Minimise

The first rule is this. Minimise areas that accept input from the request, and minimise areas that send response. Sanitisation and validation should be the first thing you perform on data received and the last thing before you return it. Following a sensible architecture such as the Model View Controller approach separates data received by the Controller area and data returned to the View. This will make your life far simpler when you start tackling such issues. This applies to all forms of input (form data, querystrings and cookies) and all forms of output (HTML, redirect, file download).

Validate

A commonly overlooked validation is confirming the data has been intensionally sent from the user. There’s nothing to stop a 3rd party website posting to your website, so it doesn’t matter how secure your login form is, the posted data could be coming from any of the dodgy websites your user has open. An easy solution is to use a random key as part of every posted form, unique to the users session. This way you can easily verify the form has been posted from a tightly controlled page you served to your user. It’s not enough to look at referrer headers, because these are easily faked. ASP.Net web forms, to their credit, do this by default.

Use White-lists over Black-lists. Lets say for example you’re validating a phone number, you don’t specifiy every non-digit character you want to remove, you strip everything that isn’t 0-9. A little too obvious? The same applies to the classic script tag. If you start trying to remove every form of <script> tag, you’ll end up playing catch-up against tricks using <img>, <body> and clever encoding. If allowing any kind of HTML through is necessary, you’d better be damned sure who submitted it and who is going to be able to see it.

Storage

So you’ve received your data, it looks pretty good. Whatcha gonna do with it? If it’s heading towards a database, you can’t be too careful. Escape it, or better yet use parameterised queries. If it’s the file system that your data is ending up, put it somewhere sensible. Ideally, this would be somewhere outside of your webroot, or in a protected folder. Whatever happens, you don’t want anything here directly accessible or executable. Just to be sure.

Responses

OK, so we’re sending a response. Just because the data we received passed our tried-and-tested validations doesn’t mean it’s safe to send back to the user. We HTML encode everything, unless absolutely necessary. If it’s plain text, fairly straight forward. If you’re putting suspect data into an HTML attribute, it might be an idea to verfify the format. If you think you’re outputting an SRC or HREF, check it at least looks like a path. If your response happens to be a redirect, double check nothing funny is going on with the URL. If your response is a (serious) error, make it look friendly, but don’t give away exactly what went wrong. If you want to send them a file, attaching it and manually setting the MIME type is more controlled to simply pointing them at the file.

This is not intended as a set of golden rules, rather a few key points to help you think about the code you write. Most new forms of injection and hackery are just clever ways of attacking poor code. Writing sensible code will keep you one step ahead of such attacks.

Whether it’s Style sheets, javascript or .Net, at some point in the development decisions require thinking outside the box, or working in a counter intuitive way to solve a weird problem. This is the snippet of understanding that needs to be captured to ensure the next time the code is looked at, it makes a little more sense.

The favoured approach is far too often the quick and dirty solution that gets the work done and paid for with a healthy margin. This is great until the project is revisited, and invariably it will. As average solution on top of average solution builds up, there comes a point when something breaks and there is no easy fix. Often, there is nothing the developer would rather do than scrap a bunch of code and rebuild it from the ground up. This is invariably time consuming, and frightening for the poor sod who’s job it is to test it all. There is also the consideration of who swallows the cost of this, as the client / project manager won’t see the immediate benefit of this kind of work, making it hard to justify.

The dangerous middle ground is the point at which trivial tasks become time consuming with unexpected repercussions and legacy code wrecks havoc with a beautiful solution. This guarantees stress for all involved and can strike fear into the heart of anyone threatened with involvement in the project.

So, what’s the solution? I had the first half of this post all planned out in my head, but now I’m kinda winging it. One solution is progressive deprecation. The strategy here is when tasked with implementing a new feature for project, to decide not only what needs to be built to fulfil the requirements, but what existing parts can be made redundant in the process. The process of evolution within a project critically must involve replacing old code with new, rather than just adding to what exists.

There is understandably a fear shared between the PM and the developer for work that stretches the scope of a job. At the end of the day, it boils down to the developer’s responsibility to look after his work. The projects I feel really good about are the ones where I’ve left the code in a better state than when I started. Often it’s tricky to convey this achievement to a PM, who is generally only interested in things that they can show off to the client.

This is where peer review among developers really comes into it’s own. I know from personal experience I write better code and make better technical decisions when part of a team. This is natural, it taps into the desire to show off and prove your worth to colleagues and when harnessed correctly can be powerful.

Thanks for reading, would be interested to hear your thoughts..

So here is what was happening. Our Sitewatcher was randomly showing a few sites returning 404 (page not found) errors. This was curious, because it was requesting the home page, and this page was certainly not missing. As it happens, there is a tiny weeny glitch with a couple of sites in that they will return a 404 code on the home page if the number 404 features in the query-string. This doesn’t happen in normal circumstances, but as cache:false was being used with jQuery, it was appending a random number to the request.

So here is the question. What is the probability of the number 404 occurring in a random 10 digit sequence? Not so trivial. Particularly because the number is itself is a palindrome. It can overlap itself, causing the number to appear as often as 4 times, making the calculation a little tricky.

We reckoned, by rough estimations, for it to be 1 in ~125, but no doubt a serious mathematician can enlighten us.

Although I’d delved into the world of AIR before, I hadn’t really had a proper reason to create something. Our idea was simple, a site watcher. All it had to do was fire off requests to various sites and check the response code. Easy. We could build this with HTML and Javascript no problem. Throw in JQuery and you’re laughing.

The great thing about writing for AIr is that you’re coding for one rendering engine, and it’s webkit. This means writing webkit specific CSS rules completely guilt free. Rounded corners and RGBA can make your design pretty without many images. JQuery’s AJAX library is fantastic, it takes the pain out of requests and helps the code stay clean and readable. Within an hour we had a simple app running.

So we kept going. Using a plugin for JQuery the list became sortable, and the list of sites to watch was imported from an XML file. We created a private twitter account to keep a history of changes, and allow notifications via any standard twitter client. We also added a notification window so the app could be run in the background.

The experience was quite enjoyable, and relatively pain free. The only minor annoyances are having to develop CSS / JS without Firebug, but we managed. Aptana studio made for a competent IDE, and it’s code assistance is handy. Would definitely recommend giving it a whirl if you’re at all interested.

The AIR app is now available to download form Boagworld.com: Download site watcher AIR application