Understanding Website Security Risks

If you are like most small-business website owners, website security risks are not typically top of mind. Most of us tend to think of hackers and hacking into websites as something we see in a movie, or as something of concern only to governments and large corporations.

Yet the truth is that if you operate a website, there’s a very good chance your site has security vulnerabilities that a hacker could exploit. Website security risks are rarely, if ever, considered by the typical website designer, many of whom carry out their design work using automated tools and applications that require little intimate knowledge of coding and even less knowledge of how to ensure your site is secure.

Since 2002, the Open Web Application Security Project (OWASP) has been publishing its annual top 10 reasons why websites get hacked. Following are the highlights of the OWASP Top 10 for 2010.

Top 10 Website Security Risks

1. Injection Flaws

The top website security risks and vulnerabilities are injection flaws, particularly SQL injection flaws.  According to OWASP, “Injection flaws, such as SQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query”.

By employing injections, a hacker can trick your web application into executing unintended commands or accessing unauthorized data. A successful injection can result in a hacker gaining access to and changing, corrupting or deleting your data, denial of access, or even sometimes lead to complete host takeover.

Injections are considered the top risk because, once identified, they are very easily exploited by a hacker.
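As an added illustration (not part of the original article), the two shapes of the same lookup side by side in Python with sqlite3: the query that pastes untrusted input into the command text, and the parameterized query that keeps data and command apart. The table and the inputs are constructed for the example.

```python
import sqlite3

# Constructed in-memory table standing in for the site's real user database.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (id INTEGER, name TEXT, email TEXT)")
conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                 [(1, "alice", "alice@example.com"), (2, "bob", "bob@example.com")])

def find_user_vulnerable(name):
    """Untrusted input is concatenated into the query text, so the database
    cannot tell where the data ends and the command begins. (A legitimate
    name such as O'Brien breaks this query too, even with no attacker.)"""
    sql = "SELECT id, name FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()

def find_user_safe(name):
    """Parameterized query: the value is handed to the driver separately from
    the command, so whatever it contains is treated as data, never as SQL."""
    sql = "SELECT id, name FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()

# Constructed input that is not a name at all. Concatenated, the query reads
# "... WHERE name = '' OR '1'='1'" and returns every row in the table.
PROBE = "' OR '1'='1"

if __name__ == "__main__":
    print(find_user_vulnerable("alice"), find_user_safe("alice"))  # same row
    print(find_user_vulnerable(PROBE))   # both users leak
    print(find_user_safe(PROBE))         # [] - no user has that literal name
```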

2. Cross Site Scripting (XSS)

While injections are identified as the top risk, by far the most prevalent of website security risks is cross site scripting.

“XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation and escaping.” Cross site scripting can allow hackers to execute scripts in the victim’s browser which can then allow them to hijack user sessions, deface your web site, or redirect your user to another (malicious) web site.
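The "proper escaping" in the OWASP definition, shown as an added Python example that is not from the original article: a comment rendered raw beside the same comment escaped for an HTML element body and a quoted attribute with html.escape. The caveat is that escaping is context-specific; data landing inside a script block or a URL needs a different encoding than the one shown here. The untrusted values are constructed.

```python
import html

def render_comment_vulnerable(author, text):
    """Untrusted data is pasted straight into the page, so any markup in it
    becomes part of the page and runs in every reader's browser."""
    return f'<p class="comment" data-author="{author}">{text}</p>'

def render_comment_safe(author, text):
    """Escape untrusted data for the context it lands in. html.escape turns
    < > & " ' into entities, which neutralises both a tag injected into the
    element body and a quote that would break out of the attribute value."""
    return (f'<p class="comment" data-author="{html.escape(author)}">'
            f'{html.escape(text)}</p>')

# Constructed untrusted input: one value targets the body, one the attribute.
TEXT = "<script>alert('xss')</script>"
AUTHOR = 'x" onmouseover="alert(1)'

if __name__ == "__main__":
    print(render_comment_vulnerable(AUTHOR, TEXT))  # script and handler intact
    print(render_comment_safe(AUTHOR, TEXT))        # inert text in both places
```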

3. Broken Authentication And Session Management

Authentication and session management functions are often not implemented correctly, which allows  a hacker to compromise passwords, keys, session tokens, or exploit other website implementation flaws to assume a real website user’s identity.

Where present, authentication and session management flaws may put all accounts at risk of an attack. Once successful, the hacker can view or do anything the victim is authorized to view or do.

4. Insecure Direct Object References

A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key. Without a proper access control check or other protection, hackers can find and manipulate these references to access unauthorized data.

5. Cross Site Request Forgery (CSRF)

“A CSRF attack forces a logged-on victim’s browser to send a forged HTTP request, including the victim’s session cookie and any other automatically included authentication information, to a vulnerable web application.”   This allows the hacker to force the victim’s browser to generate requests your website application believes are legitimate requests from the victim.
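The standard defence against the attack described above, as an added Python example rather than code from the original article: a synchronizer token bound to the session, placed in a hidden form field, and checked in constant time before any state-changing action. The session store, handler and form field names (csrf_token, to, amount) are assumed for the example.

```python
import hmac
import secrets

# Constructed server-side session store: session id -> per-session data.
SESSIONS = {}

def start_session():
    """Create a session and bind a fresh, unguessable CSRF token to it."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"csrf_token": secrets.token_urlsafe(32)}
    return sid

def csrf_token_for_form(sid):
    """Value to place in a hidden field of every state-changing form. The
    browser attaches the session cookie to any request automatically, but a
    page on another origin cannot read this token to include it."""
    return SESSIONS[sid]["csrf_token"]

def handle_transfer(sid, form):
    """Perform the action only when the submitted token matches the one bound
    to the session; a forged cross-site request carries the cookie but not
    the token. Assumed form fields: csrf_token, to, amount."""
    session = SESSIONS.get(sid)
    if session is None:
        return (401, "no session")
    submitted = form.get("csrf_token", "")
    if not hmac.compare_digest(submitted, session["csrf_token"]):
        return (403, "csrf token missing or wrong")
    return (200, f"transferred {form['amount']} to {form['to']}")
```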

6. Security Misconfiguration

Security misconfigurations often occur beyond simply your website application.  “Good security requires having a secure configuration defined and deployed for the application, frameworks, application server, web server, database server, and platform. All these settings should be defined, implemented, and maintained as many are not shipped with secure defaults. This includes keeping all software up to date, including all code libraries used by the application.”

Indeed, many of these misconfigurations may not even be things you have direct control over; some, for example, are risks arising from your website hosting configuration.

7. Insecure Cryptographic Storage

According to OWASP, “Many web applications do not properly protect sensitive data, such as credit cards, SSNs, and authentication credentials, with appropriate encryption or hashing. Attackers may steal or modify such weakly protected data to conduct identity theft, credit card fraud, or other crimes.”
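For the authentication credentials named in the quote, the difference between weak and appropriate protection, as an added Python example that is not from the original article: an unsalted fast hash beside a salted, slow key derivation with constant-time verification. The iteration count is an assumed work factor; card numbers and SSNs are a different case, since the safest storage for them is usually not to store them at all.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed work factor; raise it as hardware gets faster

def hash_password_weak(password):
    """What insecure cryptographic storage looks like: a fast, unsalted hash.
    Equal passwords give equal hashes, and common ones are reversed at once
    from precomputed tables."""
    return hashlib.md5(password.encode()).hexdigest()

def hash_password(password):
    """Random per-user salt plus a slow key derivation (PBKDF2-HMAC-SHA256).
    Algorithm and parameters are stored with the hash so they can be upgraded
    later without locking out existing accounts."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"

def verify_password(stored, candidate):
    """Re-derive with the stored salt and parameters and compare in constant
    time, so the check leaks no timing information about the stored value."""
    try:
        algo, iters, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False          # malformed record: refuse rather than guess
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)
```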

8. Failure To Restrict URL Access

This is another insidious website security risk that often goes unnoticed. “Many web applications check URL access rights before rendering protected links and buttons. However, applications need to perform similar access control checks each time these pages are accessed, or attackers will be able to forge URLs to access these hidden pages anyway.”
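Risks #4 and #8 share one root cause, a lookup or page load that never asks whether the requester is allowed, so both are covered by one added Python example (not from the original article): an invoice fetched by client-supplied id with and without an ownership check, and a page handler that authorizes on every request instead of merely hiding the link. The records, roles and paths are constructed.

```python
# Constructed sample data standing in for the site's database and user roles.
INVOICES = {101: {"owner": "alice", "total": 120.0},
            102: {"owner": "bob", "total": 75.5}}
ROLES = {"alice": "customer", "bob": "customer", "carol": "admin"}
# Which roles may load each protected page (assumed paths for the example).
PAGE_ROLES = {"/account": {"customer", "admin"}, "/admin/users": {"admin"}}

def get_invoice_vulnerable(user, invoice_id):
    """Risk #4: the record is fetched by the key the client supplied and
    nothing else. Changing the number in the URL reads someone else's data."""
    return (200, INVOICES.get(invoice_id))

def get_invoice_safe(user, invoice_id):
    """Same lookup, but the record is released only if it belongs to the
    authenticated user or the user is an admin."""
    record = INVOICES.get(invoice_id)
    if record is None or (record["owner"] != user and ROLES.get(user) != "admin"):
        # One answer for both "no such invoice" and "not yours", so the
        # response does not confirm which ids exist.
        return (404, None)
    return (200, record)

def serve_page(user, path):
    """Risk #8: authorize on every request for the page itself, not only when
    deciding whether to show a link to it. A hidden link is not access control."""
    allowed = PAGE_ROLES.get(path)
    if allowed is None or ROLES.get(user) not in allowed:
        return (403, "")
    return (200, f"rendered {path} for {user}")
```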

9. Insufficient Transport Layer Protection

“Applications frequently fail to authenticate, encrypt, and protect the confidentiality and integrity of sensitive network traffic.  When they do, they sometimes support weak algorithms, use expired or invalid certificates, or do not use them correctly.”

10. Unvalidated Redirects And Page Forwards

The last of the top 10 website security risks (but by no means the last of the security vulnerabilities that may be present on your website) is unvalidated redirects and page forwards.

“Web applications frequently redirect and forward users to other pages and websites, and use untrusted data to determine the destination pages. Without proper validation, attackers can redirect victims to phishing or malware sites, or use forwards to access unauthorized pages.”
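The "proper validation" the quote calls for, as an added Python example that is not from the original article: a redirect target taken from a request parameter is accepted only if it is a plain local path or an https URL on an allow-listed host, with the lookalike forms that commonly slip past naive checks (protocol-relative, backslash, userinfo and non-http schemes) all falling back to the default page. The host names are assumed.

```python
from urllib.parse import urlsplit

SITE_HOST = "www.example.com"                    # assumed: the site's own host
ALLOWED_HOSTS = {SITE_HOST, "shop.example.com"}  # assumed: trusted partner host
DEFAULT = "/"

def safe_redirect_target(next_param):
    """Return a destination that stays on an allowed host, otherwise the
    default page. Anything not explicitly recognised is refused."""
    if not next_param:
        return DEFAULT
    # Browsers treat a backslash like a forward slash in this position, so
    # normalise first: "/\evil.example" must not pass as a local path.
    candidate = next_param.replace("\\", "/")
    parts = urlsplit(candidate)
    if parts.scheme and parts.scheme not in ("http", "https"):
        return DEFAULT                 # javascript:, data:, vbscript: ...
    if parts.netloc:                   # absolute or protocol-relative URL
        # hostname drops userinfo and port, so "trusted@evil" resolves to evil
        if parts.scheme != "https" or (parts.hostname or "") not in ALLOWED_HOSTS:
            return DEFAULT
        return candidate
    # No host: accept only a plain local path (one leading slash, not two).
    if not candidate.startswith("/") or candidate.startswith("//"):
        return DEFAULT
    return candidate
```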

How to Prevent Website Security Risks

Automated scanning and detection tools can be used to detect a good number of the above web security risks, but it is important to note that no detection software is infallible.  For example, the best way to check for injection vulnerabilities is to perform a complete code review, since automated detectors will not always catch them.  Some XSS vulnerabilities can be caught using detection tools, but complete coverage requires a combination of manual code review and manual penetration testing, in addition to the use of automated detection.

On the other hand, something like an insecure direct object reference is seldom detected using automated tools because they cannot recognize what requires protection or what is safe or unsafe.

Ultimately, while there are a number of safeguard practices that can be put into place, you often won’t know about your website security risks until you’ve been hacked.

That’s where a website security vulnerability/exploit scanning service can help you. Depending on the service, they will systematically attempt to break into your site the way a real hacker would, with the same tools and approach used by the typical hacker.

As a result, you are able to identify vulnerabilities in at least 8 of the 10 top categories identified by OWASP through a combination of automated detection tools and systematic manual site review. (The key exception is #5, cross site request forgery, which such a service will not typically be able to detect.)

All vulnerabilities identified should be documented in the website security risk report provided to you, so that you can get your IT support team focused on making your website more secure.