I frequently see comments on various security forums from webmasters after a compromise wondering how their sites could possibly have been attacked. In discussions with some of the webmasters that have been affected with some of these issues, I have found that most are unaware of simple and free steps that can be taken to help protect a web site. This is purely preventative, but when it comes to web site security, prevention is the most important element.
DISCLAIMER: This information is for educational purposes only. Check with your hosting company before using ANY of the software I mention to ensure it is allowed under their policies. Any misuse of this information, and any damage resulting from your use of this information is solely your responsibility.
One of the simplest and most important things to do is make sure you are on the mailing list for every piece of third party software you use so you know about security patches as soon as they are released. It is important to keep the software on your site up to date.
The next thing to do is hack your server. There are a few tools that malicious users use to find ways of gaining access to a web server. By using these tools yourself, you can find many of the same problems before you are attacked. Nessus is the most commonly used tool for finding vulnerable software on the Internet. In fact, this program forms the basis of most commercial vulnerability scanners and is available for free. Nessus can be downloaded from http://www.nessus.org/ although you need to register (for free) to get the program and updates. You want to download these updates so that every time you use the scanner it looks for the most recently known vulnerabilities.
Finally, there is a range of attacks that are hand coded. In most cases, these attacks are done by editing the requests sent to your server. This can be accomplished in two ways. The easiest is to install a Firefox plug-in (if you use Firefox) called HackBar. This can be installed from the Firefox plug-in library or by searching Google. This software allows you to edit the requests you send to a web server to test how well the server and scripts validate incoming data, while bypassing any security features of the web browser and any JavaScript validation. The other method is to install a proxy program called Paros Proxy. This program enables you to change the data being sent between your browser and the remote server, as well as seeing the raw data. This tool is also useful for testing redirects. A few searches on the web for “cross site scripting,” “SQL injection” and “buffer overflow” should give you plenty of ideas of things to try. This is the best way to test scripts that you have created yourself to ensure that those scripts are as secure as possible.
One often overlooked element of web site security is the validation of input on web forms. Javascript is useless for validating input, as the previous paragraph shows two easy ways to get around it. Your scripts should follow a simple formula: trust nothing, validate everything.
Bear in mind, all of the technology I describe is intended to demonstrate possible problems. This will not fix any issues. However, you should be able to find where you are vulnerable and make the appropriate corrections. Obviously this is no replacement for a full security analysis, but this will give you a starting point. Also, note that these methods are less likely to find security issues in custom made scripts. For that, you should consult a security consultant or a programmer who has experience securing applications in whatever programming language you are using.
February 23, 2009
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment