Any flaw in a website that can be exploited by a hacker is called website vulnerabilities. No doubt, a website uses many security systems for protecting itself from cyber threats. However, many times a hacker still manages to find a security breach to penetrate your website.
Here are some common website vulnerabilities which can lend a helping hand to hackers:
SQL Injection:
It is a kind of code injection attacks. The hacker in a code injection attack inserts a piece of code in a computer program. The execution of the infected program provides him with the access of the computer program or application. As the database of a website contains sensitive information about customers, clients or other users of a web application, in order to walk off with that confidential information, an attacker attempts to gain the access of database using SQL injection.
Broken authentication andsession management:
Incorrect implementation of functionality related to session management and authentication can result in these type of website vulnerabilities. Exploiting this vulnerability, an attacker can thieve session IDs or passwords. The attacker can be an external agent or an authorized user. Both external and internal agents use thieved username and password for posing as an authorized user to access something they are not authorized to access. This vulnerability can exist in a website due to incorrectly built custom authentication and session management schemes by developers. It is important to develop custom authentication and session management schemes correctly and carefully to foil broken authentication and session management. Using complex passwords, limiting the number of login attempts at one time, strengthening password controls, storing passwords in encrypted form, protecting session IDs and there are several other preventive measures which can protect your website from this vulnerability.
Cross Site Scripting (XSS):
Like SQL injection, it is another kind of code injection attack. Basically the malicious code is injected in a website and is executed in a browser. Website using user’s input within output without any validation and encryption are always prone to XSS. In this attack, the browser is targeted indirectly. When the victim visits the infected page , the malicious JavaScript code is delivered to the browser. Once this malicious code is executed, the attacker can access objects like cookies. As session tokens are stored in cookies, the attacker can obtain username and password of the user, steal other data stored in the browser, and even control the browser remotely. For avoiding this type of attack, output based on the input parameters should be encoded, input parameters and output based on input parameters should be filtered for special characters.
Insecure direct object reference:
A website becomes vulnerable to insecure direct object reference when a reference to an internal object. Developers need to pay extra attention as they are often responsible for exposing it. This internal object can be a file, directory, database records and database keys. Attacker exploiting this vulnerability is an authorized user having limited privileges. By changing parameter value directly referring to that object, the user can gain access the object. Most of the times, web applications do not check if the user has the authorization to access that object. Therefore, it is important to enforce access policies to make sure that the user has permission for accessing that object. Proper testing and code analysis is helpful in identifying these flaws in a web application.
Wrong Security Configuration:
Insecure configuration can be a component of a web application and can invite great security threats. An attacker can easily enjoy the privileges of the admin if you stick with the default configurations like using default username and password. Unnecessarily enabled services, scripts, configuration files, sample files etc. can result in misconfiguration at web server, platform, database, application server and other levels of the application stack. Both developers and administrators have to play their parts to ensure the secured configuration of a web application. Users can deploy automatic scanner to detect security holes due to insecure configuration. While developing a website, developers should implement an encryption algorithm to encrypt sensitive data. Moreover, it is essential to conceal track tracers from users. An administrator should avoid usage of default username, password and other default settings.
Cross Site Request Forgery (CSRF):
In this kind of attack, the attacker tricks an authorized user of a website to perform an unwanted action like change password, transfer funds etc and the victim does not even know. In this attack, the authorized user unknowingly sends a malicious request to a trusted website. Consider following example:
- An authorized user logs into a website (say MyBank.com) offering online banking services.
- Now the attacker tricks the user to visit a malicious website.
- The malicious website will send a request to MyBank.com using the victim’s browser. As the user is already active into the MyBank.com, the attacker can perform any transaction by impersonating as the victim.
Including a token in user’s current session is the best preventive measure against CSRF. The system generates a token while creating a user’s session. Furthermore, the system appends the same token with every request sent during that session. After that, the server uses it to make sure that the request is a legitimate request. A token is a long value not easy to guess. However, for additional safety a user should:
- Do not visit any unauthorized websites while being active into a banking or other similar website.
- After the completion of a job, always logout.
- Never save login credentials.
Remote Code Execution:
In remote code execution, an attacker exploits a server vulnerability to execute system level code in the server. By executing this code, the attacker can retrieve or alter the information stored in the server. Most of the times these vulnerabilities exist in the server due to coding errors. It is important to fix all security holes in the server to protect it from remote code execution vulnerability.
Username Enumeration:
This vulnerability exists in applications displaying an error message to tell if the username is valid or not. This helps an attacker in identifying a valid username after log in attempts with different usernames. Moreover, developers always create trivial accounts for testing purpose. Some of the most common username/password combinations developers use are Admin/admin, test/test, etc. However, they often forget to delete these accounts which can be used by attackers.
Apart from the login page, the attacker can also make attempts on registration, change password and forget password page. First of all, you need to delete all these guessable username/password combinations. Consider a login page; an application instead of displaying “username does not exist” and “wrong password”, should display “wrong username/password combination” error. Now, the attacker can never know if the entered username is valid or invalid. Similarly on registration, forget password, and change password, an error message should not reveal a valid username or email address.
Conclusion
Regular updates, tightened access control, network security, installing firewall and security applications, deploying SSL are several ways to protect a website.