JPS Design Group - Website Applications

JPS Design Group - Website Applications https://www.jpsdesign.com/blog graphic design, packaging design, web design en-us Tue, 16 Apr 2024 00:36:00 -0800 Thu, 10 May 2018 00:00:00 -0800 http://blogs.law.harvard.edu/tech/rss jpsdg@jpsdesign.com jpsdg@jpsdesign.com jpsdg@jpsdesign.com no Bank web apps are the 'most vulnerable' to getting hacked, new research says https://www.jpsdesign.com/blog/listing.asp?2018/5/bank-web-apps-are-most-vulnerable-hacking bad news if you're one of the hundreds of millions of online banking users around the world. the chances are your bank's website and web apps are horribly insecure. researchers at security firm <a href='https://www.ptsecurity.com/ww-en/' target='_blank'>positive technologies</a>, which has a commercial stake in securing web apps, tested 33 websites and services using its proprietary application inspector, and found that banking and financial institutions were "the most vulnerable" to getting hacked. every financial site and web app the researchers tested contained a high-severity vulnerability, they said. the researchers said in <a href='https://www.ptsecurity.com/upload/corporate/ww-en/analytics/pt-ai-statistics-2018-eng.pdf' target='_blank'>their report</a>, published monday, that they found xml external entity flaws and arbitrary file reading and modification flaws in about half of all the banking and financial sites they tested. in a worst case scenario, an attacker can remotely run code to compromise a vulnerable server -- possibly leading to serious consequences for customers who expect their banks to keep their money safe. the report also noted that 80 percent of tested sites are vulnerable to cross-site scripting (xss) attacks, which lets an attacker run malicious code on a website or web application. these flaws often aren't considered high-severity and, though often easy to fix, are often treated with a lower priority. but they can be used to manipulate how sites look, tricking users into handing over sensitive information that gets silently forwarded to an attacker. the banks and financiers at risk weren't named, but the fact that there was a 100 percent rate of vulnerability for a sector that handles people's money and finances doesn't bode well for the entire financial industry. and things don't look that much better for other sites and web apps tested, including in the government sector. the researchers said 85 percent of the web apps they tested had flaws that allowed attacks against users. "a hacker can exploit these vulnerabilities to steal users' cookies, implement phishing attacks, or infect user computers with malware," the researchers wrote. in the government space, cross-site scripting remained the leading point of attack, followed by http response splitting. but in more than two-thirds of cases, hackers could exploit sql injections that could reveal sensitive information from a database, and remotely run commands on a back-end server. <img alt='' src='https://zdnet4.cbsistatic.com/hub/i/r/2018/04/16/3199ac3c-1686-4df5-a2cc-87c98b65e5a6/resize/770xauto/5c1b375ded6c5dbfde30ebf61c8040ae/screen-shot-2018-04-16-at-8-16-25-am.png' style='height:auto; width:770px' /> a vulnerable web app for an unnamed russian local government permits a critical sql injection that, if exploited, could allow an attacker to obtain sensitive information from a database. (image: supplied) for some attackers, exfiltrating and stealing data or denying service to users is one thing. but more sophisticated hackers use weak entry-points to move laterally within a domain. if an attacker finds a local area network connection on a target server, they can move deeper into a network and compromise an entire company or government department's infrastructure, the researchers said. it's <a href='https://motherboard.vice.com/en_us/article/ne3bv7/equifax-breach-social-security-numbers-researcher-warning' target='_blank'>how the massive data breach</a> at equifax is thought to have been carried out. a takeaway is that preventative technologies, like web application firewalls, can be all good and well, but source code analysis should also be used in a web app's development. "merely detecting vulnerabilities, of course, is not enough: developers have to make fixes to code and roll them out to production systems," the report concluded. "any delay in remediation means more opportunities for attackers." original article by <a href='https://www.zdnet.com/article/bank-sites-and-web-apps-are-most-vulnerable-to-hackers/' target='_blank'>zdnet</a>. Website Applications Thu, 10 May 2018 00:00:00 -0800 https://www.jpsdesign.com/blog/listing.asp?2018/5/bank-web-apps-are-most-vulnerable-hacking What is SQL injection? https://www.jpsdesign.com/blog/listing.asp?2018/2/what-is-sql-injection <h3>sql injection attacks are well-understood and easily preventable, and the priority for risk mitigation should be preventing sql injection attacks in the first place. listen to little bobby tables and sanitize your database inputs.