Security Audit / Websecurity

For general web development questions that are not specifically related to CSS HTML Validator. This includes (but is not limited to) general HTML, CSS, Accessibility, JavaScript, and SEO questions.
Albert Wiersch
Site Admin
Posts: 3785
Joined: Sat Dec 11, 2004 9:23 am
Location: Near Dallas, TX

Security Audit / Websecurity

Post by Albert Wiersch »

This person/company contacted me "out of the blue" about some potential security issues with our online web checking service.

I have addressed the major issues brought up. There was definitely an issue I overlooked that was brought to my attention - which I have fixed.

If anyone is looking for an inexpensive security audit for their site, then you may want to look into this person/company as they seem to offer a great value as far as security audit pricing is concerned. The downside is that English does not appear to be their first/primary language (website is not in English).

Contact info (translated English version):
http://translate.google.com/translate?h ... l=uk&tl=en
Albert Wiersch, CSS HTML Validator Developer • Download CSS HTML Validator FREE Trial
MustLive
Rank 0 - Newcomer
Posts: 1
Joined: Sat Dec 04, 2010 6:19 am

Re: Security Audit / Websecurity

Post by MustLive »

Hello Albert!

In addition to previous vulnerabilities, today I wrote you about new vulnerabilities at your site. These are Cross-Site Scripting (WASC-08) and Insufficient Anti-automation (WASC-21) vulnerabilities.

Always attend to the security of all of your web sites and web software, and to security audits.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
MikeGale
Rank VI - Professional
Posts: 726
Joined: Mon Dec 13, 2004 1:50 pm
Location: Tannhauser Gate

Re: Security Audit / Websecurity

Post by MikeGale »

This looks interesting but I didn't initially see enough to get a good handle on it.

What are the reports like? In English? Is there an online sample of what you get?
Albert Wiersch
Site Admin
Posts: 3785
Joined: Sat Dec 11, 2004 9:23 am
Location: Near Dallas, TX

Re: Security Audit / Websecurity

Post by Albert Wiersch »

MustLive wrote: Hello Albert!

In addition to previous vulnerabilities, today I wrote you about new vulnerabilities at your site. These are Cross-Site Scripting (WASC-08) and Insufficient Anti-automation (WASC-21) vulnerabilities.
Thanks! The cross-site issue should be addressed. I am considering what to do about the weak anti-automation issue.

For people who might be interested in more details, I use PHP and was using something like this:


<input id="subject" value="<?php echo($subject); ?>" name="subject" type="text">
Which is insecure because $subject could contain a script that could be executed on the end-user's system. The solution is to use the htmlspecialchars() function so embedding a script is not possible:


<input id="subject" value="<?php echo(htmlspecialchars($subject)); ?>" name="subject" type="text">
MikeGale
Rank VI - Professional
Posts: 726
Joined: Mon Dec 13, 2004 1:50 pm
Location: Tannhauser Gate

Re: Security Audit / Websecurity

Post by MikeGale »

Thanks for that Albert.

I don't use PHP a lot; can you confirm I've got this right?

On your server somehow the variable $subject could contain code. So you encode the result, which will disable any script links (< goes to &lt; etc.).

This is not a direct vulnerability but a mechanism through which a compromised "variable/mutable-element" can be deployed.
Albert Wiersch
Site Admin
Posts: 3785
Joined: Sat Dec 11, 2004 9:23 am
Location: Near Dallas, TX

Re: Security Audit / Websecurity

Post by Albert Wiersch »

Hi Mike,

Yep, that sounds right.

An end user could potentially set $subject to something like this:


"><script>... do something ...</script>
Which would result in the output:


<input id="subject" value=""><script>... do something ...</script>" name="subject" type="text">
Which would cause the script to execute on the user's browser.

I suppose it could be used to insert nefarious code from another site and make it look like it was from our site.

Just have to remember to always use that htmlspecialchars() function wherever needed!
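The reflected XSS Albert walks through in his two posts above (the raw echo() of $subject into a value attribute, and the "><script>… payload that breaks out of it) as a runnable, added example; this is not code from the original thread or from CSS HTML Validator. It is written in Python rather than PHP so it can be executed stand-alone: html.escape(..., quote=True) plays the role of htmlspecialchars() with ENT_QUOTES, and the template string, the payload body and the parser-based check are constructed for this illustration. The parser is there to show the difference the way a browser sees it: in the raw rendering a <script> element appears and the field value is empty, in the encoded rendering no script element exists and the field value is exactly what the user typed.

```python
import html
from html.parser import HTMLParser
from typing import Dict, List, Optional

# Hypothetical template fragment mirroring the form field quoted in the thread.
TEMPLATE = '<input id="subject" value="{value}" name="subject" type="text">'

# Constructed attacker input: closes the value attribute, then opens a script tag.
PAYLOAD = '"><script>alert(document.domain)</script>'


def render_vulnerable(subject: str) -> str:
    """Interpolate untrusted input raw, like echo($subject) in the original."""
    return TEMPLATE.format(value=subject)


def render_safe(subject: str) -> str:
    """Encode for a quoted HTML attribute context.

    html.escape with quote=True encodes & < > " and ', the same set as PHP's
    htmlspecialchars() with ENT_QUOTES, so the attribute cannot be closed early.
    """
    return TEMPLATE.format(value=html.escape(subject, quote=True))


class _TagCollector(HTMLParser):
    """Record every start tag and the attributes of each <input>."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: List[str] = []
        self.inputs: List[Dict[str, Optional[str]]] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        self.tags.append(tag)
        if tag == "input":
            self.inputs.append(dict(attrs))


def _parse(markup: str) -> _TagCollector:
    parser = _TagCollector()
    parser.feed(markup)
    parser.close()
    return parser


def script_injected(markup: str) -> bool:
    """True if the markup, tokenized the way a browser would, contains a <script> element."""
    return "script" in _parse(markup).tags


def subject_value(markup: str) -> Optional[str]:
    """The decoded value attribute of the first <input>, or None if there is no <input>."""
    parsed = _parse(markup)
    return parsed.inputs[0].get("value") if parsed.inputs else None


if __name__ == "__main__":
    for label, render in (("vulnerable", render_vulnerable), ("hardened", render_safe)):
        out = render(PAYLOAD)
        print(f"{label}: {out}")
        print(f"  script element present: {script_injected(out)}")
        print(f"  value the browser would show in the field: {subject_value(out)!r}")
```

In PHP the hardened line is htmlspecialchars($subject, ENT_QUOTES | ENT_HTML5, 'UTF-8'); passing ENT_QUOTES explicitly matters because the default before PHP 8.1 left single quotes unencoded, which is enough to break out of a single-quoted attribute. The encoding is also specific to this context: it is correct inside a quoted attribute or in element text, but not inside a <script> block, a URL, or an unquoted attribute, each of which needs its own encoder.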
MikeGale
Rank VI - Professional
Posts: 726
Joined: Mon Dec 13, 2004 1:50 pm
Location: Tannhauser Gate

Re: Security Audit / Websecurity

Post by MikeGale »

I see more of the scenario you're looking at.

Thanks.

The first line of defence, then, is the process that takes user input and defuses some potential hacks. (Like the code you write to make SQL injection fail.)