

7 Ways to Expose Your Website to Hackers

So you want to serve up your website for any hacker to break into. Sure, weirdo…who am I to judge?

Here are 7 things you should not do unless you want your website hacked:

Once again, if you’re a sensible human being you really should never find yourself doing any of these things.

1. Ignore Security Updates

They may be a nuisance, but updates patch up newly discovered bugs in software. Not installing updates and patches makes it a lot easier for hackers to compromise your device or web app. If you want your website hacked, ignore all security patches, plugin updates, and updates for CMS services such as WordPress or Drupal.

2. Use as Many Different Features and Plugins On Your Site As Possible

Plugins introduce many new potential vulnerabilities to your website, similar to how adding more windows makes your submarine less seaworthy. Be sure to load up on file uploaders, video players, ad managers, analytics, and whatever else you can cram in, even if you don’t need any of it.

3. Set a Really Dumb Password

Setting your password as something easy like “123456,” the always-clever “password,” or matching your password to your username saves hackers a lot of time. You can also help by using the same password for your computer, e-mail, FTP access, and Ashley Madison account, so that once one is compromised, all of them are exposed.


4. Mismanage Your Website and Its Contributors

Just let security be someone else’s job, and don’t take any notice. Be sure to give your employees or contributors full admin access to your website, and make sure not to update your passwords after they leave. Sooner or later, something bad will happen.

5. Don’t Put Together a Security Incident Response Plan

No need to prepare for the worst when you’re counting on it. What if your site gets disabled, or deleted, or information is leaked? How do you detect it, how do you respond, and how do you disclose it? Those are questions that should be considered by anyone who doesn’t want to get hacked.

6. Don’t Bother Securing Your Domain With SSL

SSL encrypts communication between a website’s server and a user’s browser, which is especially useful for protecting online transactions and payments. It also thwarts man-in-the-middle attacks, in which a hacker gets between server and browser and can monitor or alter communication. So if you want to endanger your customers’ privacy, forget about HTTPS — HTTP is the way to go!

7. Don’t Use a Web Application Firewall

A web application firewall can protect your site against the worst online threats, including DDoS attacks, SQL injection, and cross-site scripting (XSS), so if you want to make it easier for hackers to overrun your website, the last thing you should do is secure it with a web app firewall like Cloudbric, Imperva, or Cloudflare.


This blog post was originally featured on cloudbric.com. Visit their blog for more insight, news, and accessible information on web threats and trends. If you would like to learn more about Cloudbric’s logic-based WAF service, please contact info@cloudbric.com.


XSS: The Con-Artist

“XSS” is an acronym you hear often in the field of information security. It’s a relatively common attack for both the client and the server. Acronyms can make you think that it’s a bit more hi-tech and complicated than it really is. But at the root of it, XSS is basically a con-artist, waiting for his next ploy.

What is XSS?

Short for Cross Site Scripting, this web vulnerability is a type of injection where the attacker inserts script (oftentimes JavaScript) into a page. Because the script is not sanitized, the browser treats it as part of the page – meaning it executes with the same trust as if the site’s administrator had written it.

There could be a variety of consequences: It could alter the display, modify the browser, or even steal your session cookie and sign in as an administrator, which could give complete control over to a hacker.

But I use the word “could” because there’s a lot of variety and uncertainty when it comes to the XSS vulnerability: what the consequences can be, when they can happen, and to what extent they reach. So let’s make it a bit easier to process.

Think of the XSS vulnerability as a con artist’s latest trick. You never go out looking for a con-artist, but some way or another, they get you right where they want you.

Non-Persistent XSS: the Pickpocket Scam

Pickpocketing is the oldest trick in the book, proven to work time and time again. It’s become a common and simple way for attackers to get their target. The pickpocket may approach you as the “nice stranger” who’s asking for directions on the street. But their hand reaches to take your wallet from your pocket while you’re explaining directions. Though the pickpocket targeted you, when the ordeal is done and your money is gone, it’s as if it never happened.


It’s the same with Non-Persistent XSS, the most common type of XSS. An attacker crafts a link that carries the malicious script in its parameters and aims it at you. You click it, and fall for the trap. But just like with a pickpocket, once the code is injected and you have been fooled, none of what happened is stored on the server. The website simply reflects the script back to your browser, which executes it, and your cookies go to the attacker. Immediacy and the lack of detectability are the highlights of these non-persistent XSS attacks.

Persistent XSS: The ATM Skimmer

On the other side, Persistent XSS is much less common. While it has the potential of causing more significant damage, it can also be found out and remedied quicker. Think of an ATM skimmer. A skimmer is an electronic device that is placed within or outside an ATM. It takes the information that a customer may put into the ATM. The difference? While the skimmer may look the same as the ATM that the customer uses on a daily basis, it is copying all information and relaying it to the con-artist. It’s non-targeted, so everyone who uses the ATM will be affected without discrimination.

Like the ATM skimmer, the website may look the same as it usually does after the malicious script has been injected. It is saved by the server and then displayed on normal pages. All users who are browsing the website will be subject to the XSS, and they will be affected over and over again. In fact, this is why this type of XSS vulnerability is much more dangerous. Damage can be done to a wider breadth of users without anyone knowing that there is anything amiss.

Fortunately, because this type of XSS takes place on a server – if someone is able to spot the unwelcome script, it can be remedied. In the case of the skimmer, perhaps the ATM maintenance crew notices that there is a bar code missing, or a warranty seal that’s in the wrong place. They can take quick and urgent steps to make sure that the skimmer is removed.
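To make the two cases above concrete, here is an added example (not code from the original post, and not Cloudbric’s product code) showing a reflected search page and a stored comment list rendered in plain Node.js, first without and then with output encoding. The function names, the `escapeHtml` helper, and the probe string are assumptions made for this demo; the point it shows is that the fix for both the pickpocket and the skimmer case is the same: encode untrusted data at the moment it is written into HTML.

```javascript
// Added example, not from the original post: the same page rendered two
// ways, to show why unencoded user input is an XSS hole and how output
// encoding closes it. Runs under Node.js with no dependencies.

// HTML-encode the five characters that let text break out of an HTML text
// node or a double-quoted attribute value.
function escapeHtml(str) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(str).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Non-persistent (reflected) case: a search page that echoes the query.
// The vulnerable version pastes the raw parameter straight into the HTML,
// so whatever was in the link is parsed by the browser as markup.
function renderSearchVulnerable(query) {
  return `<h1>Results for: ${query}</h1>`;
}

// Hardened version: the parameter is encoded before it reaches the page,
// so the browser shows it as text instead of executing it.
function renderSearchSafe(query) {
  return `<h1>Results for: ${escapeHtml(query)}</h1>`;
}

// Persistent (stored) case: comments saved server-side and shown to every
// visitor. Encoding at output time protects every reader, regardless of
// what was stored (a missed input filter no longer matters here).
function renderCommentsSafe(comments) {
  return '<ul>' + comments.map((c) => `<li>${escapeHtml(c)}</li>`).join('') + '</ul>';
}

// Demo-only check: does the rendered HTML contain a live (unencoded) tag
// with this name that the template author did not write?
function containsRawTag(html, tagName) {
  return new RegExp(`<${tagName}[\\s>]`, 'i').test(html);
}

// Constructed probe string: the classic harmless canary a scanner sends,
// standing in for whatever an attacker would put in the link or comment.
const probe = '<script>alert(1)</script>';

console.log(renderSearchVulnerable(probe)); // the script tag survives intact
console.log(renderSearchSafe(probe));       // shown as &lt;script&gt;... text
console.log(renderCommentsSafe(['hello', probe]));
```

Note that `escapeHtml` is only correct for HTML text and quoted attribute values; data written into a JavaScript block, a URL, or a CSS context needs the encoding for that context, which is why templating engines that escape by default are preferable to hand-rolled string concatenation.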

XSS Exploits in Real Life

XSS-affected websites can suffer from a variety of issues. Unfortunately, websites with a large number of active users are often affected through both persistent and non-persistent XSS. Recently, a Persistent XSS vulnerability was found on PayPal’s website. This would have allowed for hackers to inject code resulting in a malicious payload, potentially opening up attacks for its 150 million customers. Thankfully, the company was notified of the vulnerability before any negative impact. But of course, there are companies that aren’t so lucky.

Hackers will always find popular websites, big or small, to execute their attacks, so what can you do to protect your website?

  • Source Code Analysis: Source code analysis tools are used to find security flaws by going through source code line by line. Ideally, this tool will be used before the website goes live. This way, problems can be remediated before any issues arise.
  • Vulnerability Scanners: There are security scanners that will identify vulnerabilities like XSS. Although they’re not perfect (because they’re not optimized for your website or application specifically), they can allow you to find the most obvious vulnerabilities to clean up.
  • Web Application Firewall: Web Application Firewalls or WAFs follow rule-sets to detect or block anything suspicious. WAFs will normally prevent attacks such as XSS and SQLi as part of their rule-set. Make sure that your WAF is one that has low false positive rates. That’s it! You’re well on your way to having a safer, cleaner website.
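As an added example of what “follow rule-sets to detect or block anything suspicious” means in practice (this is not code from the original post and not how Cloudbric’s WAF works), here is a tiny WAF-style checker in Node.js run over constructed access-log lines. The log lines, the three rules, and the hypothetical site paths are all assumptions made for the demo; it decodes each query parameter before matching, and it deliberately includes a legitimate search for the text “javascript:void(0)” to show where a naive rule produces the false positives the bullet warns about.

```javascript
// Added example, not from the original post: a minimal signature check of the
// kind a WAF rule-set performs, applied to constructed web-server log lines.
// Runs under Node.js with no dependencies.

// Constructed sample log lines (common log format, hypothetical site).
// Line 2 is an encoded script tag, line 3 an encoded event-handler attribute,
// line 4 a benign search mentioning the word "script", and line 5 a benign
// search for the literal text "javascript:void(0)".
const SAMPLE_LOG = [
  '203.0.113.5 - - [01/Jan/2024:10:00:01 +0000] "GET /search?q=shoes HTTP/1.1" 200 1523',
  '203.0.113.7 - - [01/Jan/2024:10:00:02 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 1601',
  '203.0.113.9 - - [01/Jan/2024:10:00:03 +0000] "GET /search?q=%3Cb+onmouseover%3D1%3E HTTP/1.1" 200 1588',
  '203.0.113.11 - - [01/Jan/2024:10:00:04 +0000] "GET /docs?q=how+to+write+a+script HTTP/1.1" 200 2210',
  '203.0.113.12 - - [01/Jan/2024:10:00:05 +0000] "GET /search?q=javascript:void(0) HTTP/1.1" 200 1500',
];

// Hypothetical rule-set: three common XSS signatures, each with an id so a
// finding can say which rule fired (needed when tuning false positives).
const RULES = [
  { id: 'xss-script-tag', re: /<\s*\/?\s*script\b/i },
  { id: 'xss-js-uri', re: /javascript\s*:/i },
  { id: 'xss-event-handler', re: /<[^>]*\bon[a-z]+\s*=/i },
];

// Parse one common-log-format line into client IP, method, target and status.
function parseLogLine(line) {
  const m = line.match(/^(\S+) \S+ \S+ \[[^\]]+\] "([A-Z]+) (\S+) HTTP\/[\d.]+" (\d{3}) (\d+|-)$/);
  if (!m) return null;
  return { ip: m[1], method: m[2], target: m[3], status: Number(m[4]) };
}

// Split the query string into decoded name/value pairs. Decoding first is
// what makes the rules useful: matched against the raw target, %3Cscript%3E
// would never look like a tag.
function decodeQuery(target) {
  const idx = target.indexOf('?');
  if (idx === -1) return [];
  const decode = (s) => {
    try { return decodeURIComponent(s.replace(/\+/g, ' ')); } catch (e) { return s; }
  };
  return target.slice(idx + 1).split('&').filter(Boolean).map((pair) => {
    const eq = pair.indexOf('=');
    const rawName = eq === -1 ? pair : pair.slice(0, eq);
    const rawValue = eq === -1 ? '' : pair.slice(eq + 1);
    return { name: decode(rawName), value: decode(rawValue) };
  });
}

// Return the ids of every rule whose signature appears in the value.
function matchRules(value) {
  return RULES.filter((r) => r.re.test(value)).map((r) => r.id);
}

// Run the rule-set over all lines; one finding per flagged parameter.
function analyzeLog(lines) {
  const findings = [];
  lines.forEach((line, i) => {
    const req = parseLogLine(line);
    if (!req) return;
    for (const { name, value } of decodeQuery(req.target)) {
      const rules = matchRules(value);
      if (rules.length) findings.push({ line: i + 1, ip: req.ip, param: name, value, rules });
    }
  });
  return findings;
}

for (const f of analyzeLog(SAMPLE_LOG)) {
  console.log(`line ${f.line} ${f.ip} param=${f.param} rules=${f.rules.join(',')}`);
}
```

Line 4 passes because a tag-shaped pattern is required rather than the bare word “script”, but line 5 is flagged even though it is a harmless search term: that is the false-positive problem in miniature, and the usual fix is context (only treat `javascript:` as hostile in parameters that end up in links) rather than loosening the signature until real attacks slip past.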

Which method is the most effective? As I always say, there’s no perfect way to escape any form of web attack. But the best thing you can do is follow the points above like a process. Source code analysis tools will scan for flaws before anything goes live. Vulnerability scanners will then look for further issues as the website is up. A WAF will block the attempts that manage to slip through the cracks. Unfortunately, nothing is foolproof. But risk can always be reduced and controlled.