</h3> sql injection, or sqli, is one of the least sophisticated web application security attacks that can give an adversary complete control over your web application database. immortalized by "little bobby drop tables" in <a href='https://xkcd.com/327/' rel='noopener nofollow' target='_blank'>xkcd 327</a>, sqli was first discovered in 1998, yet continues to plague web applications across the internet. even the <a href='https://www.owasp.org/index.php/top_10-2017_a1-injection' rel='noopener nofollow' target='_blank'>owasp top ten</a> lists injection as the number one threat to web application security. the good news? sql injection is the lowest of the low-hanging fruit for both attackers and defenders. sqli isn't some cutting edge nsa shadow brokers kit, it's so simple <a href='https://www.troyhunt.com/hacking-is-childs-play-sql-injection/' rel='noopener nofollow' target='_blank'>a three-year old can do it</a>. this is script kiddie stuff--and fixing your web application to mitigate the risk of sqli is so easy that failure to do so looks more and more like gross negligence. <h2>sql injection definition and types</h2> there are several types of sql injection, but they all involve an attacker inserting arbitrary sql into a web application database query. the simplest form of sql injection is through user input. web applications typically accept user input through a form, and the front end passes the user input to the back-end database for processing. if the web application fails to sanitize user input, an attacker can inject sql of their choosing into the back-end database and delete, copy, or modify the contents of the database. an attacker can also modify cookies to poison a web application's database query. cookies store client state information locally, and web applications commonly load cookies and process that information. a malicious user, or malware, can modify cookies to inject sql into the back-end database. server variables such as http headers can also be used as a sql injection attack vector. forged headers containing arbitrary sql can inject that code into the database if the web application fails to sanitize those inputs as well. second-order sql injection attacks are the sneakiest of the bunch, because they aren't designed to run immediately, but much later. a developer who correctly sanitizes all their input against an immediate attack may still be vulnerable to a second-order sqli when the poisoned data is used in a different context. <h2>how is sql injection done?</h2> sql injection, as a technique, is older than many of the human attackers using sqli today. sqli attacks are rudimentary and have long since been automated. tools like sqlninja, sqlmap, and havij make it easy to test your own web applications, but also make it easy for attackers. ten years ago, a <a href='https://isc.sans.edu/diary/sql+injection+worm+on+the+loose+%28updated+x2%29/4393' rel='noopener nofollow' target='_blank'>sqli worm</a> rampaged across the internet. cut to the present: not much has changed. despite a widespread awareness of sql injection as a problem, a large percentage of web applications remains vulnerable. retro trends are back in style for a new generation. think favorites like vans, converse & adidas. start shopping at famous footwear! automated testing tools can keep you a step ahead of attackers looking for an easy payday. pentesting your web applications with a tool like sqlmap is a quick way to see if your mitigations are adequate. sqlmap supports pretty much every major database in use today and can detect and exploit most known sql injection vulnerabilities. sanitize your input, but test to verify your mitigations are successful. a useful reminder: <a href='https://www.csoonline.com/article/2122440/disaster-recovery/emergency-preparedness-red-team-versus-blue-team-how-to-run-an-effective-simulation.html'>blue team and red team</a> are two sides to the same coin. <h2>sql injection attack example</h2> let's look at a basic sql injection attack. suppose you've built a web application that lets customers enter their customer ids and retrieve their customer profiles. the web application front end passes the user-entered customer id to the back-end database. the database runs an sql query and returns the results to the web application, which displays the results to the end user. the back-end database query might look something like this: select * from customers where customer_id = '1234567' suppose a user entered the following customer_id in a web form field: 1234567; delete * customers where '1' = '1 the back-end database would then obediently execute the following sql: select * from customers where customer_id = '1234567'; delete * from customers where 'x' = 'x' remember, databases will happily execute multiple sql statements in a row if separated by a semicolon. failure to sanitize the user input for the single quote "'" character makes it possible for an attacker to delete the entire table. hope you had good backups. right? right...? this was a deliberately simple example, and there are many different sql injection attack vectors, but all work on the same principle: a web application's failure to sanitize input leads to remote sql code execution. <h2>can sql injection be detected?