How to protect website from hackers

Protecting Websites From Hackers


You may not think your site has anything worth being hacked for, but websites are compromised all the time. The majority of website security breaches are not attempts to steal your data or deface your website, but attempts to use your server as an email relay for spam, or to set up a temporary web server, normally to serve files of an illegal nature.

1. Keep software up to date


It may seem obvious, but ensuring you keep all software up to date is vital in keeping your site secure. This applies to both the server operating system and any software you may be running on your website, such as a CMS or forum. When website security holes are found in software, hackers are quick to attempt to abuse them. If you are using a managed hosting solution, then you don’t need to worry so much about applying security updates for the operating system, as the hosting company should take care of this. If you are using third-party software on your website such as a CMS or forum, you should ensure you are quick to apply any security patches. Most vendors have a mailing list or RSS feed detailing any website security issues. WordPress, Umbraco and many other CMSs notify you of available system updates when you log in.


2. SQL Injection


SQL injection attacks are when an attacker uses a web form field or URL parameter to gain access to or manipulate your databases. When you build standard Transact-SQL statements by pasting user input into the query text, it is easy to unknowingly let rogue code into your query that could be used to change tables, read information and delete data. You can easily prevent this by always using parameterized queries; most web languages have this feature and it is easy to implement. Consider this query:

    SELECT * FROM table WHERE column = 'parameter';

If an attacker changed the URL parameter to pass in ' OR '1' = '1, the query would look like this:

    SELECT * FROM table WHERE column = '' OR '1' = '1';

Since '1' is always equal to '1', the WHERE clause is true for every row, so the query returns the whole table; the same trick allows the attacker to add an additional query to the end of the SQL statement, which will also be executed.
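The difference between the concatenated query above and a parameterized one, shown as an added example (not code from the original post) using Python's built-in sqlite3 module against a constructed in-memory users table. The ' OR '1' = '1 value from the text returns every row through the concatenated query and nothing through the parameterized one, because a bound parameter is never parsed as SQL:

```python
import sqlite3

# Constructed sample data for the demonstration: not from the original post.
SAMPLE_USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]


def make_db():
    """Build a throwaway in-memory database with two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    # String concatenation: the parameter becomes part of the SQL text, so a
    # quote character inside it changes the structure of the query itself.
    sql = "SELECT username, email FROM users WHERE username = '" + username + "';"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    # Placeholder binding: the driver sends the value separately from the SQL,
    # so whatever the user typed is compared literally against the column.
    sql = "SELECT username, email FROM users WHERE username = ?;"
    return conn.execute(sql, (username,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    payload = "' OR '1' = '1"   # the value used in the post's example
    print(lookup_vulnerable(conn, payload))     # every row: WHERE is always true
    print(lookup_parameterized(conn, payload))  # []: no user is literally named that
    print(lookup_parameterized(conn, "alice"))  # normal lookups still work
```

The parameterized version needs no escaping code of its own; the only change is moving the value out of the SQL string and into the argument tuple.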


3. XSS

Cross-site scripting (XSS) is when an attacker tries to pass JavaScript or other scripting code into a web form so that it runs in the browsers of visitors to your site. When creating a form, always check the data being submitted and encode or strip out any HTML before it is displayed.
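The "encode or strip" advice in working form, as an added example that is not part of the original post. It uses only the Python standard library: html.escape encodes the submitted text so the browser shows it rather than running it, and a small HTMLParser subclass strips tags when you want plain text stored. The sample comment is constructed for the demonstration:

```python
import html
from html.parser import HTMLParser

# Constructed sample submission: what a comment form might receive.
SAMPLE_COMMENT = '<script>alert("xss")</script> Nice post!'


def render_unsafe(comment):
    # Inserts the submitted text into the page as-is, so any markup in it
    # becomes part of the document and any script in it runs for every visitor.
    return '<p class="comment">' + comment + '</p>'


def render_escaped(comment):
    # html.escape turns <, >, &, " and ' into entities, so the text is displayed
    # literally instead of being interpreted as tags or attribute delimiters.
    return '<p class="comment">' + html.escape(comment, quote=True) + '</p>'


class _TextOnly(HTMLParser):
    """Collects only the text nodes of a fragment, dropping every tag."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def handle_data(self, data):
        self.parts.append(data)


def strip_tags(comment):
    # Removes markup from the submitted text. Stripping on input is a useful
    # extra, but the output should still be escaped when rendered.
    parser = _TextOnly()
    parser.feed(comment)
    parser.close()
    return "".join(parser.parts)


if __name__ == "__main__":
    print(render_unsafe(SAMPLE_COMMENT))    # script tag lands in the page intact
    print(render_escaped(SAMPLE_COMMENT))   # &lt;script&gt;... is shown as text
    print(render_escaped(strip_tags(SAMPLE_COMMENT)))
```

Escaping at the point of output is the part that actually prevents the script from running; stripping alone is easy to get wrong, which is why the example applies both.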


4. Error Messages


Be careful with how much information you give away in your error messages. For example, if you have a login form on your website, you should think about the language you use to communicate failure when attempting logins. You should use generic messages like “Incorrect username and password” so as not to reveal when a user got half of the query right. If an attacker tries a brute force attack to get a username and password and the error message gives away when one of the fields is incorrect, then the attacker knows he has one of the fields and can concentrate on the other. Keep your error messages vague.
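A login check written both ways, as an added example (not code from the original post). The verbose version tells the caller which half was wrong; the generic version returns the same message for an unknown username and a wrong password, and runs the password hash even when the user does not exist so that response time does not reveal the difference either. The user store, password and message text are constructed for the demonstration:

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # PBKDF2 work factor; an assumption for this example


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


# Constructed user store with a single account.
_SALT, _DIGEST = hash_password("correct horse battery staple")
USERS = {"alice": (_SALT, _DIGEST)}

# Dummy credentials hashed for unknown usernames so both paths do equal work.
DUMMY_SALT, DUMMY_DIGEST = hash_password("not-a-real-password")

GENERIC_FAILURE = "Incorrect username or password"


def login_verbose(username, password):
    """Leaks which field was wrong: the pattern the post warns against."""
    record = USERS.get(username)
    if record is None:
        return False, "Unknown username"
    salt, digest = record
    if not hmac.compare_digest(hash_password(password, salt)[1], digest):
        return False, "Incorrect password"
    return True, "OK"


def login_generic(username, password):
    """Same message whichever check fails, and the same amount of work."""
    salt, digest = USERS.get(username, (DUMMY_SALT, DUMMY_DIGEST))
    # compare_digest is constant-time; the username check comes last so the
    # hash is always computed, even for a name that is not in the store.
    matched = hmac.compare_digest(hash_password(password, salt)[1], digest)
    ok = matched and username in USERS
    return ok, ("OK" if ok else GENERIC_FAILURE)


if __name__ == "__main__":
    print(login_verbose("nobody", "x"))    # (False, 'Unknown username')
    print(login_verbose("alice", "wrong")) # (False, 'Incorrect password')
    print(login_generic("nobody", "x"))    # (False, 'Incorrect username or password')
    print(login_generic("alice", "wrong")) # (False, 'Incorrect username or password')
```

The detailed reason can still be written to a server-side log for your own troubleshooting; the point is that the client only ever sees the generic message.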


5. Server side Validation/ form validation

Validation should always be done both on the browser and on the server side. The browser can catch simple failures like mandatory fields that are empty, or text entered into a numbers-only field. These checks can, however, be bypassed, so you should make sure you repeat them, and perform deeper validation, on the server side. Failing to do so could lead to malicious code or scripting code being inserted into the database, or could cause undesirable results on your website.
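Server-side validation of a small form, as an added example that is not part of the original post. It repeats what the browser would have checked (required fields, a numbers-only field) and goes deeper (length limits, an email shape check, a numeric range), returning cleaned values and a per-field error map so nothing unexpected reaches the database. The field names and sample submissions are constructed for the demonstration:

```python
import re

# Constructed sample submissions: one valid, one that a tampered browser might send.
SAMPLE_GOOD = {"name": "Alice", "email": "alice@example.com", "quantity": "3"}
SAMPLE_BAD = {"name": "   ", "email": "not-an-email", "quantity": "3; DROP TABLE orders"}

EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")  # basic shape check, not full RFC 5322


def validate_order_form(form):
    """Validate a submitted form dict. Returns (cleaned_values, errors)."""
    errors = {}
    cleaned = {}

    # Mandatory text field: present, non-empty after trimming, bounded length.
    name = (form.get("name") or "").strip()
    if not name:
        errors["name"] = "required"
    elif len(name) > 100:
        errors["name"] = "too long"
    else:
        cleaned["name"] = name

    # Email: the browser's type="email" is advisory; check the shape here too.
    email = (form.get("email") or "").strip()
    if not EMAIL_RE.fullmatch(email):
        errors["email"] = "invalid"
    else:
        cleaned["email"] = email

    # Numbers-only field: parse it yourself and range-check the result rather
    # than trusting type="number" in the form.
    qty_raw = (form.get("quantity") or "").strip()
    if not re.fullmatch(r"\d{1,4}", qty_raw):
        errors["quantity"] = "must be a whole number"
    else:
        qty = int(qty_raw)
        if not 1 <= qty <= 1000:
            errors["quantity"] = "out of range"
        else:
            cleaned["quantity"] = qty

    return cleaned, errors


if __name__ == "__main__":
    print(validate_order_form(SAMPLE_GOOD))  # all fields accepted, no errors
    print(validate_order_form(SAMPLE_BAD))   # three errors, nothing accepted
```

Only the cleaned dictionary should be used after this point; rejecting the whole submission when errors is non-empty keeps half-validated data out of the database.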


6. Website security tools


Once you think you have done all you can, then it’s time to test your website security. The most effective way of doing this is via the use of website security tools, a process often referred to as penetration testing, or pen testing for short.
There are many commercial and free products to assist you with this. They work on a similar basis to the scripts hackers use, in that they test all known exploits and attempt to compromise your site using some of the previously mentioned methods such as SQL injection.
Some free tools that are worth looking at:
- Netsparker (free community edition and trial version available). Good for testing SQL injection and XSS.
- OpenVAS. Claims to be the most advanced open source security scanner. Good for testing known vulnerabilities.


