The idea behind this article is to give you the whole picture of Website security: the Website itself as well as the underlying infrastructure. I explain attack vectors, protection strategies and procedures, and which tools you can use to find weaknesses in your Website and infrastructure. If you are interested in more details about secure programming and securing the underlying infrastructure, read my documents PHP security introduction or Secure form step by step.
Definitions
A vulnerability is a security hole in a piece of software, hardware or operating system that provides a potential angle to attack the system. A vulnerability can be as simple as “weak passwords” or as complex as “buffer overflows” or “SQL injection”.
To take advantage of a vulnerability, you usually need an exploit: a small, highly specialized program that takes advantage of a specific vulnerability to gain access to a computer system. Exploits often deliver a payload to the target system in order to give the attacker control over it.
A payload is the piece of software that lets you control a computer system after it has been exploited. The payload is typically attached to and delivered by the exploit. Just imagine an exploit that carries the payload in its backpack when it breaks into the system and then leaves the backpack there.
Introduction
Website security testing is also known as Website security scanning, Website security audit, Website vulnerability scanning.
First of all, define the situation your Website is in. Based on that you can evaluate the security risk you have to deal with.
Website           Host type   Host security risk   Application security risk
-----------------------------------------------------------------------------
Static Website    shared      low (*)              none
Dynamic Website   shared      low (*)              depends on the programming
Static Website    dedicated   sysadmin (*)         none
Dynamic Website   dedicated   sysadmin (*)         depends on the programming

(*) depends on the know-how of the hoster (shared) or of your own sysadmin (dedicated)
It is a misconception that hosts or web applications can be 100% secure. Even after the most extensive and advanced security tests (manual and/or automated) and extra security measures, a host or web application may still be vulnerable.
A web application has to deal with a great number of potential vulnerabilities and threats. But you can minimize the chance for a hacker to successfully exploit your web application.
Technically, the same programming that increases the value of a Website also allows malicious scripts or SQL commands to be executed on your web server. Any web-based form or script installed on your Website may have weaknesses or outright bugs. All these issues present a web security risk.
Vulnerability assessment and penetration testing
A vulnerability assessment (VA) looks for known vulnerabilities in a computer system and reports potential exposures. The VA is mostly done with a scanner. Vulnerability scanning should be done continuously, and always again after changes to your computer system.
Vulnerability assessments usually follow these steps:
1. Catalog assets and resources in a system
2. Assign quantifiable value and importance to the resources
3. Identify the security vulnerabilities or potential threats to each resource
4. Mitigate or eliminate the most serious vulnerabilities for the most valuable resources
Penetration testing (PT) goes one step further: it actually tries to exploit the weaknesses in the architecture of your systems and reports what was reachable. The PT is done with scanners and with tools the pen tester builds for the target. Pen testing should be done at least once a year.
Penetration testing usually follows these steps:
1. Determination of scope
2. Targeted information gathering or reconnaissance
3. Exploit attempts for access and escalation
4. Sensitive data collection testing
5. Clean-up and final reporting
In general, start with a vulnerability assessment. Based on its results, improve your computer system. Finally, do pen tests to verify whether the remaining weaknesses are actually exploitable.
Vulnerabilities hit list
Research shows that a stunning 64% of all Websites/web applications contain vulnerabilities. Cross-Site Scripting and Information Leakage prove to be the most frequent vulnerabilities in web applications.
See also OWASP top ten : https://www.owasp.org/index.php/OWASP_Top_Ten_Project
What are hackers looking for ?
Every system or web application on the Internet is a potential target. The Internet is scanned by hackers 24/7 for vulnerable systems and web applications, regardless of the size of your organization.
A brief overview of ways in which hackers can abuse systems:
1. Spam
Sending out millions of unsolicited emails. Spammers can cause severe damage: they use up your bandwidth, damage your organization's reputation and can disrupt your complete email traffic by getting your server blacklisted.
2. Storage
Illegal software, music, videos and images consume costly bandwidth and disk space, and can also result in your system being taken off-line by the authorities for further investigation.
3. Distribution of malware
The most common motive. Your application is used to infect visitors with malware. Once infected, the hackers have total control over the visitor's computer. This leads to blacklisting by search engines like Google and harms the reputation of your organization.
4. Jump point
Your system is used to attack other systems. The attack will be traced back to your system, with consequences for you and your organization.
5. Data Harvesting
A direct attack to steal valuable customer and company information, for example credit card numbers, login credentials, email addresses and social security numbers.
Basic protection measures
In the list below, you will find the main targets and the basic protection measures to secure them.
TARGET                    SECURE IF
-------------------------------------------------------------------------------------
The web application       programmed with security in mind + kept updated
The Website/blog          programmed with security in mind + kept updated (including themes and plugins)
The (PHP) interpreter     up to date + security patched
The database              up to date + least-privilege accounts + real-time DB firewall
The web server software   up to date + security patched + correct settings
The operating system      up to date + security patched + correct settings
The web server hardware   physically secured + trustworthy administration
The network               tight permissions (firewall rules, segmentation)
Your web server should run a firewall, an anti-virus software, an Intrusion Detection System (IDS) and a Web Application Firewall (WAF).
Use TLS (HTTPS, still often called SSL) for the whole site by default, not only for login pages.
Do on a regular basis : a network vulnerability scanning, a web application vulnerability scanning as well as pen testing.
The most secure way is to run your web application OFF line. Ok, this was a joke, but it’s true !
Web security procedure
Web application vulnerability scanner
Introduction from OWASP
Web Application Vulnerability Scanners are automated tools that scan web applications for known security vulnerabilities such as cross-site scripting, SQL injection, command execution, directory traversal and insecure server configuration. A large number of both commercial and open source tools are available, and all these tools have their own strengths and weaknesses.
Scanner list
14 open source scanners
Cloud based vulnerability scanning
Scanning “by hand”
Try to compromise your Website by altering POST/GET values. An intercepting (debugging) proxy helps here: it lets you see and modify the HTTP requests between your browser and the server. Fiddler is a good starting point; Burp Suite and OWASP ZAP are the usual choices of professional testers.
So what should you be trying to alter on the request? If you have pages which should only be visible to a logged-in user, try changing URL parameters such as the user id, or cookie values, in an attempt to view the details of another user (an insecure direct object reference, IDOR). Another area worth testing is forms: change the POST values to submit script code (XSS) or to upload a server-side script.
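The id-swapping test described above, automated as an added example (my code, not part of the original article). It assumes a toy /profile?id=N endpoint, three constructed users and one constructed session cookie; the vulnerable handler trusts the id parameter, the hardened subclass compares it with the user bound to the session. The checker keeps its own session cookie, swaps the id and flags every id that returns 200 with somebody else's data.

```python
import http.server
import threading
import urllib.error
import urllib.parse
import urllib.request
from http.cookies import SimpleCookie

# Constructed demo data (assumption, not from the article): three users and
# one valid session cookie belonging to user 1 (alice).
USERS = {
    "1": "alice <alice@example.com>",
    "2": "bob <bob@example.com>",
    "3": "carol <carol@example.com>",
}
SESSIONS = {"sess-alice": "1"}  # session cookie value -> user id


class ProfileHandler(http.server.BaseHTTPRequestHandler):
    """Toy /profile?id=N endpoint. With enforce_owner=False it is the classic
    vulnerable version: the id from the query string is trusted and never
    compared with the user bound to the session."""
    enforce_owner = False

    def log_message(self, *args):  # keep the demo quiet
        pass

    def do_GET(self):
        url = urllib.parse.urlparse(self.path)
        params = urllib.parse.parse_qs(url.query)
        cookies = SimpleCookie(self.headers.get("Cookie", ""))
        session = cookies["session"].value if "session" in cookies else None
        if url.path != "/profile" or session not in SESSIONS:
            return self._reply(403, "forbidden")
        requested = params.get("id", [""])[0]
        # Hardened version: the requested id must be the session's own user.
        if self.enforce_owner and requested != SESSIONS[session]:
            return self._reply(403, "forbidden")
        if requested not in USERS:
            return self._reply(404, "no such user")
        return self._reply(200, USERS[requested])

    def _reply(self, status, text):
        body = text.encode()
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


class HardenedProfileHandler(ProfileHandler):
    enforce_owner = True


def fetch(base, user_id, session):
    """GET /profile?id=<user_id> with the given session cookie -> (status, body)."""
    req = urllib.request.Request(f"{base}/profile?id={urllib.parse.quote(user_id)}")
    req.add_header("Cookie", f"session={session}")
    # Empty ProxyHandler so proxy environment variables cannot divert localhost.
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    try:
        with opener.open(req, timeout=5) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, ""


def idor_check(base, session, own_id, candidate_ids):
    """Keep our own session, swap the id parameter, and return every id that
    answers 200 with content different from our own profile."""
    _, own_body = fetch(base, own_id, session)
    leaked = []
    for cid in candidate_ids:
        status, body = fetch(base, cid, session)
        if status == 200 and body != own_body:
            leaked.append(cid)
    return leaked


def run_demo(hardened=False):
    """Start the toy server on a free localhost port, run the check as alice
    (user 1) against ids 2, 3 and a non-existent 99, return the leaked ids."""
    handler = HardenedProfileHandler if hardened else ProfileHandler
    server = http.server.HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return idor_check(f"http://127.0.0.1:{server.server_port}",
                          "sess-alice", "1", ["2", "3", "99"])
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print("vulnerable app leaks ids:", run_demo())             # ['2', '3']
    print("hardened app leaks ids:", run_demo(hardened=True))  # []
```

Against a real site you would point `idor_check` at the application, paste the session cookie you obtained by logging in, and feed it the ids you saw in the intercepting proxy. Comparing against your own profile body matters: many applications answer 200 with your own data for any id, which is harmless, while a 200 with different content is the finding.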
Web application testing methodology
Follow the very detailed and structured methodology of the OWASP Testing Guide for performing Web Application Security Assessments. It gives a high level of assurance that all necessary areas of the application are tested and as many issues as possible are found.
Security assessments must be approached with a hacker mindset: the methodology is about actually exploiting the vulnerabilities and misconfigurations in the web application, not only listing them. Only this leads to significant security results and is the best way to approach Web application testing.
Web application security design and testing checklists
Web application security starts (of course) with the design. The Wiki Books document is a guideline for programmers, the OWASP document describes black-box security testing, and the SANS document is for IT professionals who are not programmers.
Wiki Books
OWASP
SANS Institute
Penetration test tools
Penetration testing is also known as pen testing (security testing). The main objective of a penetration test is to gain access to a computer system, a network or a web application: the same access an attacker would exploit, found first so that the security administrator can close it. Pen tests can be automated or performed manually.
Pen test tools
Pentest Tools
Metasploit
Netsparker
OpenVAS
Rapid
Linux distributions for penetration testing
Network vulnerability scanner
A network vulnerability scanner is a program that scans hosts and networks for weaknesses: open ports, outdated or vulnerable services and insecure configurations.
Some examples
OpenVAS
CodePlex
nmap
Nessus
Acunetix
List of scanners
Protect the Website from spam
Set up a Google Alert for your Website to be notified when spam-related keywords are detected (indexed) on your Website.
Example of an entry in Google Alert: [site:example.com (viagra|cialis|casino|payday loans)]
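A Google Alert only fires once the spam has been indexed. As an added example (my code, not part of the original article) here is a local check with the same keyword list that you can run over your own pages or backups before that happens. It goes beyond the alert in one way: injected SEO spam is usually hidden from human visitors, so the parser also reports whether a hit sits inside an element hidden by the `hidden` attribute or by an inline style (display:none, visibility:hidden, off-screen positioning; an assumed, non-exhaustive pattern list). The sample page is constructed.

```python
import re
from html.parser import HTMLParser

# Same keyword list as the Google Alert query above.
SPAM_TERMS = re.compile(r"\b(viagra|cialis|casino|payday loans?)\b", re.IGNORECASE)
# Inline styles typically used to hide injected spam from visitors while
# search engines still index it (assumed patterns, not an exhaustive list).
HIDING_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d{3,}px",
    re.IGNORECASE)
# Elements without a closing tag; they must not push onto the nesting stack.
VOID_TAGS = {"area", "base", "br", "col", "embed", "hr", "img", "input",
             "link", "meta", "source", "track", "wbr"}


class SpamFinder(HTMLParser):
    """Collects (keyword, hidden) pairs; hidden=True means the text sits inside
    an element that a normal visitor cannot see."""

    def __init__(self):
        super().__init__()
        self.hidden_depth = 0   # number of enclosing hidden elements
        self.stack = []         # per open element: did it start hiding?
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return
        attrs = dict(attrs)
        hides = "hidden" in attrs or bool(HIDING_STYLE.search(attrs.get("style") or ""))
        self.stack.append(hides)
        if hides:
            self.hidden_depth += 1

    def handle_startendtag(self, tag, attrs):
        pass  # <br/>-style self-closing tags never contain text

    def handle_endtag(self, tag):
        if tag in VOID_TAGS or not self.stack:
            return
        if self.stack.pop():
            self.hidden_depth -= 1

    def handle_data(self, data):
        for match in SPAM_TERMS.finditer(data):
            self.hits.append((match.group(0).lower(), self.hidden_depth > 0))


def find_spam(html):
    """Return [(keyword, hidden), ...] in document order for one HTML page."""
    parser = SpamFinder()
    parser.feed(html)
    parser.close()
    return parser.hits


# Constructed sample page: one legitimate mention plus two injected, hidden blocks.
SAMPLE_PAGE = """<html><body>
<h1>Club news</h1>
<p>Our casino night is a family event.<br>See you there.</p>
<div style="position:absolute; left:-9999px">buy cheap viagra and cialis online</div>
<div hidden>payday loans approved in minutes</div>
</body></html>"""

if __name__ == "__main__":
    for keyword, hidden in find_spam(SAMPLE_PAGE):
        print(f"{keyword:13} {'HIDDEN - likely injected' if hidden else 'visible'}")
```

Run `find_spam` over the HTML files of a site backup (or over pages fetched with your own crawler): a visible hit may be legitimate content, a hidden hit almost never is. Spam hidden via an external stylesheet or JavaScript is not detected by this check; compare the served page against your backup for that.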
Backup
Yes, I know, the “do a backup” mantra is annoying, but there are far too many people out there who do not back up their Website (and its data!). Be a good example and do it before your Website is hacked! Do the backup on a regular basis, keep a copy off the web server (an attacker who owns the server also owns the backups stored on it) and test that you can actually restore from it.