</h2> mitigating sql injection attacks is not difficult, but even the smartest and best-intentioned developers still make mistakes. detection is therefore an important component of mitigating the risk of a sql injection attack. a web application firewall (waf) can detect and block basic sql injection attacks, but you shouldn't rely on it as the sole preventive measure. <a href='https://www.csoonline.com/article/3255632/network-security/what-is-an-intrusion-detection-system-ids-a-valued-capability-with-serious-management-challenges.html'>intrusion detection systems (ids)</a>, both network- and host-based, can be tuned to detect sql injection attacks. network-based idses can monitor all connections to your database server, and flag suspicious activity. a host-based ids can monitor web server logs and alert when something strange happens. ultimately, though, sql injection attacks are well-understood and easily preventable, and the priority for risk mitigation should be preventing sql injection attacks in the first place. <h2>how to prevent sql injection</h2> listen to little bobby tables and sanitize your database inputs. any input to your web application database should be considered untrustworthy and treated accordingly. and listen to the good folks from owasp when they tell you "it's somewhat shameful that there are so many successful sql injection attacks occurring, because it is extremely simple to avoid sql injection vulnerabilities in your code." [their emphasis] the <a href='https://www.owasp.org/index.php/sql_injection_prevention_cheat_sheet' rel='noopener nofollow' target='_blank'>owasp sql injection cheat sheet</a> dives deeper than we ever could here, but preventing sql injection attacks, the owasp tell us, requires developers to whitelist input validation (not blacklisting), to use prepared statements with parameterized queries, and to escape all user-supplied input. also limit account privileges. assume a breach. what if a developer fails to sanitize a single user input field? hey, it happens. developers are only human. sanitize input but assume something is going to slip past you. limit the account privileges of the database user. is your web application read only, for example? does it need to have drop tables privileges? probably not. the principle of least privilege applies here. give the web application the minimum privileges it needs to run. stored procedures can also make sqli a lot harder--although not impossible. if your web application only needs to run a handful of sql queries, create stored procedures to execute those queries. typically, only the database administrator has privileges to create or modify stored procedures. be aware, though, that many databases ship with default stored procedures out of the box, and attackers know this. consider removing those default stored procedures unless you really need them. <h2>preventing sql injection is minimum due diligence</h2> sql injection is the lowest of the low-hanging web application security fruit. this well-known attack vector is easily exploited by unsophisticated attackers, but it is easily mitigated with a small amount of due diligence. in 2018 there is no longer any excuse for a web application to be vulnerable to sql injection. this is what minimum due diligence in web application security looks like, folks. original article on <a href='https://www.csoonline.com/article/3257429/application-security/what-is-sql-injection-this-oldie-but-goodie-can-make-your-web-applications-hurt.html' target='_blank'>cso</a>. Website Applications Mon, 26 Feb 2018 00:00:00 -0800 https://www.jpsdesign.com/blog/listing.asp?2018/2/what-is-sql-injection 5 e-commerce marketing tips to promote your online business https://www.jpsdesign.com/blog/listing.asp?2017/9/5-e-commerce-marketing-tips-to-promote-your-online-business having a website simply isn’t enough. while having a website that is beautifully designed and takes into account <a href='https://www.woven.com.au/news/why-user-experience-design-is-important-for-any-ecommerce-website' target='_blank'>user experience</a> is essential, it’s important to realize that promoting your site is a necessity. regardless of what industry you’re in, there’s a lot of competition and you need to ensure your website is found online and keeps people on your site long enough for them to consider making a purchase. these 5 e-commerce marketing tips help to get people to your site. <h4>tip #1: offer a contest or giveaway</h4> this is a great e-commerce marketing tool because it plays into something everyone loves (winning) while generating buzz for your site and brand. make sure you’re offering a prize your ideal client/customer actually wants and once you’ve announced that the competition is life, keep the momentum going right up until it closes. promote the competition via every channel accessible to you. <h4>tip #2: use video effectively</h4> making how-to videos can help give the customers an idea of your products. how-to videos are simple but highly effective marketing tools. they show your customer what their experience will be like before they need to invest anything or even before they’ve made a connection with your brand. in a brief 2 to 3 minute timeframe, a video establishes if your product or service is ideal for the customer in question. <h4>tip #3: showcase your own original content</h4> when your site is rich with unique content, you’re displaying your expertise while building credibility for your