You’ve spent months building your website and now it’s ready. Great! But wait – have you checked for common security problems that could leave your website vulnerable to a preventable attack? Jason Mayes explains what you should look for before you press the big red ‘launch’ button.
Gone are the days when websites consisted of simple pages. People now expect a dynamic and interactive online experience but all this comes with a number of potential security issues.
This article will alert you to some common mistakes.
1. Handle errors gracefully
When a web developer builds a website, they often need to view detailed error messages to work out why things aren’t working as planned.
This is fine on your private development server, but allowing these detailed messages to be displayed on your live website can be a huge security risk. They could give away important information that an attacker could use to break in to your web server.
Make sure you tidy up all error messages before you launch your site. Any errors that may appear should mean something to the people using your website, without giving away any sensitive information. A good book to help you understand how to do this is 'Defensive design for the web'.
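As an added illustration (not part of the original article), the Python sketch below keeps the full error detail in a server-side log and shows the visitor only a generic message with a reference code. The handler name, the file path in the error and the in-memory log are constructed for the example.

```python
import logging
import traceback
import uuid

# Details go to a server-side log only; this list stands in for a log file.
server_log = []


class ListHandler(logging.Handler):
    def emit(self, record):
        server_log.append(self.format(record))


logger = logging.getLogger("site")
logger.setLevel(logging.ERROR)
logger.addHandler(ListHandler())
logger.propagate = False


def load_profile(user_id):
    """Hypothetical page handler that fails and exposes an internal detail."""
    raise RuntimeError("could not open /srv/app/db/users.sqlite (constructed path)")


def handle_request(handler, *args):
    """Run a handler; on failure, log details privately and return a generic page."""
    try:
        return 200, handler(*args)
    except Exception:
        ref = uuid.uuid4().hex[:8]  # reference the visitor can quote to support
        logger.error("ref=%s %s", ref, traceback.format_exc())
        return 500, f"Sorry, something went wrong. Please try again later (ref {ref})."


if __name__ == "__main__":
    print(handle_request(load_profile, 42))  # what the visitor sees
    print(server_log[-1])                    # what only the site owner sees
```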
2. Use a secure connection to transfer sensitive data
Most people know that when a ‘golden padlock’ appears in their web browser, it indicates that the connection is secure. The secure padlock is generated by a secure sockets layer (SSL) certificate, which you have to install on the server hosting your website. It ensures all traffic sent between your web server and a user’s computer is encrypted to prevent malicious eavesdroppers from reading any sensitive information.
Failure to use SSL could leave you vulnerable to attack and could mean you lose customers due to a lack of trust. People visiting your website over a free wireless network connection are a particular concern: information sent across the network could be read by others, as demonstrated by Firesheep.
3. Say no to injections
Most websites (except very basic ones) have a database at their core containing information about the site, such as its content or details of registered users.
‘SQL injection’ is a method used by attackers to add extra code to a database query. This can allow the attacker to access parts of the database you never intended them to see, and thereby compromise your website. SQL injection can happen when the server hosting your website doesn’t properly check information that is passed to it from the outside world.
Guard against this by using ‘prepared statements’, or a suitable alternative, to separate the data users enter from the actual structure of your database query.
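The difference is easiest to see side by side. The following added example (not from the original article) uses Python's built-in sqlite3 module with a constructed table and constructed input: the first lookup pastes the visitor's text into the query, the second binds it as data through a prepared statement.

```python
import sqlite3


def make_db():
    """In-memory database holding constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, email TEXT)")
    db.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return db


def find_user_unsafe(db, name):
    # Vulnerable: the visitor's input becomes part of the query text itself.
    query = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return db.execute(query).fetchall()


def find_user_safe(db, name):
    # Prepared statement: the query structure is fixed, input is bound as data.
    query = "SELECT name, email FROM users WHERE name = ?"
    return db.execute(query, (name,)).fetchall()


# Constructed input that changes the meaning of the concatenated query.
CRAFTED = "nobody' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print(find_user_unsafe(db, CRAFTED))  # every row comes back
    print(find_user_safe(db, CRAFTED))    # no user has that literal name
```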
On that note, don’t give attackers an easy ride if they do manage to view other fields in your database. For example, never store user passwords in plain text – instead, make sure they are stored as a one way ‘salted hash’ (explained below).
A hash takes a string of data (like a password) and converts it into a unique representation of that string, without giving away what the original string was.
It can be very easy to crack hashed strings by taking common words and working out their hashes in advance.
To make it harder to crack, you add a ’salt’. This is a complex, unique string of characters that you add to any string you wish to hash.
Because the ‘salt’ isn’t based on a dictionary word and only your server knows what it is, it’s much harder to compromise.
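An added example (not from the original article) of the idea in Python. It makes two assumptions that go beyond the text: the salt is a random value generated for each password and stored next to the hash, and the hash is computed with PBKDF2 from the standard library, with an iteration count chosen for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor for this example; tune for your server


def unsalted(password):
    """Plain hash, for contrast: identical passwords give identical hashes."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# A table of common words hashed in advance (constructed word list).
PRECOMPUTED = {unsalted(w): w for w in ["password", "letmein", "qwerty"]}


def lookup(hex_digest):
    """Return the original word if its hash was pre-computed, else None."""
    return PRECOMPUTED.get(hex_digest)


def hash_password(password, salt=None):
    """Return (salt, digest). A fresh random salt is generated per password."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(attempt, salt, expected):
    """Re-hash the attempt with the stored salt and compare in constant time."""
    _, digest = hash_password(attempt, salt)
    return hmac.compare_digest(digest, expected)


if __name__ == "__main__":
    salt, digest = hash_password("letmein")
    print(lookup(unsalted("letmein")))  # found in the pre-computed table
    print(lookup(digest.hex()))         # salted hash is not in the table
    print(verify_password("letmein", salt, digest))
```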
4. Watch data outputs
Take steps to protect your website from cross site scripting (also called XSS) attacks. This technique allows attackers to place malicious JavaScript code on your website, which could potentially read data identifying users of the infected page. This data could then be used by the attacker to impersonate those users and possibly gain access to their accounts.
Twitter suffered an XSS attack in September 2010. The problem spread like wildfire because messages were automatically posted when users moved their mouse over infected tweets.
Research shows that XSS and SQL injection attacks are on the increase and the attacks are becoming more sophisticated and targeted.
As even the big guys can get this wrong, ask your web developer how they guard against XSS attacks.
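One common guard is to escape every visitor-supplied value at the moment it is written into a page. The added example below (not from the original article) renders a comment in Python; the function names, the comment layout and the sample values are constructed for illustration.

```python
import html
from urllib.parse import urlparse


def render_comment_unsafe(author, text, link):
    # Vulnerable: visitor-supplied values are pasted straight into the markup.
    return f'<p><a href="{link}">{author}</a>: {text}</p>'


def safe_link(link):
    """Allow only http/https links; anything else becomes a harmless '#'."""
    return link if urlparse(link).scheme in ("http", "https") else "#"


def render_comment(author, text, link):
    # Escape every value on output; quote=True also escapes " and ',
    # so a value cannot close the href attribute and add its own.
    return '<p><a href="{}">{}</a>: {}</p>'.format(
        html.escape(safe_link(link), quote=True),
        html.escape(author),
        html.escape(text),
    )


# Constructed comment whose fields try to add a script tag and a mouse-over handler.
SAMPLE = {
    "author": "mallory",
    "text": "<script>alert(1)</script>",
    "link": 'http://example.com/" onmouseover="alert(1)',
}

if __name__ == "__main__":
    print(render_comment_unsafe(**SAMPLE))  # markup now contains the visitor's code
    print(render_comment(**SAMPLE))         # same values shown as harmless text
```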
5. Trust no-one
Your web server should never trust information sent to it over the internet. So make sure your website runs checks on the server (this is called ‘server side’) to ensure data isn’t malicious. Remember to consider the less obvious sources of data. These will be the first place a malicious user will try to break in.
These are five of the most common methods used to attack websites. However, there are a number of other devious methods that malicious users may employ, such as cross site request forgery (CSRF) and clickjacking, so it’s important to take a good all-round approach to website security.
After all, your website may be the main way you communicate with your customers. If it fails due to a malicious attack, it can be a costly experience. Even worse, if sensitive data is compromised, both your reputation and business can be irreparably damaged.
When the stakes are so high, always give your web developer time and budget to take proper preventative measures and always keep a safe backup of your entire website. Ensure this is stored away from the server that hosts it – so it cannot be deleted should your web server be compromised.