Whether you’re a developer, website owner, or user, you should be aware of Website Security and Security Issues. Unfortunately, websites are prone to security risks and there is no such thing as a 100% secure site, with new vulnerabilities found all the time. Here are a five common website security vulnerabilities, and tips on how they can be prevented.
-
Cross-site Scripting / XSS
What it is: Cross-site Scripting, or XSS, is when an attacker tries to inject code, commonly JavaScript, into a website. The malicious code is then run to attack your site by gaining access or gathering secure information from visitors on your website.
You should: Ensure information being passed around on your website is validated and escaped. Escaping tells the browser that what you’re sending it should be interpreted and treated as data rather than anything else, this is done by stripping out any HTML or escaping any special characters. A lot of frameworks have this functionality built in, so ensure you’re utilizing it! -
SQL Injection / SQLi
What it is: This is a code injection technique which allows hackers to insert malicious SQL statements. It can typically be exploited through forms, where the form input data is not filtered or validated. It allows hackers to expose data or bypass access mechanisms.
You should: Use prepared statements which many languages offer, such as the PHP PDO class. This allows you to define sections of a query so no other information or actions are accepted and injected into your database. Validating information you’re getting from a form as soon as you get it will also help against this. -
Cross-site Request Forgery / CSRF
What it is: CSRF is when a site is exploited using malicious code from another site. For example, if a user is logged into their bank account and, while still logged in, they start browsing the internet and click a link to a site that has malicious code, that site sends a request to the bank website and executes unwanted actions. Of course we expect our bank to have a lot of security on their site; however, any site with sensitive information, such as user information, needs to be protected.
You should: Use tokens, or hidden input fields on forms with random encrypted strings to help prevent this. As a user, you can prevent this yourself by logging out of websites once you’ve finished using them and being conscious of the websites you’re visiting. -
Authentication and Authorization
What it is: Sites often lock down information that is only visible to logged in users or specific membership levels. Unless it is locked down correctly, it may still be accessible by people who don’t have the correct permissions to access the page, information, or downloadable documents. We often lock down areas as they contain functionality or information we don’t want shared, if these areas are accessible without the correct authentication and authorization steps, this information can be taken or the unauthorized access could be used in a malicious way.
You should: Validate the actions of users, ensure they are only accessing areas and files they’re allowed to. Ensure any uploads are the expected filetypes, by looking at more than just the given extension. Also avoid storing information on your site or in your database that would allow a hacker to gain access to a users personal information, such as storing or allowing for password hints. -
Using Known Vulnerable Components
What it is: Software is continuously updated to not only improve functionality, but also to fix any bugs or vulnerabilities. If you’re still using an older version of software, known vulnerabilities can be exploited very easily as this information is often published online and in updated documentation. When a vulnerability becomes known, hackers are quick to try and exploit them.
You should: Ensure you keep all software up to date, whether it is a site like WordPress and any plugins you have installed, or the server hosting your website (hosting providers should take care of this).
There are several prevention methods that can be implemented by a website developer to protect your site, and even more resources documenting these online. For more information about online security and additional vulnerabilities you can visit oWasp.
– Emily Fox
