Just yesterday, I was connected to my site's database and was stunned to see I had a couple of registrations. I almost freaked out. No one ever visited my site in the last year. I've been the sole user of the site. In fact, I do not even have an "about us" section.
Not only did they visit, they also registered. But that's all they did. They never went ahead and set up their accounts, let alone uploaded their statements, etc.
So I got nervous. I've already figured out a couple of vulnerabilities in my site, and I thought I must plug them ASAP.
So the first thing I decided to secure was the database. Now, SQL injection is a common malice. What I worry about most is someone dropping the schema or a table, or deleting records.
Now, it's not so easy given they don't know the name of my schema, etc. But even then, why take a chance? So I decided to create a brand new user just for the application and gave it only SELECT, INSERT, UPDATE and EXECUTE rights. No DDL grants. No DELETE rights either, except on one table, as I needed to delete things using the application.
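The setup described above, written out as an added example (not the blog's own script). It assumes MySQL syntax and hypothetical names: a schema `appdb`, a table `uploads` as the one table the application deletes from, and a user `app_user`; the password is a placeholder.

```sql
-- Added example, not the blog author's code. Assumed names: schema `appdb`,
-- table `appdb.uploads`, user `app_user`; password is a placeholder.

-- A dedicated account for the web application, separate from the admin account
-- that owns the schema and is used for DDL.
CREATE USER 'app_user'@'localhost' IDENTIFIED BY '<strong-password-placeholder>';

-- Data access only: no CREATE/ALTER/DROP, no DELETE, no GRANT OPTION.
GRANT SELECT, INSERT, UPDATE ON appdb.* TO 'app_user'@'localhost';

-- Stored procedures can still be called by the application.
GRANT EXECUTE ON appdb.* TO 'app_user'@'localhost';

-- DELETE only on the single table the application genuinely needs to purge.
GRANT DELETE ON appdb.uploads TO 'app_user'@'localhost';

-- Verify: the output should list nothing beyond the three GRANT lines above
-- (plus the implicit USAGE that every account has).
SHOW GRANTS FOR 'app_user'@'localhost';
```

With this in place the application connects as `app_user`, and any statement that reaches the database through an injection flaw can do no more than the account itself is allowed to; a `DROP TABLE` or a `DELETE` on any other table fails with a permission error, which is also a useful signal to watch for in the database error log. Schema changes are then made deliberately, through the separate admin account, never through the application's connection.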
Good learning, and when I was finally done, I felt a little more secure. I now need to address a few other such things.
Also, I feel I need to improve a few other things on my site to make it a little more intuitive. Currently, I don't think it's that easy to navigate. I'll do that in the next week or so.