Simple Web Security — XSS and SQL

It is alarming how frequently popular websites get hacked these days. Internet security methods are continuing to evolve, as are hackers’ methods for exploiting security vulnerabilities. Here, I’ll highlight two popular, albeit somewhat dated, types of attacks, and discuss general things developers can do to stay on top of security and resources that are available.

Cross-Site Scripting (XSS)

Cross-site scripting occurs when a user maliciously enters data that effects how the website is rendered. On social media sites, for example, when a user creates a post, data is sent to a server, and that data can be accessed and seen in as part of feeds or streams on other users’ pages. However, a knowledgeable and nefarious user could conceivably enter the a nice combination of characters that, when appearing in the HTML of other users’ pages, would cause all types of changes. Imagine, for a moment, that the text content of Facebook posts were input directly into an html div tag without being wrapped as a string. My thoughts in this case would be posting a script that causes the background of the page to turn pink, but there are much more dangerous things that could be done.

The above code is an example of some user input that could be used to gain access to other users’ information. If that line is placed in a div tag, whatever code inside the script will execute. Remember that when working online, websites usually have access to all sorts of things — the obvious, like that page’s HTML and CSS, and the less obvious, like all of a user’s cookies. If an outside user creates a successful XSS attack that steals cookies, anyone accessing the attacked website will potentially have tons of sensitive data stolen.

SQL Injection

Another common data security concern is SQL injection. SQL is a language that helps manage databases, and users can craft clever code that, if passed as inputs to a server and not stopped from executing, can lead to massive security breaches. SQL injection can be used to steal user information from databases, and was the cause of numerous security breaches in the early 2010s.

source: https://xkcd.com/327/

SQL injection attacks could also lead to databases being completely compromised. Little Bobby Tables gained popularity through the above XKCD comic, and is referenced quite frequently in tech blogs. bobby-tables.com pays homage to this comic and lists many common ways SQL injection can take place and ways to prevent SQL injection from happening.

Security and Prevention

Luckily, security is becoming increasingly important in today’s tech world, and there are several ways to mitigate the threats that are present. As a developer, it is generally a good practice to never trust client data that comes in. Also, making use of database management systems that have built-in protections is a viable option. As a developer, it is important to stay up-to-date with emerging security technologies so that client information is protected. The Open Web Application Security Project® (OWASP) is an organization that focuses on web security, and they have a pretty amazing series of cheatsheets that provide an in-depth look at different security tips and technologies for different types of exploits.

Conclusion

Web browser security should always be an important part of the design process, and there are many threats that are lurking. XSS attacks and SQL injection are two common types of attacks, and both have fairly well-known methods for prevention. However, developers must still keep aware of the different vulnerabilities that are present, how those vulnerabilities can be exploited, and how to prevent those exploits.