Website security has been a priority for web designers and developers for a long time. Over the Internet's colourful history, many methods and tools have been developed (and some are still under development) to make websites hack-proof, or at least ready for a serious attack.
What drives the motivation to lock down websites is, of course, business. Websites bring in income and leads for a lot of companies.
These companies compete for a market that now lives largely in the digital world, because reaching it there increases their chances of conversion and, in the near future, income.
Other websites prosper mainly by driving traffic and converting clicks into cash. Blogs are a good example: they sell information, which can be turned into tangible products.
Whether you are building an online store, a niche blog, or just a corporate website, protection should always be kept in mind.
As a web designer or developer, you are tasked not only with creating attractive, working web pages but also with keeping them protected from anyone who wants to break in and take advantage of them. You need to put security measures in place to avoid the dreaded situation of being hacked.
There are many ways to hack a website, so many different measures are needed to prevent them. There is no single fool-proof way to keep attackers out; the best you can do is make a break-in so difficult that the attacker gives up and moves on.
In this article you will learn the measures you can take to make your website ready for an attempted breach, and you will read about some of the most common techniques attackers use to compromise a website's security.
Common Hacking Methods
As mentioned, there are various ways of penetrating a website's security. Attackers use them to deface, take over or manipulate the site they are targeting. They are introduced here so that you can apply security measures that prevent and counter them.
SQL Injection
SQL injection is rightly listed as one of the most dangerous attacks against websites and systems. It involves placing SQL fragments into inputs such as login fields or URL parameters. When those inputs are spliced into a database query, the attacker ends up with read or write access to the website's database.
When you enter your username and password in a login form, the values you typed are inserted into an SQL statement. That statement looks up the user in the relevant table and compares the stored credentials with what you entered.
If they match, you are granted access. Otherwise, you cannot log in.
An SQL injection attack happens when an attacker pastes SQL into your website's fields. In the normal case the website would validate the data before using it, but when the input is concatenated straight into the query text, it is no longer treated as data.
If the input contains a single quote (') at the end of a username, the quote closes the string literal in the query, and everything after it is parsed as SQL. A syntax error in the response tells the attacker that the field reaches the database unfiltered.
The attacker may not get into your website with that first query, but error messages and crafted conditions let them learn the database name, tables and key fields. With that information they can submit further SQL through the same fields, read the contents of your database, and often modify it.
How do I defend my site against this?
- Ensure correct data types: cast numeric input to a number before it goes anywhere near a query.
- Use parameterized queries (prepared statements) instead of building SQL by string concatenation; this is the fix that actually removes the vulnerability.
- Permissions: connect with a database account that has only the rights the application needs, so a successful injection cannot drop tables or read other schemas.
- IIS global filtering and ASP.NET request validation (leave it on) add a layer for .NET sites, but they are defence in depth, not a substitute for parameterization.
- Consider using an ORM, which parameterizes queries for you.
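The difference between the vulnerable and the safe login query, as an added example in Python against an in-memory SQLite database. This is illustrative code written for this article, not the original's; the table and the sample user are constructed, and a real application would store a salted password hash rather than the password itself.

```python
import sqlite3


def setup_db():
    """Constructed sample data: one user in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    # Plaintext password only to keep the example short; store a salted hash in real code.
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    return conn


def login_vulnerable(conn, username, password):
    """The pattern the article describes: user input spliced into the SQL text.

    A single quote in the input closes the string literal, so whatever follows
    is parsed as SQL rather than as data.
    """
    sql = (f"SELECT username FROM users "
           f"WHERE username = '{username}' AND password = '{password}'")
    return conn.execute(sql).fetchone() is not None


def login_safe(conn, username, password):
    """Parameterized query: the driver sends the values separately from the SQL
    text, so input can never change the statement's structure."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def probe_single_quote(conn, username):
    """The attacker's first step: append a quote and see whether the database
    complains. A syntax error means the input reaches the SQL parser unfiltered.
    Returns the error text, or None when the query parsed cleanly."""
    try:
        login_vulnerable(conn, username, "x")
    except sqlite3.OperationalError as err:
        return str(err)
    return None


if __name__ == "__main__":
    db = setup_db()
    print("probe with alice':", probe_single_quote(db, "alice'"))
    print("vulnerable, alice' -- :", login_vulnerable(db, "alice' --", "anything"))
    print("safe, same input      :", login_safe(db, "alice' --", "anything"))
```

The `--` in `alice' --` turns the rest of the statement, including the password check, into a comment; the parameterized version receives the same string and simply finds no user with that name.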
Cross Site Scripting (XSS)
Commonly known as XSS, cross-site scripting is one of the more difficult attacks to deal with. Over the years Microsoft, MySpace and Google have all had a hard time with it.
XSS is the use of malicious JavaScript, delivered through a crafted link or stored in the site's own content, that runs in the victim's browser with the vulnerable site's privileges. It is used to take over sessions, hijack ads in apps and steal personal information.
You may recognise this scenario: you accidentally click a strange-looking pop-up, it leads to a site that looks like a messenger app, and a chat window opens with a "Click here" lure.
You click the link and an address with a sketchy, percent-encoded URL appears:
[%63%61%74%69%6f%6e%3d%274%74%70%3a%2f%2f%77%7…]
Decoding the readable part of that string (%63%61%74%69%6f%6e%3d%27 is cation=') shows the tail of a location= assignment: the encoding exists only to hide the script from the reader. At first nothing seems to have happened, but the script has already run in your browser on the vulnerable site. Such links can steal session cookies (unless a cookie is marked HttpOnly, the script can read document.cookie) and from there your account and personal information.
How do I prevent this hack from happening?
- Never insert untrusted data except in allowed locations (never directly inside a script block, an HTML comment, a tag name or an attribute name).
- HTML escape before inserting untrusted data into HTML element content.
- Attribute escape before inserting untrusted data into HTML attributes, and always quote the attribute.
- JavaScript escape before inserting untrusted data into JavaScript data values.
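The escaping rules above, as an added example in Python written for this article (not code from the original or from OWASP; the page template is hypothetical). Each escaper follows the OWASP rule for its context, and the rendering function shows the same untrusted value going into element content, an attribute and a JavaScript string:

```python
def escape_html(untrusted: str) -> str:
    """Rule 1: for HTML element content (<div>HERE</div>)."""
    return (untrusted.replace("&", "&amp;")
                     .replace("<", "&lt;")
                     .replace(">", "&gt;")
                     .replace('"', "&quot;")
                     .replace("'", "&#x27;")
                     .replace("/", "&#x2F;"))


def escape_attr(untrusted: str) -> str:
    """Rule 2: for attribute values (<input value="HERE">).
    Every character that is not an ASCII letter or digit becomes &#xHH;,
    so even an unquoted attribute cannot be broken out of."""
    return "".join(c if c.isascii() and c.isalnum() else f"&#x{ord(c):X};"
                   for c in untrusted)


def escape_js(untrusted: str) -> str:
    """Rule 3: for a JavaScript string literal (var x = 'HERE';).
    Non-alphanumerics become \\xHH (or \\uHHHH for non-Latin-1 characters),
    which also neutralises the </script> closing-tag trick because '<' and
    '/' are encoded, while the value itself is preserved for the script."""
    out = []
    for c in untrusted:
        if c.isascii() and c.isalnum():
            out.append(c)
        elif ord(c) < 0x100:
            out.append(f"\\x{ord(c):02X}")
        else:
            out.append(f"\\u{ord(c):04X}")
    return "".join(out)


def render_profile(display_name: str, bio: str) -> str:
    """Hypothetical template that places untrusted values into three contexts,
    each with the escaper that matches that context."""
    return (
        f"<h1>{escape_html(display_name)}</h1>\n"
        f'<input name="dn" value="{escape_attr(display_name)}">\n'
        f"<script>var bio = '{escape_js(bio)}';</script>"
    )


if __name__ == "__main__":
    # Constructed payloads aimed at each of the three contexts.
    print(render_profile('"><script>alert(1)</script>',
                         "</script><script>alert(1)</script>"))
```

Real applications get this from a templating engine with auto-escaping turned on; the point of writing it out is to see that one escaper does not fit all contexts. HTML entities are not decoded inside a script block, so HTML-escaping there corrupts the data rather than protecting it, and an unquoted attribute is terminated by a space that HTML-escaping leaves untouched.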
Authorization Bypass
Simple as it looks, authorization bypass is very scary. Used against poorly designed apps or CMSs, it can wreak total havoc on your website.
It works like this:
- Find a login page whose access check is implemented only in client-side code.
- View the page source.
- Copy the code into a text editor.
- Delete the JavaScript that performs the "authorization" check, and fix a link or two so the page still points at the real site.
- Save the file.
- Open it in the browser, fill in the form and press Enter.
- Voila. Access, because the server never verified anything itself.
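The defence against that procedure is to make the access decision on the server, from state the client cannot forge. As an added example written for this article (the session store and the request object are constructed stand-ins for a real framework's), here is a handler that trusts a client-supplied flag next to one that checks the server-side session:

```python
from dataclasses import dataclass, field

# Constructed session store: session id -> authenticated user and role.
# In a real application this lives on the server (database, cache, or a signed cookie).
SESSIONS = {
    "s3ss10n-alice": {"user": "alice", "role": "user"},
    "s3ss10n-root": {"user": "root", "role": "admin"},
}


@dataclass
class Request:
    """Minimal stand-in for a framework request object."""
    path: str
    cookies: dict = field(default_factory=dict)
    params: dict = field(default_factory=dict)   # query string or form fields


def admin_page_vulnerable(req: Request) -> int:
    """The flaw behind the bypass: the server honours a flag that the page's
    own JavaScript sets. Anyone can submit is_admin=1 without the script."""
    if req.params.get("is_admin") == "1":
        return 200
    return 403


def admin_page_safe(req: Request) -> int:
    """The decision is made from server-side state only: the session cookie is
    looked up, and the role comes from the store, never from the request."""
    session = SESSIONS.get(req.cookies.get("sid", ""))
    if session is None:
        return 401          # not logged in
    if session["role"] != "admin":
        return 403          # logged in, but not allowed
    return 200


if __name__ == "__main__":
    forged = Request("/admin", params={"is_admin": "1"})
    print("vulnerable handler, forged flag:", admin_page_vulnerable(forged))
    print("safe handler, forged flag      :", admin_page_safe(forged))
    print("safe handler, admin session    :",
          admin_page_safe(Request("/admin", cookies={"sid": "s3ss10n-root"})))
```

Whatever the browser sends, whether a hidden field, a query parameter or a cookie value it chose itself, is an assertion, not a fact; only the lookup on the server side turns it into one.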
How do I know whether my website is vulnerable?
- Do your server processes run as root, Administrator, LOCAL SYSTEM or another privileged account?
- Does your web app connect to the database as SA or another administrative account?
- Can your application reach the database through accounts with more privileges than it needs?
- Do your application server runtimes (the JVM or CLR) run with AllPermission or FullTrust in J2EE and .NET environments?
- Do you rely on application code alone, rather than the platform's own access controls (file permissions, web server directory restrictions), to limit access to web resources?
If the answer to even one of these is yes, you may be vulnerable.
Read more here: OWASP
How can I protect my website?
- Your website's development, test and staging environments should be set up with the lowest possible privilege.
- Make sure the accounts that run the environment have their privileges restricted as far as possible. Your servers should never run processes as Administrator, root, sa, sysman or supervisor.
- Give user accounts only the privileges their tasks require.
- Business user accounts should not have admin rights and vice versa; use different accounts for different tasks.
There are many other types of attack; only the most common have been discussed here. For anything not covered, refer to the following links for more detailed information:
Common Safety Measures to Prevent Hacks
Always Keep Your Plugins and Software Up-to-Date
Nothing pleases an attacker more than an outdated plugin or blogging platform. Outdated software is an easy target because it has known bugs and security holes; fixing them is the main reason updates are released in the first place.
Put it this way: you are using a model of door lock that has been picked a thousand times. Would you expect the next lock-picker to have a hard time with yours?
So heed this advice: update now.
Use Strong Passwords
How many times does this have to be stressed? Using strong passwords is very important. You may not realise it, but attackers are continually trying to crack or steal your passwords.
So, how do we craft an effective password?
Salt Method
The so-called salt method replaces letters or digits with special characters according to a rule of your own. (The name is a misnomer: in cryptography a salt is a random value added to a password before hashing, not a substitution rule.) Be aware that password-cracking tools ship with exactly these substitutions as rules, so a dictionary word with characters swapped is only marginally harder to crack than the plain word; length matters far more. Here is an example rule set:
- Replace all the 'a' with @
- Replace all the 's' with $
- Replace any space with %
- Replace any 'o' with 0
- Replace any 'i' with !
So with this, our sample password, originally 'whoisjohngalt', becomes 'wh0!$j0hng@lt'.
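A toy rule-based cracker, added here as an example (not from the article or any real tool; the wordlist and the target hash are constructed, and SHA-256 stands in for whatever unsalted fast hash a leaked database used), shows why the substitution offers little protection: the rewritten password falls out of the plain dictionary word in a handful of guesses, whereas a phrase of several unrelated words, as the next method suggests, is never produced by the rules at all.

```python
import hashlib

# The article's substitution rule as a translation table
# (a -> @, s -> $, space -> %, o -> 0, i -> !).
SUBSTITUTIONS = str.maketrans({"a": "@", "s": "$", " ": "%", "o": "0", "i": "!"})

# Constructed wordlist; real ones hold tens of millions of entries.
WORDLIST = ["password", "letmein", "dragon", "whoisjohngalt", "sunshine"]

# Hypothetical suffix rule of the kind every cracker ships with.
SUFFIXES = ("", "1", "123", "!", "2024")


def apply_article_rule(word: str) -> str:
    """Exactly the transformation the article recommends."""
    return word.translate(SUBSTITUTIONS)


def candidates(word: str):
    """What a rule-based cracker derives from one dictionary word.
    The article's substitution is just one rule next to the usual ones."""
    forms = [word, word.capitalize(), word.upper()]
    forms += [apply_article_rule(f) for f in forms]
    seen = set()
    for form in forms:
        for suffix in SUFFIXES:
            cand = form + suffix
            if cand not in seen:
                seen.add(cand)
                yield cand


def sha256(s: str) -> str:
    """Stand-in for an unsalted fast hash taken from a leaked database."""
    return hashlib.sha256(s.encode()).hexdigest()


def crack(target_hash: str, wordlist=WORDLIST):
    """Return (password, guesses) when a candidate's hash matches, else (None, guesses)."""
    guesses = 0
    for word in wordlist:
        for cand in candidates(word):
            guesses += 1
            if sha256(cand) == target_hash:
                return cand, guesses
    return None, guesses


if __name__ == "__main__":
    print(crack(sha256("wh0!$j0hng@lt")))          # recovered from 'whoisjohngalt'
    print(crack(sha256("dragon sunshine letmein")))  # three unrelated words: not found
```

Every word yields at most 25 candidates here, so the substituted password costs the attacker about the same as the plain word. Combining several unrelated words multiplies the search space by the wordlist size for each extra word, which is the real source of strength.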
Business Insider's Method
Business Insider recently published a method for creating secure passwords that are still easy to remember. The principle is that a longer password multiplies the number of guesses a computer has to make before it hits the right one.
The basic idea is to build a really long password out of several words that have no obvious connection to you or to each other.
Spence's Method
We at 1stwebdesigner have also developed our own method of creating strong passwords. Here is a video of it:
Use Google's Webmaster Tools
Google now has a way to help keep your website secure. Through Webmaster Tools (now Search Console), you are notified when Google detects malware or other malicious content on your site.
If you fail to remove it, Google's Safe Browsing blacklist kicks in: visitors and search users are warned away from your site until you have cleaned it up and requested a review. The notification includes details of the problem Google detected, which helps you get rid of the malware faster.
Don't Display the WordPress Version Number
Besides keeping your blog platform updated, avoid telling attackers which version of WordPress you run.
This removes one easy cue for picking an exploit against a known hole in your version. It is not a substitute for updating: the version also leaks through readme.html and the ?ver= query strings WordPress appends to its scripts and styles. You can remove the version number from the generator meta tag by adding the following code to your theme's functions.php:
// Return an empty string in place of the <meta name="generator"> tag WordPress prints.
function wpbeginner_remove_version() {
    return '';
}
add_filter('the_generator', 'wpbeginner_remove_version');
Set register_globals to Off
Many WordPress installations have been compromised because this setting was taken for granted. With register_globals on, PHP turns every request parameter into a global variable, which lets an attacker pre-set variables the code expected to initialise itself. Set register_globals = Off in php.ini. It has been off by default since PHP 4.2, was deprecated in 5.3 and removed in 5.4, so on a current PHP version there is nothing to do; if your host still runs an older PHP and has it on, that is itself a reason to move.
Tighten Your .htaccess File's Security
By default your .htaccess is more open than it should be. You can tweak it to protect against URL tricks, injection attempts and other attacks.
There are many ways to tweak .htaccess; here are the most useful ones (remember to back up first):
Order Allow,Deny
Deny from all
Put those two lines in a .htaccess file inside a directory you want to close off, such as wp-admin/, and bots and unwanted visitors are refused access to everything in it (bear in mind that some themes and plugins call wp-admin/admin-ajax.php for ordinary visitors, so test after adding it). To protect a single file such as install.php or error_log instead, wrap the same two lines in a <Files> directive naming that file. On Apache 2.4 the equivalent directive is Require all denied.
Here are a few more rules for your .htaccess file. This is the widely circulated query-string blacklist; extraction had run it onto a single line and stripped the braces around the variables and the angle brackets in two patterns, which are restored below. Note that the conditions are broad: for visitors who are not logged in they also block legitimate URLs such as ?tag= archive links, searches containing "select", "union" or "request", and any query string containing http:. Test your site after adding it.
RewriteEngine On
RewriteBase /
# Refuse request methods a blog never needs. HEAD is used by monitoring tools
# and caches, so consider dropping it from this list.
RewriteCond %{REQUEST_METHOD} ^(HEAD|TRACE|DELETE|TRACK) [NC]
RewriteRule ^(.*)$ - [F,L]
# Query-string blacklist; the last condition exempts logged-in WordPress users.
RewriteCond %{QUERY_STRING} \.\.\/ [NC,OR]
RewriteCond %{QUERY_STRING} boot\.ini [NC,OR]
RewriteCond %{QUERY_STRING} tag\= [NC,OR]
RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
RewriteCond %{QUERY_STRING} http\: [NC,OR]
RewriteCond %{QUERY_STRING} https\: [NC,OR]
# Angle brackets in the next two patterns restored; extraction had removed them.
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|%3D) [NC,OR]
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)|<|>|ê|"|;|\?|\*|=$).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*("|'|<|>|\|{||).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(%24&x).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(%0|%A|%B|%C|%D|%E|%F|127\.0).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(globals|encode|localhost|loopback).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(request|select|insert|union|declare).* [NC]
RewriteCond %{HTTP_COOKIE} !^.*wordpress_logged_in_.*$
RewriteRule ^(.*)$ - [F,L]
Source: RoalCoal
My Website Has Been Hacked. What Should I Do?
Say it is too late and you have already been hacked. What now?
Don't start banging your head against the wall yet. Smashing Magazine has a thorough article on recovering a hacked site. Read it.
Conclusion
Being hacked is a headache. You watch your efforts crumble like a tower made of pastry. But an ounce of prevention is always better than a pound of cure, so while everything is still fine, fix what needs fixing before it all goes wrong.
Is My Website Ready for Some Serious Hacks?