Question

What are some tips for preventing a script kiddie from harming your web site?

Asked by tantaikooi (119 points) | asked February 5th, 2008 | 5 responses | “Great Question” (3 points)

I believe some of you guys are really good at this…

Some popular holes are:
1. SQL injection
2. JavaScript injection

Some popular solutions:
1. magic quotes
2. check if the request was submitted from the same host (this is not fully secure; they can simply change the script attribute on the fly)

What else? And how to prevent it?

Answers

Zaku

1. Don’t use SQL (saves money, too).
2. Run your site on Linux.
3. Don’t enable any software or languages you aren’t using yourself.
4. Put your server behind a NAT firewall and close down ports you aren’t using yourself.

Vincentt

Read up on the subject; using Apache on Linux as your web server already helps a great deal.

cwilbur

Don’t trust any input you get from the user. Expect that the user is going to send you garbage data—even if script kiddies don’t, ordinary users will. Sanitize it somehow, and make sure it doesn’t contain anything inappropriate. When you interact with the database, use placeholders and parameters to pass arguments to the database, not string interpolation.

Don’t give anyone access to anything he shouldn’t have access to. Turn off all services you’re not using, and use the software firewall to block remote access to any services you’re only using internally. Make sure that users only have access to their own data, and that they can’t screw up others’ data.

Don’t assume that code you didn’t write will do the right thing. Sanity-check the things you get back from the database. Use two methods—configuration and software firewall—to lock down the services; there may be a hole in one method, but there probably won’t be a hole in the same place in both.

Make sure your code is as clean and clear as you can make it. The sort of hole that lets a hacker in is more likely to be in code that’s so messy you have to read it over 2 or 3 times to see how it works.
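The two "don't trust input" points in this answer (placeholders instead of string interpolation for the database, and sanitizing what goes back to the browser) shown side by side. This is an added example, not code from the thread or from Fluther; it uses only the Python standard library, and the users table, the rows and the crafted input are constructed sample data.

```python
"""Parameterized SQL versus string interpolation, plus HTML output encoding.
Added illustration of cwilbur's advice; all data below is constructed."""
import html
import sqlite3

# Constructed sample data: a tiny users table in an in-memory database.
SAMPLE_USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_interpolated(conn, name):
    """The pattern the answer warns against: the user's input becomes part of
    the SQL text, so a quote character in it changes the query's structure."""
    sql = "SELECT name, email FROM users WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    """Placeholder plus parameter: the driver passes the value separately, so
    the input is only ever compared as data and never parsed as SQL."""
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def render_greeting(name):
    """Output encoding for the 'JavaScript injection' hole from the question:
    escape user text before placing it in HTML so it is displayed, not run."""
    return "<p>Hello, %s</p>" % html.escape(name, quote=True)


def demo():
    """Run both lookups on the same constructed input containing a quote.
    The interpolated query matches every row; the parameterized one matches
    nothing, because no user is literally named that string."""
    conn = make_db()
    crafted = "x' OR '1'='1"  # constructed input with an embedded quote
    return {
        "interpolated": lookup_interpolated(conn, crafted),
        "parameterized": lookup_parameterized(conn, crafted),
        "greeting": render_greeting("<script>alert(1)</script>"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The interpolated lookup is the "before" form and exists only to show the failure; the parameterized form is the one to use. Note that `html.escape` is a display-side fix: it does not replace validating the input when it arrives, it stops stored text from being interpreted as markup when it is rendered.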

robhaya

Ditto cwilbur.

Turn off any ports that you are not using on the server, disable non-essential web services, and make sure you are running the latest stable version of any third-party application, web server, database, etc. Often people fail to update these things and leave their site open to these types of vulnerabilities/exploits.

Also make sure that proper file and directory permissions are set. You don’t want to give everyone rwxrwxrwx (777) on files or directories that should not have it.

Good Luck!
R
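A quick check for the permissions point in this answer: walk a web root and report every file or directory that is world-writable (the "o+w" bit that 777 and 666 grant). This is an added example, not code from the thread; it uses only the Python standard library, and the sample tree it audits is built in a temporary directory with deliberately bad modes.

```python
"""Report world-writable files and directories under a web root.
Added illustration of robhaya's point about 777 permissions; the sample
tree is constructed."""
import os
import stat
import tempfile


def world_writable(root):
    """Return (relative path, octal mode) for every entry under root whose
    other-write bit is set. Symlinks are skipped so a link is not reported
    or cleared on the basis of its target's mode."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if stat.S_ISLNK(mode):
                continue
            if mode & stat.S_IWOTH:
                findings.append((os.path.relpath(path, root), oct(mode & 0o777)))
    return sorted(findings)


def build_sample_tree():
    """Constructed web root: one correctly locked-down file (644), one 777
    directory and one 666 file inside it. Returns the temp root path."""
    root = tempfile.mkdtemp(prefix="webroot-")
    os.chmod(root, 0o755)
    good = os.path.join(root, "index.html")
    with open(good, "w") as fh:
        fh.write("<h1>ok</h1>\n")
    os.chmod(good, 0o644)
    uploads = os.path.join(root, "uploads")
    os.mkdir(uploads)
    os.chmod(uploads, 0o777)
    leaky = os.path.join(uploads, "config.php")
    with open(leaky, "w") as fh:
        fh.write("<?php // constructed sample, not a real config\n")
    os.chmod(leaky, 0o666)
    return root


if __name__ == "__main__":
    for rel, mode in world_writable(build_sample_tree()):
        print("world-writable: %s (%s)" % (rel, mode))
```

Pointing `world_writable` at the real document root gives the list of paths whose modes need tightening; directories normally want 755 and files 644 unless the web server process itself must write there.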

aaronblohowiak

Hire a security professional.

Install an intrusion detection system (hardware).

Get audited.
