How to protect a website from hackers
Protecting Websites From Hackers
1. Keep software up to date
It may seem obvious, but keeping all software up to date is vital to keeping your site secure. This applies both to the server operating system and to any software you run on your website, such as a CMS or forum. When security holes are found in software, hackers are quick to attempt to abuse them. If you are using a managed hosting solution, you don't need to worry so much about applying security updates for the operating system, as the hosting company should take care of this. If you are using third-party software on your website such as a CMS or forum, make sure you are quick to apply any security patches. Most vendors have a mailing list or RSS feed detailing website security issues. WordPress, Umbraco and many other CMSs notify you of available system updates when you log in.
2. SQL injection
SQL injection attacks are when an attacker uses a web form field or URL parameter to gain access to or manipulate your databases. When you build standard Transact-SQL by hand it is easy to unknowingly let rogue input become part of your query, where it can be used to change tables, read information or delete data. You can easily prevent this by always using parameterized queries; most web languages have this feature and it is easy to implement.
Consider this query:
SELECT * FROM table WHERE column = 'parameter';
If an attacker changed the URL parameter to pass in ' OR '1' = '1, the query would look like this:
SELECT * FROM table WHERE column = '' OR '1' = '1';
Since '1' is always equal to '1', the condition holds for every row, and the attacker can also append an additional query to the end of the SQL statement, which will be executed as well.
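As an added example (not code from the original post), the same lookup written in Python against an in-memory SQLite table: the first function splices the parameter into the query text exactly as the article describes, the second binds it as a parameter so the input is only ever treated as data. The table, column names and rows are constructed for the demo.

```python
import sqlite3


def make_db():
    # Constructed sample data standing in for the article's "table"/"column".
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def lookup_vulnerable(conn, value):
    # The article's pattern: the URL parameter is concatenated into the SQL
    # text, so a quote in the input closes the string literal and the rest of
    # the input is parsed as SQL.
    sql = "SELECT * FROM users WHERE username = '" + value + "';"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, value):
    # Parameterized query: the driver sends the SQL text and the value
    # separately, so the quote in the input is just a character to compare.
    sql = "SELECT * FROM users WHERE username = ?;"
    return conn.execute(sql, (value,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    payload = "' OR '1' = '1"  # the input from the article's example
    print(lookup_vulnerable(conn, payload))     # every row comes back
    print(lookup_parameterized(conn, payload))  # no row has that username
```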
3. XSS
Cross-site scripting is when an attacker tries to pass JavaScript or other scripting code into a web form in an attempt to run malicious code in the browsers of your site's visitors. When creating a form, always check the data being submitted and encode or strip out any HTML.
4. Error messages
Be careful with how much information you give away in your error messages. For example, if you have a login form on your website, think about the language you use to communicate a failed login. Use a generic message like "Incorrect username and password" so as not to reveal when a user got half of the credentials right. If an attacker tries a brute-force attack to get a username and password and the error message gives away which one of the fields is incorrect, the attacker knows they have one of the fields and can concentrate on the other. Keep your error messages vague.
5. Server-side validation / form validation
Validation should always be done both in the browser and on the server side. The browser can catch simple failures such as mandatory fields left empty or text entered into a numbers-only field. These checks can be bypassed, however, so you should repeat them, along with deeper validation, on the server side; failing to do so could allow malicious code or scripting code to be inserted into the database or cause undesirable results on your website.
6. Website security tools
Once you think you have done all you can, it's time to test your website security. The most effective way of doing this is with website security tools, in what is often referred to as penetration testing, or pen testing for short.
There are many commercial and free products to assist you with this. They work on a similar basis to the scripts hackers use, in that they test for all known exploits and attempt to compromise your site using some of the previously mentioned methods, such as SQL injection.
Some free tools that are worth looking at:
· Netsparker (free community edition and trial version available). Good for testing SQL injection and XSS.
· OpenVAS. Claims to be the most advanced open source security scanner. Good for testing known vulnerabilities.