How to Secure a Website

Introduction

Website security is a major challenge these days. The security of user information and data is a big challenge for the web site administrators especially for the sites where online transactions being performed by using the Credit/Debit cards. While creating the website most of the times security is not giving highly considerations which laid the foundation for the hackers to attack and pull the information from the site. Hacking is regularly performed by automated scripts written to exploit known website security issues in software. Here are our top 7 tips to help keep you and your site safe online.

SQL Injection

SQL injection is a common hacking technique used by the hackers to hack the data driven applications. Using SQL injection hackers can easily exploit a security vulnerability in any web site. The attackers uses a web form fields or URL parameters to gain the access of the database and manipulate the database. A SQL query is a request for some action to be performed on a database.

Typically, on a Web form for user authentication, when a user enters their name and password into the text boxes provided for them, those values are inserted into a SELECT query. SQL Injection can be used to change tables, get information and delete data. You can easily prevent this by always using parameterized queries, most web languages have this feature and it is easy to implement.

Example-1

Consider this query:

“SELECT * FROM table WHERE column = ‘” + parameter + “‘;”
If an attacker changed the URL parameter to pass in ‘ or ‘1’=’1 this will cause the query to look like this:

“SELECT * FROM table WHERE column = ” OR ‘1’=’1′;
Since ‘1’ is equal to ‘1’ this will allow the attacker to add an additional query to the end of the SQL statement which will also be executed.

Example-2

SQL Injection Based on Batched SQL Statements

Most databases support batched SQL statement, separated by semicolon.

SELECT * FROM Items; DROP TABLE Vendors

The SQL above will return all rows in the Users table, and then delete the table called Suppliers.

If we had the following server code:

txtUserId = getRequestString(“ItemId”);
txtSQL = “SELECT * FROM Items WHERE ItemId = ” + txtItemId;

And the following input:

Item id:
105; DROP TABLE Suppliers
The code at the server would create a valid SQL statement like this:
Result
SELECT * FROM Users WHERE ItemId = 105; DROP TABLE Vendors

XSS

Cross-site scripting (XSS) is a code injection technique that allows hackers to execute malicious JavaScript code for the users of your site. In this technique the attacker didn’t directly target the user but he exploits the vulnerability in the website and executes the malicious code. The malicious JavaScript appears to be
a part of the website, and the website has thus acted as an unintentional accomplice to the attacker.

The Consequences of Malicious JavaScript

• Cookie theft: The attacker can access the victim’s cookies associated with the website using document.cookie, send them to his own server, and use them to extract sensitive information like session IDs.
• Keylogging: The attacker can register a keyboard event listener using addEventListener and then send all of the user’s keystrokes to his own server, potentially recording sensitive information such as passwords and credit card numbers.
• Phishing
  The attacker can insert a fake login form into the page using DOM manipulation, set the form’s action attribute to target his own server, and then trick the user into submitting sensitive information.

Read the article on how to avoid XSS attack, http://excess-xss.com/

How to Avoid XSS Attack

• Encoding, which escapes the user input so that the browser interprets it only as data, not as code.
• Validation, server side validations must be placed to detect & validate the malicious JavaScript code

Open Source Libraries for Preventing XSS Attacks

• PHP AntiXSS: This is a nice PHP library that can help developers add an extra layer of protection from cross-site scripting vulnerabilities. It automatically detects the encoding of the data that must be filtered. Using of the library is easy. You can read more about it here: https://code.google.com/p/php-antixss
• Xss_clean.php filter: This is a strong XSS filter that cleans various URF encodings and nested exploits. The developer built the function after analyzing the various sources. This coding of the function is available for free from github. See here: https://gist.github.com/mbijon/1098477
• HTML Purifier: This is a standard HTML filtering library written in PHP. It removes all malicious code from the input and protects the website from XSS attack. It is also available as a plug-in for most PHP frameworks.Read more about HTML Purifier here: http://htmlpurifier.org
• Xssprotect: Xssprotect is another nice library that gives developers a way to clean XSS attack vectors. This Library works by creating the HTML tag tree of the webpage. Then it parses the page and matches all tags. After that, it calls the filter interface to filter improper HTML attributes and XSS attacks. This library is written in Java. Read more about this library here: https://code.google.com/p/xssprotect
• XSS HTML Filter: This is another XSS filter for Java. It is a simple single-class utility that can be used to properly sanitize user input against cross-site scripting and malicious HTML code injection.
  Read more about this library here: http://finn-no.github.io/xss-html-filter

Server Side Validation

Validations should be done on the server side also to ensure the security of the application. The hackers can bypass the client side validations easily by using the JavaScript code. If there’s no server side validations applied then hacker might be able to inject the scripting code into the database or could cause undesirable results in your website.

