You may feel that your website will never be hacked but you cannot be completely sure, as continually new vulnerabilities are identified by security researches that makes web application vulnerable even for the smallest reasons. All you can do to keep your website safe, is follow all the security protocols required to keep hackers and malicious users away from using web applications. Websites are breached not only to steal important data, but also to use your web application as an email relay for spam, usually to serve resources used in illegal work. In order to hack a website, known website security issues are exploited through automated scripts.
Here are our top 10 tips to secure your web applications:
1. Update your CMS: Ensuring that your software status is up-to-date is important to keep your site secure. This applies to the server operating system as well as any software that may be running on your website, such as forum or CMS. Hackers are quick to find loopholes in the security of a website. You don’t have to worry about applying security updates while using managed hosting solutions, as the hosting company will take care of the operating system.
Security patches should be applied if you are using third-party software on your website. Website security issues are highlighted by most vendors through RSS feed or a mailing list detailing all security concerns. While logging-in, many CMSes such as Umbraco and WordPress, notify you with system updates. You should also keep updating your plugins and modules.
2. Protection against SQL Injection: These attacks are when URL parameter or web form field is used by attackers, to manipulate or gain access to your database. You should be careful while using standard Transact SQL, as it is easy to insert a rogue code that could be used to get information, change tables and delete data. It can be prevented easily by using parameterised queries, which is easily available in most web languages.
4. Client and server side validation: Validation should always be done by both the browser as well as the server. When text is entered into a numbers only field or if the mandatory fields are empty, these failures can be caught by the browser. Even though they can be bypassed, you should make sure that these validations as well as deeper validations are checked from the server side, failing which a scripting code or a malicious code can be inserted into the database, which can cause undesirable results on your website.
5. Check file upload functionality very carefully: Allowing users to upload files on your website can be a big security risk. Any file which is uploaded could contain scripts, that on execution can completely open up your website. With a file upload form, all files need to be treated with great suspicion. If users are allowed to upload images, you cannot rely on the mime type or file extension, to verify that the file is an image. Even opening the file to read the header or checking the image size is not a good idea. Comment sections on image formats could contain PHP code that can be executed by the server.
All this can be prevented by stopping users from being able to execute any file they upload. Files with image extensions will not be executed by default, by the web servers. But it is also not recommended to rely entirely on checking the file extension, as files with name image.jpg.php are common to get through.
The suggested solution for this problem is to prevent direct access to uploaded files. This way, all files uploaded to your website are stored in the database as a blob or are stored in a folder outside of the webroot. You need to create a script, to fetch the files from the private folder and deliver them to the browser, if the files are not directly accessible to you. Your src attribute can point to your file delivery script as image tags support src attributes that are not a direct URL to an image.
6. Use SSL: SSL is a protocol which provides security over the internet. Using security certificate is a good idea whenever personal information is passed between the web server and the website or database. If the communication medium is not secure, attackers can find this information and can use it to gain access to personal data or user accounts.
7. Disable directory listing: Your visitors can find directory listing of all the files, if you create a new folder or directory on your website and do not put an “index.html” file in it. For example, if a folder called “incoming” is created, you will be able to see everything in the directory by simply typing “http://www.example.com/incoming/”. To improve security, you should leave the directory browsing disabled unless there is a particular reason to enable it. If you are enabling directory browsing, you should make sure that you enable it on a specific directory, that you want to share.
8. Brute Force Protection: Brute force attack is a password guessing attack and it is a common threat faced by web developers. In a brute-force attack the password is discovered by systematically trying every combination of numbers, symbols and letters, until the correct combination is found. Websites which require user authentication is an easy target for a brute-force attack. The best way to block a brute-force attack is to simply lock out accounts, after a certain number of incorrect password attempts. These lockouts can last for a certain amount of time, or it can remain locked till it is unlocked by an administrator. But locking accounts is not always a good solution, as constant attacks would mean constantly locking and trying to unlock customer accounts.
Another solution would be to inject random pauses while checking a password, since the success of this attack is dependent on time. Adding pauses for a few seconds will slow a brute-force attack, but it will not affect a legitimate user, if they are trying to log into their account. Locking out the IP address, with multiple failed log-ins, is another solution to this problem.
9. Proper Session Implementation: Session management includes aspects such as managing active sessions and handling user authentication. Even solid authentication mechanisms can be crippled by improper credential management functions, which include password change, remember my password, forget my password, account updates, etc. All account management functions should have re-authentication with valid session id, as “walk by” attacks are frequent. There are stronger methods of authentication available commercially, including hardware and software based cryptographic bio-metrics or tokens, but most web applications find such mechanisms cost prohibitive.
10. Website security tools: Once you have tried everything you can test your website security with tools such as penetration testing or pen testing. Many commercial as well as free products are available for this purpose. They work in the same way as a hacker and test all known exploits, in order to attempt and compromise the security of your website. These tests present a wealth of potential issues which you can work upon to save your site from future attacks.
Most CMSes have inbuilt website security features, but it is good to have knowledge about the most common security issues, to ensure the safety of your website. Hopefully these tips will help in keeping your website and information safe.