World-facing websites always have to be written carefully in order to prevent malicious attacks. There are tons of additional vulnerabilities and attack vectors which need to be addressed as well, but in this post I’m going to talk about the two most common: Cross Site Scripting (XSS) and SQL Injection.
If you already know what these are, feel free to skip down a bit to the section where I talk about where ATG Dynamo helps and where there are still some gaps.
It is an attack against your users, not your servers.
By stealing account information and by placing fraudulent orders these attacks can turn into attacks against your site, secondarily.
Typically these attacks are made by taking advantage of anywhere the website echoes back user input or query/post parameters within the contents of the rendered page. This could be a comment or review function, or even passing a query param along in a hidden form field. There are a million places where sites end up putting request data or un-cleansed data from the database into the contents of a page.
SQL Injection is where a cracker is able to directly manipulate your database. This can be used to bypass authentication mechanisms, delete critical data, or steal confidential information.
This most often happens when form input is used in a database query (select, update, and insert are all vulnerable). By inserting SQL into the form, a carelessly developed site will often pass that SQL directly to the database, where it is executed as if it was the web application running it.
So, now that we’ve covered the mechanisms and dangers of these two types of attacks, let’s talk about how ATG helps, and where there are still security gaps.
ATG automatically escapes output from valueof tags which prevents 95% of the normal issues which would plague a site written in PHP or straight JSP (you aren’t using any inline Java in your JSPs are you?).
One of the biggest, and most common, gaps is the use of:
So, if you are outputting anything that may contain user input, from a request or the database, use valueof, or if you can’t, escape it using ATG’s ServletUtils:
Now let’s talk about SQL Injection. ATG’s Repository layer (Data Anywhere) automatically prevents SQL injection. So as long as you are using it, you are safe. If you have to do straight JDBC work, ensure you are using parameterized queries.
There are excellent tools out there for analyzing your code base and application in order to find security issues like these, and others. My two favorites are Fortify which performs analysis of the code, tracing potentially dirty data through it’s lifecycle and identifying issues, and WebInspect which is a penetration testing tool which scans the web site looking for XSS vulnerabilities and other issues.