Website Security — Help Protect Yourself From Common Hacks and Weaknesses

By Category: Security

skull-security-blogWebsite security is too often an aspect handled in a lackadaisical, reactive manner instead of with a proactive mentality, which keeps security in mind from the beginning of a project. Nonetheless, many web developers do not even learn how to properly develop code that is secured against the handful of most common vulnerabilities.

One of the most important tactics that should be kept in mind at all times is to sanitize all data coming from user input. The number of vulnerabilities in a website increases in correlation with the complexity of a website and its inputs for data. It only takes a single weakness to spell chaos for even a highly complex site. Thus, complex websites require even greater scrutiny to deter being hacked.

If your website already exists, then it is highly recommended to request a security audit, also known as a penetration test, which can provide analysis into where vulnerabilities exist in your current system. The next step is to actually have your system secured against those weaknesses. Usually, even more weaknesses are found during the patching of a system because the system is being viewed from the inside, whereas most security audits (especially software) only search for weaknesses on the front-end of a website.

If your website does not exist yet, then you will want to develop secure code from the start. There are several types of exploits that are most commonly used to attack websites. Some of the most popular types of vulnerabilities are the following: SQL Injection, Cross Site Scripting, Local / Remote File Inclusion, Cross Site Request Forgery. It is important to know where these types of exploits are often found.

SQL Injection

SQL Injection is the most terrifying type of exploit because of its prevalence and severity of consequences. It refers to a hacker’s ability to inject their own SQL code into your website’s innocent attempt to use a SQL database for something as benign as displaying a blog post. For example, you have a website that uses a database, like a WordPress site, to hold and manipulate data that is displayed on your website. An attacker may be able to maliciously enter their own database query through an input for data, which could return sensitive data like user passwords. Any code that interacts with a database should be thoroughly secured against improper user input.

Cross Site Scripting

Cross Site Scripting is a very common type of vulnerability. It is possible to find anywhere that user input is displayed on a webpage. Essentially, the hack involves an attacker posting malicious JavaScript code onto some webpage like a blog post’s comments section. If the attacker’s data is not sanitized, then the JavaScript could steal cookies from unsuspecting users that are viewing the comments section of the blog post. The attacker can use these stolen cookies to hijack the victim’s logged-in session. This is particularly dangerous when the victim is a site administrator or the victim’s data at stake is sensitive.

Local / Remote File Inclusion

Local / Remote File Inclusion is not as widespread as the first two types, but it can be the most devastating vulnerability of all. This is mostly found where you allow users to upload their own files to your website. The most common problem is not filtering which file types may be uploaded. For example, an attacker might try to upload a PHP file through an image upload page. If the PHP file is not disabled from being uploaded, then it could be used to take control of your webserver / website.

Cross Site Request Forgery

Cross Site Request Forgery is a type of vulnerability that is grossly abundant. It is not always of much danger, but it can provide a hole in an otherwise highly secure system. Typically, CSRF is found wherever you provide your users the ability to fill out a web form. For example, you might have a page where your site’s members may change their login password. This can be exploited by an attacker who secretly forces a user to send data on their behalf. In other words, a user who is logged into your site could go to a malicious page hosted by the attacker, which sends a web form submission without the user knowing. That form submission would actually entail a new password being set by the attacker such that they may login to the victim’s account. Your website thinks the user genuinely changed their password, but the user does not know that anything happened.

While developing secure code goes without saying, it is also hugely important to keep up with software updates on all levels, from blog platforms to webservers to your personal computer. You must not forget about security after launching your project. It is a necessity to remain vigilant in your stand against weaknesses across your systems.