April 29, 2015

5 Common Website Security Vulnerabilities

Posted by Emily Fox

Whether you’re a developer, website owner, or user, you should be aware of website security and its common issues. Unfortunately, websites are prone to security risks and there is no such thing as a 100% secure site, with new vulnerabilities found all the time. Here are five common website security vulnerabilities, and tips on how they can be prevented.

  1. Cross-site Scripting / XSS

    What it is: Cross-site Scripting, or XSS, is when an attacker tries to inject code, commonly JavaScript, into a website. The malicious code is then run to attack your site by gaining access or gathering secure information from visitors on your website.
    You should: Ensure information being passed around on your website is validated and escaped. Escaping tells the browser that what you’re sending it should be interpreted and treated as data rather than anything else; this is done by stripping out any HTML or escaping any special characters. A lot of frameworks have this functionality built in, so ensure you’re utilizing it!
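To make the escaping advice concrete, here is an added Python example (not code from the original post) that renders a constructed visitor comment two ways: pasted straight into the page, and passed through the standard library's html.escape first. The comment text, the template markup and the is_neutralised helper are all constructed for the illustration.

```python
import html

# Constructed sample input: a comment submitted by a visitor that contains markup.
UNTRUSTED_COMMENT = '<script>alert(1)</script> nice post <b>"quoted"</b>'


def render_unsafe(comment: str) -> str:
    """The vulnerable pattern: untrusted text is dropped straight into the HTML,
    so any tags it contains become part of the page and run in the visitor's browser."""
    return f'<p class="comment">{comment}</p>'


def render_escaped(comment: str) -> str:
    """Hardened version: html.escape converts & < > " ' into entities, so the
    browser renders the text literally instead of interpreting it as markup."""
    return f'<p class="comment">{html.escape(comment, quote=True)}</p>'


def render_attribute(value: str) -> str:
    """Escaping is context-dependent: inside a quoted attribute the quote
    characters matter most, which is why quote=True is kept on here too."""
    return f'<input type="text" name="q" value="{html.escape(value, quote=True)}">'


def is_neutralised(rendered: str) -> bool:
    """Sanity check on rendered output: no raw tag delimiters should survive
    outside the template's own fixed markup. Here the fixed markup is the single
    <p ...> ... </p> wrapper, so strip it and inspect what came from the user."""
    inner = rendered.removeprefix('<p class="comment">').removesuffix('</p>')
    return '<' not in inner and '>' not in inner
```

Most template engines (Twig, Jinja2, Blade, React's JSX) do exactly what render_escaped does by default; the risk appears when a developer switches that off with a "raw" or "safe" filter for data that came from a user.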

  2. SQL Injection / SQLi

    What it is: This is a code injection technique which allows hackers to insert malicious SQL statements. It can typically be exploited through forms, where the form input data is not filtered or validated. It allows hackers to expose data or bypass access mechanisms.
    You should: Use prepared statements which many languages offer, such as the PHP PDO class. This allows you to define sections of a query so no other information or actions are accepted and injected into your database. Validating information you’re getting from a form as soon as you get it will also help against this.

  3. Cross-site Request Forgery / CSRF

    What it is: CSRF is when a site is exploited using malicious code from another site. For example, if a user is logged into their bank account and, while still logged in, they start browsing the internet and click a link to a site that has malicious code, that site sends a request to the bank website and executes unwanted actions. Of course we expect our bank to have a lot of security on their site; however, any site with sensitive information, such as user information, needs to be protected.
    You should: Use tokens, or hidden input fields on forms with random encrypted strings to help prevent this. As a user, you can prevent this yourself by logging out of websites once you’ve finished using them and being conscious of the websites you’re visiting.
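Below is an added Python example, not part of the original post, of the token approach: a random value generated per session, emitted as a hidden input, and checked on every state-changing request. The session dictionary, the form dictionary and the handle_transfer endpoint are constructed stand-ins for a real framework's session store and request object.

```python
import hmac
import html
import secrets


def issue_csrf_token(session: dict) -> str:
    """Create a random, unguessable token once per session and keep the server
    copy in the session store. The same value is placed in the form."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def hidden_field(token: str) -> str:
    """The hidden input the post describes, escaped like any other value."""
    return f'<input type="hidden" name="csrf_token" value="{html.escape(token)}">'


def verify_csrf_token(session: dict, submitted) -> bool:
    """A request triggered from another site carries the victim's cookies but
    cannot read the token out of the victim's page, so it cannot supply the
    matching value. compare_digest keeps the comparison constant-time."""
    expected = session.get("csrf_token")
    if not expected or not isinstance(submitted, str):
        return False
    return hmac.compare_digest(expected, submitted)


def handle_transfer(session: dict, form: dict) -> str:
    """Constructed state-changing endpoint: refuse before doing any work."""
    if not verify_csrf_token(session, form.get("csrf_token")):
        return "rejected: missing or invalid CSRF token"
    return f"ok: transferred {form.get('amount')}"
```

Frameworks such as Django, Rails and Laravel ship this mechanism; the common mistake is exempting an endpoint from the check or accepting a state change over GET, where no form token is ever sent.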

  4. Authentication and Authorization

    What it is: Sites often lock down information so that it is only visible to logged in users or specific membership levels. Unless it is locked down correctly, it may still be accessible by people who don’t have the correct permissions to access the page, information, or downloadable documents. We often lock down areas because they contain functionality or information we don’t want shared; if these areas are accessible without the correct authentication and authorization steps, this information can be taken or the unauthorized access could be used in a malicious way.
    You should: Validate the actions of users and ensure they are only accessing areas and files they’re allowed to. Ensure any uploads are the expected filetypes, by looking at more than just the given extension. Also avoid storing information on your site or in your database that would allow a hacker to gain access to a user’s personal information, such as storing or allowing for password hints.
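Two of those recommendations are shown in the added Python example below, which is not code from the original post: a server-side authorization check that runs for every request to a protected resource, and an upload check that compares the claimed extension against the file's leading bytes instead of trusting the name. The role ranking, the resource dictionaries and the set of accepted file types are assumptions made for the illustration.

```python
from typing import Optional

# --- Authorization: decide on the server, on every request --------------------

ROLE_RANK = {"guest": 0, "member": 1, "admin": 2}


def can_access(user: Optional[dict], resource: dict) -> bool:
    """A page or download is allowed only if the requester is logged in and
    either owns the resource or holds at least the role it requires.
    Hiding the link in the menu is not a control; this check is."""
    if user is None:
        return False
    if resource.get("owner") == user["name"]:
        return True
    return ROLE_RANK.get(user["role"], -1) >= ROLE_RANK[resource["min_role"]]


# --- Uploads: look at the bytes, not just the extension -----------------------

# Leading "magic" bytes of the file types this hypothetical site accepts.
MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
}
ALIASES = {"jpeg": "jpg"}


def sniff_type(data: bytes) -> Optional[str]:
    """Return the type implied by the file's first bytes, or None if unknown."""
    for ext, signatures in MAGIC.items():
        if any(data.startswith(sig) for sig in signatures):
            return ext
    return None


def upload_is_acceptable(filename: str, data: bytes) -> bool:
    """Accept only when the extension is on the allow list AND the content
    agrees with it; a renamed file fails the second test."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    ext = ALIASES.get(ext, ext)
    if ext not in MAGIC:
        return False
    return sniff_type(data) == ext
```

Magic-byte checks are a first filter, not a full parser; for images the usual next step is to re-encode the file with an image library so only pixel data survives, and to store uploads outside the web root so nothing uploaded can be executed by the server.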

  5. Using Known Vulnerable Components

    What it is: Software is continuously updated to not only improve functionality, but also to fix any bugs or vulnerabilities. If you’re still using an older version of software, known vulnerabilities can be exploited very easily as this information is often published online and in updated documentation. When a vulnerability becomes known, hackers are quick to try and exploit them.
    You should: Ensure you keep all software up to date, whether it is a site like WordPress and any plugins you have installed, or the server hosting your website (hosting providers should take care of this).

There are several prevention methods that can be implemented by a website developer to protect your site, and even more resources documenting these online. For more information about online security and additional vulnerabilities you can visit OWASP.

– Emily Fox


© 2021 PMG Worldwide, LLC, All Rights Reserved