Saturday, July 18, 2009

Web Application Security - Hacker or Knowledgeable Surfer?

If you haven’t already figured it out, my blog is all about protecting and educating you, the Internet user, from potential hackers and the ever increasing number of inexperienced web designers. That’s right, I said web designers. New social networking websites are popping up every day and are very popular with many Internet users. Whether they’re a newb or a tech savvy surfer, websites like myspace, facebook and twitter have become a powerful communication platform for everything from making plans with friends for a night out to keeping in touch with distant relatives. But beware friends, what looks like a professionally designed website may not always be professionally done.

Case in point, during my own surfing the other night I stumbled upon this networking site for local clubs and their patrons in some pretty major cities. Once you register as a member on the site, you are free to post messages and communicate with other users. You can also post pictures of yourself and your friends out partying at the sponsoring establishments. Being relatively new to the area I live in, and not really into the club scene, I decided to take a look around and see what’s out there. I got much more than I ever expected!

Secure IT!

While browsing, I realized that there were some areas of this website that were off limits to me until I sign up as a free member. Fair enough, so I click on the "Register Free" link and I am presented with a form into which I am supposed to enter my personal information. I notice the obvious straight away: there is no “https://” preceding the URL in my browser's address bar, nor is there a lock icon in the bottom right corner of my browser's status bar. So what does that mean? Well, those two indicators tell me whether the page I am on is using Secure Sockets Layer (SSL) to encrypt and protect my personal information before it travels over the Internet. HTTPS, or HyperText Transfer Protocol Secure, on port 443, is simply HTTP made more secure by running it on top of SSL.

Ok, so I’d already seen enough to know that I was not going to enter any of my personal data. But wait, it gets worse! This website's developer broke just about every rule of programming basics that I could think of, and I was on the site no more than 15 minutes. Since I was not going to register, I just poked around and looked at a few pages, when one page gave me this weird error.

Microsoft OLE DB Provider for ODBC Drivers error '80040e14'

[MySQL][ODBC 3.51 Driver][mysqld-5.0.41-community-nt]You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's Date'' at line 1

/scripts/dataconnection.asp, line 30

Programming Tip #1: Always create a default web page to handle the most common server errors.

So in reading the description of the error on this page, it tells me, the programmer, a few things that might be useful in debugging the problem with the code. It tells me the exact page and line number of the code that caused the error. I’ve boxed out the page for reasons you will understand within a few more sentences. So for me, being a programmer of many years, I’m curious now and want to see what the problem could be. So I point my web browser to the alleged problem page to see if I can spot the source of the problem. I immediately roll my eyes and shake my head in disbelief. I can hardly believe that someone would construct a site in such a manner. I quickly disregard the multiple instances of loosely written SQL statements that are now fully exposed to SQL injection attacks. This site's developer had given me the precise name and location of the database that is the backbone behind the entire site.
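The two mistakes described above (SQL text built by gluing user input into the query, and an error page that hands visitors the file path and line number) go together: the apostrophe in the leaked error message is exactly what a concatenated query chokes on. The following is an added illustration, not code from the site or from this blog; the site is classic ASP, but the pattern is shown here in Python with an in-memory SQLite table and constructed sample members so it runs anywhere. The `members` table, the two lookup functions and `handle_lookup` are all assumptions made for the example.

```python
import sqlite3
import traceback

# Constructed sample data standing in for the site's member table.
# Note the second name: a perfectly ordinary value containing an apostrophe.
SAMPLE_MEMBERS = [("alice", "alice@example.com"), ("O'Brien", "obrien@example.com")]


def make_db():
    """Build a throwaway in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO members VALUES (?, ?)", SAMPLE_MEMBERS)
    conn.commit()
    return conn


def find_member_unsafe(conn, name):
    """The 'loosely written' pattern: user input pasted straight into the SQL text.

    An apostrophe in the name closes the string literal early, the database
    reports a syntax error, and (without a proper error page) the visitor sees
    the internals of the script, just like the error quoted in the post."""
    sql = "SELECT email FROM members WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_member_safe(conn, name):
    """Parameterized query: the value travels separately from the SQL text, so
    an apostrophe (or anything else) in the input is treated purely as data."""
    sql = "SELECT email FROM members WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# Stands in for a log file that only the administrator can read.
SERVER_LOG = []


def handle_lookup(conn, name, query=find_member_safe):
    """Produce the page text for a member lookup (Programming Tip #1 in action).

    Failure details (exception type, message, file and line) are written to
    the server-side log; the visitor only ever gets a generic message."""
    try:
        rows = query(conn, name)
    except Exception:
        SERVER_LOG.append(traceback.format_exc())
        return "Sorry, something went wrong. Please try again later."
    if not rows:
        return "No such member."
    return "Found: " + ", ".join(email for (email,) in rows)


if __name__ == "__main__":
    db = make_db()
    print(handle_lookup(db, "O'Brien"))                            # parameterized: works
    print(handle_lookup(db, "O'Brien", query=find_member_unsafe))  # concatenated: generic error
    print("server log entries:", len(SERVER_LOG))
```

Run with the unsafe lookup, the apostrophe produces a database syntax error; the visitor sees only the generic sentence while the traceback with file and line number lands in `SERVER_LOG`. With the parameterized lookup the same name simply works. In classic ASP the equivalent of the `?` placeholder is an `ADODB.Command` with parameters rather than a string built from `Request` values, and the equivalent of the generic page is a custom error page configured in IIS.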

I’ll spend a little time on the multiple problems with this single page because I’m shocked at what passes for proper web design these days. Another crucial mistake: the ASP programmer built this site around a Microsoft Access database. MS Access databases (.mdb files) are the least secure databases in the world next to a flat text file.
Not only that, but these databases are easily downloaded by any user who knows their location. Since the site told me the exact location openly, I did just that. Well, ok, only long enough to take some screen shots for this blog, and then I deleted it because I am a really nice guy.

I didn’t think anyone really used MS Access for such web applications except for school projects and pre-development pages. My recommendation if you are creating dynamic web applications is to use MySQL Server. It’s free, secure and offered by most web hosts for a small additional fee. If you can spring the extra cash, go with my personal preference, Microsoft SQL Server. Budget crunch or not, there were still a few precautions that the lazy developers of this site could have taken. For one, they could have moved the database outside the hierarchy of the website's root directory. That way, the IUSR account (assuming the use of IIS here) can still read and write to the database, but it cannot be downloaded through a web browser. Too complicated? Try this: one thing Access does provide is a few different security features to lock a database so that its contents cannot be viewed without first entering a password. Apparently this wasn’t a very important step either, as I was able to open the database and view all of the personal information of more than 12,000 people in my area.
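The "move it outside the web root" advice is easy to get wrong with a plain prefix comparison (`C:\site\wwwroot2` starts with `C:\site\wwwroot` but is a different directory) or with a relative `..` path that looks outside but is not. Here is an added deployment check, not the site's or the blog's own code, written in Python so it runs anywhere: it resolves both paths and reports whether the database file would be reachable by URL. The paths used are constructed sample values, and `web_root` is assumed to be the directory the web server publishes.

```python
import os


def is_served_by_web_server(file_path, web_root):
    """True if file_path resolves to a location under web_root, meaning a
    browser could fetch the file directly by URL."""
    root = os.path.realpath(web_root)      # resolves '..' and symlinks
    target = os.path.realpath(file_path)
    # commonpath compares whole path components, so a sibling directory whose
    # name merely starts with the root's name is correctly treated as outside.
    return os.path.commonpath([root, target]) == root


def check_database_location(db_path, web_root):
    """Return a one-line verdict suitable for a deployment checklist."""
    if is_served_by_web_server(db_path, web_root):
        return "UNSAFE: database is under the web root and can be downloaded by URL"
    return "OK: database is outside the web root"


if __name__ == "__main__":
    # Constructed example layout: the server publishes /srv/site/wwwroot.
    web_root = "/srv/site/wwwroot"
    for candidate in [
        "/srv/site/wwwroot/data/members.mdb",      # the mistake described in the post
        "/srv/site/data/members.mdb",              # the recommended placement
        "/srv/site/wwwroot/../data/members.mdb",   # same safe place, written relatively
        "/srv/site/wwwroot2/members.mdb",          # sibling dir: a prefix check would get this wrong
    ]:
        print(candidate, "->", check_database_location(candidate, web_root))
```

On an IIS host the web root is the site's physical path and the relative form corresponds to a connection string built with `Server.MapPath("../data/members.mdb")`; the check is the same, only the separators differ. A file that passes the check is still readable by the account the web application runs as, which is the point of the arrangement.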

The database included first and last names, email addresses, passwords, cell phone numbers, home addresses, etc. This in my opinion is just pure negligence on the programmer’s part, and this person should be flogged and thrown off the nearest tall building, especially in today’s society given the focus that is on identity theft. I could go on and on with this topic, and I will likely come back to this as an example of basic programming do’s and don’ts. I didn’t mean to rip on the folks who created this site, but it was too perfect of an example for my first blog post to pass up.

Hope you enjoyed my first post, now go tell your friends to read it too!

Happy coding,

Bill @ gnidesign


Luke said...

Great article Bill, sounds like you had a field day digging through this guy's site. I've never heard of anything being THAT insecure, having the ability to open the user database in explorer. Did you contact the club owner at all?
