
Thread: HTML/CGI forms

  1. #11 Senior Member (Join Date: Oct 2002, Posts: 181)
    Where is the product information coming from in the first place? Are you running a database?

    SittingDuck
    I'm a SittingDuck, but the question is "Is your web app a Sitting Duck?"

  2. #12 Just Another Geek (Join Date: Jul 2002, Location: Rotterdam, Netherlands, Posts: 3,401)
    Originally posted here by anonymityX
    Hi SirDice.

    Security has been a concern, but I need a working site before I can think of securing it.

    This is my first attempt at such a task. I've previous experience with HTML, but I've picked up Perl and CGI within the last couple of weeks just to create this site.

    -aX
    This is definitely the wrong way to do this. Security should be an issue right from the start or you will never get it right.

    Security isn't easy, nor is it something that you can bolt onto a product after the fact.
    -- Bruce Schneier.

  3. #13
    There's no database, it's all in CGI pages.

    When they "add to basket" a part number (acting as a key) is assigned a value (the quantity), and from then on that information is stored in hidden forms, until completion (i.e. either the order is completed or the page is closed).

    I've chosen this way because there really aren't many products on this site.

    -aX

    SirDice,
    I agree with you there, but I don't see the security risks in sending non-confidential information via POST.
    Any personal information is contained within SSL and then encrypted using PGP.
    "I can resist everything, except temptation." - Oscar Wilde

  4. #14 Just Another Geek (Join Date: Jul 2002, Location: Rotterdam, Netherlands, Posts: 3,401)
    Originally posted here by anonymityX
    SirDice,
    I agree with you there, but I don't see the security risks in sending non-confidential information via POST.
    Any personal information is contained within SSL and then encrypted using PGP.
    Security risks? How about Cross Site Scripting and inserting unexpected user input so your app croaks (or even worse 'they' take over your app)?
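
The two posts above describe the risk in the abstract: the basket lives in hidden form fields that the browser sends back, so anything in them (part number, quantity) is just another piece of user input, and anything reflected into the page is a cross-site scripting vector unless it is escaped. The following is an added example written for this page, not code from anonymityX's site or from anyone in the thread; it is in Python rather than the Perl/CGI the site uses, and it assumes a server-side secret key, a fixed three-item catalogue and a part-number format of the form P123, none of which the thread specifies. It keeps the hidden-field design but signs the field with an HMAC so an edited basket is detected, validates the part number and quantity against an allow-list, and HTML-escapes everything on output.

```python
import hashlib
import hmac
import html
import re
from urllib.parse import parse_qs

# Assumption: a server-side secret the browser never sees. In a real
# deployment load it from a file outside the document root, not from code.
SECRET_KEY = b"replace-with-32-random-bytes-from-os.urandom"

# Assumption: the small fixed catalogue the thread describes (no database).
CATALOGUE = {"P100": "Widget", "P200": "Gadget", "P300": "Gizmo"}
PART_RE = re.compile(r"^P\d{3}$")   # allow-list shape for a part number (assumed)
MAX_QTY = 99


def sign_basket(basket):
    """Serialise {part: qty} and append HMAC-SHA256 over the serialisation.
    This string goes into the hidden field; on the next request the MAC
    proves the field is byte-for-byte what the server emitted."""
    payload = ",".join(f"{part}:{qty}" for part, qty in sorted(basket.items()))
    mac = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{mac}"


def verify_basket(field):
    """Return the basket dict if the hidden field's MAC is valid, else None."""
    payload, sep, mac = field.rpartition("|")
    if not sep:
        return None
    expected = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):   # constant-time comparison
        return None
    basket = {}
    for item in filter(None, payload.split(",")):
        part, _, qty = item.partition(":")
        basket[part] = int(qty)
    return basket


def validate_item(part, qty):
    """Allow-list checks on the two values the user really chooses."""
    if not PART_RE.match(part) or part not in CATALOGUE:
        raise ValueError(f"unknown part number {part!r}")
    if not qty.isdigit() or not 1 <= int(qty) <= MAX_QTY:
        raise ValueError(f"quantity must be 1..{MAX_QTY}, got {qty!r}")
    return part, int(qty)


def render_page(basket, note=""):
    """Emit the basket table, a message and the signed hidden field.
    Every string that a user could have influenced is escaped on output,
    which is what stops reflected cross-site scripting."""
    rows = "".join(
        f"<tr><td>{html.escape(p)}</td><td>{html.escape(CATALOGUE.get(p, '?'))}</td>"
        f"<td>{q}</td></tr>"
        for p, q in sorted(basket.items())
    )
    field = html.escape(sign_basket(basket), quote=True)
    return (f"<table>{rows}</table><p>{html.escape(note)}</p>"
            f'<form method="post"><input type="hidden" name="basket" value="{field}">'
            f'<input type="submit" value="Checkout"></form>')


def handle_add_to_basket(post_body):
    """Process one 'add to basket' POST body. Returns (status, basket, page)."""
    form = parse_qs(post_body, keep_blank_values=True)

    def field(name):
        return form.get(name, [""])[0]

    basket = verify_basket(field("basket"))
    if basket is None:                       # edited, missing or forged field
        return "tampered", None, render_page({}, "Basket data was altered; starting again.")
    try:
        part, qty = validate_item(field("part"), field("qty"))
    except ValueError as err:                # unexpected input: reject, don't crash
        return "invalid", basket, render_page(basket, f"Rejected: {err}")
    basket[part] = basket.get(part, 0) + qty
    return "ok", basket, render_page(basket, field("note"))


if __name__ == "__main__":
    # Constructed requests: a normal add, the same hidden field with the
    # quantity edited in the browser, and a reflected-XSS attempt in 'note'.
    empty = sign_basket({})
    print(handle_add_to_basket(f"basket={empty}&part=P100&qty=2")[:2])   # ('ok', {'P100': 2})
    forged = sign_basket({"P100": 2}).replace("P100:2", "P100:-2")
    print(handle_add_to_basket(f"basket={forged}&part=P200&qty=1")[0])  # tampered
    page = handle_add_to_basket(f"basket={empty}&part=P300&qty=1&note=<script>alert(1)</script>")[2]
    print("<script>" in page)                                             # False
```

The MAC only proves the server produced the field; it does not hide its contents, so nothing confidential should go in it, and the same signed basket can be replayed. Quantities and part numbers are validated when they are added, before they ever reach the signed payload, so the only way to get a negative quantity into the basket is to forge the MAC. In Perl the same pieces are available as hmac_sha256_hex from Digest::SHA and escapeHTML from CGI.pm.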

  5. #15
    I don't know about cross-site scripting; would you be able to explain these risks to me? As I said before, this is my first attempt.

    I will be putting in checks to make sure the data I'm getting is what I want. Can you recommend a good program that can check my scripts for possible holes?

    -aX
    \"I can resist everything, except temptation.\" - Oscar Wilde

  6. #16 Junior Member (Join Date: Mar 2003, Posts: 10)
    ACK! Avoid JavaScript if you can. I'm serious ... use php. Look at the site you're on right now. Check out the address bar. See the little ".php" in there? PHP has an entire function class just for session handling. If coupled with SSL encryption, sessions CAN be (relatively) secure if done correctly. In my opinion the only correct way to do what you're trying to do is with encrypted sessions.

    Here's a link to the sessions section on php.net:

    http://www.php.net/manual/en/ref.session.php

    Take special note of the section on security and sessions.

    Just my $.02

    Also, as soon as you can, switch them to a database structure. It sounds like they're concerned about cost since they're giving you so few resources. Try MySQL or PostgreSQL on for size. PHP interfaces great with both of these free database systems.

  7. #17 Just Another Geek (Join Date: Jul 2002, Location: Rotterdam, Netherlands, Posts: 3,401)
    Originally posted here by anonymityX
    I don't know about cross-site scripting; would you be able to explain these risks to me? As I said before, this is my first attempt.
    http://www.cgisecurity.com/articles/xss-faq.shtml

    I will be putting in checks to make sure the data I'm getting is what I want. Can you recommend a good program that can check my scripts for possible holes?

    -aX
    http://www.wiretrip.net/rfp/p/doc.asp/i1/d6.htm
    http://www.wiretrip.net/rfp/p/doc.asp/i1/d21.htm

  8. #18
    Thanks guys,

    I hadn't given security enough thought until reading the links by SirDice, you've saved me from my own ignorance! lol.
    But seriously, thanks a lot, these links will keep me busy for the rest of the day and hopefully I'll end up with a secure site!

    Thanks again.....

    -aX
    \"I can resist everything, except temptation.\" - Oscar Wilde

  9. #19 Senior Member (Join Date: Oct 2002, Posts: 181)
    I'm sorry, but SSL is only part of the answer. All an SSL connection does is prevent someone from sniffing the traffic. It does not stop someone from tricking the web server into giving them your details!

    The topic of web security is massive; I could spend all day writing about it. But to start you off, have a very, very good read of www.owasp.org. To me it's the best web app security information site going.

    anonymityX, because of the task you are trying to do I would use a language with a database at the backend, like PHP, ASP, JSP, ColdFusion or even Perl/CGI. Using a database to store your information will make life a lot easier for yourself when it comes to things like storing customer information, tracking what they bought, storing your products and allowing for future growth of the site. But again, this will bring new security problems.

    But like I said, I would strongly suggest you read www.owasp.org, as they cover all aspects of web security and won't try to sell you anything.

    SittingDuck

    MY 100th POST!!!!!!!!!!!!!!!!!!!!

    SittingDuck
    I'm a SittingDuck, but the question is "Is your web app a Sitting Duck?"
