Unit 28
Website Production
Website security
Problems and resolutions
25 February 2015
What are the threats?
June 18th 2014, The Sunday Times & The Sun websites
Problems
Identify any security issues on advanced websites
Online payments
Intercepting data – Theft of information in transit
Changing data
Hacking username and passwords
Getting information from Cookies
Use of insecure OS
Authentication access to server
Undeleted files
Weak encryption codes
Solutions
Firewalls
Encryption and Secure Socket Layer (SSL)
Monitoring applications
SPAM Prevention:
File naming
Use strong passwords
Website certificates – validates organisation
SQL injection
Inserting SQL commands into username and
login textboxes
Username
Password
www.cmswire.com/cms/web-cms/how-they-hack-your-website-overview-of-common-techniques-002339.php
SELECT * FROM users WHERE username = 'USRTEXT' AND password = 'PASSTEXT'
SQL injection
Inserting SQL commands into username and
login textboxes
Username: ' OR 1=1 --
Password
-- signifies 'comment': everything after it is ignored by the database
' closes the username text field
SELECT * FROM users WHERE username = '' OR 1=1 --' AND password = 'PASSTEXT'
The password check is commented out, and OR 1=1 is always true, so the query matches every user.
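As an added example (not from the original slides or the cmswire article), the Python script below builds a constructed in-memory SQLite table with one sample user and shows the concatenated query from the slide beside a parameterised version of the same login check. The input ' OR 1=1 -- logs in against the concatenated query and fails against the parameterised one, because the driver passes the values separately from the SQL text. The table, user name and function names are assumptions made for this demonstration.

```python
import sqlite3


def make_db():
    # Constructed sample data for the demonstration (not from the slides).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    # Pastes the user input straight into the SQL text, the pattern shown on the
    # slide (username = 'USRTEXT'). A quote in the input ends the string literal
    # and -- turns the rest of the statement into a comment.
    sql = ("SELECT * FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone() is not None


def login_safe(conn, username, password):
    # Parameterised query: the ? placeholders are filled by the driver with the
    # values as data, so quotes and -- in the input never become SQL syntax.
    sql = "SELECT * FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    injected = "' OR 1=1 --"
    print("vulnerable, injected input:", login_vulnerable(db, injected, "x"))  # True
    print("parameterised, injected input:", login_safe(db, injected, "x"))    # False
    print("parameterised, real credentials:", login_safe(db, "alice", "s3cret"))  # True
```

Run it as a script to see the three outcomes; the same prepared-statement approach is available in every mainstream database driver, and it is the standard fix for the textbox injection the slide describes.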
Google hacks
Get password text files
Some passwords are held in password text
files
inurl:passwd.txt
inurl:passlist.txt
"login: *" "password= *" filetype:xls
Cross Site Scripting attacks (XSS)
Some websites store username and password in Cookies
XSS gets username and password from the Cookie
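The slide's two points (credentials kept in a cookie, and a script reading that cookie) map onto two server-side defences. As an added example that is not part of the original slides, the Python below issues a cookie that carries only an opaque session id with the HttpOnly, Secure and SameSite flags set, and HTML-escapes user-supplied text before it is placed in a page so injected markup is shown as text rather than run as script. The cookie name, the comment wrapper and the function names are assumptions for this demonstration.

```python
import html
import secrets
from http.cookies import SimpleCookie


def session_cookie_header(session_id):
    # Store only a random session id, never the username or password; the
    # server maps the id back to the user. HttpOnly keeps the cookie out of
    # document.cookie, so script injected through XSS cannot read it; Secure
    # limits it to HTTPS (the SSL transport the slides recommend); SameSite
    # stops the browser attaching it to requests made from other sites.
    cookie = SimpleCookie()
    cookie["session"] = session_id
    cookie["session"]["httponly"] = True
    cookie["session"]["secure"] = True
    cookie["session"]["samesite"] = "Strict"
    return cookie.output(header="Set-Cookie:").strip()


def new_session():
    # 32 random bytes, URL-safe encoded: unguessable and meaningless on its own.
    session_id = secrets.token_urlsafe(32)
    return session_id, session_cookie_header(session_id)


def render_comment(user_text):
    # Output encoding: < > & " ' from user input become HTML entities, so the
    # browser displays them instead of interpreting them as tags or script.
    return '<p class="comment">' + html.escape(user_text) + "</p>"


if __name__ == "__main__":
    sid, header = new_session()
    print(header)  # Set-Cookie: session=...; HttpOnly; SameSite=Strict; Secure
    print(render_comment("<script>alert(1)</script>"))
```

A cookie like this is useless to a stolen-cookie attack only if the server also expires sessions and invalidates the id on logout; the flags reduce exposure to script on the page, they do not replace session management.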
Protection mechanisms
Security is the most important concern once a site exists, but it must be built in at the development stage rather than added afterwards.
Take an individual approach that considers the specific character of the particular web project.
Protection
No method is 100% foolproof
The majority of attacks are automated: block automated vulnerability scanning
Forensically test and recover after an incident
http://www.decision-web-design.com/security-hacking-articles/prevention
Protection
Code scanning – check for unauthorised changes
Known exploits and technique checking
.htaccess files
DNS blacklists
Hosting
File & directory permissions
Penetration testing
CAPTCHAs
DDoS – cloud hosting?
Separate files for sensitive data
Be careful with Client-side scripting
High security level for:
website content,
user accounts,
confidential information collected from users,
and protection of admin control from being illegally taken over.
Requirements
Protection from:
spam,
automatic form submission,
use of a single account by multiple users, etc.
Also:
Security must not reduce website usability through repeated authorisation steps or slow malicious-code checking.
A high level of convenience for users.
Methods
Encoding of the HTML code or its key parts.
Access control password system
The password store must not be visible through the web code, i.e. it must be kept in a separate file or database on the web server.
Security for site users
An unreliable security system can badly damage your business reputation.
Complete protection for users' personal data.
Much of website protection depends on your hosting service.
TASK
Describe the general security risks which threaten the integrity of data.
Laws and guidelines
Data Protection Act (1998).
Copyright, Designs and Patents Act (1988)
Disability Discrimination Act (1995).
Data Protection Act (1998).
Protects personal information
Information Commissioner
8 principles
Do not allow data to be passed outside the EU, other than to a country with laws equivalent to the EU's
Copyright, Designs and Patents Act (1988)
Copyright – protection of intellectual property
©
Disability Discrimination Act (1995).
Must provide accessibility for your website
Task
Define the laws and guidelines which various types of website must conform to.