Home > Articles > Security > General Security and Privacy

  • Print
  • + Share This
Like this article? We recommend

The Fixes

There are a few things that the web developers could do to help prevent these types of attacks. First, all form fields should be filtered to prevent XSS attacks. This is typically as simple as filtering just the "<" and ">" characters, but can be extended beyond that to also include "&*^%%$#@!(){}[]\|';:/?.,>". The point is to think about what characters are actually needed. Second, a user should never be allowed to upload a file that could be executed on the server. In other words, an upload script should be limited to just those files that are necessary for business. In addition to this, I would suggest uploading files to a non-executable directory on the webserver (e.g. /home/files vs. /home/www/files).

Finally, any and all PHP files that are located on a server MUST be controlled and limited to those users who actually need them. Leaving the create_admin.php file open for execution is just asking for attack.

The final suggestion is to avoid the use of a cookie for the storage of sensitive data. It only takes one browser vulnerability or XSS bug to give an attacker all they need to access this data, which will subvert your protection. The best idea is to use encrypted hidden form fields based on something unique about the user or what the user knows. This can make a program much more complex, but the added security is worth it.

  • + Share This
  • 🔖 Save To Your Account