Beefy Boxes and Bandwidth Generously Provided by pair Networks
Welcome to the Monastery
 
PerlMonks  

Comment on

( #3333=superdoc: print w/ replies, xml ) Need Help??
I was at a presentation of a local user group recently. I won't give more details than that to avoid embarassing the guilty parties. However, the presenter talked about an e-commerce application being developed for the web that he had spent a year developing, and was already in production. Some of the application involved doing a database query and showing the result on the web page. When I noticed no particular care being given to escaping HTML entities, I asked point blank "What considerations are you making to avoid cross-site scripting attacks?". His response made my jaw drop (after I stopped giggling): he went into detail about the security of the cookies being sent to the browser. All of which was cool, but was exactly the wrong place to look to avoid cross-site scripting attacks, where a user can place HTML displayed to another user, and thereby execute Javascript which steals cookies and therefore identities and everything that implies.

I'm shocked. Is this typical? Are people developing "web applications" without paying attention to Bugtraq and CERT notices, or even noticing that something they might be doing might be compromising their customer's security?

A few minutes later, I asked about cookie usage, wondering if the path of the cookie was being set properly, since he reported that sometimes you get "logged out" inconsistently. It took about six tries before he had a clue what I was asking.

And then he was talking about putting entire SQL queries into a cookie to provide paging access through the result set! As if by luck, he figured out that that "might be insecure", so instead he simply puts the parameters of the query into cookies!

Clues, people. Clues. These are all things that are basic security issues: the ignorance of which results in loss of revenue or privacy, possibly undetected.

And people wonder why I'm trying to sell my code review services. {grin}

As one person left the presentation, she commented quietly to me, "I like your brain." Which I'll presume to mean that I was asking the exactly right questions, and proved that this wasn't the guy that the rest of us should be learning from for strategy.

If you design for the web, remember that it's much better to have a non-functional secure site than a non-secure functional site.

-- Randal L. Schwartz, Perl hacker


In reply to web site design, or lack thereof by merlyn

Title:
Use:  <p> text here (a paragraph) </p>
and:  <code> code here </code>
to format your post; it's "PerlMonks-approved HTML":



  • Posts are HTML formatted. Put <p> </p> tags around your paragraphs. Put <code> </code> tags around your code and data!
  • Read Where should I post X? if you're not absolutely sure you're posting in the right place.
  • Please read these before you post! —
  • Posts may use any of the Perl Monks Approved HTML tags:
    a, abbr, b, big, blockquote, br, caption, center, col, colgroup, dd, del, div, dl, dt, em, font, h1, h2, h3, h4, h5, h6, hr, i, ins, li, ol, p, pre, readmore, small, span, spoiler, strike, strong, sub, sup, table, tbody, td, tfoot, th, thead, tr, tt, u, ul, wbr
  • Outside of code tags, you may need to use entities for some characters:
            For:     Use:
    & &amp;
    < &lt;
    > &gt;
    [ &#91;
    ] &#93;
  • Link using PerlMonks shortcuts! What shortcuts can I use for linking?
  • See Writeup Formatting Tips and other pages linked from there for more info.
  • Log In?
    Username:
    Password:

    What's my password?
    Create A New User
    Chatterbox?
    and the web crawler heard nothing...

    How do I use this? | Other CB clients
    Other Users?
    Others chilling in the Monastery: (10)
    As of 2014-07-22 11:28 GMT
    Sections?
    Information?
    Find Nodes?
    Leftovers?
      Voting Booth?

      My favorite superfluous repetitious redundant duplicative phrase is:









      Results (110 votes), past polls