Website security overview



The idea behind this article is to give you the whole picture of Website security: the Website itself as well as the underlying infrastructure. I explain attack vectors, protection strategies and procedures, and you will also learn which tools you can use to find weaknesses in your Website and infrastructure. If you are interested in more details about secure programming and securing the underlying infrastructure, read my documents PHP security introduction or Secure form step by step.

Definitions

A vulnerability is a security hole in a piece of software, hardware or operating system that provides a potential angle to attack the system. A vulnerability can be as simple as “weak passwords” or as complex as “buffer overflows” or “SQL injection”.

To take advantage of a vulnerability, you often need an exploit. This is a small and highly specialized computer program that takes advantage of a specific vulnerability and provides access to a computer system. Exploits often deliver a payload to the target system in order to grant the attacker access to the system.

A payload is the piece of software that lets you control a computer system after it has been exploited. The payload is typically attached to and delivered by the exploit. Just imagine an exploit that carries the payload in its backpack when it breaks into the system and then leaves the backpack there.

Introduction

Website security testing is also known as Website security scanning, Website security audit or Website vulnerability scanning.

First of all, you have to define which situation your Website is in. Based on that, you can evaluate the security risk you have to deal with.

Website            Host type    Host security risk    Application security risk
------------------------------------------------------------------------------
Static Website     shared       low (*)               no
Dynamic Website    shared       low (*)               depends on the programming
Static Website     dedicated    sysadmin (*)          no
Dynamic Website    dedicated    sysadmin (*)          depends on the programming

(*) depends on the know-how

It is a misunderstanding that hosts or web applications can be 100% secure. Even after performing the most extensive and advanced security tests (manual and/or automatic) and taking extra security measures, a host or web application may still be vulnerable. A web application has to deal with a great number of potential vulnerabilities and threats, but you can minimize the chance that an attacker successfully exploits your web application.

Technically, the same programming that increases the value of a Website also allows malicious scripts or SQL commands to be executed on your web server. Any web-based form or script installed on your Website may have weaknesses or outright bugs. All these issues present a web security risk.

Vulnerability assessment and penetration testing

A vulnerability assessment (VA) looks for known vulnerabilities in a computer system and reports potential exposures. The VA is mostly done by a scanner. Vulnerability scanning should be done continuously, and again after every change to your computer system.

Vulnerability assessments usually follow these steps:
1. Catalog assets and resources in a system
2. Assign quantifiable value and importance to the resources
3. Identify the security vulnerabilities or potential threats to each resource
4. Mitigate or eliminate the most serious vulnerabilities for the most valuable resources
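Steps 2 to 4 above are usually carried out as a ranking: each finding is weighted by the value of the asset it sits on, so the most serious issues on the most valuable resources are fixed first. The script below is an added example, not code from the original article; the asset names, the 1-5 value scale, the CVSS-style severity numbers and the findings are constructed sample data, and the priority formula (asset value times severity) is one common choice, not a standard.

```python
"""Added example: ranking vulnerability assessment findings by asset value
and severity, following the four VA steps (catalog, value, identify,
mitigate). All assets and findings below are constructed sample data."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    value: int        # step 2: business value on a 1-5 scale (constructed)


@dataclass(frozen=True)
class Finding:
    asset: str        # name of the asset the finding belongs to
    title: str
    severity: float   # step 3: CVSS-style base score, 0.0-10.0 (constructed)


def prioritize(assets, findings):
    """Step 4: order findings so that the most serious issues on the most
    valuable assets come first. Priority = asset value * severity.
    Returns a list of (priority, finding), highest priority first."""
    values = {a.name: a.value for a in assets}
    scored = []
    for f in findings:
        if f.asset not in values:
            # Step 1 was incomplete: every finding must map to a cataloged asset.
            raise ValueError(f"finding references unknown asset {f.asset!r}")
        scored.append((values[f.asset] * f.severity, f))
    # Highest priority first; ties broken by asset and title for a stable report.
    scored.sort(key=lambda pair: (-pair[0], pair[1].asset, pair[1].title))
    return [(round(score, 1), f) for score, f in scored]


# Constructed inventory (step 1) with values (step 2).
SAMPLE_ASSETS = [
    Asset("customer-db", 5),
    Asset("marketing-site", 2),
    Asset("staging-web", 1),
]

# Constructed scanner output (step 3).
SAMPLE_FINDINGS = [
    Finding("marketing-site", "Reflected XSS in search form", 6.1),
    Finding("customer-db", "Outdated DB engine with known RCE", 9.8),
    Finding("staging-web", "Directory listing enabled", 5.3),
    Finding("customer-db", "Weak admin password policy", 7.5),
]

if __name__ == "__main__":
    for score, f in prioritize(SAMPLE_ASSETS, SAMPLE_FINDINGS):
        print(f"{score:5.1f}  {f.asset:15s} {f.title}")
```

With the sample data the outdated database engine (value 5, severity 9.8) ranks first and the directory listing on the staging host last, even though, taken on its own, the staging finding has a higher severity than nothing at all: the asset value is what moves it down the list.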

Penetration testing (PT) is designed to actually exploit and report weaknesses in the architecture of your systems. The PT is done with scanners and with tools the pen tester designed. Pen testing should be done once a year.

Penetration testing usually follows these steps:
1. Determination of scope
2. Targeted information gathering or reconnaissance
3. Exploit attempts for access and escalation
4. Sensitive data collection testing
5. Clean-up and final reporting

In general, you should start with a vulnerability assessment. Based on these results, you improve your computer system. Finally, you do pen tests to see whether your systems are secure.

Vulnerabilities hit list

Research shows that a stunning 64% of all Websites/web applications contain vulnerabilities. Cross-Site Scripting and Information Leakage prove to be the most frequent vulnerabilities in web applications.

See also the OWASP Top Ten: https://www.owasp.org/index.php/OWASP_Top_Ten_Project

What are hackers looking for?

Every system or web application on the Internet is a potential target. The Internet is being scanned by hackers 24/7 to find vulnerable systems and web applications, regardless of the size of your organization.

A brief overview of ways in which hackers can abuse systems:

1. Spam
Sending out millions of unsolicited emails. Spammers can cause severe damage: they use all your bandwidth, give your organization a bad reputation or disrupt your complete email traffic by getting you blacklisted.

2. Storage
Illegal software, music, video and images take costly bandwidth, but could also result in your system being taken off-line by the government for further investigation.

3. Distribution of malware
The most prominent reason for hackers. Your application will be used to infect visitors with malware. Once a visitor is infected, the hackers have total control over the customer's computer. This can cause blacklisting by search engines like Google and harm the reputation of your organization.

4. Jump point
Your system will be used to hack other systems. The attack will lead back to your system, having consequences for you and your organization.

5. Data Harvesting
A direct attack to steal valuable customer and company information, for example credit card numbers, login credentials, email addresses, social security numbers and more.

Basic protection measures

In the list below, you will find the main targets and the basic protection measures to secure them.

TARGET                       SECURE WHEN IT
The web application          is programmed with security in mind + updated
The Website/blog             is programmed with security in mind + updated
The (PHP) interpreter        is up to date + security patched
The database                 runs behind a real-time DB firewall
The web server software      is up to date + security patched + correct settings
The operating system         is up to date + security patched + correct settings
The web server hardware      is physically secured + trustworthily administered
The network                  has tight permissions

Your web server should run a firewall, anti-virus software, an Intrusion Detection System (IDS) and a Web Application Firewall (WAF).

Use SSL by default.

Do on a regular basis: network vulnerability scanning, web application vulnerability scanning and pen testing.

The most secure way is to run your web application OFF line. OK, this was a joke, but it's true!

Web security procedure

Web application vulnerability scanner

Introduction from OWASP

Web Application Vulnerability Scanners are the automated tools that scan web applications to look for known security vulnerabilities such as cross-site scripting, SQL injection, command execution, directory traversal and insecure server configuration. A large number of both commercial and open source tools are available and all these tools have their own strengths and weaknesses.

Scanner list

14 open source scanners
Cloud based vulnerability scanning

Scanning “by hand”

Try to compromise your Website by altering POST/GET values. A debugging proxy can assist you here, as it lets you intercept the values of an HTTP request between your browser and the server. A popular freeware application called Fiddler is a good starting point.
So what should you try to alter in the request? If you have pages that should only be visible to a logged-in user, I would try changing URL parameters such as the user id, or cookie values, in an attempt to view the details of another user. Another area worth testing is forms: change the POST values to attempt to submit code that performs XSS or to upload a server-side script.
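The "change the user id parameter" test above is easy to automate once you have a way to call the page as a logged-in user, and the server-side fix is equally small: authorize the requested id against the session instead of trusting the URL. The code below is an added example, not code from the original article or from any real application; the user table, the session cookies and the two hypothetical profile handlers are constructed for illustration, and `check_idor` is the manual test turned into a repeatable check you can run against your own handlers.

```python
"""Added example: the "alter the user id parameter" test from the text,
automated against two hypothetical profile handlers. Users, sessions and
handlers are constructed for illustration; they are not real code."""

# Constructed sample data: a user table and two live sessions (cookie -> user id).
USERS = {
    101: {"name": "alice", "email": "alice@example.com"},
    102: {"name": "bob", "email": "bob@example.com"},
}
SESSIONS = {"sess-alice": 101, "sess-bob": 102}


class Forbidden(Exception):
    """Raised when a request is denied; stands in for an HTTP 403."""


def profile_vulnerable(session_id, params):
    """Trusts the user id taken from the query string: any logged-in user can
    read any profile just by changing ?id=... (an insecure direct object
    reference)."""
    if session_id not in SESSIONS:
        raise Forbidden("not logged in")
    return USERS[int(params["id"])]


def profile_hardened(session_id, params):
    """Authorizes against the session: the requested id must be the caller's
    own id. A real application would extend this with explicit grants
    (admin role, shared records) rather than relaxing the check."""
    if session_id not in SESSIONS:
        raise Forbidden("not logged in")
    requested = int(params["id"])
    if requested != SESSIONS[session_id]:
        raise Forbidden("cannot view another user's profile")
    return USERS[requested]


def check_idor(handler):
    """The scanning-by-hand step as a check: log in as one user, then request
    another user's record by changing only the id parameter. Returns True
    when the handler leaks the other user's data, False when it refuses."""
    own_cookie = "sess-alice"
    own_id = SESSIONS[own_cookie]
    victim_id = next(uid for uid in USERS if uid != own_id)
    # Baseline: reading our own record must work, otherwise a refusal below
    # would say nothing about authorization.
    if handler(own_cookie, {"id": str(own_id)}) != USERS[own_id]:
        raise RuntimeError("baseline request failed; check the session first")
    try:
        leaked = handler(own_cookie, {"id": str(victim_id)})
    except Forbidden:
        return False
    return leaked == USERS[victim_id]


if __name__ == "__main__":
    for name, handler in [("vulnerable", profile_vulnerable),
                          ("hardened", profile_hardened)]:
        verdict = "FOUND" if check_idor(handler) else "not found"
        print(f"{name:10s} handler: IDOR {verdict}")
```

The baseline request matters: a handler that refuses every request would also pass the second step, so the check first proves that the session can read its own record. The same shape (own record works, other record must be refused) applies to any parameter that names an object the caller does not own, such as order, invoice or document ids.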

Web application testing methodology

Follow the very detailed and structured methodology based on the OWASP Testing Guide for performing Web Application Security Assessments. This methodology provides a high level of assurance that all necessary areas of the application are tested and that as many issues as possible are found.
Security assessments must be approached with a hacker mindset, with the methodology actively exploiting vulnerabilities and misconfigurations in the web application. Only this leads to significant security results, and it is the best way to approach Web application testing.

Web application security design and testing checklists

Web application security starts (of course) with the design. The Wiki Books document is a guideline for programmers. The OWASP document describes black box security testing. The SANS document is for IT professionals who are not programmers.

Wiki Books
OWASP
SANS Institute

Penetration test tools

Penetration testing is also known as pen testing (security testing). The main objective of penetration testing is to gain access to a computer system, a network or a web application. This access could then be exploited by an attacker or, better, secured/closed by the security administrator. Pen tests can be automated or performed manually.

Pen test tools

Pentest Tools
metasploit
netsparker
OpenVAS
Rapid

Linux distributions for penetration testing

Kali Linux
Black Arch
backbox

Network vulnerability scanner

A network vulnerability scanner is a program designed to scan networks for weaknesses.

Some examples

OpenVAS
CodePlex
nmap
nessus
acunetix

List of scanners

6 free scanners
Open Foundry

Protect the Website from spam

Set up a Google Alert for your Website to be notified when spam-related keywords are detected on it.
Example of an entry in Google Alert: [site:example.com (viagra|cialis|casino|payday loans)]
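A Google Alert only fires once the search engine has indexed the spam, so it is worth running the same keyword list over your own pages as well. The script below is an added example, not code from the original article: it scans HTML pages for the keywords from the alert query above and additionally flags hits that sit inside hidden elements (`display:none`, `visibility:hidden` or the `hidden` attribute), which is how injected SEO spam is typically kept out of sight of visitors while still being visible to search engines. The three sample pages are constructed; in practice you would feed it the files of your Website or the HTML you fetch from it.

```python
"""Added example: a local check for the spam keywords in the Google Alert
query, run over your own HTML pages, with hits inside hidden elements
flagged separately. The sample pages are constructed."""
import re
from html.parser import HTMLParser

# Keyword list taken from the alert query in the text.
SPAM_TERMS = ("viagra", "cialis", "casino", "payday loans")
SPAM_RE = re.compile("|".join(re.escape(t) for t in SPAM_TERMS), re.IGNORECASE)
HIDDEN_STYLE_RE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.IGNORECASE)
# Elements that never get a closing tag, so they must not be pushed on the stack.
VOID_TAGS = {"br", "img", "input", "meta", "link", "hr"}


class SpamScanner(HTMLParser):
    """Collects (keyword, hidden?) hits from the text nodes of one page."""

    def __init__(self):
        super().__init__()
        self.stack = []        # open elements as (tag, hidden?) for unwinding
        self.hidden_depth = 0  # > 0 while inside at least one hidden element
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return
        a = dict(attrs)
        hidden = "hidden" in a or bool(HIDDEN_STYLE_RE.search(a.get("style") or ""))
        self.stack.append((tag, hidden))
        if hidden:
            self.hidden_depth += 1

    def handle_endtag(self, tag):
        # Pop back to the matching open tag; tolerates sloppy nesting.
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                for _, was_hidden in self.stack[i:]:
                    if was_hidden:
                        self.hidden_depth -= 1
                del self.stack[i:]
                break

    def handle_data(self, data):
        for m in SPAM_RE.finditer(data):
            self.hits.append((m.group(0).lower(), self.hidden_depth > 0))


def scan_page(html):
    """Return the list of (keyword, hidden) hits found in one HTML document."""
    parser = SpamScanner()
    parser.feed(html)
    parser.close()
    return parser.hits


def report(pages):
    """Map file name -> hits for every page that contains at least one hit."""
    return {name: hits for name, hits in ((n, scan_page(h)) for n, h in pages.items()) if hits}


# Constructed sample pages: one clean, one with injected hidden spam, one
# with a legitimate mention of a keyword in visible text.
SAMPLE_PAGES = {
    "index.html": "<html><body><h1>Welcome</h1><p>Our shop sells garden tools.</p></body></html>",
    "about.html": ('<html><body><p>About us.</p>'
                   '<div style="display:none">Cheap VIAGRA and casino bonus</div>'
                   '<p>Contact: info@example.com</p></body></html>'),
    "blog.html": "<html><body><p>Beware of payday loans scams.</p></body></html>",
}

if __name__ == "__main__":
    for name, hits in report(SAMPLE_PAGES).items():
        for keyword, hidden in hits:
            print(f"{name}: {keyword!r} {'HIDDEN' if hidden else 'visible'}")
```

A visible hit (like the blog post warning about payday loans) may well be legitimate content; a hit inside a hidden block almost never is, so the `hidden` flag is the one to alert on first. Keep the keyword list in one place so the alert query and the local check stay in sync.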

Backup

Yes, I know, the “do a backup” mantra is annoying, but there are too many people out in the wild who do not back up their Website (and its data as well!). Be a good example and do it before your Website is hacked! Do the backup on a regular basis.
