Securing your Web Application
- Posted by Tengku Zahasman on July 9th, 2007 filed in Web App Development, Security
- 3 Comments »
- (452 Views)
Apart from ensuring code performance, there is something else that nags at you while you develop a web application: constantly making sure, as you write it, that your code can stand up to the black hats out there. As someone who works full-time in the Internet security industry, I analyze the security of our clients' web applications almost daily. I study the structure of their application, identify any obvious or hidden vulnerabilities, and then try to poke at them to see if I can hack their web application. This is called Web Application Testing, and depending on how deep I am allowed to dig, it is sometimes also considered Penetration Testing.
In most cases the security holes are obvious. Most of the problem lies in the carelessness (or laziness) of the web developer, or perhaps they simply don't care much about security because of tight deadlines for completing the web app. However, having your web app compromised is not something you want to see in the long run, so it is always a good idea to make sure your application practises good security measures from the first day of development.
There are a few obvious web attacks you need to be aware of, such as SQL Injection, Session Hijacking, Brute-force attacks, Buffer Overflows, Cross-site Scripting (XSS) and Cross-site Request Forgery (CSRF). We'll discuss those in detail some other time. For now it is important to realise that 80% of the time the problem lies in the failure to sanitize or filter user input coming from URLs, hidden fields and forms. Sanitizing or filtering user input means processing it first instead of using it directly in the system. That way you can make sure the input you pass around your application cannot harm the system. If you don't process user input first, hackers can easily inject code into your system and do bad things.
So where do we need to be extra careful about security when writing code?
1. Forms - Any forms: search forms, login forms, registration forms, subscription forms. All of them accept user input, and that makes them open doors for hackers to inject malicious code or SQL statements. Escape unwanted characters such as quotes (") or convert them into their HTML entities (e.g. " to &quot;). Strip HTML tags such as <script>, and make sure the stripping algorithm is robust enough that hackers cannot get around it. Don't validate user input only on the client side; process it on the server side as well. Never trust that your users are following the rules.
2. Dynamic URLs - The same rules apply when you accept input on the URL. Always strip and escape unwanted input ("escape" means putting a backslash before the dangerous character, e.g. " becomes \"). If a user puts in weird characters, make sure your application knows how to handle them and displays an appropriate error instead of spitting out database errors or code errors.
3. File Uploads - Be extra careful with this function if you provide one. If your application can't properly filter out unwanted files, hackers can easily upload malicious scripts and run them on your web server. It is pretty easy for someone to gain control of your web application if they are allowed to upload dangerous scripts or "backdoored" files onto your web server.
There are of course many other ways for hackers to compromise your web application, but I'd like to stay general this time.
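The three items above, plus the "process input before you use it" rule from earlier in the post, as one working server-side example. This is added code, not from the original post, written in PHP because that is the language the CakePHP post further down this page is about. It assumes PHP 7.4 or later with the PDO SQLite driver and the fileinfo extension; the products table, the search inputs, the URL ids and the two "uploaded" files are constructed for the demo, and every function name (validateSearchTerm, parseId, findProducts, h, checkUpload) is mine. It goes one step beyond "escape the quotes": the search term reaches the database as a bound parameter so it can never be read as SQL, it is HTML-encoded only at the moment it is written back into a page, URL parameters are validated against the exact shape they should have, database errors are logged rather than shown, and an uploaded file is judged by its bytes rather than by the name or Content-Type the client sent.

```php
<?php
// Added example, not code from the original post. Assumes PHP 7.4+ with the
// PDO SQLite driver and the fileinfo extension. The products table, the inputs
// and the "uploaded" files below are constructed for the demo.
declare(strict_types=1);

// ---- 1. Forms and 2. Dynamic URLs: validate, bind, encode on output ----

// A search term may legitimately contain almost anything, so only bound its
// length here; SQL and HTML safety come from how it is used, not from stripping.
function validateSearchTerm(string $raw): ?string
{
    $term = trim($raw);
    return ($term === '' || strlen($term) > 100) ? null : $term;
}

// A URL parameter such as ?id=42 has a strict shape: a positive integer or nothing.
function parseId(string $raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Bound parameters keep the term as data; it is never interpreted as SQL, so
// a term like "' OR 1=1 --" simply matches no product name.
function findProducts(PDO $db, string $term): array
{
    $stmt = $db->prepare('SELECT id, name FROM products WHERE name LIKE :pattern');
    $stmt->execute([':pattern' => '%' . $term . '%']);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Output encoding: the "convert quotes to HTML entities" step, done at the point
// where text is written into HTML so that <script> is displayed, not executed.
function h(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// ---- 3. File uploads: decide by sniffed content, store under our own name ----

const ALLOWED_IMAGE_TYPES = ['image/png' => 'png', 'image/jpeg' => 'jpg', 'image/gif' => 'gif'];

// Returns a random filename (with an extension we chose) or null if rejected.
// Real handlers should also call is_uploaded_file() on tmp_name before trusting it.
function checkUpload(array $file, int $maxBytes = 2_000_000): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK || $file['size'] > $maxBytes) {
        return null;
    }
    // Sniff the bytes; ignore the client-supplied name and Content-Type entirely.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset(ALLOWED_IMAGE_TYPES[$mime])) {
        return null;
    }
    return bin2hex(random_bytes(16)) . '.' . ALLOWED_IMAGE_TYPES[$mime];
}

// ---- Demo with constructed data ----
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO products (name) VALUES ('Blue Widget'), ('Red Gadget')");

foreach (['Widget', "' OR 1=1 --", '<script>alert(1)</script>'] as $input) {
    $term = validateSearchTerm($input);
    if ($term === null) {
        echo "Invalid search term.\n";
        continue;
    }
    try {
        $rows = findProducts($db, $term);
    } catch (PDOException $e) {
        error_log($e->getMessage());      // details go to the log...
        echo "Search is unavailable.\n";  // ...and only a generic message to the user
        continue;
    }
    printf("%s -> %d row(s)\n", h($input), count($rows));
}

var_dump(parseId('42'), parseId('42 OR 1=1'), parseId('-1'));

$fake = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($fake, "<?php echo 'not an image';");   // a script named like an image
$png = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($png, base64_decode(                    // a constructed 1x1 PNG
    'iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg=='));
foreach ([['avatar.png', $fake], ['photo.png', $png]] as [$name, $path]) {
    $file = ['name' => $name, 'type' => 'image/png', 'tmp_name' => $path,
             'error' => UPLOAD_ERR_OK, 'size' => filesize($path)];
    $stored = checkUpload($file);
    echo $name, ': ', $stored === null ? 'rejected' : 'stored as ' . $stored, "\n";
}
unlink($fake);
unlink($png);
```

Run it from the command line with `php example.php`. The design choice worth noticing is that the search term is never "cleaned": the injection-looking string and the script tag both pass validateSearchTerm, and they stay harmless because the database sees them only as a bound value and the page sees them only after h(). Stripping characters is reserved for inputs with a known shape, such as the id, where anything that is not a positive integer is an error rather than something to repair.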
Tags: web app development, web security
Studying CakePHP 1.2 so far…
- Posted by Tengku Zahasman on July 5th, 2007 filed in CakePHP
- 1 Comment »
- (753 Views)
I have done some intensive self-study of the CakePHP 1.2 framework over the past few weeks. The learning curve has been quite tiring and troublesome, in an interesting way, since CakePHP 1.2 is still under development and there is too little documentation for this version compared to the stable version 1.1.
Cake 1.2 doesn't have a practical manual (yet) like version 1.1. So learning this version means digging deep through the source files and reading the description headers of functions, going back and forth with the API documentation, browsing through the Bakery, hanging around in the official IRC channel to ask for guidance and post quick questions, and then lots and lots of Googling too. Yes, I found out that learning a new framework is not easy. It takes time, because learning a framework is almost like learning a new programming language altogether, even when PHP is already your mother tongue. Frameworks have their own built-in functions to memorize, their own naming conventions to follow, and their own approaches to methods and classes to get used to, which are mostly quite different from the usual way we write applications. But even though learning a framework is not a snap, the benefits you get after mastering it are priceless.
There are many differences I can see in Cake 1.2 compared to 1.1: more components added (the Auth component for doing authentication is now included, and helpers for Pagination, RSS and XML too; oh, life is getting so much easier!), file structures have changed slightly, there is a tremendous change in their Model validation technique (I will discuss this in later posts), and some other changes, all of which you can view here.
Working on Internet business while having a full-time day job
- Posted by Tengku Zahasman on June 27th, 2007 filed in Thoughts, Entrepreneurship, Financing/funding
- 9 Comments »
- (2,003 Views)
It is quite common nowadays for working citizens to do some kind of *side business* in order to add more to their fixed monthly income. Thanks to all the financial gurus out there who introduced the mantra of "creating multiple streams of income to achieve financial freedom", we are seeing more and more of our people indulging in business and entrepreneurship, albeit in many different ways. Some people do this by selling "curry puffs" in front of their houses every morning before they go off to work, some become part-time freelancers doing photography or video editing on weekends and at special events, some decide to do professional consultancy jobs, and other, more desperate people resort to MLM businesses, network marketing, direct selling and pyramid schemes (no good!).
Web-savvy users, however, are more likely to conduct part-time business online. Smart option. These people manage their own e-commerce sites and sell stuff online, some have managed to create high-traffic online subscription portals, some do Internet marketing, good writers write and sell e-books, more technical people provide Internet services like web hosting or web design, less technical people simply write blogs and get the extra bucks out of Google AdSense, while the rest of us venture into the Web 2.0 industry providing Web services and developing social applications. The Internet business is so flexible that you can run and manage it from anywhere as long as there is an Internet connection, so it is quickly becoming a trend for people to adopt it as their side business.
Running Internet business part time…
I've had the experience of running an Internet business without having a full-time job (the few months after I graduated from university), and I also have the experience of running an Internet business while going off to a 9-5 job every weekday (which is what I'm currently doing). Unless you're very well funded, having a full-time job really helps a lot when it comes to stabilizing your finances. As a self-funded Web entrepreneur, I fund myself using the monthly salary I get from working at an Internet security firm. My bills, loans, leisure, food and travel are all taken care of by my salary. In fact I sometimes even use some of it for my business; I call it an "investment". That means I don't have to touch a single cent of my Internet income for personal use, which is very effective for maximizing your business's profit.
Before I had a full-time job, my business money was also my money. Separation of entities doesn't work in this case because we also need to feed ourselves. It's hard to grow your business this way because money runs out very fast; sometimes it's just enough for you and your business to survive that particular month. That's very choking. By having a full-time job, business risk is also reduced, because I know that if something doesn't turn out right with my Internet venture, at least I still have my monthly pay to back me up. Boy, that's a relief. That fact alone gives me the confidence to do risky things in my venture, and that's truly interesting.
The downside of having a full-time job is that you'll be struggling to find "time" to focus on building your Internet business. Managing it is easy, but developing it takes a lot of time and focus. Every day and every weekend you'll be under pressure to allocate a few hours to your Internet business, and in some situations that can be pretty frustrating.
So what happens next?
It's every entrepreneur's dream to start their own company. I'm sure most entrepreneurs out there who are still working full-time intend to quit their job one day and become their own boss. However, starting a company needs capital, a plan, experience, a network and a portfolio. These are things you can gather while working a full-time job and running an Internet business at the same time. People who jumpstart their company too soon always fail miserably. As I said before, unless you're pretty well funded, don't quit your job just because you have started an Internet business. Do that only after you can make a steady Internet cash flow at least three times larger than your monthly full-time salary. Can you do that?