Can a web app be hijacked?

I was reading a thread regarding Android OS security vulnerabilities and it got me thinking. I am writing a web app that acts as the front end of a payment processor. What would someone need to do to replace the web app I have on my domain with a bit of malicious software capable of hijacking customer accounts?

Anything is possible. But most breaches of security come less from engineering competence than from sloppy password management. Passwords not complex enough, not changed regularly enough, and if you are not alone accessing the site, no personalized access control, are a sure way to get hacked.

Years ago, I remember a hacker BBS where there was a list of Prime mini computers site passwords and IP addresses ready for the taking. A couple years later, I tried again to enter some of these sites, and many still had the very same password. Given the number of sites, the only source for the list must have been a guy doing maintenance for Prime Computers. So the breach of security was not software, it was people. And the fact that administrators had not changed their passwords in two years tells a lot about their commitment.

If you are doing an interface for payment processing, the first thing you want to know is that if you store sensitive information, you run the risk of having it hacked. Just like Target and its million credit card customers. Why did Target find it necessary to store all these transactions and PIN numbers in such an unsafe way that it was stolen? For myself, I went PayPal over 10 years ago precisely because I did not want any business with credit card details. All I want is the customer money. Not his card number. PayPal takes care of that. Before then, I used Authorize.net and it was quite nice, but I had to transmit credit card, CVS and expiration date in a way I found unsafe. I could very well have logged all that information as well. This would have been a gold bucket for thieves to find. Web commerce will continue to thrive only if customers feel confident their information cannot be hacked. It's up to you to minimize any chance of it happening.

npalardy EDITED : to correct typo “impossible” should have been “possible”

Chris, that is VERY difficult to give an answer to because there are a million ways it can be done and new ones are being found/invented every day. It all starts, however, with an insecure design. Whether that be on login form, passwords, on web server, on web application, on the Internet server, etc…

If you are publishing a web site, I would highly recommend reading up on some security. A few good books on the subject are The Web Application Hacker’s Handbook: Discovering and Exploiting Security Flaws, The Tangled Web: A Guide to Securing Modern Web Applications and possibly Security Engineering.

That’s not much of an answer, I know, but to really answer it one would have to write a book, hence the suggestions above.

I will say… many people look at the subject and see how vast it is and choose to do nothing other than what they have seen here or there. They are waiting to be attacked. The only saving grace a lot have is that the web is a big world and more obscure web applications/sites never come under the full attack of hackers.

In today’s world, if you have sensitive data that could ruin your company/customers, then it would be wise to seek a security consultant.

I wrote too fast, and now cannot edit. I wanted to write :
Anything is possible

Sorry.

[quote=117586:@Michel Bujardet]I wrote too fast, and now cannot edit. I wanted to write :
Anything is possible

Sorry.[/quote]
Fixed as I was pretty sure that was a typo :stuck_out_tongue:

Thank you for spotting it, and fixing it, Norman :slight_smile:

The overall WebFramework is pretty secure from session hijacking. They talked about this two XDCs ago. That being said, if you’re altering how you handle session authentication and someone steals their session cookies etc… It is in theory possible to hijack a session.

You may also be interested in researching Man-In-The-Middle attacks and Man-In-The-Machine attacks. The govt has the best capacity to do the Man-In-The-Middle attacks and I doubt they’ll do anything malicious if they have a need to do this.

Of course using HTTPS and all the other standard best practices come into play. You can always add two-step-authentication or allow 3rd party authentication through services like Google and Facebook.

[quote=117847:@Brock Nash]The overall WebFramework is pretty secure from session hijacking. They talked about this two XDCs ago. That being said, if you’re altering how you handle session authentication and someone steals their session cookies etc… It is in theory possible to hijack a session.

You may also be interested in researching Man-In-The-Middle attacks and Man-In-The-Machine attacks. The govt has the best capacity to do the Man-In-The-Middle attacks and I doubt they’ll do anything malicious if they have a need to do this.

Of course using HTTPS and all the other standard best practices come into play. You can always add two-step-authentication or allow 3rd party authentication through services like Google and Facebook.[/quote]

An often overlooked danger may come from the most familiar figure : your own hosting provider. I call it the housekeeper attack. Sometimes, we rely on companies picked over the Internet with a perfectly anonymous front, hosted somewhere unknown, confident that the price being good and the fact that Xojo apps can run on their VPS is enough to grant them a vote of confidence.

So we become, for all intents and purposes, guests of a host we know little about, and even less about the security measures he takes to protect our precious data. What if his system is vulnerable to attacks? What if he is hosting sites that may become targets for denial of service bombs? What if his authentication can be breached and the whole content of his system be hacked, including VPSes? What if a disgruntled employee decides to hack the system (like the guy who collected all these passwords I was talking about above)?

Indeed, Xojo apps are conceived to be safe, and should probably hold well against PHP injection and other hack attacks. But your hosting service may not be that well protected. Losing sleep over it may not be immediately justified, but being conscious that all data in a VPS must be protected is important. It means absolutely no data should be stored without being encrypted, especially sensitive personal customer information or credit card information. And this is of paramount importance for databases we all too often use without thinking more of it.

Stopping for the night in an unknown motel, we know our personal belongings could be in danger. Being hosted in an unknown system, our data might be burglarized the same. That is why, I think, reputable hosts like 1701, or the Xojo Cloud solution, should be taken into account in the security equation.

FWIW, one of our clients is a security consultant. He’s done extensive testing of the web framework and really likes the built-in security of Xojo web applications.

At one point his test suite got to step 7 of 20 before it crashed the app. Sounds bad, I know, but he explained that most web sites fail on step 3 which gives him full access to the website/app. That was two years ago and I know Xojo took his suggestions to heart.

In regards to tests, this is a good one: https://www.owasp.org/index.php/Web_Application_Security_Testing_Cheat_Sheet

I am sure there are open source automated systems out there, as Bob mentioned. I wonder if anyone has gone down the road of searching one out to test their own apps? Would be a good tool to have handy.

Also… Do not rely on “Xojo” protecting you since you are using the Xojo Web Framework. For example, one of the most popular attacks is SQL injection. Xojo and Xojo Web Framework provide the means necessary not to fall prey to this attack, but if you don’t understand how a SQL injection works, then chances are (especially when looking at tons of example code all over the web) you are vulnerable to this type of attack.

You must know what you’re doing in regards to security when developing a web application. Don’t rely on anything but education, and as Bob did, have code tested by someone who really knows their stuff, a security consultant.

We are developers. We are not security specialists. The world of security is just as vast as the world of development. We certainly must educate ourselves and do as much as we possibly can to defend our applications, but in the end if your app contains critical data, hire a security specialist.
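
The SQL injection point raised in the post above, shown as an added example that is not part of the original thread: the same order lookup written with string concatenation and with a bound parameter. It uses Python's `sqlite3` rather than Xojo, and the table, sample rows and function names are constructed for illustration.

```python
import sqlite3


def make_db():
    """Build an in-memory orders table (constructed sample data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE orders (customer TEXT, item TEXT, amount INTEGER)")
    db.executemany(
        "INSERT INTO orders VALUES (?, ?, ?)",
        [("alice", "font pack", 49), ("bob", "licence", 120), ("alice", "upgrade", 15)],
    )
    return db


def orders_concat(db, customer):
    """Vulnerable form: the input becomes part of the SQL text itself."""
    sql = "SELECT customer, item FROM orders WHERE customer = '" + customer + "'"
    return sorted(db.execute(sql).fetchall())


def orders_bound(db, customer):
    """Hardened form: the input is bound as a value and never parsed as SQL."""
    sql = "SELECT customer, item FROM orders WHERE customer = ?"
    return sorted(db.execute(sql, (customer,)).fetchall())


def demo():
    db = make_db()
    crafted = "nobody' OR '1'='1"  # constructed input that closes the quote early
    return {
        "concat_honest": orders_concat(db, "bob"),
        "concat_crafted": orders_concat(db, crafted),  # every customer's rows
        "bound_honest": orders_bound(db, "bob"),
        "bound_crafted": orders_bound(db, crafted),    # no such customer: empty
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:15} -> {rows}")
```

With the concatenated query the crafted value changes the WHERE clause and returns all customers' orders; with the bound parameter the same value is only compared as a name and matches nothing.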