Thursday, June 12, 2008

Script Injection

As technology progresses, hackers look for new techniques to attack your servers. The most common technique is the script injection attack, which occurs when a hacker takes a few lines of malicious program code, enters it into a form on your Website and then submits the form. If your Website is data driven, chances are you have forms on it. Hackers will often inject scripts into your forms and try to do the following:


Mislead the system into thinking they are an authorized or legitimately registered user
Try and modify your data on the data server
Try and generate reports from your database without your consent
Try and generate reports about your file structure or security



There are a million things a hacker can do if he can get access through a script injection attack. Most Web servers now combat this method of hacking automatically: by default, anything that looks like a script is rejected by the server. Microsoft addresses it in the .NET framework.

So the most important things you can do to prevent script injection attacks are:


1. Programming languages contain many characters and certain other keywords that are not conventional in the English language. For example, no one has a name containing the characters "*", "%", "@", "!", "<" or ">", all of which are commonplace in programming languages. Your forms should reject these types of characters whenever possible. This is the simplest way to tackle the problem.

2. Validate the data before submitting it. For example, if you are asking the user for a name, make sure it does not contain numbers.

3. Limit the number of characters a user can type into each form field.

4. Input encoding

5. Output encoding
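As an added example (not code from the original post), here is how the five steps above fit together for a single "name" form field in Python: input is first brought to a canonical encoding, then validated against a character whitelist, a no-digits rule and a length cap, and finally HTML-encoded before it is echoed back to the page. The forbidden character set and the 64-character limit are assumptions chosen for the example.

```python
import html
import unicodedata

# Assumed policy for this example: characters the post lists as never
# appearing in a real name, and a length cap per form field.
FORBIDDEN_CHARS = set('*%@!<>')
MAX_FIELD_LENGTH = 64


def canonicalize(value: str) -> str:
    """Step 4: input encoding. Normalise to one canonical form first, so that
    look-alike characters (e.g. full-width '\uff1c') cannot slip past the
    character checks applied afterwards."""
    return unicodedata.normalize("NFKC", value)


def validate_name(name: str) -> bool:
    """Steps 1-3: reject forbidden characters, digits and over-long input.
    Returns True only for input that passes every check."""
    name = canonicalize(name)
    if not name or len(name) > MAX_FIELD_LENGTH:
        return False                 # step 3: length limit
    if any(ch in FORBIDDEN_CHARS for ch in name):
        return False                 # step 1: reject script-like characters
    if any(ch.isdigit() for ch in name):
        return False                 # step 2: a name contains no numbers
    return True


def encode_for_html(value: str) -> str:
    """Step 5: output encoding. Every HTML-significant character becomes an
    entity, so the value is displayed literally instead of parsed as markup."""
    return html.escape(value, quote=True)


def render_greeting(name: str) -> str:
    """Build the greeting that would be echoed back on the page.
    Validation and encoding are independent layers: even if a value slipped
    past validation, encoding keeps it from running as a script."""
    if not validate_name(name):
        return "<p>Invalid name</p>"
    return "<p>Hello, " + encode_for_html(canonicalize(name)) + "</p>"
```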

Another type of injection is SQL injection, which will be discussed in a coming post.

Feel free to add more information or comments using the comment feature below.
