Freelance Software Architect
Infosecurity
Exploiting web development worst practices: file upload
If I can upload a file to your website, like, for example, an avatar, a picture, or a document for review, do you protect your website from that file?
Exploiting web development worst practices: file inclusion
And then PHP code that he has written will get executed on your server. It could do almost anything. Download any file you store on the server. Change other users’ sessions, changing their preferences, putting things into their shopping cart, etc. Access the database, stealing passwords (you do store passwords encrypted, I hope?), stealing e-mail addresses, residential addresses, whatever you store on the database. It can create new files, uploading viruses or phishing websites.
Exploiting web development worst practices: SQL injection
Nobody likes to be the guy who coded the “simple” website that later compromised a whole server and was used to leech ten-thousands of dollars out of unsuspecting citizens, and thus dragged an innocent company in trouble. Or the explaining that inevitably follows. Having security audited a few custom websites lately, I got the feeling that there is a need for a resource that in a few simple lessons helps web developers make more secure sites and avoid trouble.
How to get screwed on the Internet
A few weeks ago I had a chat about the state of Internet security with a friend who runs a hosting company, and he told me that the majority of the websites they host are cracked. This is because people just install just a forum/blog/gallery/etc software, but most have no idea that such installations have to be constantly “security patched”. Then, sooner or later someone finds an exploitable bug in that particular engine, and then their website is used to send spam, facilitate phishing attacks, host viruses, or worse.
More posts about...
Keep in touch!
