.

For ASP Classic, this could be something like...

Function IsSQLSafe(TheSQL)
 
 IsSQLSafe = True
 
 If InStr(1, TheSQL, "", vbTextCompare) > 0 Then
  IsSQLSafe = False
 ElseIf InStr(1, TheSQL, "union", vbTextCompare) > 0 Then
  IsSQLSafe = False
 End If
End Function

9. Limit Number of Attempts
Because hackers generally have to try many different attacks prior to finding a security vulnerability on your website, limit the number of form posts. For example, if you currently allow unlimited attempts to sign into your website, limit the number of attempts to 3 or 4 attempts and then lock at the user. You can lockout a user by temporarily banning the IP address, session ID, etc.

10. Time Limit Posts
Because hackers generally use automated software, build in a mechanism to ensure they are not posting more than once every 30 seconds. This suggestion combined with limiting the number of attempts suggested above, is a reasonable approach to limiting hackers experiments.

11. Use a Generic Security Message
Hackers study your error messages to determine how you are preventing them from abusing you (boy that was a mouthful). Make it a bit more difficult and use a single error message for security related errors. If you use error numbers (a best practice), use one error number for all security errors. If you wish, you can even build in a debug mode that uses various error numbers for security errors and a production mode that uses just one error number.

12. Use SSL
Secure Sockets Layer (SSL)  is in common use today and protect the HTTP packet (your browser uses https://www.somedomain.com. Although it's not a bad idea to use a SSL for all your forms, most programmers reserve them for when you collect sensitive information such as credit card information and for passwords.

13. Double Encryption
In addition to using SSL for the packets, good website security scrambles sensitive data in the database and makes use of whatever encryption is available in your database (double encryption).

Proper Coding Is Only Half the Solution

In addition to the layers of coding techniques discussed above, proper configuration of your servers is critical! Your network administration is important and includes the proper setup and configuration of your servers. Although a bit out of scope for this code oriented article, here are a few network administration items to review.

Updates - You know it 's critical to keep up with your  updates on your workstation. For a healthy and secure server, keep up with the available updates for your server OS, chosen database, and other applications.

Permissions and Rights - Whatever web server and database you use, make sure you understand industry best practices for permissions and rights and setup an in-house procedure that can be easily implemented and reviewed.

Firewall Filters - A good firewall in front of  your IIS or other web server can go a long way to preventing hackers. For example, AQTRONIX WebKnight is an application firewall for IIS and other web servers and is released under the GNU General Public License. More particularly it is an ISAPI filter that secures your web server by blocking certain requests. If an alert is triggered WebKnight will take over and protect the web server. It does this by scanning all requests and processing them based on filter rules, set by the administrator. These rules are not based on a database of attack signatures that require regular updates. Instead WebKnight uses security filters as buffer overflow, SQL injection, directory traversal, character encoding and other attacks. This way WebKnight can protect your server against all known and unknown attacks. Because WebKnight is an ISAPI filter it has the advantage of working closely with the web server, this way it can do more than other firewalls and intrusion detection systems, like scanning encrypted traffic.

That's it! I hope you enjoyed this code-centric article on adding layers of security to your websites. If you have suggestions, comments, or questions, please post them below.

More Info

KB Post:  About Paradox Table Security--Encryption
KB Post:  Web Browser, Email, and Server Security Self Tests

Linked Message Board Threads

 Steal someones php code or settings? in PHP MB Topic (1 replies)

Comments

1 Comments.
Share a thought or comment...
First Comment
Comment 1 of 6

The one that hit us referred to a javascript located at aspder.com/1.js. and nihaorr1.com/1.js. These are essentially the same attack (a cross website ASP intrusion attack). The purpose of this attack is unclear to me at this point. A post in the following thread indicated it's purpose was to protest the olympics in China. I have no idea if that's true or not but if it is, I suspect it will have the opposite affect for most people affected by this attack as terroism is terroism (although no-one dies from these types of attacks).

http://forums.iis.net/p/1148917/1867511.aspx

Here's another post concerning this attack that claims 500k websites have been infected:

http://it.slashdot.org/article.pl?sid=08/04/25/1358234

Essentially, this attack destroys your database by insertting a JavaScript link in every nvarchar field in every table. Because it overrights data, your only real recourse is to restore your database to just before the attack, find out what page they attacked and harden the security on that page. If you don't have a good backup, then you've lost data.

I'll write more soon. In the meantime, please post your thoughts and experiences here.

Posted 16 years ago

Comment 2 of 6
Security Fix

Brian Krebs on Computer Security

Hundreds of Thousands of Microsoft Web Servers Hacked

Read Article


And another...

http://isc.sans.org/diary.html?storyid=3823

Bojan Zdrnja predicts the "bad guys" will soon expand to PHP and MySQL as a variation of this attack.

Posted 16 years ago

Comment 3 of 6
i think it's also important to include a index.html file in every folder so visitors can not poke around at files.
Posted 16 years ago

Comment 4 of 6

Here's an example of a QueryString attack one of our clients received this week. It was caught by our routine.

%20And%20Cast (IS_SRVROLEMEMBER (0x730079007300610064006D0069006E00)%20as%20varchar(1))%2Bchar(124)=1...

It came from IP address 222.241.107.236 which we promptly banned.

Posted 16 years ago

Comment 5 of 6

I logged this today and want to know if it's a hack or not:

http://209.85.135.104/translate_c?hl=pt-PT&langpair=en%7Cpt&u=http://
|www.mywebsite.com/apage.asp%3Fqid%3D100084&prev=/tr
|anslate_s%3Fhl%3Dpt-PT%26q%3Djava%2Bvisitor%26tq%3DJava%2Bvisitor%26sl%
|3Dpt%26tl%3Den%26start%3D40

Posted 16 years ago

Latest Comment
Comment 6 of 6
I don't think so. Looks like a translation engine. However, I really don't know. Perhaps someone who knows for sure can post a comment.
Posted 16 years ago
 
Write a Comment...
...
Sign in...

If you are a member, Sign In. Or, you can Create a Free account now.


Anonymous Post (text-only, no HTML):

Enter your name and security key.

Your Name:
Security key = P157A1
Enter key:
Article Contributed By Mike Prestwood:

Mike Prestwood is a drummer, an author, and creator of the PrestwoodBoards online community. He is the President & CEO of Prestwood IT Solutions. Prestwood IT provides Coding, Website, and Computer Tech services. Mike has authored 6 computer books and over 1,200 articles. As a drummer, he maintains play-drums.com and has authored 3 drum books. If you have a project you wish to discuss with Mike, you can send him a private message through his PrestwoodBoards home page or call him 9AM to 4PM PST at 916-726-5675 x205.

Visit Profile

 KB Article #100988 Counter
55968
Since 4/15/2008
Go ahead!   Use Us! Call: 916-726-5675  Or visit our new sales site: 
www.prestwood.com


©1995-2024 Prestwood IT Solutions.   [Security & Privacy]