With the explosive growth of websites and web applications there has been a corresponding growth in the threats they are subject to. Cybercrime activities include access to unauthorized information, identity theft and major banking and credit card frauds. Risks from insecure websites have become an increasingly important issue especially with the growth of Personal Cloud and Vendor Relationship Management communities. While there is no one best checklist of vulnerabilities the OWASP 10 list items which are described below is a good way to start . If you are a head of IT, or even a CEO, the following will give some tough questions for you to ask your web administrator and evaluate how secure your website is depending on his answers.
Q1: Is it possible for a hacker to access my backend databases through my website?
This often happens through an injection where an attacker passes a malicious command to the database to change or delete data through a query. To guard against this, if possible the user should be made to select out of given options ; if not user input data should be filtered and sanitized to prevent malicious code reaching a backend database.
Q2: Can my website be used to attack users?
Cross site scripting, one of the most widespread security vulnerabilities, occurs when an attacker targets a site by inserting malicious Java script or another scripting language into a Web form. When a user accesses the site then the malicious code will be executed in his machine, creating requests that will appear to originate from him or steal private information from him. User submitted content should always be regarded warily and should be filtered before displaying on web pages. The best safeguard is to use a web vulnerability scanner.
Q3: Is the user’s session management safe?
When a user accesses a site a session ID is opened and session IDs do not usually expire immediately as the user exits for reasons of efficiency. Session IDs, and authentication data such as passwords, can be stolen ( stealing the session ID can be as damaging as the other). One common way this is done is by a third party ‘sniffing’ IP packets by getting them routed through his machine. It is preferred that developers use tried and tested authentication and session management schemes rather then custom built ones.
Q4: Can the data in my files be targeted by hackers ?
Internal Direct Object References occur when an internal object in a system such as a file, directory or database record is exposed to external parties by using its actual name. By a simple alteration hackers can then access or change data they are not authorized to access. To avoid this all resources should have a security level and all access to a resource having a particular security level should go through the same security check. Back end applications should also double check access rights. Web sites should also use per user or per session indirect object references.
Q5: Can malicious outsiders impersonate trusted users of the site?
This, which is known as Cross site request forgery, occurs when malicious commands are transmitted by a user who has dealings with the site, and so the site has some trust in him. System administrators in particular are vulnerable to this threat. The attacker will send the administrator a dummy web page to login to; thereafter he can issue commands fooling the site into thinking the commands came from the administrator. To guard against this an unique token should be included in every session.
Q6: Is the website configured in a secure way? Is hardening done?
The security configuration of most sites is usually based on some kind of framework such as Weblogic, Spring etc. All security patches issued should be quickly applied and dependencies should also be kept up to date. Security holes in software provide an excellent opportunity for hackers. One pitfall here is that developers frequently compromise on security to make a system up and running, and it should be ensured that they have hardened the system sufficiently.
Q7: Is sensitive data stored securely?
Many applications have sensitive data such as credit card numbers and passwords and it is imperative that they should be safeguarded from unauthorized access. All such data should be encrypted with an encryption algorithm strong enough to meet the threats. You should be circumspect when granting access to decrypted data.
Q8: Is there any security risk arising from URL’s given by my site to users?
URL’s pertaining to a particular user are also a potential hazard as he could try to guess at other similar URL’s and gain access to unauthorized data. Authentication checks should be done on URL’s both at front end and back end to prevent this. Such access control should be independent of the web application.
Q9: Are all the components up-to–date in my website?
Software components such as libraries and frameworks are also vulnerable to attack which can cause data loss or takeover. If you are using third party components ensure that they are up to date. If you are using an open source software which does not issue patches ensure that you have the latest version. The security of such components should be monitored by public databases, security mailing lists etc.
Q10: What are the dangers of having links provided by users on my site?
Websites often direct users to other websites or pages by way of links, and may unwittingly direct them to phishing ( a bogus e-mail masquerading as being from a legitimate party) or malware sites. The best way to avoid this is to refrain from using redirects and forwards. If they are used, as far as possible you should avoid the destination being determined by user parameters. If destination parameters are used they should be validated and ensured that they are user authorized.
The cyber world is a continuously evolving one and no checklist can give absolute security nor will it be valid beyond a limited period. The criminals too are getting smarter all the time. Therefore it is imperative that you keep up to date, on emerging security challenges and continuously improve your security system.