As I was doing some reading online about SQL injections and cross-site scripting (XSS) attacks, it caused me to wonder about the state of my pet project and whether it could stand up to such attacks. As I let people know more than a year ago that I would be doing a major overhaul of my site, I pretty much abandoned the current version of the site that is running in a beta state (since almost two years ago now) and pressed forward with the new revision.
Going back to the old code was something I was never looking forward to doing, but I knew it would be necessary, because the new version of the site is nowhere even close to being ready, and it would be faster to fix some of the most serious errors in the old version. Knowing I’d be in for the worst, I launched Eclipse and imported the old code tree into a new CVS module and got started.
Seizing the opportunity to get further acquainted with CVS, I decided to learn how to tag releases and create branches. Tagging the initial revision as 0.46.2_release, I then proceeded to add a 0.46.3 branch for my bug-fixing. It was pretty painless, and it is nice to be able to always refer back to the original version to see what kind of radical changes have been made.
As I have been working my way through the code, I have noticed several areas that could be open to attack. Simple things like unverified input from the URL could be devastating if not handled correctly, and I isolated and corrected several of these instances. Likewise, allowing users to input arbitrary HTML and JavaScript is a major vulnerability, and I have taken steps to correct this problem, either strictly forbidding HTML or filtering out tags that could be used to launch such an attack.
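As an added illustration of the two fixes described above (this is not code from the site, whose language the post does not name), here is a Python sketch of both: a post id taken from the query string is checked against a digit-only pattern and then bound as a query parameter rather than pasted into the SQL text, and user-supplied markup is either escaped outright ("strictly forbidding HTML") or rebuilt from an allowlist of harmless tags with every attribute dropped. The `posts` table, the `ALLOWED_TAGS` set and the sample inputs are constructed assumptions for the example.

```python
import html
import re
import sqlite3
from html.parser import HTMLParser

# Constructed stand-in for the site's database (assumption: a simple
# "posts" table keyed by an integer id).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO posts VALUES (?, ?)",
                     [(1, "First post"), (2, "Second post")])
    return conn

def parse_post_id(raw):
    """Validate an id taken from the URL: digits only, bounded length.
    Anything else (letters, spaces, quotes, an empty string) is rejected
    before it gets anywhere near the database."""
    if raw is None or not re.fullmatch(r"[0-9]{1,9}", raw):
        return None
    return int(raw)

def fetch_title(conn, raw_id):
    """Look up a post using a bound parameter; the value is never
    concatenated into the SQL string, so the query shape cannot change."""
    post_id = parse_post_id(raw_id)
    if post_id is None:
        return None
    row = conn.execute("SELECT title FROM posts WHERE id = ?",
                       (post_id,)).fetchone()
    return row[0] if row else None

# Tags considered harmless for user comments (constructed allowlist).
ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "br"}

class AllowlistFilter(HTMLParser):
    """Rebuild user markup keeping only allowlisted tags and no attributes;
    all text nodes are re-escaped so nothing can break out of the text."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag in ALLOWED_TAGS:
            self.out.append(f"<{tag}>")   # attributes (onclick, href, ...) dropped

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=True))

def forbid_html(text):
    """The strict option: no markup at all, everything is shown literally."""
    return html.escape(text, quote=True)

def filter_html(text):
    """The lenient option: keep a few formatting tags, drop everything else."""
    parser = AllowlistFilter()
    parser.feed(text)
    parser.close()
    return "".join(parser.out)

if __name__ == "__main__":
    db = make_db()
    print(fetch_title(db, "1"))
    print(fetch_title(db, "1 OR 1=1"))
    print(forbid_html('<a href="x">link</a>'))
    print(filter_html('<b onclick="x">hi</b><script>alert(1)</script>'))
```

The filter is written as an allowlist of tags to keep rather than a list of tags to strip: a denylist has to anticipate every element and attribute a browser will execute, while an allowlist only has to describe the handful of tags the site actually wants to render. Note that attributes are dropped wholesale, since `href` and the `on*` handlers are where most script injection hides.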
Obviously it is impossible to predict every attack that could be attempted, but I am happy to say that even the old, crufty version of my site is at least much more secure than it ever was, and it pays to learn a thing or two about web security when you’re in the position of maintaining a site with any scripting language that falls prey to such attacks.
The new version of the site is nearing completion, and once the security upgrades are in place I would like to make a couple of cosmetic adjustments. I hope to get most of this running on the live site as soon as possible so I can iron out any bugs that I may have introduced in the process. I’m trying to look innocent here.