Use Strong Passwords

The passwords should not be simple like “helloWorld” or using the first or last name as part of the password. It is also seen that users tend to set password that also reflects in their personal information. This password policy should be highly discouraged since, it becomes very easier for the hackers to guess the password.

Brute force attacks that try guessing username password combinations have multiplied at alarming rates over the last couple of years with thousands of attacks being detected on a daily basis across the web. Using strong passwords is an effective way to limit if not completely eliminate brute force and dictionary attacks. Make sure your password is a combination of alphanumeric characters, symbols, upper and lower case characters and is at least 12 characters long to prevent brute force attacks.

It is crucial to use strong passwords to your server and website admin area, but equally also important to insist on good password practices for your users to protect the security of their accounts.
The websites should stored the passwords as encrypted values, preferably using a one way hashing algorithm such as SHA or MD5. Using this method means when you are authenticating users you are only ever comparing encrypted values. For extra website security it is a good idea to salt the passwords, using a new salt per password. For password hashing you can see the following article, https://crackstation.net/hashing-security.htm

The best someone can do is a dictionary attack or brute force attack, essentially guessing every combination until it finds a match. When using salted passwords the process of cracking a large number of passwords is even slower as every guess has to be hashed separately for every salt + password which is computationally very expensive.

File uploads

Uploading the files on the server either in the form of documents or images can be a security risk if not handled properly. A lot of sites allow users to upload their pictures or documents. The risk is that any file uploaded, could contain a script that when executed on your server completely opens up your website.

So what can you do to prevent this? Some options are to rename the file on upload to ensure the correct file extension, or to change the file permissions, for example, chmod 0666 so it can’t be executed. If using *nix you could create a .htaccess file (see below) that will only allow access to set files preventing the double extension attack mentioned earlier.

    deny from all
    <Files ~ "^\w+\.(gif|jpe?g|png)$">
    order deny,allow
    allow from all
    </Files>

The following are the few tips for secure file upload

• Allow only authorized users to upload a file. You can add a captcha as well to hinder primitive bots.
• Set the MAX_FILE_SIZE in your upload form, and set the maximum file size and count on the server as well.
• You should check the mime type and content type sent by the hacker. You should create a whitelist of allowed mime types. Allow images only if any other format is not necessary. Any other format is a security threat
• Check the image header
• The files should be stored in a folder outside of the webroot or in the database as a blob.

Switch to HTTPS

Moving your website from HTTP to HTTPS to provide extra security over the internet. HTTPS or Hyper Text Transfer Prot Layer) to your HTTP making your users’ and your own data e ocol Secure, is a secure communications protocol that is used to transfer sensitive information between a website and a web server. Moving your website to the HTTPS protocol essentially means adding an encryption layer of TLS (Transport Layer Security) or SSL (Secure Sockets xtra secure) from hacking attempts.

HTTPS provides authentication of the website and associated web server. Additionally, it provides bidirectional encryption of communications between a client and server, which protects against eavesdropping and tampering with and/or forging the contents of the communication.

The HTTPS is necessary for the websites which have online transactions and sites uses credit card or other sensitive information to process the transaction.

Make Admin Directories/URL Tough to Spot

Hackers can use scripts that scan all the directories on your web server for giveaway names like ‘admin’ or ‘login’ etc. and focus their energies on entering these folders to compromise your website’s security. Most popular CMS’s allow you to rename your admin folders to any name of your choice.

If you are using any CMS like Word Press make sure you have changed the admin folder names. Pick innocuous sounding names for your admin folders that are known only to your webmasters to greatly reduce the possibility of a potential breach. Change the publically access admin URL of your site if you are using any popular CMS.

This is such a basic and easily avoidable hacking scenario, that it’s astonishing how millions of websites still ignore it.

Conclusion

Website Security is a very important aspect which must be taken to consideration. A successful attack on your site not only leads to compromising of users’ data and your own information, it can also lead to a blacklisting of your site by Google and other search providers as your infected site risks spreading malicious content throughout the web. The tips defined in this blog will be very useful to make any site secure. Implement at least these basic steps right away, to avoid being a soft target for malicious hackers.

Blog Post