Securing your website: A tough job, but someone’s got to do it

Website breaches can be devastating to your business—here's how to prevent them.

In 2006, members of a notorious crime gang cased the online storefronts belonging to 7-Eleven, Hannaford Brothers, and other retailers. Their objective: to find an opening that would allow their payment card fraud ring to gather enough data to pull off a major haul. In the waning days of that year they hit the mother lode, thanks to Russian hackers identified by federal investigators as Hacker 1 and Hacker 2.

Located in the Netherlands and California, the hackers identified a garden-variety flaw on the website of Heartland Payment Systems, a payment card processor that handled some 100 million transactions per month for about 250,000 merchants. By exploiting the so-called SQL injection vulnerability, they were able to gain a toe-hold in the processor's network, paving the way for a breach that cost Heartland more than $12.6 million.

The hack was masterminded by the now-convicted Albert Gonzalez and it's among the most graphic examples of the damage that can result from vulnerabilities that riddle just about any computer that serves up a webpage. Web application security experts have long cautioned such bugs can cost businesses dearly, yet those warnings largely fall on deaf ears. But in the wake of the Heartland breach there was no denying the damage they can cause. In addition to the millions of dollars the SQL injection flaw cost Heartland, the company also paid with its loss of reputation among customers and investors.

The incident was hardly an anomaly. In the years that followed, a crop of other websites big and small have fallen victim to attacks that exploit SQL injection bugs, cross-site scripting flaws, and a series of other vulnerabilities. These small openings allow attackers to inject malicious code into an end user's browser or hijack a Web server altogether. Last month, the website for Reporters without Borders was commandeered so attackers could surreptitiously install malware on the computers of visitors. Attacks that exploit website flaws so the perpetrators can infect a site's visitors have grown so common they've given rise to the term watering hole attacks. The name comes from the way the hackers resemble hunters who camp out at ponds, lying in wait for thirsty prey in need of something to drink.

Odds are...

What all of this means is that unless you've recently had a professional security team audit your website, chances are it's susceptible to a host of vulnerabilities.

According to the most recent ranking of the top 10 vulnerabilities by the Open Web Application Security Project, the most common website threats include:

Injection

These occur when Web apps send user input and other untrusted data to an interpreter, such as a SQL database. Attackers like those working for Gonzalez find these bugs using scanners and can exploit them to steal password tables or other sensitive data. The flaws can also be milked to carry out denial of access attacks or even completely take over the underlying Web server. Individual vulnerabilities can be so numerous they're often akin to garden weeds that are hard to completely eradicate. The best way to prevent them is to rely on Web apps that sanitize user input before handing it off to a back-end server. OWASP's preferred way of avoiding injection attacks is to employ "a safe API which avoids the use of the interpreter entirely or provides a parameterized interface."
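The difference between concatenating input into a query and using a parameterized interface, shown as an added example that is not part of the original article. The table, account names, and function names are constructed for illustration, and Python's built-in `sqlite3` module stands in for whatever database a site actually uses.

```python
import sqlite3

def make_db():
    """Build an in-memory table of constructed sample accounts."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, password_hash TEXT)")
    db.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "hash-a"), ("bob", "hash-b"), ("carol", "hash-c")],
    )
    return db

def lookup_concatenated(db, name):
    """Vulnerable: user input becomes part of the SQL text itself."""
    query = "SELECT name, password_hash FROM users WHERE name = '" + name + "'"
    return db.execute(query).fetchall()

def lookup_parameterized(db, name):
    """Hardened: the SQL text is fixed and the input is bound as data."""
    query = "SELECT name, password_hash FROM users WHERE name = ?"
    return db.execute(query, (name,)).fetchall()

# Constructed input: the quote changes the query's meaning when
# concatenated, but is just an odd (non-matching) name when bound.
HOSTILE_NAME = "nobody' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("concatenated :", lookup_concatenated(db, HOSTILE_NAME))
    print("parameterized:", lookup_parameterized(db, HOSTILE_NAME))
    print("legit lookup :", lookup_parameterized(db, "alice"))
```

With the concatenated query the whole table comes back; with the bound parameter the same input matches no row, and ordinary lookups behave the same as before.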

Cross-site scripting

Abbreviated as XSS, these flaws occur when Web apps send user-supplied data to a browser without properly validating or, if necessary, escaping it. Attackers exploit them to send JavaScript fragments that steal browser cookies used to authenticate an end user to an e-mail account or other restricted service. The flaws can also be exploited to deface websites, redirect users to other sites, or even use malware to hijack a user's browser. XSS bugs are avoided by ensuring that all user-supplied input returned to the browser is verified as safe or escaped so that it's no longer dangerous.
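Escaping user-supplied data before it is returned to the browser, as an added example that is not part of the original article. The comment template, function names, and sample inputs are constructed for illustration.

```python
import html

def render_comment_raw(author, text):
    """Vulnerable: user-supplied values are pasted into markup unchanged."""
    return f'<div class="comment" title="{author}">{text}</div>'

def render_comment_escaped(author, text):
    """Hardened: &, <, > and both quote characters become entities."""
    safe_author = html.escape(author, quote=True)  # quoted-attribute context
    safe_text = html.escape(text, quote=True)      # element-body context
    return f'<div class="comment" title="{safe_author}">{safe_text}</div>'

# Constructed inputs: one tries to open a tag, one tries to close
# the attribute it is placed in.
SAMPLE_TEXT = "<script>alert(1)</script>"
SAMPLE_AUTHOR = 'x" onmouseover="alert(1)'

if __name__ == "__main__":
    print(render_comment_raw(SAMPLE_AUTHOR, SAMPLE_TEXT))
    print(render_comment_escaped(SAMPLE_AUTHOR, SAMPLE_TEXT))
```

`html.escape` covers element bodies and quoted attribute values only; data placed inside script blocks, URLs, or unquoted attributes needs encoding specific to that context.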

Broken authentication and session management

These errors reside in apps used to log users in to restricted parts of a site. Typically, they're found in custom-developed schemes that make some sort of critical error, such as requiring a session ID that is easy to guess or included in the URL. As their name implies, they result in such schemes not working the way they're supposed to, allowing attackers to take unauthorized control of user accounts and perform any action the valid user would, including deleting sensitive e-mail or data. The best way to keep clear of these vulnerabilities is to avoid custom-developed schemes in favor of one that has been well tested.

Insecure direct object references

These flaws stem from Web apps that use the actual name or key of an object in a URL when generating a page. In some cases, attackers can exploit these to gain powerful administrator privileges, simply by modifying some of the URL text. To prevent such errors, websites should use per-user or session indirect object references, which can't be manipulated.
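A per-session indirect reference map, as an added example that is not part of the original article. The invoice data, class name, and function names are constructed for illustration; the point is that the URL carries a random reference that only the issuing session can resolve, never the real key.

```python
import secrets

class SessionRefMap:
    """Per-session map from opaque references to real object keys."""

    def __init__(self, allowed_keys):
        # Only objects the logged-in user may access ever get a reference.
        self._by_ref = {}
        self._by_key = {}
        for key in allowed_keys:
            ref = secrets.token_urlsafe(16)
            self._by_ref[ref] = key
            self._by_key[key] = ref

    def ref_for(self, key):
        """Opaque reference to embed in a URL or form field."""
        return self._by_key[key]

    def resolve(self, ref):
        """Real key for a reference, or None if this session never issued it."""
        return self._by_ref.get(ref)

# Constructed sample data: invoice ids and their owners.
INVOICES = {"1001": "alice", "1002": "alice", "2001": "bob"}

def new_invoice_session(user):
    """Build the reference map for one user's login session."""
    keys = [k for k, owner in INVOICES.items() if owner == user]
    return SessionRefMap(keys)

def fetch_invoice(session, ref):
    """Return (key, owner) for a valid reference, else None."""
    key = session.resolve(ref)
    if key is None:
        return None  # unknown, guessed, or another session's reference
    return key, INVOICES[key]
```

Editing the reference in the URL to a real key such as `2001`, or replaying a reference issued to a different session, resolves to nothing.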

Cross-site request forgery

CSRF exploits use fake websites to generate forged HTTP requests that attack end users of a vulnerable website. Attackers exploit these mistakes to force an end user to execute unwanted actions on a website she's already logged into. Exploits can force the victim to unwittingly delete e-mails or carry out any other authorized operation. Attacks can be especially devastating when the affected end user controls the administrator account. To prevent CSRF vulnerabilities, Web apps should include an unpredictable token in the body or URL of each HTTP request, and the tokens should be unique per user session or per request.
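A per-session token check of the kind described above, as an added example that is not part of the original article. The session dictionary, form markup, and function names are constructed for illustration and are not tied to any particular Web framework.

```python
import hmac
import secrets

def new_session():
    """Create server-side session state with an unpredictable CSRF token."""
    return {"user": None, "csrf_token": secrets.token_urlsafe(32)}

def render_form(session):
    """Embed the session's token in the form body as a hidden field."""
    token = session["csrf_token"]
    return (
        '<form method="post" action="/delete">'
        f'<input type="hidden" name="csrf_token" value="{token}">'
        "</form>"
    )

def handle_post(session, form_fields):
    """Accept a state-changing request only if it carries the session's token."""
    submitted = form_fields.get("csrf_token", "")
    expected = session["csrf_token"]
    # Constant-time comparison avoids leaking how many characters matched.
    if not hmac.compare_digest(submitted.encode(), expected.encode()):
        return 403
    return 200

if __name__ == "__main__":
    session = new_session()
    # A request built from the site's own form carries the token.
    print(handle_post(session, {"csrf_token": session["csrf_token"]}))
    # A request generated by another site has no way to read the token.
    print(handle_post(session, {"message_id": "42"}))
```

The browser attaches the session cookie to both requests, which is why the cookie alone cannot distinguish them; only the request that originated from the site's own form can include the matching token.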

Next, the five other major website security pitfalls and some final thoughts on precautions to take.
