Articles > Information Security
Network Protection vs. Secure Code
Firewalls and similar devices are important for protecting your website, but they are never enough by them selves! Ultimately whether a website is easily hacked or not will come down to how secure the website code is written! Do not be lazy, code securely or expect your website to be under someone else's control!
Code Injection:
The most basic and common attack against a website is SQL injection.
First, a basic understanding of SQL injection is a good idea:
http://en.wikipedia.org/wiki/Sql_injection
The first rule to prevent SQL injection is to always validate/sanitize your input to make sure it contains only the information you expect. If you are expecting the variable docid to be the number "11" don't ever accept and query your database when docid is set to "11; drop tables;--" or when docid is set to anything that is not a whole number like you expect!
Another form of code injection is include file injection. This one hits close to home, because it hurt me directly once. Here is some info on include file injection: http://en.wikipedia.org/wiki/Code_injection#Include_file_injection
The best way to defend against this, is to not use input from user sources (url, forms, cookies, etc...) when loading an include file. If you must use user input to load an include file then always verify that the input is truly a local file on your local server that you put there.
Cross Site Scripting (XSS)
XSS is another common form of code injection. http://en.wikipedia.org/wiki/Cross-site_scripting
Again, sanitize user input and don't reflect user input back to a page unless necessary.
Server Side Validation is King!
Client side validation is good, but server side validation is always required, in addition to client side validation!!! Using only client side validation is VERY dangerous!
Unncessary Open Ports: Exploiting an open port that is not properly secured or disabled. Is your web server running FTP over TCP port 21 when it doesn't need to? Is your SSH password on port 22 complex and secure? Do you know every single user who is authorized to use SSH?
Denial of Service: This is the hardest one to defend against. This normally involves enormous amounts of fake traffic hitting your web server to make it crash or to just prevent real traffic from reaching your server. Talk to your ISP about helping you if you are having a DOS attack problem. Also, consider special network hardware that handles DoS and DDoS attacks. (http://www.fortinet.com/)
Consider IDS and/or IPS: Intrusion detection and intrusion prevention are great things if you website suffers from attack from bots, viruses, hackers, etc... Most website get attacked more than they know! Fortinet has good IPS for businesses of all sizes (http://www.fortinet.com/)
Unpatched or outdated Software: If you use a content management system like joomla or any of the other million CMS's, make sure you keep them up to date. They can have security holes in their code that you cannot patch, because you didn't write the code. When I say CMS I am referring very broadly to any third party app that helps power your website. Examples: Joomla, PHPbb, PDF plugins, email apps, chat programs, .NET Framework, etc... Also, make sure your web server software (apache, IIS, etc..) is patched. They have flaws too.
Hide Errors: Errors on your website can give away sensitive information about your website. When possible don't output full errors to the public and use custom error pages.
Robots.txt: Learn what a robots.txt file is and how to use it. You can prevent sensitive parts of your website from showing up on search engines like google.
Disable Directory Listings: Don't show users all the files on your site! They may not be very nice once they know where all your files are.
How to protect your website from hackers
Last Updated: 9/20/14Network Protection vs. Secure Code
Firewalls and similar devices are important for protecting your website, but they are never enough by them selves! Ultimately whether a website is easily hacked or not will come down to how secure the website code is written! Do not be lazy, code securely or expect your website to be under someone else's control!
Code Injection:
The most basic and common attack against a website is SQL injection.
First, a basic understanding of SQL injection is a good idea:
http://en.wikipedia.org/wiki/Sql_injection
The first rule to prevent SQL injection is to always validate/sanitize your input to make sure it contains only the information you expect. If you are expecting the variable docid to be the number "11" don't ever accept and query your database when docid is set to "11; drop tables;--" or when docid is set to anything that is not a whole number like you expect!
Another form of code injection is include file injection. This one hits close to home, because it hurt me directly once. Here is some info on include file injection: http://en.wikipedia.org/wiki/Code_injection#Include_file_injection
The best way to defend against this, is to not use input from user sources (url, forms, cookies, etc...) when loading an include file. If you must use user input to load an include file then always verify that the input is truly a local file on your local server that you put there.
Cross Site Scripting (XSS)
XSS is another common form of code injection. http://en.wikipedia.org/wiki/Cross-site_scripting
Again, sanitize user input and don't reflect user input back to a page unless necessary.
Server Side Validation is King!
Client side validation is good, but server side validation is always required, in addition to client side validation!!! Using only client side validation is VERY dangerous!
Unncessary Open Ports: Exploiting an open port that is not properly secured or disabled. Is your web server running FTP over TCP port 21 when it doesn't need to? Is your SSH password on port 22 complex and secure? Do you know every single user who is authorized to use SSH?
Denial of Service: This is the hardest one to defend against. This normally involves enormous amounts of fake traffic hitting your web server to make it crash or to just prevent real traffic from reaching your server. Talk to your ISP about helping you if you are having a DOS attack problem. Also, consider special network hardware that handles DoS and DDoS attacks. (http://www.fortinet.com/)
Consider IDS and/or IPS: Intrusion detection and intrusion prevention are great things if you website suffers from attack from bots, viruses, hackers, etc... Most website get attacked more than they know! Fortinet has good IPS for businesses of all sizes (http://www.fortinet.com/)
Unpatched or outdated Software: If you use a content management system like joomla or any of the other million CMS's, make sure you keep them up to date. They can have security holes in their code that you cannot patch, because you didn't write the code. When I say CMS I am referring very broadly to any third party app that helps power your website. Examples: Joomla, PHPbb, PDF plugins, email apps, chat programs, .NET Framework, etc... Also, make sure your web server software (apache, IIS, etc..) is patched. They have flaws too.
Hide Errors: Errors on your website can give away sensitive information about your website. When possible don't output full errors to the public and use custom error pages.
Robots.txt: Learn what a robots.txt file is and how to use it. You can prevent sensitive parts of your website from showing up on search engines like google.
Disable Directory Listings: Don't show users all the files on your site! They may not be very nice once they know where all your files are.
Keywords: protect your website, hackers, sql injection, viruses, bots,