Web site security

By Jon Fletcher - Managing Director

There’s a certain separation in most people’s minds between the techno-romantic pastime of hacking and that of web site security. These web-savvy, modern-day Robin Hoods with their quirky but engaging need to uncover NASA’s secret alien files seem harmless and intriguing subjects for BBC documentaries, not a threat to your bottom line. The reality is, of course, a little less quirky and a lot more costly, with even ‘benign’ attacks on your system ending up costing you dearly in time and money. Don’t assume that just because your business is about as controversial as a modern spade design conference you are immune to the attention of our IT-literate hacker friends. If you have an audience they can hijack, you are a target!

You will almost certainly have firewalls and network security systems in place (if not, come back to this later; you’ve more important things to be doing), but what of your web site itself? If you have a purely static web site (a site where the pages end with .htm or .html) then there isn’t an issue, and there is not much a hacker can do to get in. If, however, your web presence is, or contains, a web application then security may be an issue. This can become somewhat technical, but stick with it; it’s worth it…

Here are some common vulnerabilities that can be exploited:

SQL Injection

Hackers will attempt to send your server input that manipulates its communications with the database. This is surprisingly easy to do if you know how, and the results can be devastating.

Cross site scripting

Sometimes a site will take information from a user and display it back to them. This can be as simple as displaying their username, or returning a form containing information they have previously filled in. If this information is not first cleaned by the software, it can be possible for hackers to insert small scripts into the page. For instance, an attacker could email you a manipulated link. When you click on this link, it could embed a script within your web site that sends your cookie information to the attacker, allowing them access to the site through your user account.

File upload attacks

Sites that allow file uploads can include all sorts of bugs that allow hackers to attack the site. Sometimes files are uploaded into the web site space, rather than to a secure folder. In the worst cases it is possible to upload scripts into the web space, giving the attacker complete access to the site and database with no restrictions.

File include attacks

Some sites include files from other areas to display content. Sometimes this mechanism can be abused to retrieve other files, for instance configuration files containing database access information, or private users’ files.

Unprotected admin pages

Sometimes a password-protected area on a site may not be completely secure. We have seen admin areas where a page or two have been missed from the secure area. Initially you need to log in, but there may be pages within the protected area that are not secured. By guessing the filenames, which often follow a predictable formula, it can be possible to gain access to private areas without a password.

Password forcing

One of the easiest ways of getting access to a system is to simply guess the password. This sounds near impossible, but hackers will write scripts to try every word in the dictionary until they find one that works.

Naturally, all of the applications that we develop are secure against all of these exploits, and any others we are aware of, but the point of this article is: ‘are yours?’