Friday, September 13, 2019

Developing an interactive secure website Research Paper

Developing an interactive secure website - Research Paper Example The extensive growth and use of the internet over the years have created and led to websites and web applications facing more threats and vulnerabilities each day. This has thus demonstrates the importance and emphasis developers and website administrators have put on web security. Web security does not only entail securing the web application only but also securing the web server and the web users as well. This article aims at explicating the various forms of threats, attacks and vulnerabilities that web applications, servers and users face.It will also show various methods of howto prevent, minimize and deal with security loopholes that attackers exploit. The importance of ensuring security of websites, web servers and the users cannot be underestimated (Braithwaite, 2002). Discussion There are various vulnerabilities that web applications and websites face. These threats range from security loopholes that are created during development, at the servers and at the user interfaces. T his discussion will mostly focus on the security of website application developed using PHP language and are SQL database driven. PHP functions Security Developing website applications using PHP is relatively easy since its syntax and semantics can easily and quickly be grasped. The buck though doesn’t stop here. It has the capability of performing diverse functions when its seamlessly and flawlessly working with HTML. The fact that it is open source and also works well with other open source tools and languages such as the MySQL database ad the Apache Server makes the most preferred web development languages for developers and very much targeted by hackers and malicious web users. Many developers, especially beginners ignore or forget the aspect of security (Shaw, 2001). It is worth noting here that even advanced developers sometimes write code that is vulnerable to attacks.PHP can work even if there are security loopholes in the coding. These loopholes are not hard to locat e in PHP and are what malicious web users look for. Although PHP offers some great features that can be used to minimize security vulnerabilities, it’s up to the developer to be able to utilize them (Braithwaite, 2002). Securing PHP applications entails limiting coding errors as much as possible. Common types of PHP security loopholes are: Error Reporting This is a PHP tool that allows diagnosis of errors and quick and easier fixing. It is also potential security vulnerability when no properly used such as when errors are publicly visible to users on-screen. It reveals a lot of information such as security loopholes in the code. Display_errors should be turned off or be appended a ‘0’ value so that errors cannot be viewed on-screen by users. If the Display_error is turned on or appended the ‘1’ value, errors will be displayed onscreen to users thus posing as a security threat that hackers can exploit. You can however opt to report errors by enabling log_errors. This is done by turning on log_errors and showing the location of the log using error_log. Register_Globals Writing PHP applications is made convenient and simpler by the use of Register_Globals. This although poses a great threat in terms of security. Register_Globals should therefore be always turned off. If turned on, users who are neither authenticated nor verified can inject variables in the application thus gaining administrative access to the application. A good example is where a user may append the value ‘?admin =1’ at the end of a page url and gain access to the sites administrative areas that might require a secure password. e.g. if(isset($_POST[‘pwd’]) && $_POST[‘pwd’] == â€Å"wxyz†) { $admin = TRUE; } If Register_Global is turned off, this kind of forced access cannot occur. Therefore, it is advisable to consider using predefined PHP variables such as $_POST, $_ENV, $_COOKIE, $_SERVER or $_GET to ensure tight se curity. Cross-Site Scripting (XSS) Hackers use this method to collect website’

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.