Cross Site Scripting Bug

It seems that a lot of websites are suffering from this particular problem, which leads me to wonder why this is so.

When I look into the records for exploits from Secunia and SANS I see that web exploits are increasing in number, with cross site scripting being the most common exploit. If we look at the scripts named in the exploits we begin to see some commonalities. Most happen to be written in PHP, and most happen to use MySQL as the backend.

Can we honestly claim that PHP or MySQL is the reason for the exploit? I don’t think so. When the scripts themselves are examined the cause becomes much more apparent. It is a flaw in the script authors’ work rather than in the technologies used. Most of the scripts are popular, open-source scripts readily available for download by anyone. They are written to make it easy for them to be installed and used on any website. The problems are twofold.
1) They tend to use relative URLs within the scripts for includes and functions. If the scripts used absolute URLs instead of relative ones they would be less vulnerable to this type of exploit.
2) The end user input sanitization is weak to non-existent. This is the one that leaves them open to the most damage. The authors of these scripts do not keep user-supplied data from being parsed as code, allowing both cross site scripting and SQL injection exploits.
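As an added example (not code from the original post or from any of the scripts it refers to), here is a minimal PHP search handler written twice: first in the style the two points above criticise, then hardened. It assumes PHP 7.4 or later with the PDO and pdo_sqlite extensions, and uses an in-memory SQLite database in place of MySQL so it runs offline; the request input and the include path are constructed for illustration.

```php
<?php
// Added example, not from the original post. Runs offline against an in-memory
// SQLite database via PDO; with a MySQL DSN the hardened code is unchanged.
declare(strict_types=1);

// Point 1: anchor includes to this file's own directory rather than to a
// relative path that depends on include_path or the working directory.
// The included file is hypothetical, so the line is left as a comment.
// require_once __DIR__ . '/lib/config.php';

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT)');
$pdo->exec("INSERT INTO posts (title) VALUES ('Hello world'), ('Secret draft')");

// Constructed request input standing in for $_GET['q']: it carries both a
// quote that breaks out of an SQL string literal and markup for the browser.
$q = $_GET['q'] ?? "x' OR 1=1 --<script>alert(1)</script>";

function renderList(array $titles): string
{
    return $titles === []
        ? '<p>No results.</p>'
        : '<ul><li>' . implode('</li><li>', $titles) . '</li></ul>';
}

// --- Point 2, the vulnerable form: input is parsed as SQL and as HTML -------
function searchVulnerable(PDO $pdo, string $q): string
{
    // String-built query: the quote in $q closes the literal and the rest of
    // the input is parsed as SQL, so this returns every row.
    $sql  = "SELECT title FROM posts WHERE title LIKE '%" . $q . "%'";
    $rows = $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
    // Raw echo: any markup in $q is parsed by the browser as HTML/JavaScript.
    return '<p>Results for ' . $q . ':</p>' . renderList($rows);
}

// --- Point 2, the hardened form: input is data in both contexts ------------
function searchHardened(PDO $pdo, string $q): string
{
    // Prepared statement: $q travels as a bound value, never as query text.
    // (LIKE wildcards % and _ in $q still act as wildcards; escape them too
    // if a literal match is required.)
    $stmt = $pdo->prepare('SELECT title FROM posts WHERE title LIKE :pattern');
    $stmt->execute([':pattern' => '%' . $q . '%']);
    $rows = $stmt->fetchAll(PDO::FETCH_COLUMN);
    // Escape at the point of output, for user input and database values alike,
    // so the browser displays them as text instead of interpreting them.
    $esc = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<p>Results for ' . $esc($q) . ':</p>' . renderList(array_map($esc, $rows));
}

echo "Vulnerable:\n", searchVulnerable($pdo, $q), "\n\n";
echo "Hardened:\n",   searchHardened($pdo, $q),   "\n";
```

Run it from the command line (`php search.php`): the vulnerable version lists both rows, including the one the query should never have matched, and echoes the `<script>` tag back into the page; the hardened version finds nothing and prints the input as inert text. The two fixes are independent, so a script needs both: prepared statements do nothing for the HTML context, and output escaping does nothing for the SQL context.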

The only real solution to this would be for people to submit bug reports to the script authors stating that the dismal lack of sanitization on user-supplied input is a critical security flaw in the script.

PHP and MySQL are not the only technologies that leave sites exposed to this exploit; they just happen to be the most commonly used technologies in the scripts that have suffered from it.

With the rise of Web 2.0 technologies, where websites consume services from other websites, I fully expect that AJAX will become the “poster child” for cross site scripting exploits if “Web Designers” don’t smarten up and start including security in the core of their designs.

A “Web Designer” isn’t really known for doing anything but worrying about how a site looks. They are known for using code generation tools that write bad, bloated code with no attention to security issues. [ Dreamweaver being a number one culprit ]

A company wanting its corporate website revamped should immediately discard any “Web Designers” that submit quotes and only review quotes from those who identify as Website Developers and Designers. Those who use the developer term are more likely to worry about solid, secure code first, then work on making the site look good with that code. This is the ideal solution for any website that holds client data that must be kept confidential.
[ ecommerce sites specifically, since they have credit card and mailing address data submitted to them. ]
