Due to the recent spate of website exploitations we have decided to compile a list of the most common website vulnerabilities to look out for, and how we at Wubbleyou provide websites which a protected from them.
One of the most common attack vectors with the most devastating results is SQL injection. SQL injection occurs when a malicious user injects code into your website to modify, steal or even erase information stored in your database. SQL injection is easily avoidable but tends to be overlooked or untested, especially in older websites.
SQL Injection Prevention
There are several proven methods employed to prevent this which we will always employ, but the most basic rule is to trust no data received from any user and properly validate all input.
Cross Site Scripting (XSS)
According to Security firm Semantic, XSS accounted for 80% in website vulnerabilities in 2007. XSS is a method employed by malicious users whereby they inject code into your website to complete a range of actions from stealing your clients log in details, to installing malicious software on your user’s computers. Websites that have been exploited by this can be blacklisted and marked by search engines as unsafe; making it paramount this issue is checked for.
Cross Site Scripting (XSS) Prevention
To prevent this it is also necessary to validate all user input and remove any malicious attempts to exploit a vulnerability. Again all websites created by Wubbleyou are screened and methods are put into place to prevent this.
Email Form Header Injection
This vulnerability is a slightly less known one and sometimes overlooked. This occurs when a malicious user attempted to inject data into your website’s email contact form to force it to email many users instead of you. This is exploited to manipulate your website to send large amounts of spam emails. If this is occurring your email address and server may be blacklisted as a known culprit for sending spam.
Email Form Header Injection Prevention
Again the way to prevent this is to screen user input and remove all malicious attempts at exploiting this.
Malicious File Upload and Execution
This can occur anywhere on your website where you allow users to upload files. If they are successful in uploading a malicious file they will be able to gain full control of your website and most likely full access to your database.
Malicious File Upload and Execution Prevention
It is important to validate the firstly the file name and then the true nature of the file before storing it on your website. For example it is fairly easy to disguise a malicious payload as an image file/word document, upload it to your website and execute it later.
Other important aspects
It is important that any information that you want to show one group of users but hide from another is properly secured. For example it must be ensured that a user is properly validated and cannot spoof their way into a protected area or circumvent the security features completely.
Sometimes a lot of trust is placed on the users in your system/company that you employee to run your website and therefore have escalated privileges. It is paramount that each user has their own log in details and that all actions they cause are logged, making every user accountable for what they have done, especially if it was malicious.
Proper error suppression
All errors triggered by a user causing an action accidently or maliciously should be properly handled so as not to give away any information regarding the inner workings of your system.
How can Wubbleyou help me?
At Wubbleyou we employ a strict set of security policies whilst creating every website to ensure that nothing is left untied which will lead to any of the above. If you already have a website which you suspect could be susceptible to one of the above we can also audit and patch an existing website. If you aren’t sure, get in touch and we can even complete a basic assessment free of charge!
If you store user data is very important that sensitive data is secured (such as personal details and credit card numbers). If you are storing your information in plain text and your system is compromised it can be very embarrassing. For this reason we also provide a service whereby we ensure all the important information in your system is heavily encrypted, taking longer than the age of the universe to crack!
Please feel free to contact us if you have any concerns what so ever.