No matter what business you're in, your website is effectively your store front. This is especially true if you're an ecommerce firm, but every company needs an effective web presence if they're to attract customers and grow their business.
But if you don't pay close attention, your website could be costing you much more than you realize. If you don't have good security policies in place, this store front may as well be an open window that invites criminals into your organization. Indeed, some estimates suggest that as many as 90,000 websites fall victim to hackers every day.
A compromised website can be hugely harmful to both your reputation and your finances, no matter how big your brand is. For instance, UK privacy regulators recently hit British Airways with a record $230 million (£183 million) fine after its website was compromised by malware last year, which allowed hackers to extract customers' payment card details as they were being entered into the site.
Therefore, it’s essential you're aware of some of the vulnerabilities that could expose your site to hackers. Here are a few of the most common issues and what they could mean for you.
1. SQL Injections
SQL injection targets a website's database by inserting SQL code through user inputs. Entering malicious SQL statements into entry fields that aren't set up to properly validate or filter what they receive can allow hackers to read sensitive data such as usernames and passwords, or even modify the database to take over a website.
The best way to avoid this is to set up a whitelist that limits which inputs will be accepted. This is a more effective approach than blacklisting known malicious SQL inputs, as it is almost impossible to cover every potential attack string with a blacklist.
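The following is an added example, not code from the original article, showing the whitelist approach in practice: an allowlist pattern rejects any username containing characters outside the permitted set, and the database call binds the value as a parameter so the driver never parses it as SQL. The in-memory SQLite table and the `username` pattern are constructed for the demonstration; a vulnerable string-concatenation lookup is kept alongside for comparison.

```python
import re
import sqlite3

# Constructed in-memory table standing in for a site's user database.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "hash-a"), ("bob", "hash-b"), ("admin", "hash-c")],
    )
    conn.commit()
    return conn

def lookup_vulnerable(conn, username):
    """Builds the query by concatenation, so the input is parsed as part of the SQL."""
    sql = "SELECT username, password_hash FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()

# Allowlist (assumed policy): the only characters a username may contain, plus a length cap.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")

def username_allowed(username):
    """True only if the whole value matches the allowlist pattern."""
    return USERNAME_RE.fullmatch(username) is not None

def lookup_hardened(conn, username):
    """Rejects anything outside the allowlist, then binds the value as a parameter
    so the database driver never interprets it as SQL."""
    if not username_allowed(username):
        raise ValueError("username rejected by allowlist")
    sql = "SELECT username, password_hash FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()
```

The allowlist is the article's recommendation; parameter binding is the complementary control that holds even when an input field legitimately has to accept quotes or other characters the allowlist would otherwise forbid.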
2. Cross-Site Scripting (XSS)
Cross-site scripting lets attackers inject malicious script into a web page so that it runs in the browsers of other users who view it. This can allow them to distribute spam, steal personal data or even hijack a user's computer and redirect them to other malicious sites. As with SQL injections, the risk can be reduced by whitelisting entry fields and encoding user-supplied data at the point it is written into the page, so the client displays it as text rather than interpreting it as HTML.
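Added example (not from the original article) of the encoding advice above: a comment and a profile link supplied by users are rendered once without encoding and once with output encoding plus a whitelist on the link's URL scheme. The page fragment, function names and sample values are constructed for the demonstration.

```python
import html
from urllib.parse import urlsplit

def render_vulnerable(comment, profile_url):
    """Writes user-supplied values straight into the page: any tags in the
    comment, or a javascript: URL in the link, reach the browser as markup."""
    return (f'<p class="comment">{comment}</p>'
            f'<a href="{profile_url}">profile</a>')

def safe_href(url):
    """Allowlist on the URL scheme: only http and https links are emitted,
    anything else collapses to a harmless fragment link."""
    if urlsplit(url).scheme.lower() not in ("http", "https"):
        return "#"
    return html.escape(url, quote=True)

def render_safe(comment, profile_url):
    """Encodes the output where it is written into HTML. quote=True also
    escapes quote characters, so the same call is safe inside attribute values."""
    return (f'<p class="comment">{html.escape(comment, quote=True)}</p>'
            f'<a href="{safe_href(profile_url)}">profile</a>')
```

Encoding belongs at output time because the same stored value may later be placed in an HTML body, an attribute, or a URL, and each context needs its own treatment; encoding on the way in cannot anticipate all of them.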
3. Broken Authentication and Session Management
Authentication issues cover a range of flaws that result in websites failing to effectively verify the identity of a user. Every time a user goes to a website, they’ll begin a session, with the website usually creating a cookie and ID for each one.
But if these aren't validated correctly, a hacker could take over an active session and assume the identity of a legitimate user to steal data. Therefore, it's vital that all authentication and session management operations follow an established, well-tested framework.
4. Security Misconfigurations
Misconfigured web servers and applications are one of the most common problems affecting many websites, and there are a wide range of root causes that can lead to vulnerabilities.
For instance, this can often be something as basic as leaving a default username and password in place for an admin account, running outdated, unpatched software, or having directory listing enabled on the server. Because there are so many small factors to consider, the only way to tackle this is to ensure good security best practices are instilled in employees and followed at all times.
5. Cross-Site Request Forgery (CSRF)
This type of attack essentially tricks users or administrators into performing malicious actions they didn't intend to. A CSRF attack will typically involve forcing a logged-on victim's browser to send a forged HTTP request, including the victim's authentic session cookie and ID, to a vulnerable web application.
It can be particularly damaging to banking and ecommerce sites, as it can be used to change prices, transfer funds between accounts, or change passwords. Adding additional verification such as dynamically-generated hidden tokens can help prevent this type of attack.
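Sections 3 and 5 describe two sides of the same mechanism, so this single added example (not code from the original article) covers both: a server-side session store that issues unguessable IDs, validates them on every request and expires them, and a hidden CSRF token derived from the session ID that a state-changing endpoint must receive alongside the cookie. The timeout, the `handle_transfer` endpoint and the `FakeClock` helper are assumptions made for the demonstration.

```python
import hashlib
import hmac
import secrets
import time

SESSION_TTL = 30 * 60                   # assumed policy: 30 minutes of inactivity
SERVER_KEY = secrets.token_bytes(32)    # per-deployment secret, generated at startup here

class FakeClock:
    """Controllable time source so expiry can be exercised without sleeping."""
    def __init__(self, now):
        self.now = now
    def __call__(self):
        return self.now
    def advance(self, seconds):
        self.now += seconds

class SessionStore:
    """Server-side sessions: the cookie carries only a random ID; the user
    identity and expiry live on the server and are checked on every request."""
    def __init__(self, clock=time.time):
        self._sessions = {}
        self._clock = clock

    def create(self, user_id):
        sid = secrets.token_urlsafe(32)       # 256 bits from the OS CSPRNG
        self._sessions[sid] = {"user": user_id, "expires": self._clock() + SESSION_TTL}
        return sid

    def lookup(self, sid):
        """Returns the user bound to sid, or None if it is unknown or expired."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        if self._clock() >= entry["expires"]:
            del self._sessions[sid]
            return None
        entry["expires"] = self._clock() + SESSION_TTL   # sliding expiry
        return entry["user"]

    def destroy(self, sid):
        self._sessions.pop(sid, None)

def csrf_token(sid):
    """Hidden form token bound to the session: it cannot be produced without the
    server key and is worthless when presented with any other session cookie."""
    return hmac.new(SERVER_KEY, sid.encode(), hashlib.sha256).hexdigest()

def verify_csrf(sid, token):
    return token is not None and hmac.compare_digest(csrf_token(sid), token)

def handle_transfer(store, cookie_sid, form_token):
    """State-changing endpoint: requires a live session AND a matching token.
    A request forged from another site carries the victim's cookie automatically
    but cannot include the token, because that site never saw the victim's page."""
    user = store.lookup(cookie_sid)
    if user is None:
        return "401 no valid session"
    if not verify_csrf(cookie_sid, form_token):
        return "403 csrf token missing or invalid"
    return f"200 transfer by {user}"
```

The token is embedded as a hidden field in the form the server renders and compared with `hmac.compare_digest` to avoid timing side channels; in a real deployment the session ID cookie would also be marked `Secure`, `HttpOnly` and `SameSite`.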
6. Insecure Direct Object References
A direct object reference is an internal object (for example, a filename or database key) that's exposed to the user, often within a website's URL. If these objects aren't secured properly, they hand an attacker exactly the information they need to gain access to a system.
For example, a password reset function may depend on user input to determine whose password is being changed. If the username is displayed in the URL, an attacker can simply modify that field to take over another account, including an administrator's. To prevent this, it's essential to ensure object references aren't exposed in URLs, and to verify the user's authorization for every such object before acting on it.
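Added example, not code from the original article, of the password reset scenario above: the vulnerable version acts on whatever username arrives in the URL, while the hardened version takes the acting identity from the server-side session and checks that it is authorized for the target. A small indirect-reference map shows the second recommendation, keeping internal keys out of URLs altogether. The user table, role names and handle format are constructed for the demonstration.

```python
import secrets

def make_users():
    """Constructed user table; the password values are placeholders, not real hashes."""
    return {
        "alice": {"password": "alice-old", "role": "user"},
        "bob":   {"password": "bob-old",   "role": "user"},
        "admin": {"password": "admin-old", "role": "admin"},
    }

def reset_password_vulnerable(users, url_username, new_password):
    """Trusts the username lifted from the URL (e.g. /reset?user=...). Any
    logged-in visitor can change anyone's password by editing that parameter."""
    if url_username not in users:
        return False
    users[url_username]["password"] = new_password
    return True

def reset_password_hardened(users, session_user, url_username, new_password):
    """The acting identity comes from the server-side session, never from the URL.
    The URL value is only a target that must pass an authorization check: a user
    may reset their own password, an admin may reset anyone's."""
    if session_user not in users or url_username not in users:
        return False
    is_self = session_user == url_username
    is_admin = users[session_user]["role"] == "admin"
    if not (is_self or is_admin):
        return False
    users[url_username]["password"] = new_password
    return True

class IndirectReferences:
    """Per-session map from random opaque handles to internal keys, so the real
    filename or database key never appears in a URL. Unknown handles resolve to
    None, and a handle from one session is meaningless in another."""
    def __init__(self):
        self._handles = {}

    def handle_for(self, internal_key):
        handle = secrets.token_urlsafe(16)
        self._handles[handle] = internal_key
        return handle

    def resolve(self, handle):
        return self._handles.get(handle)
```

Indirection alone is not a substitute for the authorization check: even an opaque handle must still be validated against the session's user when it is resolved.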