05 January 2011

iFrames security risk

I was reading a message about the security risk of iFrames on a news webpage. It looks like embedding a website, or content from a website such as YouTube, can only be done with a certain risk when programming practice is not taken care of quite carefully during development of the website, as in this case with YouTube. A search criterion, for example, can be injected through SQL injection or cross-site scripting if one does not handle user input carefully.
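The cross-site scripting side of the problem above, as an added example that is not from the original post: a search term or video id that is pasted straight into the iFrame markup lets an attacker close the attribute and inject script, while an allow-list check on the id plus escaping for the HTML attribute context stops it. The embed URL form `https://www.youtube.com/embed/<id>` and the 11-character id alphabet are assumptions made for this example, and the sample id and payload are constructed.

```python
import html
import re
from urllib.parse import urlencode

# Assumption (not from the original post): YouTube embed URLs look like
# https://www.youtube.com/embed/<id> and ids are 11 chars from [A-Za-z0-9_-].
EMBED_BASE = "https://www.youtube.com/embed/"
VIDEO_ID_RE = re.compile(r"[A-Za-z0-9_-]{11}")


def is_valid_video_id(video_id: str) -> bool:
    """Allow-list check: only an id matching the expected shape is accepted."""
    return VIDEO_ID_RE.fullmatch(video_id) is not None


def embed_naive(video_id: str) -> str:
    """Deliberately vulnerable: untrusted input is concatenated into the markup,
    so a value containing a double quote breaks out of the src attribute."""
    return '<iframe src="' + EMBED_BASE + video_id + '"></iframe>'


def embed_safe(video_id: str, autoplay: bool = False) -> str:
    """Hardened: reject anything outside the allow-list, build the URL with a
    proper query encoder, then escape for the attribute context."""
    if not is_valid_video_id(video_id):
        raise ValueError("video id rejected by allow-list")
    url = EMBED_BASE + video_id
    if autoplay:
        url += "?" + urlencode({"autoplay": 1})
    return '<iframe src="%s"></iframe>' % html.escape(url, quote=True)


def search_echo_safe(term: str) -> str:
    """Echo a user's search term back into the page body as text, not markup."""
    return "<p>Results for: " + html.escape(term, quote=True) + "</p>"


if __name__ == "__main__":
    # Constructed payload: closes the iframe and injects a script element.
    payload = '"></iframe><script>alert(1)</script>'
    print(embed_naive(payload))          # attacker's script lands in the page
    print(embed_safe("a1B2c3D4e5F", autoplay=True))
    print(search_echo_safe("<b>oracle</b>"))
    try:
        embed_safe(payload)
    except ValueError as exc:
        print("rejected:", exc)
```

The allow-list is what does most of the work here: once the id can only contain URL-safe characters, the escaping step is belt and braces, but it still matters for any query parameters (an `&` in a URL must become `&amp;` inside an attribute).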

There are several ways to prevent this kind of attack:

- use the principle of least privilege
- use bind variables

Several more options are available to the programmer, some of which can be found on the Code Project website:

  • Encrypt sensitive data.
  • Access the database using an account with the least privileges necessary.
  • Install the database using an account with the least privileges necessary.
  • Ensure that data is valid.
  • Do a code review to check for the possibility of second-order attacks.
  • Use parameterised queries.
  • Use stored procedures.
  • Re-validate data in stored procedures.
  • Ensure that error messages give nothing away about the internal architecture of the application or the database.

The main message is that there were some unwanted videos in the YouTube bar of my website, mainly because of some of these iFrame security vulnerabilities. Small alterations in the SQL query filtering can prevent a lot of these inconveniences.
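To show what "use bind variables" and "use parameterised queries" from the two lists above actually buy you, here is an added example that is not from the original post. It runs the same video search twice, once with the search criterion concatenated into the SQL text and once passed as a bind variable, against a small in-memory SQLite table. The table layout (a `visible` flag used as the site's filter) and the sample rows are constructed for this example; the original post names no schema, and the point applies equally to the Oracle/PHP setup it links to.

```python
import sqlite3

# Constructed sample data standing in for the site's video table.
# The schema is an assumption made for this example.
SAMPLE_VIDEOS = [
    ("abc123", "Oracle bind variables explained", 1),
    ("def456", "PHP OCI8 tutorial", 1),
    ("ghi789", "unrelated clip that must never be listed", 0),
]


def build_db() -> sqlite3.Connection:
    """Create an in-memory table; 'visible = 1' is the filter the site relies on."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE videos (id TEXT, title TEXT, visible INTEGER)")
    conn.executemany("INSERT INTO videos VALUES (?, ?, ?)", SAMPLE_VIDEOS)
    conn.commit()
    return conn


def search_vulnerable(conn: sqlite3.Connection, term: str) -> list:
    """Deliberately vulnerable: the search criterion is pasted into the SQL text,
    so a quote in the input rewrites the WHERE clause and drops the filter."""
    sql = ("SELECT id FROM videos WHERE visible = 1 "
           "AND title LIKE '%" + term + "%'")
    return sorted(row[0] for row in conn.execute(sql))


def escape_like(term: str) -> str:
    """Escape LIKE metacharacters so the user's text is matched literally."""
    return (term.replace("\\", "\\\\")
                .replace("%", "\\%")
                .replace("_", "\\_"))


def search_bound(conn: sqlite3.Connection, term: str) -> list:
    """Hardened: same query, but the criterion travels as a bind variable.
    The SQL text is fixed; the database never parses the user's input as SQL."""
    sql = ("SELECT id FROM videos WHERE visible = 1 "
           "AND title LIKE ? ESCAPE '\\'")
    pattern = "%" + escape_like(term) + "%"
    return sorted(row[0] for row in conn.execute(sql, (pattern,)))


if __name__ == "__main__":
    conn = build_db()
    for term in ("Oracle", "' OR 1=1 --", "%"):
        print(repr(term))
        print("  concatenated:", search_vulnerable(conn, term))
        print("  bound:       ", search_bound(conn, term))
```

With an ordinary term both variants return the same row. With `' OR 1=1 --` the concatenated query returns every row including the hidden one, which is exactly the "unwanted videos" symptom; the bound query treats the payload as text to search for and returns nothing. The `ESCAPE` clause is the extra step a bind variable alone does not give you: without it a bare `%` still matches every visible title.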

Here are also links to the Oracle site, for a short explanation of this subject by Arap Nanda, and to the PHP Cookbook:

Adaptive Cursors and SQL Plan Management (Arap Nanda):


Binding Variables in Oracle and PHP by Larry Ullman:

