DIY Website Security

10 Easy Steps for a DIY Security Review of Your Website

Did you know that over half of all websites have a security vulnerability? With so many vulnerabilities out there, it’s important to do something about your website. You can’t just ignore the problem and hope that everything will be okay. 

In this blog post, we’ll show you how to perform a DIY web app security testing or security review for your website in 10 easy steps.

Ensure your header security is on-point: 

Header security is one of the most effective tools for preventing attacks against the application layer in an effort to gain access to private user data such as login credentials when they have been logged into a website session at some point during their visit. 

In addition, many modern frameworks automatically include CSRF tokens within forms which also provide protection against “cross-site request forgery” attacks where unauthorized commands are executed via existing browser sessions without knowledge of this by the website user. 

Ensure your input areas are protected: 

Input validation has been a standard practice for many years and still provides essential protection against injection attacks such as SQL, LDAP, XSS, etc. 

These types of vulnerabilities can be exploited by an attacker to take control over any web application that accepts malicious content with little to no effort at all. 

Injection vulnerability examples include cross-site scripting (XSS), reflected file download/path traversal (OPF/LFD), and remote command execution (RCE). 

Ensure you use secure frameworks which provide native methods of protecting against these threats instead of having to implement custom code where possible!

Proactively protect your passwords:

This is a classic and yet ignored even in 2021! The first step is to ensure you have a strong password policy – meaning users should only be allowed to create strong passwords consisting of special characters, alphanumerics, and with a minimum length of at least 8 characters. 

Secondly, securing passwords within a database securely becomes important. It’s best to use hashing with salts and a strong password policy in order to protect against brute force attacks, dictionary attacks, and rainbow table attacks.

Prevent the use of insecure session IDs informs: 

Ensure that your website’s login form does not allow for a single-use token to be transmitted via GET or POST parameters, such as those generated by many browser plugins which perform the role of authenticating users when they click on links within emails received from websites. 

This is extremely dangerous because other sites can also implement these tokens into their own website/application and hijack sessions without knowledge. You should generate them client-side using JavaScript instead!

Ensure all site content is served over SSL: 

If you’re transferring sensitive information between your server and clients it makes sense to ensure this data is sent securely in order to prevent anyone who may intercept it while in transit from being able to access it and potentially exploit the information. 

This is especially important when transmitting payment card data such as bank account numbers, credit card details and other sensitive personal/business information across the internet!

Implement Content Security Policy (CSP): 

You can configure a website’s CSP using the header field – for example, to prevent inline scripts and style from running within your application you would create an appropriate policy such as “default-src ‘self'” which only allows JavaScript resources to be loaded via the same origin. This means only content loaded from the same website as the application will be allowed to run.

Ensure all input is validated: 

This step applies whether you’re writing code or for a security audit! Ensure that you are performing data validation within user queries and web requests such as GET, POST, PUT and DELETE which can allow an attacker to launch attacks by simply modifying parameters in order to exploit existing vulnerabilities in your application’s logic.

You should also sanitize any output containing HTML/JavaScript tags before it gets returned back on screen so that if an attacker manages to inject JavaScript into this process they cannot hijack sessions via XSS or execute arbitrary commands using RCE without knowledge of the application’s owner.

Prevent XSS attacks by validating input data: 

Cross-site scripting is one of the most dangerous types of vulnerabilities on websites today because it enables attackers to inject client-side scripts into web pages without user knowledge or permission. 

It presents itself in many forms but usually takes place when users attempt to inject untrusted data into JavaScript contexts within the HTML response which is then reflected back on the screen in an unsafe way.

Secure cookie handling: 

Cookies can contain some important information about authenticated users so it’s useful for attackers to be able to access them using various attacks. Ensure that when cookies are transmitted via GET or POST parameters they are properly encoded and also flagged as “secure” so it is only sent to the server over an SSL connection. As ever, all sensitive data should always be encrypted both at rest (i.e. within a database) and in transit between clients/servers!

Reduce the exposure of your APIs: 

If you have an application API then it means that there is some form of functionality that other developers can use to build their own applications using your code. In order to ensure this doesn’t present a security risk, consider restricting what information gets exposed and also encrypting all sensitive data before transmitting over network connections so only users who are authenticated and authorized will be able to access it and your API is secured.

[Bonus] Ensure XSRF protection: 

Cross-Site Request Forgery (CSRF) attacks are similar in nature to XSS except instead of trying to inject JavaScript into web pages designed for user consumption they attempt to force specific actions on websites via GET or POST requests without knowledge/consent from end-users. 

Example of CSRF attack: Malicious user builds a website containing a form which POSTs an action to the target site – for example, transferring money between accounts. The end-user either has no idea this is happening or may be tricked into clicking on a malicious link in order to transfer funds without realizing it. CSRF is therefore an attack that tricks users into making requests on behalf of the website owner without their knowledge. 

To implement XSRF protection on your website you should ensure that any GET requests which update state always contain a CSRF token as part of the query string.

[Bonus] Protect against Clickjacking: 

This attack takes advantage of users being tricked into clicking on something else other than what they think, usually via some form of transparent element sitting on top of another and leading them to believe it is part of your website’s content. 

You can prevent this from occurring by setting X-Frame-Options in your header response so only certain types/sizes of framing within web pages will be allowed (eg “deny all” or “allow sameorigin”).

Summing Up

Security should be a top priority when you are building your website. There have been over 50 security vulnerabilities found in just one day, and automated scanners can’t detect all of them. You’ll want to make sure that you’re using external pentesting services on an ongoing basis to ensure the safety of your visitors’ data as well as any sensitive information they share with you through their contact form or newsletter subscriptions.