The Biggest Security Concerns for Websites in 2016

If there is one truism in web security, it is that the bad guys never take a day off. They are constantly probing sites for vulnerabilities and exploiting the ones they find.

Here are the biggest security concerns for websites in 2016 and presumably 2017.

1) Injection attacks

A common tactic of attackers is to launch an injection attack against a targeted site. The pattern is that data from an input field (a contact form, a login form, a search box, a URL parameter) is pasted straight into a database query or system command, so the database or shell executes the attacker's input as part of the statement. SQL injection is the most common form.

The consequences range from reading or deleting the data on your server, to changing stored content that is later served to your visitors, to running commands on the database host.

The real fix is to never build queries by string concatenation: use parameterized queries (prepared statements) so that user data travels separately from the SQL and can never change the structure of the statement. Input validation against an allowlist (accept only the characters and values you expect, rather than trying to block known-bad ones) is a useful second layer, and it is the only option for things such as column or table names, which cannot be passed as parameters.

2) Poor authentication protocols

This is often the result of developers who insist on writing their own authentication and session handling instead of using the well-reviewed implementation their framework already provides.

Inevitably the programmer misses something and leaves an element exposed to an attacker who is looking for exactly these weaknesses.

For example, home-grown schemes often put the session ID in the URL (where it leaks through server logs, bookmarks and the Referer header), store passwords in plain text or with a fast unsalted hash instead of a slow salted one, generate session tokens that are guessable, implement timeouts poorly, or serve the login page and session cookie without TLS. Any one of these can make session hijacking easy.

To avoid all this, use the authentication features of a mature framework, or else be very thorough when you write your own.
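As an added example (not code from the original post), here are the pieces a home-grown scheme most often gets wrong, done with the Python standard library: salted, iterated password hashing with PBKDF2 and a constant-time comparison, session tokens drawn from the OS random source, idle and absolute session timeouts, and the token delivered in a cookie with `HttpOnly`, `Secure` and `SameSite` set rather than in the URL. The iteration count, timeout values and cookie name are illustrative choices, not values from the post; the clock is injectable so the timeouts can be exercised without waiting.

```python
import hashlib
import hmac
import os
import secrets
import time

# Illustrative iteration count; raise it as far as your login latency budget allows.
PBKDF2_ITERATIONS = 600_000


def hash_password(password, iterations=PBKDF2_ITERATIONS):
    # A fresh 16-byte salt per password means identical passwords hash differently
    # and precomputed tables are useless. The iteration count makes guessing slow.
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())


def verify_password(password, stored):
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # compare_digest runs in time independent of where the strings differ.
    return hmac.compare_digest(digest.hex(), digest_hex)


class SessionStore:
    # Illustrative timeouts: 15 minutes idle, 8 hours absolute.
    IDLE_TIMEOUT = 15 * 60
    ABSOLUTE_TIMEOUT = 8 * 60 * 60

    def __init__(self, now=time.time):
        self._now = now          # injectable clock, used by the tests
        self._sessions = {}

    def create(self, username):
        # 32 random bytes from the OS CSPRNG: not a counter, not derived from the
        # username or time, and never placed in a URL.
        token = secrets.token_urlsafe(32)
        t = self._now()
        self._sessions[token] = {"user": username, "created": t, "last_seen": t}
        return token

    def lookup(self, token):
        s = self._sessions.get(token)
        if s is None:
            return None
        t = self._now()
        if t - s["last_seen"] > self.IDLE_TIMEOUT or t - s["created"] > self.ABSOLUTE_TIMEOUT:
            self.destroy(token)
            return None
        s["last_seen"] = t
        return s["user"]

    def destroy(self, token):
        # Logout must invalidate server-side, not just clear the browser cookie.
        self._sessions.pop(token, None)


def session_cookie_header(token):
    # HttpOnly keeps the token away from page script, Secure keeps it off plain
    # HTTP, SameSite=Lax stops most cross-site requests from carrying it.
    return "Set-Cookie: session=%s; Path=/; HttpOnly; Secure; SameSite=Lax" % token


if __name__ == "__main__":
    stored = hash_password("correct horse")
    print("stored form:", stored[:40] + "...")
    print("right password:", verify_password("correct horse", stored))
    print("wrong password:", verify_password("wrong horse", stored))
    store = SessionStore()
    tok = store.create("alice")
    print(session_cookie_header(tok))
    print("lookup:", store.lookup(tok))
```

The stored string carries its own algorithm name, iteration count and salt, so the count can be raised later and old hashes upgraded at next login without a schema change.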

TIP: If you are looking to protect yourself, services such as SiteLock might prove useful, but make sure you first consider reading these SiteLock reviews to find out if such a service can really protect your website.

3) Cross site scripting attacks

Cross-site scripting, or XSS, is another technique that has become popular among attackers in recent years.

It happens when text that a user supplied (a comment, a profile field, a search term echoed back in the page) is written into your HTML without being encoded, so the browser parses it as markup or script instead of showing it as text. The injected script runs in your visitors' browsers with your site's origin: it can load malicious content, steal session cookies so the attacker can act as your users and view their personal information, or just play an invisible audio file for laughs (on the attacker's part).

To prevent this, encode user-supplied data at output time for the context it lands in (HTML body, attribute value, JavaScript string, URL), so the browser always treats it as text. Do not rely on stripping tags from input: a strip filter is a blocklist, and attackers have event handlers such as onerror, nested tags and encoding tricks to get past it. As extra layers, mark the session cookie HttpOnly so script cannot read it, and send a Content Security Policy that disallows inline script.
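The following added example (not from the original post) puts the two approaches side by side: a tag-stripping filter of the kind often written on input, and output encoding with `html.escape` for the HTML body and attribute contexts. It is checked against two constructed payloads, an image tag with an `onerror` handler that contains no script tag to strip, and a nested tag that reassembles into `<script>` after the filter removes the inner copy. The CSP string is an illustrative policy, not one the post specifies.

```python
import html
import re


def strip_script_tags(text):
    # The blocklist approach: remove anything that looks like a <script> tag.
    return re.sub(r"(?i)</?script[^>]*>", "", text)


def render_comment_naive(comment):
    # Filters on input, then trusts the result as markup.
    return "<p>%s</p>" % strip_script_tags(comment)


def render_comment_safe(comment):
    # Encodes at output time for the HTML body context: <, >, &, " and '
    # become entities, so the browser displays them and never parses them.
    return "<p>%s</p>" % html.escape(comment, quote=True)


def render_attribute_safe(value):
    # Attribute context: the value must also be inside quotes, and the quote
    # character itself must be encoded, or the input can close the attribute.
    return '<input name="q" value="%s">' % html.escape(value, quote=True)


# Illustrative policy: scripts only from this origin, no inline script, no plugins.
CSP_HEADER = "Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'"


if __name__ == "__main__":
    payloads = [
        "<img src=x onerror=alert(document.cookie)>",   # no <script> tag at all
        "<scr<script>ipt>alert(1)</script>",             # reassembles after stripping
    ]
    for p in payloads:
        print("naive: ", render_comment_naive(p))
        print("safe:  ", render_comment_safe(p))
    print(render_attribute_safe('" onmouseover="alert(1)'))
    print(CSP_HEADER)
```

Note that `html.escape` is correct only for HTML body and quoted attribute contexts. Data placed inside a JavaScript block or a URL needs that context's own encoding, which is why templating engines that auto-escape per context are preferable to calling an escape function by hand.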

4) Lax security protocols

This is a more general failure on the part of the webmaster: it points to a lack of care in approaching the site with a security mindset.

This can range from failing to disable directory listing on your server, which can make valuable information visible to the wrong eyes, to failing to update software and plugins.

It can be as bad as leaving default usernames in place and using predictable passwords, which hands attackers the keys to the kingdom and lets them take over the entire site.

5) Redirects

Redirects are usually added with good intentions (send the user back to the page they wanted after logging in, say), but they are often unnecessary, and when the destination is read from a request parameter the result is an open redirect: an attacker builds a link that points at your domain and sends the visitor on to a phishing or malware site, with your name lending it credibility.

Evaluate whether you really need a redirect whose target comes from the request at all. If you do, either have the client send a short key that maps to a static list of valid destinations, or validate the supplied URL against an allowlist of relative paths and trusted hosts before redirecting. Reject anything that does not match rather than trying to blocklist bad addresses.
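An added example, not from the original post, of the two options above: a static table keyed by name, and a validator for caller-supplied URLs that accepts only same-site paths or HTTPS URLs on an allowlist of hosts (the host names are illustrative). The validator specifically rejects the inputs that defeat naive checks: protocol-relative `//host`, extra leading slashes, backslashes (which browsers treat as slashes), userinfo tricks such as `https://good@evil`, control characters, and non-HTTPS schemes.

```python
from urllib.parse import urlsplit

DEFAULT_TARGET = "/"

# Option 1: the request carries a key, never a URL.
DESTINATIONS = {
    "home": "/",
    "account": "/account",
    "help": "https://help.example.com/",
}


def redirect_by_name(name):
    return DESTINATIONS.get(name, DEFAULT_TARGET)


# Option 2: validate a caller-supplied URL against an allowlist.
ALLOWED_HOSTS = {"www.example.com", "help.example.com"}


def safe_redirect_target(target):
    if not target:
        return DEFAULT_TARGET
    # Browsers treat backslash as slash and strip some control characters
    # before parsing, so none of them may appear at all.
    if any(ord(c) < 0x20 or c == "\\" for c in target):
        return DEFAULT_TARGET
    try:
        parts = urlsplit(target)
    except ValueError:
        return DEFAULT_TARGET
    # Same-site path: exactly one leading slash. "//host" and "///host" are
    # network-path references that leave the site.
    if parts.scheme == "" and parts.netloc == "":
        if target.startswith("/") and not target.startswith("//"):
            return target
        return DEFAULT_TARGET
    # Absolute URL: HTTPS only, host on the allowlist, no userinfo, default port.
    if (
        parts.scheme == "https"
        and parts.hostname in ALLOWED_HOSTS
        and "@" not in parts.netloc
        and parts.port is None
    ):
        return target
    return DEFAULT_TARGET


if __name__ == "__main__":
    for t in [
        "/account?tab=security",
        "//evil.example/",
        "///evil.example/",
        "/\\evil.example",
        "https://www.example.com@evil.example/",
        "https://help.example.com/faq",
        "javascript:alert(1)",
    ]:
        print("%-45r -> %s" % (t, safe_redirect_target(t)))
    print("by name:", redirect_by_name("account"), redirect_by_name("https://evil.example"))
```

The named-destination form is the simpler of the two and should be preferred when the set of targets is known; the validator is for cases such as a post-login return URL where the path is genuinely dynamic.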

Published by Kidal Delonix (1197 Posts)

Kidal Delonix is a contributor to Mr. Hoffman's blog. The views and opinions are entirely his/her own and may not reflect Mr Hoffman's views.
