web hosting

Browsers Aiding in Website Attacks

Website attacks are on the rise with intruders using an array of hacking techniques from cross site scripting to SQL injection.  Although careless development and insecure applications play a major role in a site’s vulnerability, the typical web browser is a contributing factor as well.

Despite the fact that several improvements have been made, none of the top web browsers are completely secure.  Because of this, many web security experts are projecting that website attacks will continue to be an issue.  The combination of enhanced functionality and the lack of adequate security implementations have left a number of browsers vulnerable to sophisticated attacks.  Some researchers are saying that the increasing number of exploits is the direct result of Web 2.0 technologies and advanced web hosting features.

Evolution in Technology Opens Doors to Further Threats

Things were fairly innocent in the early days of the internet when static pages were prevalent, before technologies such as JavaScript and Active X came into play.  Today’s World Wide Web is dominated by dynamic web-based applications and complex server-side scripting languages, factors that enable browsers to be used in various ways to exploit websites.  Gary McGraw of Cigital, a software security company, agrees that these feature-rich designs have made browsers far less secure, stating that they are structured more like complete operating systems.

This past September Google released Chrome, its new web browser which was immediately faced with stiff competition in the form of Microsoft Internet Explorer, Mozilla Firefox, Apple Safari and Opera.  While internet users have a wide variety of browsers to choose from, the options are still limited in terms of security, including Chrome.  Experts contend that the browser war of who can out do one another in the feature department is what ultimately leads to these security vulnerabilities.

Though quite serious, the security issues associated with today’s popular web browsers are not attributed to a lack of effort.  Some say that developers are doing all they can but when considering the fact that website attacks such as cross site scripting and cross site request forgery are typically the result of design, these flaws tend to be much harder to fix than bugs found in software code.  Observers suggest that the vulnerabilities are not going to disappear entirely but do stress that browser developers can do more to enhance security.

In general, development teams only have a little time to address browser vulnerabilities before the hacker community is able to discover them.  Developers are being encouraged to practice browser security just like those who make other software products.  This is extremely important as the major web browsers literally have hundred of millions of users.  One solid approach towards website security is standardized authentication, something that would need to be addressed by system administrators.  Another recommendation is for browser developers to design products that alert users when they are being directed to intranet zones such as localhost or RFC1918 as attackers are increasingly targeting internal devices.  Security firms have also predicted that the manner in which data is handled when requests are made between a browser and website should play a critical part in future designs.

Staggering Numbers on Website Vulnerabilities

According to a recent study by Scott + Scott, a law firm based in Connecticut, 85% of businesses in the U.S. have experienced some sort of data breach, a factor that places the personal information of millions of consumers at great risk.  To no surprise, most of the companies involved in the study were exploited over the web with the leading cause being insecure servers and applications.  These vulnerabilities are what result in the lost of bank account numbers, credit card details and Social Security numbers while putting billions of dollars in jeopardy. Although there are various security mechanisms available to limit these exploits, the typical components such as firewalls and intrusions detection systems simply aren’t enough.

Intruders are just as aware of the critical information that can be accessed through an application as the webmaster.  In many cases, their entrance and overall success is attributed to numerous factors.  Those conscious of the roaming threats typically monitor network perimeters with firewalls and intrusion detection systems.  However, these components actually encourage exploits as they are required to keep ports 80 and 443 open to support SSL and protect online transactions.  To an intruder, these ports are open doors that enable website attacks in a number of different ways.  Most network firewalls are configured to secure only the internal perimeter, leaving the company open to a wide range of attacks.  And while both intrusion prevention and detection systems are somewhat more effective, they don’t perform complete analysis of a packet’s contents.  Without an additional layer of security, a knowledgeable intruder can penetrate a web application with relative ease.

An organization dedicated to improving the security of web-based applications, the OWASP (Open Web Application Security Project) recently composed a list of 10 of the most common vulnerabilities in today’s applications.  The potential threats are associated with the following:

1. Cross site scripting

2. Server-side scripting errors

3. The execution of malicious code

4. Insecure direct object reference

5. Cross site request forgery

6. Improper error handling and data leakage

7. Penetration of authentication and session management

8. Vulnerable cryptographic storage

9. Insecure web communications

10. Failure to restrict write permissions and URL access

The WASC Web Application Security Consortium have validated the OWASP’s top five application vulnerabilities with the testing of 31,373 sites.  Additionally, the Gartner Group reports that 97% of more than 300 sites studied in a survey were found to be vulnerable to application attacks.  The same study also revealed that 75% of today’s web attacks occur at the application level.

The numbers indicate that most E-commerce sites are easy targets for an array of attacks.  While proper coding is the key to prevention, one of the best methods of defense against application exploits is a web application scanner.   This type of mechanism protects both applications and servers from intruders by crawling through the site and analyzing every piece of content.  Such products conduct various tests along with simulated application attacks throughout the scanning process.  If genuine security holes are detected, reports are made and detail the severity of each vulnerability.  Security experts recommend using a scanner that offers a technical, in depth explanation of each vulnerability detected along with appropriate suggestions for eradicating them.

The Vulnerability of PHP

The PHP programming language has become one of the most efficient web development tools available.  First introduced in 1994, this language has literally been used to create millions of websites throughout the world.  While PHP offers the ability to create dynamic web pages and can be configured to run in a secure fashion, many of today’s servers are configured in a manner that leaves these scripts quite vulnerable.

PHP Functionality

Most servers running PHP are configured with the mod_php module as well as the Apache server application itself.  This enables HTTP requests to be sent through the PHP engine, which is responsible for processing the request before data is sent to the client.  Although this configuration offers a simple and effective way to get PHP functioning, it also raises security issues, especially in a shared or virtual private server hosting environment.

With the Masses Comes Massive Risk

Rarely will you find a company hosting one site on a single server.  Because many personal and small business sites only require a fraction of the server’s resources, web hosting providers generally host a number of sites on a single machine.  Though certainly more affordable than a dedicated server account, shared hosting offers numerous security risks.  Some of these vulnerabilities exist because an HTTP server such as Microsoft IIS or Apache require a significant amount of control over the content served to the client.  So if your website applications give visitors the ability to upload files or input data into web forms, you are essentially at risk as the HTTP server needs to have permission to write to a particular directory.

In the average shared hosting environment, the HTTP server is granted write permission to directories, giving anyone using PHP scripts on the server to write to directories as well.  This is an issue that puts shared hosting customers at the mercy of their neighbors.  Fortunately, there are a few preventive measures that can be taken to minimize these security risks, strategies that can be employed by both the server administrator and the end-user.

If you are hosting your site on a shared server configured with PHP, there are a few things that need to be done to remain isolated from common dangers.  One of the easiest ways to prevent the exploits in your applications is to perform a sanity check.  This simply means that if you require a user to enter alphanumeric characters, you need to make sure that is what you get instead of just letters or numbers.  Additionally, you should never allow direct SQL queries without validation first, which requires the proper configuration of your databases as well.  If your applications are not properly configured, you could easily be the victim of an SQL injection or similar exploits.

Allowing people to upload files to your site is risky, yet often necessary in some cases.  Since PHP allows you to obtain information on uploaded files before they are written to a final destination, you should take of advantage of this privilege and make sure everything is in order.  A common hacker exploit involves uploading malicious PHP scripts to gain access to sensitive files.  A simple way to validate file types is to ensure that they are what you anticipate.  For instance, if you only allow files that end in jpeg., anything else should strike you as suspicious.

All programming scripts have their vulnerabilities and PHP is one of the most widely exploited.  You can enjoy all this amazing development tool as to offer by understanding the permissions on the host server and designing your site with security in mind.