A website is a vital part of any modern business. It acts as the shop window for everything an organization does, simultaneously providing functionality, a marketing platform, and the primary method of contact and communication.
However, websites also represent a vulnerability for any enterprise, with a surprisingly large attack surface, and the potential to act as a backdoor into other parts of your company.
For hackers, cyber criminals, and bad actors online, an organization’s website is a target full of potential. On average, websites are attacked 22 times every single day, which adds up to a staggering 8,000 attempted breaches every year. This makes your website one of the biggest potential entry points to your business for bad actors, and means that protecting your website is one of the most important things to do.
What are website vulnerabilities?
The first step towards preventing hackers from exploiting vulnerabilities in your organization’s website is to understand what a website vulnerability actually is.
A website vulnerability is a specific point in a website’s design or configuration that is vulnerable to attack or breach. It could be a weakness in the fundamental design, or a misconfiguration in the base code. A vulnerability provides an access point for cyber criminals to take over functionality and take partial control of your website or even your server.
Most website vulnerabilities are exploited using automated tools: programs designed to scan the internet for hosting platforms with common, easy-to-exploit vulnerabilities.
Once these bots discover a potential vulnerability, hackers can attempt to use it to breach a website’s security defences and steal data, take control of the website or the servers, distribute unwanted content, or spam the organization and its contacts.
What are the most common types of website vulnerabilities?
An injection flaw is a failure to apply proper filters to incoming data from unverified or untrusted sources. It usually arises when unfiltered data is passed on to a SQL server (SQL injection), an LDAP server (LDAP injection), or the browser. Data from untrusted sources should always be filtered and checked, so that malicious input cannot inject errors or unwanted commands into these servers.
Luckily, preventing this type of vulnerability is not hard – all it requires is applying the correct filters and validating every untrusted input against a whitelist. However, the range of ‘untrusted’ sources is extremely wide, and every single input must be filtered.
Broken authentication vulnerabilities cover a range of potential issues that can happen due to a broken authentication process. These issues include URLs leaking the session id in the referrer header, unencrypted passwords both in storage and in transit, easy-to-guess session ids that are simple to hack, the potential for both session fixation AND session hijacking, and HTTP without SSL/TLS security.
Most of these authentication issues occur because organizations attempt to write their own authentication code, which these days is a dreadful idea full of potential problems. The best way to deal with these issues is to use a framework, which should avoid most of the vulnerabilities that come from poorly implemented code.
Cross Site Scripting (XSS)
The solution is quite simple – don’t allow user-supplied HTML tags to be returned to the client unescaped. This protects not only against XSS vulnerabilities but also against HTML injection attacks, which work in a similar way but with plain HTML content rather than script.
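To show what "not returning HTML tags to the client" looks like in practice, here is an added Python example (not from the original article) that renders a user comment with and without escaping, and uses the standard library's HTMLParser to count which tags a browser would actually see in each result. The comment text is a constructed sample.

```python
import html
from html.parser import HTMLParser


def render_comment_unsafe(comment: str) -> str:
    # Vulnerable: user text is placed straight into the page as markup.
    return '<p class="comment">' + comment + "</p>"


def render_comment_safe(comment: str) -> str:
    # Hardened: the HTML metacharacters (& < > " ') are encoded, so the
    # browser displays the text instead of interpreting it as tags.
    return '<p class="comment">' + html.escape(comment, quote=True) + "</p>"


class _TagCollector(HTMLParser):
    """Records every start tag the client-side parser would see."""

    def __init__(self) -> None:
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs) -> None:
        self.tags.append(tag)


def tags_in(fragment: str) -> list:
    """Return the list of start tags present in a rendered fragment."""
    collector = _TagCollector()
    collector.feed(fragment)
    collector.close()
    return collector.tags


if __name__ == "__main__":
    SAMPLE = '<script>alert("x")</script>'  # constructed comment text
    print(tags_in(render_comment_unsafe(SAMPLE)))  # ['p', 'script']
    print(tags_in(render_comment_safe(SAMPLE)))    # ['p']
```

The same escaping step is what template engines do when auto-escaping is on; the point of the check function is that the escaped fragment contains only the markup the page itself wrote.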
Insecure Direct Object References
This vulnerability is caused by trusting that whatever you receive from a known user is genuine, and paying the price for that naivety. A direct object reference is an internal object, such as a file, that is exposed to the user by name. If the reference is not checked against what that user is authorized to see, an attacker can get direct access to the system and take control of areas they should not have access to.
An example: your website code has a download.php module that allows users to download files. If your web developer has omitted authorization from the code that turns the request into a file name, a hacker can use the unprotected code to download any file that the account running this code is allowed to read. This might be archived files or data backups on the server, or even the web application code itself. Another example would be a password reset function – if authorization is not required, hackers can simply modify the valid, user-input URL with something along the lines of ‘admin’ and gain far greater permissions in the website back end.
Dealing with insecure direct object references is as simple as applying proper user authorization across the board, or by storing data centrally and not using CGI parameters to pass it along to users.
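The download.php scenario above, as an added Python example that is not part of the original article: a handler that uses the requested file name directly, beside one that looks the object up inside the authenticated user's own area and refuses anything that resolves outside it. The upload directory, user names and files are constructed in a temporary directory for the demonstration.

```python
import tempfile
from pathlib import Path


def make_store() -> Path:
    """Constructed file tree standing in for the server's upload area."""
    root = Path(tempfile.mkdtemp())
    (root / "uploads" / "alice").mkdir(parents=True)
    (root / "uploads" / "bob").mkdir(parents=True)
    (root / "uploads" / "alice" / "report.txt").write_text("alice's report")
    (root / "uploads" / "bob" / "notes.txt").write_text("bob's notes")
    (root / "backup.sql").write_text("-- constructed backup, never meant for download")
    return root


def download_unsafe(root: Path, requested: str) -> str:
    # Vulnerable: the name from the request selects the file directly, with no
    # check of who is asking or of where the name actually resolves to.
    return (root / "uploads" / requested).read_text()


def download_safe(root: Path, user: str, requested: str) -> str:
    # Hardened: the object is resolved inside the authenticated user's own
    # directory, and the resolved path must still be inside that directory.
    user_dir = (root / "uploads" / user).resolve()
    target = (user_dir / requested).resolve()
    if user_dir not in target.parents or not target.is_file():
        raise PermissionError("not an object this user may access")
    return target.read_text()


def is_denied(root: Path, user: str, requested: str) -> bool:
    """True when the hardened handler refuses the request."""
    try:
        download_safe(root, user, requested)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    store = make_store()
    print(download_safe(store, "alice", "report.txt"))       # alice's report
    print(is_denied(store, "alice", "../bob/notes.txt"))    # True
    print(is_denied(store, "alice", "../../backup.sql"))    # True
```

Resolving both paths before comparing them is what makes the containment check reliable: a name such as "../bob/notes.txt" is syntactically a file name, but its resolved form leaves the user's directory.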
Security misconfiguration is sadly extremely common, probably because of the remarkable range of ways that one can commit configuration errors! Common configuration issues include running the website application with debug enabled in production, enabling directory listing on the server (which exposes privileged data), lack of updates and running out-of-date software and plugins, insecure or unchanged passwords, and revealing stack traces or other error-handling output to bad actors.
Preventing security misconfiguration is tricky, because the people you will be relying on to mitigate vulnerabilities will likely be the ones who misconfigured the protocols in the first place! However, there are a few things that can help, like using automated ‘build-and-deploy’ processes, testing the deployment of security protocols, and even things like post-commit hooks that stop websites from going out with default keys and factory settings built in.
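The "testing the deployment" and "post-commit hook" ideas above amount to an automated check that refuses to ship a configuration with the problems listed. Here is an added Python example of such a check (not from the original article); the setting names, default values and minimum component versions are constructed for the demonstration, and a real hook would compare against the vendors' advisories.

```python
# Constructed lists of values that should never reach production.
DEFAULT_SECRET_KEYS = {"", "secret", "changeme", "default"}
DEFAULT_PASSWORDS = {"", "admin", "password", "changeme"}
# Constructed minimum versions for the components a site runs.
MIN_VERSIONS = {"cms-core": (5, 2, 0), "gallery-plugin": (2, 4, 1)}


def _dotted(version) -> str:
    return ".".join(str(part) for part in version)


def audit_settings(settings: dict) -> list:
    """Return a list of findings; an empty list means the deploy may proceed."""
    findings = []
    if settings.get("debug", False):
        findings.append("debug mode is enabled")
    if settings.get("directory_listing", False):
        findings.append("directory listing is enabled")
    if settings.get("secret_key", "") in DEFAULT_SECRET_KEYS:
        findings.append("secret_key is empty or a default value")
    if settings.get("admin_password", "") in DEFAULT_PASSWORDS:
        findings.append("admin_password is empty or a default value")
    if settings.get("show_stack_traces", False):
        findings.append("stack traces are shown to clients")
    for name, version in settings.get("components", {}).items():
        minimum = MIN_VERSIONS.get(name)
        if minimum is not None and tuple(version) < minimum:
            findings.append(
                f"{name} {_dotted(version)} is below minimum {_dotted(minimum)}"
            )
    return findings


def deploy_allowed(settings: dict) -> bool:
    """What a pre-deploy hook would call: ship only when nothing was found."""
    return not audit_settings(settings)


# Constructed example configurations: the weak one beside the corrected one.
WEAK_PRODUCTION = {
    "debug": True,
    "directory_listing": True,
    "secret_key": "changeme",
    "admin_password": "admin",
    "show_stack_traces": True,
    "components": {"cms-core": (5, 1, 3), "gallery-plugin": (2, 4, 1)},
}
HARDENED_PRODUCTION = {
    "debug": False,
    "directory_listing": False,
    "secret_key": "constructed-long-random-value-for-this-example",
    "admin_password": "constructed-unique-passphrase",
    "show_stack_traces": False,
    "components": {"cms-core": (5, 2, 0), "gallery-plugin": (2, 5, 0)},
}

if __name__ == "__main__":
    for finding in audit_settings(WEAK_PRODUCTION):
        print("FAIL:", finding)
    print("hardened config allowed:", deploy_allowed(HARDENED_PRODUCTION))
```

Running this from a build pipeline rather than by hand is the point: the check does not depend on the person who wrote the configuration remembering to look.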
Sensitive data exposure
Plenty of businesses deal with sensitive data, from financial information and email addresses to log-in details and passwords. It is vitally important to be aware of any and all sensitive data that you manage and/or store, as any data that is stored is potentially at risk.
The ideal for any website is not to store sensitive data at all. All data processed should be encrypted, both in transit and at rest. Financial information (credit card details, crypto, etc.) should never be stored unencrypted, and passwords should always be hashed, never stored in a recoverable form.
When data is in transit, it should travel with HTTPS with a valid certificate and Perfect Forward Secrecy. When storing data your first step should be to store nothing that is not essential. Storing credit card information is a hassle anyway, as it means you will have to be PCI-compliant, so avoiding this is helpful. Encrypt all stored data, and keep the keys separate from the encrypted data!
Missing function level access control
One of the simpler vulnerabilities, missing function level access control is a basic failure of authorization. It occurs when the server exposes a function without performing the correct authorization check. This happens because web developers often assume that functionality the server does not link to is hidden from the user, but hackers can duplicate and fake requests to those functions. As a result, authorization must always be enforced on the server side, regardless of the situation.
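As an added Python example (not from the original article) of enforcing authorization "on the server side, regardless of the situation", here is a decorator that checks the caller's role on every invocation of a function, so that a request forged for an unlinked admin function is refused just like one sent from the admin page. The role names, rank order and the two sample functions are constructed for the demonstration.

```python
import functools

# Constructed role hierarchy: a higher rank satisfies any lower requirement.
ROLE_RANK = {"anonymous": 0, "user": 1, "admin": 2}


class Forbidden(Exception):
    """Raised when the caller lacks the role a function requires."""


def require_role(required: str):
    """Decorator: the check runs server-side on every call, whether or not the
    UI ever showed the caller a link to the function."""

    def decorate(fn):
        @functools.wraps(fn)
        def wrapper(request: dict, *args, **kwargs):
            role = request.get("role", "anonymous")
            if ROLE_RANK.get(role, 0) < ROLE_RANK[required]:
                raise Forbidden(f"{fn.__name__} requires {required!r}, caller is {role!r}")
            return fn(request, *args, **kwargs)

        return wrapper

    return decorate


@require_role("admin")
def delete_user(request: dict, user_id: int) -> str:
    return f"deleted user {user_id}"


@require_role("user")
def view_orders(request: dict) -> str:
    return f"orders for {request['user']}"


def handle(fn, request: dict, *args) -> str:
    """What the request router does: map a refusal to a 403 response."""
    try:
        return fn(request, *args)
    except Forbidden:
        return "403 Forbidden"


if __name__ == "__main__":
    admin = {"user": "alice", "role": "admin"}     # constructed sessions
    member = {"user": "bob", "role": "user"}
    print(handle(delete_user, admin, 7))    # deleted user 7
    print(handle(delete_user, member, 7))   # 403 Forbidden
    print(handle(view_orders, member))      # orders for bob
    print(handle(view_orders, {}))          # 403 Forbidden
```

The check lives next to the function rather than in the page that links to it, which is what makes "hidden" functionality irrelevant to the decision.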
Cross Site Request Forgery (CSRF)
A cross site request forgery is when hackers trick your browser into doing something you did not intend, otherwise known as a confused deputy attack. Using a third party site, bad actors can make your browser send requests to your website that carry your own credentials and permissions, so the site does whatever the hacker wants it to do. This often comes about when you have multiple tabs open – one tab can make your browser use the credentials of another, separate tab open in the same browser.
Because the attack comes from one place but can gain access to somewhere completely different, guarding against CSRFs can be tricky. The best way to do it is to store a secret token in a hidden form field which always requires verification but which third party sites are unable to access.
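The hidden-field token described above, as an added Python example that is not part of the original article: one random token per session, rendered into the form, and compared in constant time on every state-changing request. The session and form dictionaries stand in for whatever a web framework provides and are constructed for the demonstration.

```python
import hmac
import html
import secrets


def issue_csrf_token(session: dict) -> str:
    """One random token per session, generated server-side and kept there."""
    token = session.get("csrf_token")
    if token is None:
        token = secrets.token_urlsafe(32)
        session["csrf_token"] = token
    return token


def hidden_field(session: dict) -> str:
    # Rendered into every state-changing form. A third-party page cannot read
    # it, because the same-origin policy keeps our page content from them.
    return '<input type="hidden" name="csrf_token" value="%s">' % html.escape(
        issue_csrf_token(session)
    )


def is_valid_csrf(session: dict, form: dict) -> bool:
    """True only when the submitted token equals the one in this session."""
    expected = session.get("csrf_token")
    submitted = form.get("csrf_token")
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected, submitted)


def handle_transfer(session: dict, form: dict) -> str:
    """A state-changing handler that verifies the token before acting."""
    if not is_valid_csrf(session, form):
        return "403 Forbidden: missing or invalid CSRF token"
    return "transfer of %s accepted" % form.get("amount")


if __name__ == "__main__":
    session = {}                        # constructed server-side session
    print(hidden_field(session))        # goes into the legitimate form
    genuine = {"csrf_token": session["csrf_token"], "amount": "10"}
    forged = {"amount": "10"}           # a cross-site form cannot include the token
    print(handle_transfer(session, genuine))  # transfer of 10 accepted
    print(handle_transfer(session, forged))   # 403 Forbidden: ...
```

The browser attaches cookies to a cross-site request automatically, which is the whole problem; the token works because it is not a cookie and the attacking page has no way to read it.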
Using components with known vulnerabilities
This is one of the most self-explanatory vulnerabilities in a website, and more an issue of ongoing maintenance than of initial deployment. If you are using components that have pre-existing vulnerabilities or known weak points, then you are opening yourself up to a breach. Convenience might suggest using unverified code or components from unknown sources, but it brings extreme risk with it.
So, before integrating any new components into your website code, do your research. Find out if the plugin you want to use has been discussed, and ensure anything that needs patching is patched. Essentially, the software development phase of your website build does not end with deployment. Every time you add new components or update your website, you must carry out due diligence. Be cautious about components, don’t copy-paste, and keep everything up to date.
Unvalidated redirects and forwards
Unvalidated redirects and forwards occur when your input filters aren’t working properly. Hackers can manipulate seemingly safe URLs so that they redirect users to a malicious site that installs malware. Users see links that look safe but instead take them to an unsafe destination, delete their profile, or carry out other unwanted actions.
This can be prevented by not allowing redirects at all, as they are rarely required. You can also keep a static safe list of valid redirect locations, or validate the user-defined parameter against a whitelist.
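The static safe list and whitelisted parameter above, as an added Python example that is not from the original article: a function that takes the user-supplied "next" parameter and returns either that target or a safe default. The allowed hosts and paths are constructed; a real site would list its own.

```python
from urllib.parse import urlsplit

# Constructed safe lists: the only places this site will send a user.
ALLOWED_HOSTS = {"example.com", "www.example.com"}
ALLOWED_PATHS = {"/", "/account", "/orders"}


def safe_redirect_target(next_param: str, default: str = "/") -> str:
    """Return next_param if it is on the safe list, otherwise the default."""
    if not next_param:
        return default
    parts = urlsplit(next_param)
    if parts.scheme or parts.netloc:
        # Absolute URL, including the scheme-relative "//host/..." form:
        # only https to a listed host passes.
        if parts.scheme == "https" and parts.hostname in ALLOWED_HOSTS:
            return next_param
        return default
    # Relative URL: must be a plain "/path" with no backslash tricks, and the
    # path itself must be on the static list (query string is allowed).
    if not next_param.startswith("/") or "\\" in next_param:
        return default
    if parts.path in ALLOWED_PATHS:
        return next_param
    return default


if __name__ == "__main__":
    # Constructed sample values a login page might receive in ?next=
    for candidate in ["/account?tab=open", "https://example.com/orders",
                      "//other.example/x", "javascript:alert(1)", "/admin"]:
        print(repr(candidate), "->", safe_redirect_target(candidate))
```

Checking the parsed host rather than doing a string prefix match is what stops a target such as a host that merely begins with the allowed name; the parser also catches the scheme-relative form that a naive "starts with /" check would let through.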
What are the main dangers of website cyber attacks?
Website cyber attacks present two main dangers. The first is obvious – your website could be compromised by bad actors. This presents a range of issues, as you might lose access to your website, fall victim to data theft, or be used as the vector for onward phishing or ransomware attacks. If your website is hacked you may lose functionality, which could have a huge impact on revenue, and you may also lose your main avenue of communication.
However, the most damaging potential issue that can arise from a website cyber attack goes beyond the website itself. Websites are usually repositories of all sorts of privileged information, from user credentials to sensitive organizational data. Once hackers have access to a website, they can extend their reach, breaking down the doors between your site and the rest of your business, attacking the whole organization, and gaining all the keys to the chest. This sort of knock-on effect can be catastrophic. A website attack can critically harm trust in your organization as well as potentially shutting down your entire business.
How can you mitigate and prevent vulnerabilities?
As well as the specific prevention techniques for each vulnerability, there are a few more general steps you can take to mitigate website vulnerabilities and protect your business.
- Update and patch – you should always ensure that every application and element of your web presence is updated and patched to the fullest possible degree. Hackers rely on out-of-date applications or unpatched software to gain access to websites, and there is a roaring trade on dodgy message boards and open source application news pages about backdoors, leaky defenses, and vulnerabilities from old software.
- Use a firewall – a web application firewall (WAF) acts as the first and primary barrier between you and malicious actors online; your castle walls and perimeter fences. A firewall filters out insecure traffic and blocks anything dodgy or harmful, from bots and automated scanners to unauthorized or unauthenticated user inputs.
- Scan for malware – an automated malware scanner tool can filter and check huge volumes of data, and identify potentially problematic malware based on suspicious behavior. Get a malware scanner that automatically identifies vulnerabilities in your site as well and kill two birds with one stone.
Staying on top of your website security is vital when it comes to protecting your business from hackers and breaches. To find out how CompuVision can help protect you and your business, get in touch today and our team will give you the information and support you need to keep every aspect of your online business safe and secure.