WEBSITE SECURITY TIPS

In this blog we're going to go through some of our top tips on making your website safe from hackers. You may have a personal/business website or just thinking about making one. You may be under the impression that your site has nothing worth being hacked for, but websites are compromised all of the time. A large majority of website security breaches are not just to steal personal data or to use cross site scripting to mimic another site. Hackers can attack and use your servers as a email relay for spam, set up a temporary web server, to hold files of an illegal nature. Other examples are, using your server/s as part of a botnet or to mine for Bitcoins. You might even be hit by Ransomware, meaning you would be forced to pay to have your files and folders accessible.

All of these are serious and without the right knowledge or understanding it can be very easy for these hackers to find holes and exploit them. It's quite common to see huge business get hit by security breaches on the news, I think this alone shows how hard it is to protect from such attacks. 

Hackers will regularly run automated scripts across the internet with intention try to catch holes in websites to which they can exploit. This is the main way how many casual businesses/individuals get caught out.

Now lets get into the top tips! 

Keep software up to date

It might seem very obvious to some users of the internet, but ensuing that you keep software up to date is vital in keeping your site secure. The reason why we have updates for applications, anti-virus software and operating systems, is because there are constantly new forms of attacks being discovered daily and patches will be made to these software, to make sure they will not be vulnerable from them. As you can already tell, not updating would mean if a new attack hit and you didn't have that security patch, you wouldn't be in the best situation.

In terms of website security, you would have to make sure the operating system on the web server was up to date along with any other software on there. If you're using a third party to host your website, then you don't need to worry too much as you will either be notified of a new update or better yet, they'll automatically update for you.

It can be quite tricky to keep up with all dependencies you may have running on your web server however, many developers use tools like Gemnasium to get automatic update notifications for when a vulnerability is found in one of your components of your website.

SQL Injection

SQL Injection is one of the most common attacks on websites as hackers can easily run scripts to gain data from a database. SQL Injection is a code injection technique that may destroy, edit or even add to your database. This form of attack is the placement of the malicious code in SQL statements which are then inputted into a web page input, such as a form.

Like previously mentioned SQL Injection usually occurs when the website is asking for a user input. This most commonly will be a form asking for username/userid however, the hacker will enter a SQL statement which will unknowingly run on your database. Below is an example of SQL code written for a form, it creates a SELECT statement by adding a variable (txtGetUserID) to a select string. That variable is then fetched from the user input (getUserID). 

txtGetUserID = getRequestString("GetUserID");
txtSQL = "SELECT * FROM Users WHERE UserId = " + txtGetUserID;

Now you may not be familiar with SQL however, it is still important to know especially if you're a web developer. Looking at the example which I have given above, the original purpose was to create a SQL statement to select a user from a database with a given id. This id is what the user inputs into the form. 

If there is nothing in place to prevent a user from entering a 'wrong' input (which should be nothing other than numbers). Then a hacker can enter the below code into the input box.

UserId: 105 OR 1=1

This would mean that the SQL statement would then look like this:

SELECT * FROM Users WHERE GetUserID = 105 OR 1=1;

The SQL statement above would be valid and in turn, return ALL rows from the 'Users' table, this is because OR 1=1 is always TRUE. So now you can imagine if that 'Users' table contained usernames and passwords for thousands of people how big of a security breach this would be. To protect a website from SQL injection you can use SQL parameters. SQL parameters are values that are added to an SQL query at execution time, in a controlled manner.

An example in PHP of this would be:

$stmt = $dbh->prepare("INSERT INTO Customers (CustomerName,Address,City) 
VALUES (:nam, :add, :cit)");
$stmt->bindParam(':nam', $txtNam);
$stmt->bindParam(':add', $txtAdd);
$stmt->bindParam(':cit', $txtCit);
$stmt->execute();

Error messages

This is only a small point to make however, should 100% be considered when developing your website. When developing your website most likely you will prepare outputs to the user when an error occurs, this error that can display information such as why the error caused and details of the code. You must be careful with how much information you give away in your error messages as you want to make sure they don't leak secrets present on your server (database passwords). Keep your detailed error in the server log and only provide the user with information they need.

