What issues do 87% of websites have?
Every website is exposed to thousands of attack attempts every day. There is a myth that only large corporate
websites are targeted; the opposite is true. A hacker, or a team of hackers, may enjoy breaking the defences of a
large organisation, but attacks of that kind rarely benefit them financially. It is the low-level bots, viruses and
botnet operators that cause the most trouble for thousands of small and medium websites, because that is where the
financial gain is. They make that gain by using your website as a base, either for future attacks or by manipulating
your protected data for their own use, even if it is only to place unwanted advertisements on the host website.
If you think your website, its users or its content is affected by any of the issues below, then check your website.
Main website security issues
Below is a list of serious errors that web developers know well but fail to guard against, whether because of
contract terms, negligence or deadlines. For a full list of the website security checks we provide, please see the
What We Check For section.
1. Validation of input and output data
This is the main security flaw of all websites, and it leads to almost all of the other problems.
All data used by the website (from users, other servers, other websites and internal systems) must be validated for
type (e.g. numeric, date, string), length or range (e.g. 200 characters maximum, or a positive integer with a
minimum and maximum), syntax (e.g. product codes begin with 2 letters and are followed by 5 digits) and business
rules (e.g. an order can contain at most 20 items, the daily credit limit must not be exceeded). All data written as
output (displayed) needs to be safe to view in a browser, email client or other software, and the integrity of any
data that is returned must be checked. This applies equally to data exchanged through Asynchronous JavaScript and
XML (AJAX) calls, which are easy to overlook because no visible form is involved. A single missing check can allow
attacker-supplied data to be written directly into your database or file system without a hacker being present at
all; a bot does the work. The majority of these attacks result in SQL injection, which is covered in detail because
of its relevance and importance to website security.
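As an added example (not code from this page or from the service it describes), here is how those checks look for a hypothetical order form: type, range, syntax and business-rule validation that rejects bad input with a human-readable reason, followed by a parameterised database lookup so that even data which passed validation is never pasted into SQL text. The product-code format and the 20-item limit come from the text above; the quantity range, the 200-character note field, the product table and its prices are assumptions made up for the example. The page mentions ASP.NET and PHP; Python is used for the added examples only because it is compact, and the technique is the same in any language.

```python
import re
import sqlite3

PRODUCT_CODE = re.compile(r"^[A-Z]{2}[0-9]{5}$")  # syntax rule: 2 letters then 5 digits
MAX_ITEMS = 20        # business rule: at most 20 items per order
MAX_NOTE_LEN = 200    # length rule: 200 characters maximum
QTY_RANGE = (1, 999)  # assumed range for the example


class ValidationError(ValueError):
    """Raised with a human-readable message when input fails a check."""


def validate_order(raw: dict) -> dict:
    """Validate an untrusted order (form or AJAX payload) and return a clean copy.

    Every field is checked for type first, then length/range, then syntax, then
    the business rules; nothing from `raw` is used until it has passed.
    """
    if not isinstance(raw, dict):
        raise ValidationError("order must be an object")
    items = raw.get("items")
    if not isinstance(items, list) or not items:
        raise ValidationError("an order must contain at least one item")
    if len(items) > MAX_ITEMS:
        raise ValidationError(f"an order can contain at most {MAX_ITEMS} items")

    clean_items = []
    for item in items:
        if not isinstance(item, dict):
            raise ValidationError("each item must be an object")
        code = item.get("code")
        # Type before syntax: re.match on a non-string raises TypeError.
        if not isinstance(code, str) or not PRODUCT_CODE.match(code):
            raise ValidationError("product code must be 2 letters followed by 5 digits")
        qty = item.get("qty")
        # bool is a subclass of int in Python, so exclude it explicitly.
        if isinstance(qty, bool) or not isinstance(qty, int) or not QTY_RANGE[0] <= qty <= QTY_RANGE[1]:
            raise ValidationError(f"quantity must be a whole number between {QTY_RANGE[0]} and {QTY_RANGE[1]}")
        clean_items.append({"code": code, "qty": qty})

    note = raw.get("note", "")
    if not isinstance(note, str) or len(note) > MAX_NOTE_LEN:
        raise ValidationError(f"note must be text of at most {MAX_NOTE_LEN} characters")
    return {"items": clean_items, "note": note}


def demo_db() -> sqlite3.Connection:
    """Constructed in-memory product table (codes and prices made up for the example)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (code TEXT PRIMARY KEY, price_pence INTEGER)")
    conn.executemany("INSERT INTO products VALUES (?, ?)",
                     [("AB12345", 1999), ("CD67890", 500)])
    return conn


def lookup_prices(conn: sqlite3.Connection, codes: list) -> dict:
    """Parameterised query: the codes are bound as values, never spliced into SQL text."""
    placeholders = ",".join("?" * len(codes))  # only '?' markers go into the statement
    rows = conn.execute(
        f"SELECT code, price_pence FROM products WHERE code IN ({placeholders})", codes
    ).fetchall()
    return dict(rows)


def process_order(raw: dict) -> dict:
    """Validate, then price the order; returns the total and the item count."""
    clean = validate_order(raw)
    conn = demo_db()
    codes = [item["code"] for item in clean["items"]]
    prices = lookup_prices(conn, codes)
    unknown = [c for c in codes if c not in prices]
    if unknown:
        raise ValidationError(f"unknown product code(s): {', '.join(unknown)}")
    total = sum(prices[item["code"]] * item["qty"] for item in clean["items"])
    return {"total_pence": total, "items": len(clean["items"])}
```

Two design points are worth noting. A value such as `AB12345' OR '1'='1` never reaches the database because it fails the syntax check, but the parameterised `IN (?,?)` query would still be safe if it did; validation and parameterisation are separate layers, and you want both. Type checks come first because a regex or a comparison applied to the wrong type raises an exception rather than a clean rejection, which is exactly the kind of unhandled error a bot probes for.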
2. Cross-site scripting (XSS)
Cross-site scripting (also known as XSS) occurs when a web application accepts malicious data from a user
and echoes it back into a page. The data is usually delivered in the form of a hyperlink that contains the
malicious content. The victim will most likely click on the link from another website, an instant message,
a web forum or an email message. Usually the attacker encodes the malicious portion of the link in hex
(URL encoding) or another encoding so the request looks less suspicious to the user who clicks it. After
the data is received by the web application, it generates an output page for the user containing the
malicious data that was originally sent, presented as if it were valid content from the website, so the
attacker's script runs in the victim's browser with the same access to the site as the victim has.
3. Direct data access (and theft)
If data exists, it can potentially be viewed or extracted. Avoid storing data that you do not need on the
website and its database(s). For example, some data relating to payment cards must never be stored at all
(the card industry's security standards prohibit it), but you should treat all data that is not needed by
your website in the same way. We have 32 security checks for direct data access.
Poorly developed systems may allow access to data through SQL injection or weak system security.
4. Malicious file execution
Uploaded files and other data feeds may be malicious in nature and trigger a chain of events that cripples
the security of your internal system. Never allow user-supplied input to be used in any file name or path
(e.g. URLs or file system references). Uploaded files may also contain a malicious payload, so they should
not be stored in web-accessible locations where the server could serve or execute them. Careful thought
must be given before accepting files at all. Our scanner attempts to upload and execute harmless test files
on your system; the results are non-destructive and are reported in your scan.
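One way to apply those rules to an upload handler, as an added example that is not code from this page or from the service it describes: the client's filename contributes nothing but an extension, the content must match that extension's magic bytes, the stored name is generated by the server, and the file lands in a directory outside the web root with no execute bit. The accepted types, the 5 MiB limit and the sample files are assumptions made up for the example.

```python
import os
import re
import secrets
import tempfile
from pathlib import Path

# Accepted types: extension -> magic-byte prefixes the content must start with.
ALLOWED = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".pdf": (b"%PDF-",),
}
MAX_SIZE = 5 * 1024 * 1024  # assumed limit for the example
STORED_NAME = re.compile(r"^[0-9a-f]{32}\.(png|jpg|pdf)$")

# Constructed sample uploads.
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
PHP_SAMPLE = b"<?php echo 'not an image'; ?>"


class UploadRejected(ValueError):
    """Raised with a human-readable reason when an upload fails a check."""


def store_upload(client_filename: str, data: bytes, storage_root: Path) -> str:
    """Validate an upload and write it under a server-chosen name.

    storage_root must be OUTSIDE the web root, so nothing kept here is ever
    served or executed directly by the web server. Returns the opaque name a
    database row would record; the client's filename is never a path component.
    """
    if len(data) > MAX_SIZE:
        raise UploadRejected("file is larger than the 5 MiB limit")

    # Keep only the last segment of the client name, splitting on '/' and '\',
    # so "../../etc/passwd" or "..\\..\\web.config" cannot steer the path.
    basename = re.split(r"[\\/]", client_filename)[-1]
    ext = os.path.splitext(basename)[1].lower()
    if ext not in ALLOWED:
        raise UploadRejected("only PNG, JPG and PDF files are accepted")

    # The extension is a claim; the content has to back it up. "shell.php.png"
    # passes the extension test, but PHP source does not start with a PNG header.
    if not data.startswith(ALLOWED[ext]):
        raise UploadRejected("file content does not match its extension")

    stored_name = secrets.token_hex(16) + ext  # unguessable, no user-controlled characters
    root = storage_root.resolve()
    dest = (root / stored_name).resolve()
    if dest.parent != root:  # cannot trigger with token_hex; guards against future edits
        raise UploadRejected("invalid storage path")
    dest.write_bytes(data)
    os.chmod(dest, 0o600)  # a data file, never executable
    return stored_name


def make_storage_root() -> Path:
    """Fresh temporary directory standing in for the out-of-web-root store."""
    return Path(tempfile.mkdtemp(prefix="uploads-"))


def stored_files(storage_root: Path) -> list:
    """Names currently in the store (for inspection)."""
    return sorted(p.name for p in storage_root.iterdir())
```

Serving a stored file back to users then goes through application code that looks the opaque name up, checks the requester's permission and sends the bytes with a fixed `Content-Type`; the web server never gets a chance to interpret the file as a script.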
5. Authentication and session management
Websites rely on identifying users in order to grant permissions to data and functions; this is true for an
eCommerce website right down to a simple email subscription service. These systems all record and grant access
to content and data depending on the permissions of the user account. Session identifiers and account data must
be protected throughout each session (transmitted only over encrypted connections) and must not be cached where
other web users can see and reuse them. We provide a manual check of these areas by one of our technicians.
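The session handling the paragraph asks for, as an added example that is not code from this page or from the service it describes: identifiers drawn from the operating system's random generator, stored only as hashes, rotated when the user logs in so a fixated identifier is useless, expired after inactivity, sent in a cookie the browser will only transmit over HTTPS and will not expose to scripts, and accompanied by headers that keep personalised pages out of shared caches. The 30-minute timeout and the cookie name are assumptions made up for the example.

```python
import hashlib
import secrets
import time

SESSION_TTL = 30 * 60  # 30 minutes of inactivity, assumed for the example


def _fingerprint(token: str) -> str:
    # Store only a hash: a leaked session table then does not hand out live sessions,
    # and the lookup compares hashes, so comparison timing reveals nothing about the token.
    return hashlib.sha256(token.encode()).hexdigest()


class SessionStore:
    def __init__(self, now=time.time):
        self._now = now            # injectable clock so expiry can be tested
        self._sessions = {}        # sha256(token) -> {"user": ..., "expires": ...}

    def create(self, user_id=None) -> str:
        """Issue a new identifier (user_id None = anonymous, pre-login session)."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, never a counter or a timestamp
        self._sessions[_fingerprint(token)] = {"user": user_id, "expires": self._now() + SESSION_TTL}
        return token

    def lookup(self, presented: str):
        """Return the session bound to a presented token, or None if unknown or expired."""
        fp = _fingerprint(presented)
        entry = self._sessions.get(fp)
        if entry is None:
            return None
        if entry["expires"] <= self._now():
            del self._sessions[fp]  # expired: forget it rather than let it linger
            return None
        entry["expires"] = self._now() + SESSION_TTL  # sliding expiry on activity
        return entry

    def login(self, presented: str, user_id) -> str:
        """Bind a user by ROTATING the identifier, so an attacker who planted
        the pre-login token (session fixation) does not inherit the login."""
        self._sessions.pop(_fingerprint(presented), None)
        return self.create(user_id)

    def logout(self, presented: str) -> None:
        self._sessions.pop(_fingerprint(presented), None)


def session_cookie(token: str) -> str:
    """Set-Cookie value: Secure (HTTPS only), HttpOnly (no script access), SameSite (limits CSRF)."""
    return f"sid={token}; Path=/; Max-Age={SESSION_TTL}; Secure; HttpOnly; SameSite=Lax"


def private_page_headers() -> dict:
    """Keep one user's page out of proxies, shared caches and the next user's back button."""
    return {"Cache-Control": "no-store, private", "Pragma": "no-cache"}
```

The two behaviours most often missing in practice are the rotation in `login` and the `no-store` header: without the first, an attacker who can set a victim's cookie before login owns the account afterwards; without the second, a logged-in page can be served from a shared cache or a shared computer's history to someone else.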
6. System architecture and configuration
The information system architecture model should address the sensitivity
of data identified during the requirements and specification phase of a
website project. This may entail having separate web, application and
database servers or involve clustering, load balancing or virtualisation.
Additional security issues can be created through the way the live
environment is configured. Sufficient and safe logging, monitoring and
alerting facilities need to be built in to allow audit.
7. Phishing
Phishing, where users are conned into believing that some other entity is, or belongs to, your own
organisation (email messages and websites are the most common combination), is best tackled by educating
your users and by using a consistent look and feel for the website, especially for login and input pages.
If the page is secured with SSL (https://), make sure users know that this page should always be served over
https://; then, if it is not, the user will realise that the site most likely does not belong to your
organisation and will leave immediately.
8. Error handling
This relates to point 1 above. If validation is in place on a web page and invalid data is submitted by a user
(or, in this case, a hacker or bot), a human-readable error or warning should be produced that states the problem
and how it can be resolved, without revealing internal details such as stack traces, file paths or database
messages. If this error handling is not in place, the hacker or bot has a loophole into your system. The mechanics
of error handling differ with the language the website runs under (ASP.NET, PHP etc.).
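The distinction the paragraph draws, as an added example that is not code from this page or from the service it describes: a request handler wrapper that answers a failed input check with the user-facing message and a 400, and answers any other failure with a 500 carrying only a reference number, writing the full detail to the log where support can find it. The leaky version beside it shows the common mistake of returning the exception text. The account lookup, its validation rule and the simulated backend fault are constructed for the example.

```python
import logging
import uuid

log = logging.getLogger("example.app")
log.setLevel(logging.INFO)
log.propagate = False
LOG_LINES = []  # captured here for the example; real code ships these to a log server


class _ListHandler(logging.Handler):
    def emit(self, record):
        LOG_LINES.append(self.format(record))  # default formatter appends the traceback, if any


log.addHandler(_ListHandler())


class ValidationError(ValueError):
    """An expected failure of an input check; its message is written for the user."""


def lookup_account(request: dict) -> dict:
    """Constructed page handler: validate, then do the work."""
    acct = request.get("account")
    if not isinstance(acct, str) or not (acct.isdigit() and len(acct) == 8):
        raise ValidationError("account number must be exactly 8 digits, e.g. 12345678")
    if acct == "00000000":  # simulates a backend fault for the example
        raise RuntimeError("connection to db-primary.internal:5432 refused")
    return {"account": acct, "balance_pence": 1000}


def handle_leaky(handler, request: dict):
    """The common mistake: every exception's text goes straight to the client."""
    try:
        return 200, handler(request)
    except Exception as exc:
        return 500, {"error": str(exc)}  # leaks host names, paths, SQL fragments


def handle_safe(handler, request: dict):
    """Tell the user's mistake from our fault; log the detail, return only what helps."""
    try:
        return 200, handler(request)
    except ValidationError as exc:
        # Expected: the user (or a bot) sent bad input. Say what to fix, at info level.
        log.info("rejected input from %s: %s", request.get("client", "?"), exc)
        return 400, {"error": str(exc)}
    except Exception:
        # Unexpected: our bug or outage. Full traceback to the log only,
        # plus a reference so support can find it without exposing it.
        ref = uuid.uuid4().hex
        log.exception("unhandled error ref=%s request=%r", ref, request)
        return 500, {"error": f"Something went wrong on our side. Please try again later "
                              f"and quote reference {ref} if the problem persists."}


def last_log_line() -> str:
    return LOG_LINES[-1] if LOG_LINES else ""
```

The same two-way split exists in every framework (a custom error page plus a catch-all handler in ASP.NET, `set_exception_handler` and `display_errors=Off` in PHP); what matters is that the production configuration never lets the detailed branch reach the browser.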
9. SQL Injection
See SQL Injection.
These are the main areas that affect most websites. Any of these issues can cause the downfall of an
internet business or agency. Sometimes the cost of rebuilding runs into thousands; sometimes, because of
data theft, data deletion or reputation damage, there is no coming back. Check your website