On September 14th, our CEO Ben Bassi will be headed to New York to present "Managing Practical and Legal Risks on the Company Website" with cyber law expert and Dorsey & Whitney Partner Nick Akerman.
This free seminar will cover a range of Web security topics from technological and legal points of view. The intended audience is tech-minded executives and high-level IT professionals looking to learn more about how they can protect their website and their business.
As a preview, I thought I'd cover a couple of the security vulnerabilities that will be covered in their presentation. One of the first concepts that we want to convey with this presentation is that there are more ways into your website than you might think. Maintaining a secure site is about much more than simply using secure passwords and keeping those passwords a secret.
SQL Injection
SQL Injection is a common method employed by hackers to gain access to your site, steal user data, and corrupt your databases. Although there are a number of different attacks that can be launched with SQL injection, they all work in the same basic way. SQL is a programming language used to manage databases and connect them with web applications. If your Web application takes user data (such as the text they enter into a sign-up or log-in form) and places it directly into SQL statements, an SQL injection attack is possible. Instead of typing their name into the Name field, for example, the hacker will enter one or more SQL statements into the field, hoping they will be run along with your existing SQL code. For example, they might type:
x'; UPDATE members SET email = 'bob@email.net' WHERE email = 'steve@example.com
In this example, the hacker changes the email address associated with an account to their own; they can then request a new password through the common "Forgot your password" functionality.
Using SQL, the hacker can manipulate your databases in any way they wish, changing data, adding new users, deleting users, or deleting entire tables of data.
SQL injection can be prevented by properly sanitizing any data that the user enters. While normal text such as "Sarah" or "frank@email.com" should be allowed, SQL statements should not be accepted.
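To show concretely why pasting user input into a query is dangerous, here is an added example (not code from the original post or the seminar) that runs the post's own payload against a constructed in-memory SQLite table. The vulnerable function builds the SQL string by hand and the hardened one binds the value as a parameter; the table, column and account names are assumed for illustration.

```python
import sqlite3

# Constructed sample payload: the post's own example, with straight quotes.
PAYLOAD = "x'; UPDATE members SET email = 'bob@email.net' WHERE email = 'steve@example.com"


def make_db():
    """Constructed in-memory members table with one account (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (name TEXT, email TEXT)")
    conn.execute("INSERT INTO members VALUES ('Steve', 'steve@example.com')")
    conn.commit()
    return conn


def current_email(conn, name):
    """Helper used to observe whether the stored address was tampered with."""
    return conn.execute("SELECT email FROM members WHERE name = ?", (name,)).fetchone()[0]


def lookup_vulnerable(conn, name):
    """Vulnerable: user text is pasted into the SQL string.

    The single quote in PAYLOAD closes the name literal, the semicolon ends
    the SELECT, and the attacker's UPDATE runs as a second statement.
    executescript stands in for a driver that permits stacked statements.
    """
    sql = f"SELECT email FROM members WHERE name = '{name}'"
    conn.executescript(sql)


def lookup_safe(conn, name):
    """Hardened: the value is bound as a parameter, separate from the SQL text.

    The driver treats the whole payload as one opaque name to compare against,
    so it is never parsed as SQL; no rows match and nothing is modified.
    """
    return conn.execute(
        "SELECT email FROM members WHERE name = ?", (name,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("safe lookup rows:", lookup_safe(db, PAYLOAD))
    print("after safe lookup:", current_email(db, "Steve"))
    lookup_vulnerable(db, PAYLOAD)
    print("after vulnerable lookup:", current_email(db, "Steve"))
```

Parameter binding is what makes the difference here: the hardened version needs no hand-written filter for quotes or semicolons, because the input is never part of the SQL text.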
Cross Site Scripting (XSS)
Cross-site scripting (XSS) is another common vulnerability that is exploited by hackers. It involves writing one or more scripts that the target will unknowingly run when he or she visits a web page. A common way of accomplishing this is to give the target a malicious link, perhaps by email. Though the attacker might obscure it in some way, the URL they send will look something like:
http://www.example.com/registration.cgi?clientprofile=<SCRIPT>[Malicious code]</SCRIPT>
When the user visits the URL above, their browser will execute the embedded script. This script can steal the user's cookies or login credentials, or it can redirect them to a malicious site. Some attackers will redirect unsuspecting users to duplicates of popular websites, and use these duplicates to trick users into surrendering their login information.
Cross Site Scripting and SQL Injection are two common methods employed to gain illicit access to a website or steal user data. But they are only two of many tactics that have been used successfully by hackers. Ben Bassi will discuss these vulnerabilities and others - and how to stop them - during the "Managing Practical and Legal Risks" seminar next month.