Hack attacks!

Just read a blog entry by Robert Hulbert and I was reminded of a similar type of presentation Jeff Prosise did in Melbourne last year.

A lot of the discussed content is quite similar, but I think it is one of those important topics that no matter how many times a developer may hear it, they may not act upon until something drastic occurs.

I also watched the activities which occurred over at Channel9, where several individuals injected some JavaScript and STYLE blocks to effectively “mess up” several threads.

Could all that have been avoided? Definitely, especially if you followed the following three rules put forward by Jeff Prosise at last year’s MSDN Update (that I mentioned previously):

Three tips/rules from Jeff Prosise’s presentation:

  • Never trust user input!
  • Validate/Filter input
  • Only allow characters that make sense!

I’m not saying it is their fault, but it is something that perhaps wasn’t given enough thought when implemented previously. Never trust user input is an important one for me…
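To make the three rules concrete, here is an added example (not code from the post or from Jeff Prosise’s presentation) of how a forum post field could be handled: a whitelist of characters that make sense for plain text, a length limit, and HTML encoding on output as a second layer. The sample posts are constructed for the demonstration and are not real Channel9 content.

```python
import html
import re

# Constructed sample forum posts (not real Channel9 content).
SAMPLE_POSTS = {
    "benign": "Great talk, Jeff! Rule #1: never trust user input.",
    "script": "Nice thread <script>alert('pwned')</script>",
    "style": "<style>body { display: none }</style> broken layout",
}

# Rule 3: only allow characters that make sense for a plain-text post.
# Letters, digits, whitespace and common punctuation; no angle brackets,
# so markup can never reach the page through this field.
ALLOWED_POST_RE = re.compile(r"[A-Za-z0-9\s.,;:!?'\"()\-#]*")
MAX_POST_LENGTH = 2000


def validate_post(text: str) -> bool:
    """Rule 2: validate against a whitelist, not a blacklist of bad tags."""
    if not isinstance(text, str) or len(text) > MAX_POST_LENGTH:
        return False
    return ALLOWED_POST_RE.fullmatch(text) is not None


def encode_for_html(text: str) -> str:
    """Defence in depth: even validated text is HTML-encoded on output,
    so a gap in the whitelist cannot turn into script or style injection."""
    return html.escape(text, quote=True)


def render_post(text: str) -> str:
    """Rule 1: never trust the input. Reject anything outside the whitelist
    and encode what is accepted before it goes into the page."""
    if not validate_post(text):
        raise ValueError("post rejected: contains characters that do not make sense here")
    return f"<p>{encode_for_html(text)}</p>"


def contains_raw_tag(rendered: str) -> bool:
    """True if a raw <script or <style tag survived rendering."""
    lowered = rendered.lower()
    return "<script" in lowered or "<style" in lowered


if __name__ == "__main__":
    for name, post in SAMPLE_POSTS.items():
        try:
            print(name, "->", render_post(post))
        except ValueError as err:
            print(name, "->", err)
```

The whitelist stops the injected script and style before storage; the output encoding is what would have neutralised them even if the validation had been missed.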

What were the things that I remember seeing? I remember seeing a simple JavaScript alert() popping up when I visited the thread, as well as severely distorted threads caused by users embedding various items.

I’m sure there were a few other mishaps, but I just generally tried to stay away from it all. I just followed all the “action” via RSS feeds.

It’s just a reminder that in this age we should be doing all we can to plan ahead for all the potential attacks that could occur on our apps.

Think of all the possible scenarios that could occur, and try to “hack” your own apps. If you can do damage to it, think about how it may possibly get exploited, and worse things could well happen to it once it has been exposed to the World-Wide Web!

A script kiddie can easily come along and run their scripts against your web app, and whammo! They’ve exposed your hole and gained access to your server, and within a few short moments your app and the server hosting it have been exposed to an unauthorised individual. It was a known loophole, but you didn’t think too much about it; no, it couldn’t possibly happen to your app, or could it?
