Maintaining your website involves undertaking activities that ensure the website is functioning and up-to-date. One exercise involved in website maintenance is website security.
For many businesses, practices that deal with website security only become a priority after an attack has occurred. One of the key motivations of website security is the fact that you do not require a big budget to protect your site effectively. All you need to do is put in place an effective approach that will be both proactive and defensive.
To help with that, this article will look at some of the common vulnerabilities of website security and recommended practices of security;
1. Injection Flaws
Injection flaws happen when you pass data that has not been filtered to the SQL server, browser, or LDAP server. That unfiltered data could contain commands injected by an attacker which can lead to;
- Data loss
- Reading of sensitive data
- Possible executions of administration operations on the database
To prevent this from happening, properly filter all inputs. Do this by making use of the framework's filtering capabilities.
2. Inadequate Transport Layer Protection
Applications are continually transmitting information over a network; authentication details, banking information, among others. Without proper protection, this communication can be vulnerable to attackers. The use of expired certificates or weak algorithms often affects transport layer protection.
Ensure your certificate has not expired and is valid and also enforce transfer only over HTTPS.
3. Broken Authentication
For every valid session, the website creates a session ID and cookie. These cookies have sensitive information. When the session ends, and the cookies aren't invalidated, the data remains within the system.
Utilising this vulnerability, someone could gain access and modify or disclose information.
4. Missing function level access control
This is mainly down to authorisation failure. A lot of people assume that since the server generates the user interface, a functionality not made accessible by the server cannot be accessed from that end of the system. However, if there is no means of authentication in place, a user can forge requests and gain access to the withheld server functionalities.
An easy remedy for this is always to have an authorisation done on the server side.
5. Cross Site Scripting (XSS)
Cross-site scripting, also known as XSS, are vulnerabilities that focus on scripts executed on the user's side, allowing an attacker to run the scripts on the user's browser.
They occur when an application sends untrusted data to the browser without validation. Since the browser is not aware of the validity of the script, it will execute it, making it possible for the attacker to either hijack session cookies or even redirect the user to malicious sites.
A solution to this is to avoid returning HTML tags to the client, whitelisting the input fields, or employing input-output encoding.
6. Unvalidated forwards and redirects
If there is a lack of proper validation during page redirecting, an attacker can redirect users to malware websites. The attacker sends a genuine URL but that which has been appended with an encoded URL that could be malicious.
One of the ways to protect your website from this type of vulnerability is to avoid the use of redirects altogether. If they cannot be avoided, opt against involving user parameters when determining destination, or make sure the value supplied is authorised for the client and is valid.
7. Sensitive Data Exposure
This vulnerability seeks to take advantage of inadequate resource protection. When dealing with confidential information and data, it should always be encrypted; when being transmitted through the network and when at rest.
It might be a bit harder protecting the sensitive data while in storage, but there are a few solutions to try. First, lower the exposure; if its data you do not need, then do not keep it. However, if the data stored is necessary, make sure it is encrypted and that the passwords are hashed. Remember not to save the encryption key with the data you're protecting.
8. Insecure Direct Object References
A direct object reference is when an internal file is exposed to a client or user. When this happens, all an attacker will need to do is provide the reference, and if there is no enforcement of authorisation, the attacker will gain access. With this access, an attacker can make modifications that could compromise the entire application.
Some prevention techniques include correctly and consistently performing user authorisation by implementing access control checks. You should also avoid exposing references in URLs. Store data internally, don't rely on data retrieval through CGI parameters.
9. Security Misconfiguration
If security for the application, database, and web server, frameworks and platforms are not properly configured, an attacker can quickly gain unauthorised access to the application's functionality and data.
Misconfiguration can stem from; running outdated software, exposing information about error handling, running services on the machine that aren't needed, among others.
The most effective solution to this is to make sure the architecture in place has good component separation and security.
10. Cross-Site Request Forgery (CSRF)
A cross-site request forgery (CSRF) attack happens when a 3rd party malicious website gets the user's browser to perform an action on site the user has authentication to. The attack makes the browser of a logged-on user to send a forged request to a vulnerable application.
The attacker makes use of the user's access to a particular site, and through this attack, can modify the site the user is logged onto.
A way to prevent cross-site request forgery is by using a hidden form field inaccessible to a 3rd party site, to keep secret tokens. Additionally, verify the hidden field regularly. Put mechanisms like unique request tokens or re-authentication in place and also make the user's presence necessary when handling sensitive processes.
Taking the time to familiarise yourself with common website security threats is a crucial step towards defending your website. Once you are aware of the dangers, put in place measures to help protect you from them; either by making design changes to the site or by installing software that will help keep your data safe.