Thursday, October 20, 2011

Tips to Help Fellow Philippine Site Administrators - Part 1

This post is meant to give some practical tips to my fellow site administrators, or to anyone in charge of maintaining a government or private website, especially now that so many hacking and defacement incidents are happening in the Philippines.


First and foremost, I know that most government sites are hosted on free or substandard hosting packages because of budget constraints or the "pwede na" ("it'll do") attitude of their IT admins, which results in low security and no access to updated versions of software. (Note: at least enable .htaccess or folder policies and configure them properly.)

As I watch and read about these incidents, the common messages given by the hackers, and by the IT correspondents interviewed by reporters, are ‘please sanitize your code’ or ‘improve your security’, but how exactly do we do that? The goal of this letter is to give pointers on how exactly to ‘sanitize code’ and ‘improve security’.

Please note that I am not an expert certified by a dozen ethical hacking certificates, and keep in mind that this list is not an end-all: software is always evolving. But I assure you that these tips will get you up and running in securing your sites.

‘Sanitize your code’
  1. Check GET, POST, REQUEST and COOKIE. These superglobals ($_GET, $_POST, $_REQUEST, $_COOKIE), which are commonly used in forms and variable URL parameters, are the entry points for SQLi and XSS attacks.

    Example:

    In PHP, use mysql_real_escape_string($_GET['var'])
    ^- this can be wrapped in a helper function

    Learn how to use stripslashes(), urldecode() and
    preg_replace() in PHP.
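
To illustrate the "wrap it in a helper function" remark, here is an added example (not code from the original post) of one helper that reads a parameter from a specific superglobal and validates it against a whitelist pattern with preg_match(), which is stricter than escaping the value afterwards. The function name request_param(), the rule table and the sample input are assumptions made for this illustration.

```php
<?php
// Added example (not from the original post): one helper that reads a
// request parameter from $_GET, $_POST or $_COOKIE and validates it against
// a whitelist pattern. Function and rule names are assumptions.

const PARAM_RULES = [
    'id'   => '/^[1-9][0-9]{0,9}$/',   // positive integer, at most 10 digits
    'slug' => '/^[a-z0-9-]{1,64}$/',   // URL slug such as "about-us"
    'page' => '/^[0-9]{1,3}$/',        // pagination number
];

/**
 * Read $name from one specific source array and validate it.
 * Returns null when the parameter is missing or does not match its rule,
 * so callers only ever see values in the expected shape.
 */
function request_param(array $source, string $name): ?string
{
    if (!array_key_exists($name, PARAM_RULES) || !isset($source[$name])) {
        return null;
    }
    $value = $source[$name];
    // ?id[]=1 turns the parameter into an array; string functions then
    // emit warnings or silently misbehave, so reject anything but a string.
    if (!is_string($value)) {
        return null;
    }
    // Old PHP builds with magic_quotes_gpc add backslashes to every input;
    // strip them so the rule is checked against what was actually sent.
    if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    return preg_match(PARAM_RULES[$name], $value) === 1 ? $value : null;
}

// Constructed input standing in for a real $_GET array.
$fakeGet = [
    'id'   => '7',
    'slug' => 'about-us',
    'page' => '12abc',          // malformed: only digits are allowed
];
// Constructed input where the parameter was sent as ?id[]=1&id[]=2.
$fakeGetArray = ['id' => ['1', '2']];

var_dump(request_param($fakeGet, 'id'));         // accepted
var_dump(request_param($fakeGet, 'slug'));       // accepted
var_dump(request_param($fakeGet, 'page'));       // rejected by the rule
var_dump(request_param($fakeGet, 'title'));      // rejected: no rule registered
var_dump(request_param($fakeGetArray, 'id'));    // rejected: not a string
```

The design choice is that every rule is a whitelist: a value either matches the shape the page expects or it is dropped, so characters that matter to SQL or HTML never reach a query or a template in the first place. Escaping (mysql_real_escape_string, htmlentities) still belongs at the point of use, but it is a second layer rather than the only one.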


  2. To combat those injected redirect URLs, use strip_tags(), htmlentities(), etc. on your content.

    Tip: after every query, apply strip_tags() (or any other cleaning code you prefer) to text data before displaying any content, so that even if content like <script> http://pastehtml.com/view/defacepage.html</script> is already in your database it will not be rendered as HTML markup, because the <script> tags will be removed.
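
The "clean after every query" tip, as an added example that is not part of the original post. It shows the stored <script> payload from the tip being neutralized on output. The helper names e() and plain() and the sample rows are assumptions; the caveat it demonstrates is that strip_tags() on its own is not a complete defense (it keeps attributes on any tag you allow and leaves stray < and > characters), so the encoded form from htmlspecialchars() is what should reach the browser.

```php
<?php
// Added example (not from the original post): neutralise HTML that is
// already stored in the database before it is displayed.

/**
 * Encode text for safe insertion into an HTML body or attribute value.
 * Every character with meaning in HTML becomes an entity, so a stored
 * <script> tag is shown literally instead of being executed.
 */
function e(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/**
 * For fields that should be plain text only (titles, names): drop the
 * markup, then encode what is left. strip_tags() alone is not enough,
 * because it leaves "onload=" style attributes on any tag you allow and
 * leaves stray < and > characters, so always encode afterwards.
 */
function plain(string $text): string
{
    return e(strip_tags($text));
}

// Constructed rows standing in for the result of a query on a defaced
// table; the second body is the payload from the tip above.
$rows = [
    ['title' => 'Welcome to our office',
     'body'  => 'Office hours: 8am to 5pm.'],
    ['title' => 'News <b onmouseover="alert(1)">flash</b>',
     'body'  => '<script> http://pastehtml.com/view/defacepage.html</script>'],
];

// The encoded output can be pasted into a .html file to confirm that the
// second row shows the script tag as text instead of running it.
foreach ($rows as $row) {
    echo '<h2>' . plain($row['title']) . "</h2>\n";
    echo '<p>'  . e($row['body'])      . "</p>\n";
}
```

If a field must keep some formatting (a news body with bold and links), do not fall back to raw output; keep using e() for everything else and run that one field through a purpose-built HTML sanitizer with an allowed-tag list, since strip_tags() with an allowed-tags argument still passes event-handler attributes through.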


  3. Do not use GET, POST, REQUEST, etc. in SQL queries without cleaning them first. Use parameterized queries and stored procedures in queries where possible, though I have yet to see a government agency that uses stored procedures often.
    Example:

    Do not use:

    $q = "SELECT * FROM table WHERE ID='".$_GET['id']."'";

    Use:

    $param = mysql_real_escape_string(strip_tags($_GET['id']));

    $q = "SELECT * FROM table WHERE ID='$param'";
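
The parameterized query that this item recommends, as an added example that is not part of the original post. It runs the "Do not use" concatenation pattern beside a PDO prepared statement against an in-memory SQLite database so it can be tried offline; the posts table, its rows and the two sample inputs are constructed for the illustration. Note that the mysql_* functions used in the post's own examples were removed in PHP 7, so a PDO-based approach is also what survives an upgrade.

```php
<?php
// Added example (not from the original post): the parameterised query the
// post recommends, run against an in-memory SQLite database so it can be
// tried offline. The "posts" table and its rows are constructed here; with
// MySQL only the DSN passed to PDO changes.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT)');
$db->exec("INSERT INTO posts VALUES (1, 'Welcome'), (2, 'Advisory'), (3, 'Holiday')");

// The "Do not use" pattern: the value is pasted into the SQL text, so
// whatever arrives in the parameter becomes part of the statement itself.
function find_post_concat(PDO $db, string $id): array
{
    $q = "SELECT * FROM posts WHERE id='" . $id . "'";
    return $db->query($q)->fetchAll(PDO::FETCH_ASSOC);
}

// The parameterised form: the SQL text never changes, and the value is
// sent separately as a bound parameter, so it can only be compared
// against the id column and is never interpreted as SQL.
function find_post_prepared(PDO $db, string $id): array
{
    $stmt = $db->prepare('SELECT * FROM posts WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs standing in for $_GET['id'].
$normal  = '2';
$crafted = "2' OR '1'='1";   // the textbook probe that turns one row into all rows

printf("concatenated, normal input:  %d row(s)\n", count(find_post_concat($db, $normal)));
printf("concatenated, crafted input: %d row(s)\n", count(find_post_concat($db, $crafted)));
printf("prepared, normal input:      %d row(s)\n", count(find_post_prepared($db, $normal)));
printf("prepared, crafted input:     %d row(s)\n", count(find_post_prepared($db, $crafted)));
```

Two practical notes: when the DSN points at MySQL, also set PDO::ATTR_EMULATE_PREPARES to false so the server binds the values itself rather than the PHP driver interpolating them; and keep the whitelist check from item 1 in front of the query, so a malformed id is rejected before the database is touched at all, and the prepared statement only ever has to handle well-formed input.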
    
    
