When building software, security is one thing that needs to be kept in mind from the beginning. This is called security by design, which means that the design of your software covers from the outset:
- how it is going to protect the data it handles
- how the software itself is going to be kept secure
Cross-site scripting (XSS)
Cross-site scripting or XSS refers to an attacker's ability to add their own code to a web page. The result is that attacker-controlled script runs in other users' browsers, which can change how the website appears or functions, steal private information such as session cookies, impersonate users and even spread itself.
XSS occurs when software takes input from a user and places it in a page without sanitizing or encoding it first. Attackers exploit this by providing script as the input, which the browser then executes as part of the page.
An XSS attack can act like a worm: once a malicious payload is stored in the site, it can spread to every user who views the affected page.
Mitigation
- Implement a zero-trust approach: treat every input as untrusted.
- Sanitize all user inputs.
- Validate all user inputs.
- Encode special characters before output so the browser treats them as text rather than markup.
- Users should be given the option to disable client-side scripts.
SQL injection
SQL injection refers to an attack where malicious SQL is injected into the queries an application sends to its database, allowing the attacker to steal information from data-driven software.
This occurs, again, through improper handling of inputs. Attackers supply input containing SQL fragments, and the software passes them to the database as part of a query.
Mitigation
- Validate and sanitize user inputs - as with XSS, properly handling user inputs reduces the risk.
- Parameterized statements - instead of embedding user input into a query string, use placeholders that receive the values as parameters.
- Use prepared statements and stored procedures - with prepared statements, the query structure is fixed before the parameters are supplied, so the input cannot change it. Stored procedures define the exact SQL statements required to complete a request, which narrows the risk of unintended SQL statements being run.
- Permission handling - database access should be restricted to the minimum each application account needs.
- Firewalls - firewalls help prevent SQL exploits by blocking unauthorized transactions on the network.
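The following is an added example, not from the original notes, showing the difference between embedding input in a query string and using the parameterized statements described above. It uses Python's built-in sqlite3 module with an in-memory database and a constructed users table; the function names and sample rows are assumptions for illustration.

```python
import re
import sqlite3

# Constructed sample data for the demonstration (not real accounts).
SAMPLE_USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]


def make_db():
    """Create an in-memory SQLite database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_email_unsafe(conn, username):
    """Vulnerable: the input is spliced into the SQL text, so it can alter the query."""
    query = f"SELECT email FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(query)]


def is_valid_username(username):
    """Validation step: allowlist of characters and a length limit."""
    return re.fullmatch(r"[A-Za-z0-9_]{1,32}", username) is not None


def lookup_email_safe(conn, username):
    """Hardened: validate first, then bind the value through a placeholder.

    The driver sends the value separately from the statement, so it is only
    ever compared as data and never parsed as SQL.
    """
    if not is_valid_username(username):
        return []
    rows = conn.execute(
        "SELECT email FROM users WHERE username = ?", (username,)
    )
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    tautology = "' OR '1'='1"  # classic textbook input that alters the WHERE clause
    print("unsafe:", lookup_email_unsafe(db, tautology))  # returns every email
    print("safe:  ", lookup_email_safe(db, tautology))    # returns []
```

Running the script shows the unsafe function returning every row for the tautology input, while the parameterized version returns nothing because no user has that literal name.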