site. of course, original content is also ideal and highly beneficial for search engine optimisation (seo) – be aware that it’s dangerous to copy/paste content from elsewhere on your website. this could land you in legal trouble and at the end of the day, you’re not achieving anything because you haven’t tailored the content to your audience. <h4>tip #4: ask customers for testimonials</h4> is there a more powerful tool in the online world? it can take quite a bit of time to establish trust with a potential customer. when people can easily see a number of testimonials from other satisfied customers, it helps to nurture the relationship. of course, it’s always more powerful to have customers spreading your message than to self-promote. you can ask satisfied customers for testimonials for your products to help you in promoting your business. <h4>tip #5: use personalization to your benefit</h4> there is so much noise in the online space. within your industry, you may be competing with hundreds or even thousands of competitors at any given time. personalisation is becoming more and more important, especially as consumers grow savvier. getting this right isn’t hard but it does take thought—audit all of your communication points and assess where you could be doing better. wherever possible, use your customer’s names, provide them with relevant links and ask for their feedback so that you can continue personalizing their experience. once you know enough about them and their habits, you can tailor your emails accordingly. using the above tips as part of a clear marketing strategy helps to ensure that people are visiting your website. you can’t expect your ideal customers to just stumble across your website. it’s important to be proactive with your marketing so that you’re driving people to your e-commerce site. original article on <a href='https://born2invest.com/articles/e-commerce-marketing-tips-promote-business/' target='_blank'>born2invest</a>. Website Applications Thu, 7 Sep 2017 00:00:00 -0800 https://www.jpsdesign.com/blog/listing.asp?2017/9/5-e-commerce-marketing-tips-to-promote-your-online-business Data Shows Interactive Credit Union Website Designs Get Better Results https://www.jpsdesign.com/blog/listing.asp?2017/8/data-shows-interactive-credit-union-website-designs-get-better-results the data is compelling: interactive websites get more engagement and conversions. that’s why interactive features are becoming more and more prominent in credit union website design. goodui.org published a series of studies from organizations that put interactive features to the test. inspired by goodui’s evidence, we helped spirit of alaska fcu launch an interactive website experience in may 2017. a few months later, we now have some interesting data to share. this article is specifically aimed at credit unions but can easily show interaction with your visitors increases site usage and engagement. <a href='https://www.cuinsight.com/data-shows-interactive-credit-union-website-designs-get-better-results.html' target='_blank'>read the entire article here...it is interest reading about the importance of interaction.</a> original article: <a href='https://www.cuinsight.com/data-shows-interactive-credit-union-website-designs-get-better-results.html' target='_blank'>cu insight</a> Website Applications Mon, 7 Aug 2017 00:00:00 -0800 https://www.jpsdesign.com/blog/listing.asp?2017/8/data-shows-interactive-credit-union-website-designs-get-better-results What is an online application and why you should consider it … https://www.jpsdesign.com/blog/listing.asp?2017/7/What-is-an-online-application-and-why-you-should-consider-it one of the most powerful and useful tools that can be brought to a business via a web designer/developer is online applications (apps). these are not standalone native applications like you have for desktop computer, tablet or smart phone. instead these are web based applications that live on and work on a web server in some far distant corner of the world and are operated on any platform through any standard web browser. <h3>native apps vs. web apps</h3> a native app is an app developed essentially for one mobile or desktop device and is installed directly onto the device itself. users of native apps usually download them via app stores online or the app marketplace. an example of a native app is the camera+ app for apple’s ios devices. a web app, on the other hand, are basically internet built apps that are accessible via the mobile device’s web browser. this makes them available to anybody that has a web browser regardless of their platform or device. they need not be downloaded onto the user’s device to be accessed. for this article, we are going to use ohio archer’s association (oaa, www.ohioarchers.com,) a state chapter of the national field archery association, as an example of what can be done with an online app and the benefits you can get from using one. <h3>a little history.