Passwords

Now a days everyone is mostly educated with the knowledge that you must use a strong and complex password. It is crucial to use strong passwords for your server and web admin area on a CMS but also just as vital to insist users to create strong passwords to protect their accounts.

If you are going to sign up for a website you will find most run by a similar password requirement, this is something along the lines of being 8 characters, including an uppercase letter and a number; reducing the chances of it being accessible. Passwords should be stored in a database as a encrypted value. One way in which you can do this is using a hash algorithm such as SHA. The process in which SHA works is to take the user password run it through its algorithm that turns the password into an output of a fixed size, which will be a mix up of numbers and letters. When the user logs into the system their password is again hashed and then only the hashed values are compared.

In the event of someone hacking in and stealing your passwords, using hashed passwords could help damage limitation, as decrypting them is not possible. The best way a hacker could gain access is using a dictionary or brute force attacking meaning they essentially are try to guess as many combinations as they can until they get though. As you can imagine this is highly unlikely to be successful; if you're using strong passwords.

Validation

Validation much be done always on the client side and the server side. The browser can catch simple failures such as mandatory fields being empty or someone entering text into a numbers only form. These can be bypassed so it is a must that your server side is set up for validation as failure to do this could lead to malicious code being inserted into your database which obviously could provide a heap of problems.

XSS (Cross-Site Scripting) 

Cross-Site Scripting is very effective as many users will unknowingly be on a website while a hacker is stealing their information. XSS works as it injects malicious JavaScript into a webpage, this will then run in the browser of users and can then change page content and steal data to send back to the attacker. An example of this would be if you had a website which had a comment section and this comment input form didn't have validation. The attacker can then enter script tags and JavaScript into the input field, which this code would then run in the browser of every user and steal their login cookie. This would allow the attacker to then take control of all the user accounts who viewed the comment. This links in with the validation section previously mentioned as you need to make it vital that users cannot enter active JavaScript content into your webpages.

HTTPS

Despite the fact that HTTPS doesn't stop malware, phishing, spam, attacks on vulnerable sites or other various internet attacks, it is still good at what it does. It wasn't made to stop these sorts of attacks however, just secures the connection between the host and the website. 

The shift towards using HTTPS is great for the internet and Google have been trying to push most sites to use it and sites that don't get pushed go to the bottom of the pile. It works very well at stopping man-in-the-middle attacks as it will make sure the connection between the user and the web server cannot be intercepted and this is why it is widely used for payments, so personal data cannot be stolen.

File uploads

Allowing users to upload files to your website can be a big website security risk, even if it is to change their profile image for their account. The risk being that any file uploaded could contain malicious script which could run at any moment and take the website down. If your website has a file upload section then you need to make sure each upload in treated with great suspicion and validation is required. You cannot rely solely on the file extension to verify that a file is an image as this can be easily faked. Some image formats also allow for a comment section to which malicious code could be entered.

In order to stop this you want to ensure that users are stopped from being able to execute any file they upload. By default web servers won't try and attempt to execute files with image extensions however, they don't completely check the file extension as it has been sent; the below name has gained access through servers multiple times. (image.jpg.php)

The below code shows an example of a .htaccess fie that will only allow access to set files preventing the double extension attack previously mentioned.

deny from all

     <Files ~ "^\w+\.(gif|jpe?g|png)$">

      order deny,allow

     allow from all

     </Files>

Feel as if you've learnt something today?

Hopefully reading this you have picked up some useful points to consider when developing and maintaining websites. If you've any further questions or are in need of a website developing then be sure to contact us using nowthen@steelstudios.co.uk or call on 08712374432. We can discuss further and build to meet your needs!