Rather than having traditional applications installed on local PCs, more and more businesses are choosing to run essential services from the cloud. This increased reliance on web applications and the ever greater volume of financial transactions being carried out online means that the security of websites is more important than ever.
Testing your website security is, therefore, essential. It ensures that data remains confidential and that third-parties can’t tamper with the functionality of the site. In testing the security of a website, there are some key areas that you need to focus on.
Passwords
The hacking of accounts using compromised credentials – either stolen in a phishing attack or due to poor practices leading to weak passwords – is one of the most common causes of data breaches. It’s therefore important to make sure your website passwords can’t be easily cracked.
It’s possible to find lists of common weak passwords online along with password cracking tools so you can check your site’s effectiveness. You should ensure that the site enforces a policy of strong passwords – minimum length and including a mix of lowercase and capitals, numerals and special characters. You also need to ensure that usernames and passwords are stored in encrypted form so that even if they are stolen, they are difficult for a hacker to exploit.
URL manipulation via HTTP
Another key aspect of website security is the way in which information is passed between the client and the server. If an application uses HTTP GET to do this, then it’s possible for a hacker to manipulate the information sent so that users can be sent to a fake version of a website for example. Testing, therefore, needs to check how requests are being sent.
SQL injection
Using SQL injection methods, a hacker can get access to information stored in an online database. This type of attack usually takes place via text boxes on the site, if the user input in a box is passed straight to a query program then it could be vulnerable to SQL injection. You can test for this by entering a single inverted comma (‘) in a text box – if a database error results then your application could be at risk.
When input data is passed to an SQL query it’s possible for an attacker to enter SQL commands and either gain information from the database or cause the application to crash. You can guard against this by configuring the site to reject the input of certain special characters into text boxes.
Cross-site scripting
Cross-site scripting (XSS) attacks can be used to execute a malicious piece of JavaScript code on an end user’s web browser. This can be in order to steal information stored in cookies, to explore user information stored in the browser, or to divert the browser to a malicious URL. In order to prevent XSS attacks, sites should be configured not to accept HTML or script code.
Finally, in carrying out any of these tests, it’s important that they are run on development versions and not on live sites!
