daveblake.co.uk

I don’t really mean to pick on PHP, it’s just in that unfortunate position where it has become so popular any old numpty can pick up a book and suddenly he is a PHP programmer. It’s a bit like Windows - get it out the box and it runs great, give it to someone with no knowledge and a speedy internet connection and pretty soon they’ll have a box choc full of spyware, adware and general rubbish. Of course when their computer starts running slowly they never even consider it might be their fault - it’s Windows that’s crap!

PHP is the same - it’s beautiful in it’s simplicity and that’s why it’s popular and so easy to learn. As a php developer for a relatively small company I am always surprised by the number of what have become affectionately known as “bedroom” programmers. These are the people who program for a hobby and have reached the stage where they want to become professional developers. Are these self taught programmers the problem? Well, both yes and no. Bedroom programmers do no harm when they work for themselves on their own sites. However, there are a number of web companies who seem to employ devlopers and let them loose on your private data without fully understanding what qualifications are truly needed for a programmer in a business environment.

So what do these companies get wrong? Well, by all means employ the hobbyist. They’re eager to learn, they have proven they can use their own initiative. Do not let anybody go anywhere near a database connection until they can show they have at least a basic understanding of SQL Injection.
Do not let anybody anywhere near a site that needs to be secured with a login script until they have a vague understanding of Cross Site Script attacks. Do not let anyone even touch a file upload until they understand the perils and consequences of a poorly implicated script.

Obviously you may need to have your new developer performing these tasks (it’s your money after all), just make sure you check their work when they’re done. Correct any mistakes and explain why - quite often a simple proof of concept will stick in someone’s head much better a nasty telling off.

Here’s some real life examples of poorly designed scripts i’ve seen recently.

•  The Online Shop: Yes i’m not going to name it (I imagine the flaw still exists) - let’s just say this one particularly annoyed me by constantly lying about getting a particular item in stock then refusing to refund me. Simply adding /admin to the domain name displayed the admin login area. Now this login was exactly the same as one you’ve seen one thousand times before. Typing a simply apostrophe revealed a nice SQL error message - this shop was not escaping the user entered data. Modifying my login password to  ' OR 1  was enough to give be full access to their admin area. Yes just five characters gave me full access to this shop’s admin area - this was enough for me but what if someone really wanted to damage things. I suggest if you are not confident that your logins are secure you copy the above code and try for yourself.
• The Online Solicitor: Recently i’ve been moving house, part of this has involved using an online solicitor to keep me updated with progress as forms are sent back and forth. Curiousity got the better of me when browsing this site one day and I thought i’d quickly test the security. First the login test - it was secure, that’s a relief. Next to see if my login is actually secure… and that was just the problem - it wasn’t. Simply changing the URL in the address bar would let me in to any account. Changing your_account.php?case_id=110 to your_account.php?case_id=109 showed me an entirely different account. If you bother to have a login you can’t just secure that screen - you need to lock down every screen that is private. You also need to ensure that a user can only see information they are entitled to.

Obviously explaining how the above examples work could give a person with malicious intent the knowledge to cause harm to a website. However, I believe that by explaining how these very simple attacks work people can learn how to secure their own scripts.

To finish, my advice to anyone reading who considers themself to be any sort of web programmer is to make sure you understand the security implications of anything you do. Read, read, read and constantly learn whatever you can about any technologies that cross your path.

 

That’s all for today.

Dave

 

Bookmark To:

digg! | reddit | del.icio.us | Stumble Upon | furl | rojo | yahoo!

This entry was posted on Friday, January 19th, 2007 at 8:00 pm and is filed under Bits 'n Bobs. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.