6th October 2010
Website Security Tips
Whilst backing up your website is of critical importance, there are a number of other equally important steps you should take to ensure the security of your website and server.
This article discusses common security mistakes and provides tips to help you secure your website.
Validation of Data and Data Poisoning
Any data inputs collected from your visitors must be fully validated for a number of reasons. Firstly you want to make sure you collect the right data (for example, a valid email address), but more importantly you need to consider how the data is handled.
For example, if you collect an input on your website which forms part of a MySQL database query and that input is not properly validated, it can create huge security holes. This may begin with enabling visitors to delete large portions of your database, or even worse, it may enable them to expose confidential data such as customer credit card numbers.
If you display data entered by your users then you must thoroughly validate it, most importantly to ensure any unwanted HTML is removed. Cross-site scripting attacks can be a huge threat: for example, a visitor could post a simple piece of JavaScript on your site which reads your users' cookies and sends the cookie data to a third-party site, and within seconds your user sessions may be hijacked and their accounts compromised!
Some statistics suggest that half of all websites are subject to information leakage attacks, 1 in 5 websites are unprotected against SQL injection, and as many as 7 out of 10 websites are open to cross-site scripting attacks!
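The two validation failures above, an SQL query built from raw input and user text echoed without escaping, each beside its hardened form, as an added example that is not part of the original article. It assumes PHP 7 or later with the pdo_sqlite extension; the in-memory SQLite database stands in for MySQL, and the table, rows and hostile inputs are constructed here.

```php
<?php
// Added example, not code from the original article. Assumes PHP 7+ with pdo_sqlite;
// SQLite stands in for MySQL and every row and input below is constructed.

// Vulnerable: the visitor's input becomes part of the SQL text itself.
function findUserUnsafe(PDO $pdo, string $email): array
{
    $sql = "SELECT id, email FROM users WHERE email = '$email'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: a prepared statement keeps the input as data, whatever it contains.
function findUserSafe(PDO $pdo, string $email): array
{
    $stmt = $pdo->prepare('SELECT id, email FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened output: escape on the way out, so posted text can only ever render as text.
function renderComment(string $text): string
{
    $safe = htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<p class="comment">' . $safe . '</p>';
}

$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT)');
$pdo->exec("INSERT INTO users (email) VALUES ('alice@example.com'), ('bob@example.com')");

// Constructed hostile input: a quote closes the string literal and the tautology
// that follows makes the WHERE clause true for every row in the table.
$input = "' OR '1'='1";
printf("unsafe lookup returned %d rows\n", count(findUserUnsafe($pdo, $input)));
printf("safe lookup returned %d rows\n", count(findUserSafe($pdo, $input)));

// Constructed hostile post: a script tag that would otherwise run in every reader's browser.
echo renderComment('<script>alert(document.cookie)</script>'), PHP_EOL;
```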
Direct Data Theft
Any data you store can potentially be viewed by your visitors. Always avoid storing data files on your website and instead store them on your server in a directory which is not web-accessible. If using a database (e.g. MySQL) then ensure your database user accounts use strong passwords and any default accounts are removed, and where possible limit database connections to the local server.
You should always ensure any management tools are properly secured. Apache web server users should not rely on .htaccess authentication alone, since a change in the server configuration can cause .htaccess files to be ignored, removing that protection entirely. Of course .htaccess authentication adds a useful additional layer of security, but it should be used in conjunction with additional authentication systems.
Malicious File Execution and DoS Attacks
Always beware of unknown files: whether it's a file uploaded by a website visitor or a popular open source software package, it should be considered potentially dangerous.
Many popular open source software packages are subject to vulnerabilities which can leave your website open to attack, and just because you're asking users to upload images doesn't mean they will. How does your profile photo upload behave when a user uploads a PHP file? Does that PHP file become executable after the upload, essentially giving any (appropriately skilled) visitor the ability to take complete control of your website?
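An upload handler for the profile photo case above, added here as an example rather than taken from the article: it decides what a file is from its bytes, not from the name or type the browser supplied, and stores it under a generated name outside the web root. It assumes PHP 7 or later with the fileinfo extension; the private directory path is hypothetical and the two test files are constructed.

```php
<?php
// Added example, not code from the original article. Assumes PHP 7+ with fileinfo;
// UPLOAD_DIR is a hypothetical path outside the document root, so uploaded files can
// only reach a browser through a script that reads them back, never be executed.

const UPLOAD_DIR = '/var/www/private-uploads';
const ALLOWED = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];

// Returns the canonical extension for a genuine image, or null to reject the file.
function inspectImage(string $path): ?string
{
    $mime = (string) (new finfo(FILEINFO_MIME_TYPE))->file($path); // sniffed from content
    if (!array_key_exists($mime, ALLOWED)) {
        return null;                 // text/x-php, application/octet-stream, ... rejected
    }
    if (@getimagesize($path) === false) {
        return null;                 // right magic bytes but not a parseable image
    }
    return ALLOWED[$mime];
}

// Moves a validated upload from $_FILES into UPLOAD_DIR; returns the stored name or null.
function storeProfilePhoto(array $file): ?string
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    $ext = inspectImage($file['tmp_name']);
    if ($ext === null) {
        return null;
    }
    // Random name plus the extension we chose: "avatar.php" or "x.php.gif" never survive.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    return move_uploaded_file($file['tmp_name'], UPLOAD_DIR . '/' . $name) ? $name : null;
}

// Offline check with constructed files: a minimal GIF header and a PHP script.
$gif = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($gif, "GIF89a\x01\x00\x01\x00\x80\x00\x00;");
$php = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($php, "<?php echo 'not an image';");
// Only the genuine image should come back with an extension, whatever it was named.
var_dump(inspectImage($gif), inspectImage($php));
unlink($gif);
unlink($php);
```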
DoS or Denial-of-Service attacks involve a huge number of requests which overload the server. For example, an attacker could simply request your homepage thousands of times in a few seconds to overload your server, causing your software to crash. Firewalls can be implemented to help reduce the threat of DoS attacks, but these are of no use if the malicious user has managed to upload a program which creates the load 'internally'.
Predictable Resource Locations and Error Handling
It may seem silly, but creating a directory called /contact/ for your contact page may not always be the best approach. Okay, perhaps it's not so important for your contact page, but do you have a 'secret' /admin/ directory, or perhaps a /phpmyadmin/ directory for your database manager? If so, you should consider hiding these resources so malicious users cannot find them with ease. Enabling such tools to be easily found merely increases your risk of an attack; if the attacker can't find your control panel it is a lot more difficult to hack it...
In addition to this, how you handle your error messages is of critical importance. Your error messages must never contain sensitive server information or data: for example, if a MySQL database query fails, do you still display the query in your error message for your own debugging? If you use IP address restrictions, do you show denied users a 'forbidden' error or a 'file not found' error? Returning a file not found error can create the illusion that resources don't exist.
Always restrict directory listings to prevent visitors from browsing the files on your website. This can be done by including index files in all your directories, or if you use the Apache web server software you can use .htaccess files to disable directory listings.
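An added example (not from the article) of the error handling described above: the failing query's driver message goes to the server log while the visitor sees only a generic message and a reference. It assumes PHP 7 or later with the pdo_sqlite extension; SQLite stands in for MySQL, and the log path and table name are made up.

```php
<?php
// Added example, not code from the original article. Assumes PHP 7+ with pdo_sqlite;
// SQLite stands in for MySQL, and the log path and "users" table are hypothetical.

ini_set('display_errors', '0');                       // never render PHP errors into pages
$logFile = sys_get_temp_dir() . '/app-errors.log';    // hypothetical server-side log
ini_set('error_log', $logFile);

// Returns ['ok' => true, 'rows' => [...]] or ['ok' => false, 'message' => '...'].
function findUserByEmail(PDO $pdo, string $email): array
{
    try {
        $stmt = $pdo->prepare('SELECT id, email FROM users WHERE email = :email');
        $stmt->execute([':email' => $email]);
        return ['ok' => true, 'rows' => $stmt->fetchAll(PDO::FETCH_ASSOC)];
    } catch (PDOException $e) {
        // The driver message and SQLSTATE go to the log, tagged with a reference...
        $ref = bin2hex(random_bytes(4));
        error_log(sprintf('[ref %s] user lookup failed: %s', $ref, $e->getMessage()));
        // ...and the page gets only that reference, so support can match the two up.
        return ['ok' => false, 'message' => "Sorry, something went wrong (ref $ref)."];
    }
}

$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
// No "users" table has been created, so the query fails and exercises the catch block.
$result = findUserByEmail($pdo, 'alice@example.com');
echo "Shown to the visitor: ", $result['message'], PHP_EOL;
echo "Written to the log:   ", file_get_contents($logFile);
```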
Authentication and Session Management
If your website uses authentication or sessions, what steps have you taken to prevent session hijacking? If you use cookies to store a session ID, do you store additional data to authenticate the session, or could a user spoof a cookie and hijack another user's session with simple techniques such as cross-site scripting?
Always use SSL certificates and the HTTPS protocol for your authentication systems, and if you're using session cookies you should consider only using the HTTPS protocol and secure cookies. Further basic steps include implementing a session time-out feature to ensure sessions are closed even if a user forgets to log out, and user profiling can be used to detect changes in usage: for example, you should force a logout if the user changes browser, and debatably also if their IP address changes.
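The session steps above (HTTPS-only secure cookies, an idle time-out, and a forced logout when the browser changes) as an added example, not code from the article. It assumes PHP 7.3 or later for the array form of session_set_cookie_params; the time-out value and the browser strings in the walk-through are arbitrary choices.

```php
<?php
// Added example, not code from the original article. Assumes PHP 7.3+; the
// fifteen-minute idle limit is an arbitrary choice for the demonstration.

const IDLE_TIMEOUT = 15 * 60; // seconds of inactivity before the session is dropped

function startHardenedSession(): void
{
    session_set_cookie_params([
        'lifetime' => 0,        // cookie dies with the browser
        'path'     => '/',
        'secure'   => true,     // only ever sent over HTTPS
        'httponly' => true,     // not readable by JavaScript, which blunts cookie-stealing XSS
        'samesite' => 'Strict',
    ]);
    ini_set('session.use_strict_mode', '1'); // refuse session IDs the server never issued
    session_start();
}

// Pure check over the session data, so it can be exercised without a web server.
// Returns true if the session may continue; false means destroy it and force a login.
function sessionStillValid(array &$s, string $userAgent, int $now): bool
{
    $uaHash = hash('sha256', $userAgent);
    if (!isset($s['ua'], $s['last'])) {      // first request: bind the session to this browser
        $s['ua'] = $uaHash;
        $s['last'] = $now;
        return true;
    }
    if ($now - $s['last'] > IDLE_TIMEOUT || !hash_equals($s['ua'], $uaHash)) {
        return false;                        // idle too long, or the browser changed
    }
    $s['last'] = $now;
    return true;
}

// Call after a successful login so a session ID issued before login cannot be reused.
function onLogin(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}

// Offline walk-through with a constructed session array and constructed user agents.
$session = [];
$t = 1000000;
var_dump(sessionStillValid($session, 'Firefox/80', $t));                     // binds the session
var_dump(sessionStillValid($session, 'Firefox/80', $t + 60));                // same browser, still active
var_dump(sessionStillValid($session, 'Chrome/85', $t + 120));                // browser changed
var_dump(sessionStillValid($session, 'Firefox/80', $t + IDLE_TIMEOUT + 61)); // idle too long
```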
Phishing and Content Spoofing
Phishing is the process of tricking someone into believing that a website (or email, letter, etc.) belongs to an organisation it does not. For example, many of you will regularly receive emails claiming to be from Facebook and PayPal asking you to log in. These emails contain links to login pages which look identical to the official login pages, but they are not: they are hosted on different web sites and are used to trick you into logging in and handing over your login details.
The best approach for stopping phishing is visitor education: always encourage your visitors to check the page URL before logging in and, if possible, only use one URL for login, as we do on myRepono.com. As many as 1 in 4 websites are subject to phishing and content spoofing attacks.