</h3> the oaa is a state chapter of the national field archers association. they manage state membership to the national organization and sponsor several archery events throughout the year in the state of ohio. the events are either held at a single location or at various archery shops, statewide, during a specific weekend. these statewide competitions are known as mail-in events. for several decades, the oaa used excel spreadsheets to manage membership, registration and scoring. all of the membership and registration fees were collected in cash at the events. the association managed the events manually and had a very basic website that was created with a content management system called joomla! which is very similar to wordpress. their method of administering events, registration, membership, scores, etc. was time consuming but manageable when their membership was 150 people or less. it to a great deal of time and effort calculate the scores, notify the winners and distribute the awards. in addition, more time and effort was invested into managing the membership, the historic data and calculating points for the shooter-of-the-year award. the driving forces behind developing a complete online application for the oaa was it’s growing membership and a desire to do things in a better and more efficient way. the oaa online website/app was developed from scratch (without the use of any templates) in an active server page (asp/asp.net environment) for server-side programming with javascript to handle browser-side programming. all of their databases were developed in microsoft access and sql (standard query language.) the current website/app is built using a responsive design for the framework. with the current online app, the oaa can handle the following activities and data through any web browser. multiple people can be working in the app at the same time which proved to be very productive for them during an event for registration and check-ins. listed below are the basic areas that are now managed with the oaa online app: <ul> <li>master registration list</li> <li>register for events including paypal for registration fees and membership dues</li> <li>event scoring</li> <li>shooter-of-the-year (soy) points</li> <li>event medal labels</li> <li>historic shooting records</li> </ul> <ul> <li>events</li> <li>tournament/district breakdowns</li> <li>shooting classes/divisions</li> </ul> <ul> <li>protests</li> </ul> <ul> <li>election info/results</li> <li>photo galleries</li> <li>video galleries</li> <li>club info</li> </ul> <h3>the benefits of an online app.</h3> using the above example of the oaa, let’s look at some of these specific tasks - how they have changed and the benefits that were achieved with an online app. <h4>event registration/check-in</h4> before the app: in the past, event registration was done through handwritten forms that were mailed-in with the events fees either in cash or with a check. then the information was transferred to a spreadsheet. at the actual event, during check-in, all the information that was previously mailed-in had to be confirmed. event fees had to be collected for those who did not send in their money. if somebody was a walk-in, who hadn’t registered yet, their information had to be entere manually in the spreadsheet and event fees had to be collected. the main problems with this system were: <ol> <li>it was time consuming.</li> <li>all of the information was recorded manually leaving a lot of room for typos and errors.</li> <li>collecting the fees and handling a lot of cash at the events.</li> <li>only one person could do check-in at an event.</li> </ol> after implementing the app: after the development of the web-based app, the workflow changed dramatically which resulted in a considerable change in the effort and time it took to check-in competitors at the event. the new system requires people to register online. during the registration process several items are completed simultaneously. as they were creating their registration for that event, the person registering was also creating a master profile of themselves and their shooting style, age and class. this was done to make it more convenient for the competitors when they returned to register for future events which in turn promoted the use of the online registration system. returning competitors simply had to enter an email address or nickname to retrieve their information which automatically completed their registration form. because the end user was entering the data such as name, address, contact info, etc. there was less chance for an error. for more complex information and data, like shooting classes, javascript was used to control these entries where the competitors would enter their sex and age. then acceptable shooting styles given to them to choose from, which, in turn, would result in the appropriate shooting class and cost for the event. checking for errors was done extensively on all the entries for completeness and proper format (for example email addresses and phone numbers). once the competitor was finished registering, they were redirected to paypal to complete the registration with a payment. a paypal payment “success” and the transaction number were added to the registrant’s record in the database. the competitor would then receive a verification email that they were registered and payment was complete. during event check-in, the oaa could use several computers and tournament officials simultaneously to do check-in. the officials were able to quickly search for registrants, in a table format, that would show their name, class and payment status. for those who paid online, the officials only had to confirm the registrant’s shooting class and click a check-in box to confirm they were there. using this system, the amount of cash that was handled at an event dropped by 95% and amount of time it took check-in a registrant decreased from a 5-minutes to mere seconds. to summarize, these are the main benefits the oaa gained from using an online app: <ol> <li>it greatly accelerated check-ins.