Disclosed information on programming forums

In the past weeks I've had an increased interest in website security. The reason: I find that many developers are not even aware of the basic techniques needed to provide a minimum level of security, in particular against SQL injection.

Identifying such a site is extremely easy. Fiddle with the POST or GET parameters of a request (a lone single quote is usually enough), get a failed request or a database error back, and you've probably found a candidate: the input reached the query unescaped.
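The check described above, as an added example that is not part of the original post: a lookup built by string concatenation next to the parameterized version, and the quote probe run against both. It uses Python's built-in sqlite3 module with a constructed in-memory users table; the table, rows and function names are assumptions for the illustration, not anything from the post.

```python
import sqlite3


def make_db():
    """Constructed sample database: three users, one of them an admin."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT, is_admin INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users (name, email, is_admin) VALUES (?, ?, ?)",
        [
            ("alice", "alice@example.org", 0),
            ("bob", "bob@example.org", 0),
            ("root", "admin@example.org", 1),
        ],
    )
    conn.commit()
    return conn


def find_user_vulnerable(conn, name):
    """The pattern seen in the forum posts: user input pasted straight into SQL."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, name):
    """Same lookup with a bound parameter; the driver never treats input as SQL."""
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


def looks_injectable(conn, lookup):
    """The quick probe from the post: send a stray quote in the parameter.

    A SQL syntax error coming back means the quote reached the query unescaped,
    so the site is a candidate for injection. The safe version just returns no rows.
    """
    try:
        lookup(conn, "alice'")
    except sqlite3.OperationalError:
        return True
    return False


def dump_everyone(conn, lookup):
    """What the candidate turns into: a classic tautology payload against the lookup."""
    return lookup(conn, "x' OR '1'='1")


if __name__ == "__main__":
    db = make_db()
    print("vulnerable lookup injectable?", looks_injectable(db, find_user_vulnerable))
    print("safe lookup injectable?      ", looks_injectable(db, find_user_safe))
    print("tautology vs vulnerable:", dump_everyone(db, find_user_vulnerable))
    print("tautology vs safe:      ", dump_everyone(db, find_user_safe))
```

The probe only fires on the concatenated query: the quote closes the string literal early and SQLite rejects the statement, which is exactly the "failed request" signal the post talks about. Against the same query the tautology payload returns every row, admin address included, while the parameterized lookup returns nothing for either input.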

So in that process, I’ve found many sites that are not secure. Of course, I notified them or am in the process of doing it.

This may cause me some problems, but as a professional in IT development I feel it is my duty to inform these sites of their problems, as well as to make sure that my personal data is stored in a secure environment.

Finding insecure sites can even be automated, e.g. using the Google Search API.

But a simple Google query can turn up much more, sometimes enough information to compromise a site right away. On programming forums in particular, some people tend to disclose way too much. I'll only give this example, because it points to (what appears to be) a defunct site. Looking at that page, we have the (insecure) SQL query, the DB structure and the site name, all in one post. Bravo.

Update: and Google now makes it even easier to search for (bad) code.

One Response to “Disclosed information on programming forums”

  1. ChambrasWeed Says:

    Sometimes we do not know what we are posting on forums; most of the time we expect help, but in order to get it we share important information.

    Talking about website security is a long talk, my friend. SQL injection is not the only problem. I think developers are getting lazy about that, but think about this: we are not 99% secure on the web, but at least we can prevent some “attacks”.

    What do you think would be the best practices for developers in order to have a minimum of security?
