Securing data always remains a challenge while we are witnessing the growth of technology at an amazing pace. The more secured your website, the more the chances of users accessing your website. Whether it is e-commerce website, social media websites or any other company website, every online platform is prone to one or the other form of security threat. It is very important to be aware of the security threats and be prepared for handling it. Organizations now use advanced technologies and heavy security testing to keep their website safe and protect customer privacy. Security testing is not just restricted to testing team, development team too plays important role in ensuring Security constraints.

What’s the risk?

Hackers are increasing day by day who are in continuous search of vulnerable website. It’s essential for an individual or an organization to take steps for protection of their data. Although various tools and technologies are available to handle the threats, protecting your website is possible only by continued effort. Hacked website is a terrible thing that causes lot of distress to both owner and the customers. A website that is victim of abuse will poorly reflect on your business and brand. Enough proactive measures must be taken to ensure all preventive steps are taken for better security in long run.

Sources of Security Risks

Security threat to websites and apps come in many forms today. While online threats are continuously evolving, following are very popular among hackers:

Malware – Short computer programs that attempt to get access to computer without user consent. It can be virus, worm or Trojan. Virus is a program written to damage or delete your files/contents from your computer. Worms do not cause any harm to your data, but replicates it again and again. Due to its replication nature, it takes lots of memory space degrading computer performance and consuming more network bandwidth. A Trojan horse is a destructive program (not a virus) that looks like a genuine application. Trojan horses do not replicate, but if enters your computer, can give access to your confidential information to unwanted users.

Spoofing – Computer or a user pretends to be another, usually one who has higher privileges to attack system to damage data or to deny access. Many of the TCP/IP protocols do not provide mechanism to authenticate source or destination of a message. When extra precautions are not taken by applications to verify identity of sending or receiving host, it becomes vulnerable to spoofing attacks. Firewalls can help prevent spoofing attacks.

Spamming – Electronic spamming is sending of messages repeatedly. There are many forms of Spamming like mobile phone messaging spam, internet forum spam, junk fax transmissions, social spam, search engine spam etc. E-mail is the most widely recognized Spam.

Phishing – Hacker send email that look legitimate to recipient asking for confidential information. Recipient fall into such tricks and provide the login information or other important banking details thus, hacker get access of their confidential information.

SQL Injection – SQL Injection is Code Injection technique in which malicious SQL code is inserted into an entry field for execution. Top websites are vulnerable to Injection flaws especially, SQL Injection Flaws. By employing injections, hacker can have your code run unintended commands or accessing unauthorized data.

website security attacks

Web attacks

How can the risks be prevented?

SQL Injection: Here, the hacker makes use of web form field or URL parameter to manipulate data or to get sensitive data. For example, consider following query to get log in credentials:

SQL Injection

SQL Injection

SELECT * FROM Users WHERE user_id = ‘my’ and password=’test’;

Now, the hacker enters ‘OR 1 = 1; /* in Email id text field and */– in the password, the query on execution would look like:

SELECT * FROM Users WHERE user_id =’  ‘OR 1 = 1; /* and password=*/–

This will display all users in Users table.

There are several automated scanning and detection tools available in the market to handle SQL Injection, however, best way to avoid such attack is proper code review as complete coverage involves manual code review and manual testing along with usage of detection tools.

Cross Scripting: Cross Scripting (XSS or CSS) is one of the most common application layers hacking technique. Here, hacker attempts to insert JavaScript, VBScript, ActiveX, HTML etc code into the dynamic pages in attempt to run malicious code. The use of XSS might compromise private information, manipulate or steal cookies, execute malicious code to generate undesirable results, create request taking others’ identity. This is the most prevalent form of security attacks. One way of protecting from XSS attack is to have all the code pass through some kind of filter that will omit keywords like <SCRIPT> tags, JavaScript commands, CSS tags and other notorious HTML Markup (the ones that contain event handlers). There are many libraries available to implement filter mechanism, which one you choose will depend on your back end technology. Ensure you always use updated filters for better security as XSS techniques keep changing and new ones keep emerging all the time.

cross scripting

XSS attack

Error Messages: Be careful about the error messages that get displayed when user enters incorrect data. Always give generic messages. For example, when a user fails to enter correct username/password, give message like “Invalid username/password”. Giving exact information about what went wrong can give hacker the clue that he has reached halfway correctly and need to focus only on rest of the part.

Server/Browser side validation: Validation must be used at both browser and server end for better security. Simple failures like invalid phone format, numbers only, blank field etc. can be found by form validation itself; however, using stronger server side validation can help prevent malicious code that can bring undesirable results in your website.

Password: Always practice for using stronger passwords. Your password must be a combination of special characters, numbers and upper case letters. Passwords must be hashed while storing in database.In case your data get stolen, damage can be minimized if the password is encrypted as decrypting them would not be possible.Plain hashing is not sufficient for security of passwords. You can make encryption more secured by adding salt to your password. Salt is a randomly generated string inserted before or at the end of the password to generate randomized hashes. As shown in below example, it makes a password hash into completely different string every time. Salt is stored in user account database along with hash, or as part of hash string itself. Salt must not be re-used; new random salt must be generated every time user creates a new account or change password.

011

File Uploads: In today’s modern web applications, it has become necessary to provide option for file uploading. Various social networking applications like Facebook, Twitter etc, blogs, forums, and other websites provide option to upload files, pictures, avatar, videos and several other kind of files. The more this feature is available in website, the more the website is prone to malicious attacks. Sometimes an uploaded file may contain a malicious script that can just open up the entire site. Below are mentioned some best practices if implemented while uploading a file can help you have secure file uploads:

    • Define a .htaccess (Hypertext Access) file  - A configuration file used by Apache based web servers  that has ability to password protect folders, deny access to unwanted users, redirect users to another page, change the way files with certain extensions are utilized etc.
    • Do not place .htaccess file in the folder where your uploaded images will be preserved. Save it in parent folder.
    • Provide list of acceptable extensions for a website in the .htaccess file with proper deny/allow permissions. That way, only allowed files can be uploaded by any user and can also limit access to each file type.
    • Always store files in a different folder outside of the web root.
    • Avoid overwriting of files (to prevent .htaccess overwrite attack)
    • Create a list of acceptable mime-types
    • Generate a random file name and add previously generated extension. Use unique file name to uniquely identify each file name.
    • Implement both client side and server side validation for extra security.

SSL: SSL(Secure Sockets Layer) is a protocol used to provide security to websites over Internet. If the communication channel is not secured while transmitting confidential information between website and web server or database, hacker can easily get access to user accounts and personal information. SSL helps overcome this security threat by establishing secured connection between browser and web server. SSL allows confidential information like SSN, Credit Card details, log in information etc to be transmitted securely over network. SSL certificates have a key pair – public and private key. These keys work together to establish encrypted connection. The certificate also contains the identity of the website owner. Once the web server has SSL Certificate installed and the communication between client and server is secured, it gives trusted environment to the visitor indicating that their connection is secured. Browser assures visitors that their connection is secured by displaying a lock icon or a green bar and URL starts with https:// than “http:”

Do everything you can to reduce chances of being hacked. Stay up-to date, limit access to resources, use strong passwords and password storing techniques, and constantly monitor your site. These are some simple steps that if carefully considered can protect your data and website from hackers. I hope this gives readers an idea on how to plan while considering security aspect of their data and website.

Susan B. John