</li> <li>there was a significant increase in the accuracy of information. duplication of information was eliminated.</li> <li>cash flow was increased because registration fees came in throughout the registration time frame and not at the event.</li> <li>there was less handling of cash.</li> <li>there was overall streamlining of the entire registration process for both the registrant and the oaa.</li> <li>there was a reduced amount of paper to handle.</li> <li>check-in could be done by several people simultaneously.</li> </ol> <h4>event scoring, historic scores and soy points</h4> before the app: when an event was finished, the score cards were collected. the scores were then entered into a spreadsheet. once that was completed, the spreadsheet was sorted by shooting class and scores. a list was made of the winners (1st, 2nd, 3rd) for each class and the scores were reviewed to determine if there were any tie scores that required shoot-offs. the winners’ information was then copied to a microsoft word template to generate the labels for the awards. for the historic records, the process was completely manual requiring a comparison of scores from the current event to those of past events in separate spreadsheet. these records were often completed days after the event. shooter-of-the-year (soy) points were managed in another spreadsheet requiring a time-consuming process of transferring data and making calculations. this was process that wasn’t completed for several days to a week after an event. when there were only 100+ shooters at seven events in a year, this entire process was time consuming requiring a lot of manpower. now, with nearly 400 shooters and a growing enrollment of about 20% per year, the manual method of handling scoring is impossible. the main problems with this system were: <ol> <li>a very time-consuming process. with just 100 shooters, after an event was finished, it would take up to 30 mins. or more to manually tally the scores. then, it would take at least 30 mins more to generate the award labels to be presented to the winners.</li> <li>there wasn’t any simple mechanism to generate historic records – all of it was done manually.</li> <li>calculating soy points required more manual work in another spreadsheet.</li> </ol> after the app: after the development of the web-based app, the workflow for scoring decreased which resulted in a significant change in the completion of the events. the new workflow starts with collecting the score cards as before but the new online app has a special screen that allows scores to be tallied rapidly and efficiently with no manual, handwritten work involved. the screen is customized based on the type of event making the score tallying as simple and quick as possible. with this revised method, 150 shooters’ scores can be entered in under 10 minutes. once the scores are entered, the tournament officials can see, instantly, who placed where and if any shoot-offs are required. with another click all the historic information is updated. with a third click, the labels are for the awards including new high score award. with the final click, soy points are calculated in seconds. all of this information is immediately available on the website for viewing. in summary, main benefits of the online app: <ol> <li>a huge time benefit. completion time changed from a 2+ hour process (and several calendar days) to just 10 minutes.</li> <li>there is no manual management of the data and no spreadsheets.</li> <li>the historic information for past events is available indefinitely.</li> <li>the knowledge and skill required to complete event scoring is now minimal.</li> <li>the website data is updated immediately.</li> </ol> <h3>consolidating and dispersing activities all at once.</h3> as we have shown in the two detailed examples above, switching to a web based app increases efficiency and consolidates all the data in one place for immediate updating and viewing. another added benefit is that it disperses the tasks involved in scoring, membership and sponsoring events to multiple people working simultaneously from a single or multiple locations at once. whether you need to perform your tasks at your desk or on the road at an event location, all the data is housed, managed and available from a single location without any priority network. these few examples should provide you some ideas of how you can change your workflow through the use of an online app. a web designer/developer is the ideal individual to review and develop a streamlined workflow that will make your business perform more efficiently and effectively. Website Applications Sat, 15 Jul 2017 00:00:00 -0800 https://www.jpsdesign.com/blog/listing.asp?2017/7/What-is-an-online-application-and-why-you-should-consider-it