WSO Request - Html Website Security - For all you technical geniuses out there ...

Figured I'd save you a few sheckles and right up something really quick. If you have additional questions, just ask and I'd be happy to answer them...

Recently, viruses are no longer simply the product of lone coders in their mother's basement. Many viruses are the brainchild of large criminal enterprises aimed primarily at identity theft.

Luckily, most static or custom sites are substantially less vulnerable to attack because they typically require an in depth security analysis to determine vulnerabilities (beyond basic attacks, which I will outline now).

Basic attacks and how you can defend against them:

//Note - All of these are coding specific, so if you aren't coding your sites, just make sure your developer is fixing these security holes//

1) MySQL injections.

This occurs when variables aren't checked before querying your database. Some updates to how MySQL handles queries help prevent this, but also if you're using scripts provided by a company like Aweber or OSTicket, this has been taken care of you.

Example: Your page url is yoursite. com/posts.php?ID=5
If you're taking the variable of ID as 5 directly from the url and are querying the database, such as: mysql_query("SELECT * FROM posts WHERE ID = '$ID'" Then you're vulnerable to this type of attack. If someone goes to yoursite. com/posts.php?ID=5';drop posts;, then your mysql query actually turns into two distinct queries, the first actually retrieving the results of where your ID equals 5, but the second one ("DROP posts") deletes your entire database of post entries!

You can avoid this by cleaning variables before you query the database for them. You can do this by using the PHP command mysql_real_escape_string($var) to fix potential MySQL injections.

2) Session Hijacking

People can phish live sessions on your website very easily. A potential hijacker can send out the the link yourdomain. com/membersarea.php?PHPSESSIONID=5555, and if one of your users follows that link and then logs in, all the hijacker has to do is follow that link and they will be in that users account!

This is also an easy fix, but most programmers (in my experience) do not include protections against session hijacking in thier code. In my pages where people are logged in, after checking to make sure they are logged in, I check their IP and their Useragent against the IP and Useragent they logged in with. If there is a discrepancy, a new error comes up and they can no longer access areas requiring a login.

Again, if you're using commercial scripts, this likely isn't a problem, but if you're in doubt, it is best to contact the producer of the script to make sure.

3) File Uploads!

You simply have to limit what kind of files can be uploaded to your site by the public. If you're allowing users to upload files, you need to limit the upload types to only those relevant to what they may be uploading - for example, if they are uploading pictures, only allow jpgs, jpegs, gifs, bmps, and pngs.

This too is very easy to fix and there are tutorials all over the internet for it. You have to get the true extension of an uploaded file and check it against an array of allowable upload types.

///Programming stuff is over///

Follow these steps to secure your site from hackers.

Email your hosting provider to ask if you can have access to your website limited to only your IP. Some companies will be able to do this, others will not think it is worth the trouble.

Make sure you're keeping your Windows files updated as well as your virus definitions. Set your computer to look for updates once a day and scan your computer for viruses at least once per week. Using Trend Micro HouseCall and MalwareBytes will provide a good defense. When you're scanning, make sure you're doing full computer scans, rather than their preset scans which do not cover your entire hard drive.

Before uploading a file, go to virustotal. com. Upload your file via SSL (it is a check box on the page). It scans the file with several different anti-virus scanners.

Connect to your website via SFTP. Any FTP program will offer this option.

Upload your files!


Answers to some of your questions:

Should I use an SSL certificate?

Unless your users are passing sensitive data to you (credit card numbers, SSNs, etc), a SSL certificate is not required. It is also unlikely that a SSL certificate would protect your users from modern virus threats that propagate through websites. Typically viruses will create an iframe in your pages that iframes one of their sites that uses browser exploitations to load malicious software on your users sites. SSL does not stop this.


What permissions should I use for my files?

For individual files, use 644. For folders use 755. There are virtually no reasons to ever have wider permissions. If a script needs you to change them for installation, remember to change it back afterward.


Robots?

Most pages don't need a robots tag. Only use the robots tag on pages where you specifically do not want them to read your information. Additionally, you can secure your page by telling search engine spiders to not follow links on the current page either. To accomplish this, put <meta name="robots" content="noindex, nofollow" /> in between the <head></head> tags on your page.


Blank Index File in folders?

Yes! You can limit viewers to not see a list of pages in a folder if you don't have an index.html file, but if you ever change hosts or copy and paste a folder, sometimes these limits can be lost. It is safest to always include a blank index.html file in your folders.


Right Click Stopper?

Well, fortunately, server side code, like PHP or ASP, for example, does not ever get shown to people right clicking to view the source. All of those functions happen at the server level BEFORE the viewer is able to load the webpage. What happens is that all of that PHP or ASP code is rendered into pure HTML, so your users often never even realize PHP is being used!

However, I would advise against a right click stopper. For one, it makes users angry. But also, your source is available by going to the "View" menu in their browsers and selecting "Page Source" .. Finally, if someone wants the source code to your pages, they will get it. I can write a program in about 30 seconds that will get the interpreted source code to any page.

Very informative post, Jason. Nice contribution.

It;s good that you want to know.. but I am not sure how the market needs and also any technical things behind it...

Wow, Jackson, thank you so much!! You are a star. That must have taken you some time, I really appreciate it

Could I take you up on the offer of another question?

I am coding my sites myself, but I am using html for everything I write (limit of my skills), and commercial scripts whenever I need to do something fancy. MySQL injections would be taken care of by the script, I don't have customers logging in, and there is no way for them to upload files.

If I understand you right, there is not too much vulnerability to attack with my kind of site. My question is - would it be enough to just check my sites are running OK daily? Or could they be hacked invisibly and seem to be OK but actually are not? Bit of a funny question but I really do not have a handle on this kind of technical stuff yet!

And is it a good idea to run the free version on Acunetix on my sites - or really not worth it?

Cross Site Scripting scanner ? Free XSS Security Scanner

It would be a good idea to periodically check your sites for any kind of problem. I would say the best way to check your sites is to your go to it, right click to view source, and look for any extra javascript that you didn't put there.

This the probably the only thing you'd really need to worry about with your sites.

If scanning with Acunetix helps you feel good/like you're promoting strong business practices/keeping your users safe, definitely use it. Using it will never be a bad thing. It can't hurt your site to scan it every day.