10 easy steps for a DIY security review of your website
Did you know that over half of all websites have a security vulnerability? With so many vulnerabilities out there, it’s important to do something about your website. You can’t just ignore the problem and hope everything will be okay.
In this blog post, we’ll show you how to perform a DIY web app security testing or security review for your website in 10 easy steps.
Ensure your header security is on point
Header security is one of the most effective tools for preventing attacks against the application layer in an effort to gain access to private user data, such as login credentials when they have been logged into a website session at some point during their visit.
In addition, many modern frameworks automatically include CSRF tokens within forms which also provide protection against “cross-site request forgery” attacks where unauthorized commands are executed via existing browser sessions without knowledge of this by the website user.
Ensure your input areas are protected
Input validation has been a standard practice for many years and still provides essential protection against injection attacks such as SQL, LDAP, XSS, etc.
These types of vulnerabilities can be exploited by an attacker to take control over any web application that accepts malicious content with little to no effort at all.
Injection vulnerability examples include cross-site scripting (XSS), reflected file download/path traversal (OPF/LFD), and remote command execution (RCE).
Ensure you use secure frameworks that provide native methods of protecting against these threats instead of having to implement custom code where possible!
Proactively protect your passwords
This is a classic and yet ignored even in 2021! The first step is to ensure you have a strong password policy, meaning users should only be allowed to create strong passwords consisting of special characters, alphanumerics, and a minimum length of at least 8 characters.
Secondly, securing passwords within a database securely becomes important. It’s best to use hashing with salts and a strong password policy to protect against brute force attacks, dictionary attacks, and rainbow table attacks.
Prevent the use of insecure session IDs informs
Ensure that your website’s login form does not allow for a single-use token to be transmitted via GET or POST parameters, such as those generated by many browser plugins that authenticate users when they click links within emails received from websites.
This is extremely dangerous because other sites can implement these tokens into their website/application and hijack sessions without knowledge. You should generate them client-side using JavaScript instead!
Ensure all site content is served over SSL
If you’re transferring sensitive information between your server and partners, it makes sense to ensure this data is sent securely to prevent anyone who may intercept it while in transit from accessing it and potentially exploiting the information.
This is especially important when transmitting payment card data such as bank account numbers, credit card details, and other sensitive personal/business information across the internet!
Implement Content Security Policy (CSP)
You can configure a website’s CSP using the header field – for example, to prevent inline scripts and style from running within your application you would create an appropriate policy such as “default-src ‘self'” which only allows JavaScript resources to be loaded via the same origin. This means only content loaded from the same website as the application will be allowed to run.
Ensure all input is validated
This step applies whether you’re writing code or for a security audit! Ensure you are performing data validation within user queries and web requests such as GET, POST, PUT, and DELETE, which can allow an attacker to launch attacks by simply modifying parameters to exploit existing vulnerabilities in your application’s logic.
You should also sanitize any output containing HTML/JavaScript tags before it gets returned back on screen so that if an attacker manages to inject JavaScript into this process they cannot hijack sessions via XSS or execute arbitrary commands using RCE without knowledge of the application’s owner.
Prevent XSS attacks by validating input data
Cross-site scripting is one of the most dangerous types of vulnerabilities on websites today because it enables attackers to inject client-side scripts into web pages without user knowledge or permission.
It presents itself in many forms but usually occurs when users attempt to inject untrusted data into JavaScript contexts within the HTML response, which is then reflected back on the screen in an unsafe way.
Secure cookie handling
Cookies can contain some important information about authenticated users, so it’s useful for attackers to be able to access them using various attacks. Ensure that cookies are transmitted via GET or POST parameters are properly encoded and flagged as “secure” so that it is only sent to the server over an SSL connection. All sensitive data should always be encrypted at rest (i.e., within a database) and in transit between partners/servers!
Reduce the exposure of your APIs
If you have an application API, then it means that other developers can use some form of functionality to build their own applications using your code. To ensure this doesn’t present a security risk, consider restricting what information gets exposed and encrypting all sensitive data before transmitting over network connections so only authenticated and authorized users can access it, and your API is secured.
[Bonus] Ensure XSRF protection
Cross-Site Request Forgery (CSRF) attacks are similar in nature to XSS, except instead of injecting JavaScript into web pages designed for user consumption, they attempt to force specific actions on websites via GET or POST requests without knowledge/consent from end-users.
Example of CSRF attack: A malicious user builds a website containing a form that POSTs an action to the target site, such as transferring money between accounts. The end-user either has no idea this is happening or may be tricked into clicking on a malicious link to transfer funds without realizing it. CSRF is, therefore, an attack that tricks users into making requests on behalf of the website owner without their knowledge.
To implement XSRF protection on your website you should ensure that any GET requests which update state always contain a CSRF token as part of the query string.
[Bonus] Protect against clickjacking
This attack takes advantage of users being tricked into clicking on something other than what they think, usually via some form of transparent element sitting on top of another, leading them to believe it is part of your website’s content.
You can prevent this from occurring by setting X-Frame-Options in your header response so only certain types/sizes of framing within web pages will be allowed (e.g. “deny all” or “allow sameorigin”).
Why DIY website security is important
Security should be a top priority when you are building your website. Over 50 security vulnerabilities have been found in just one day, and automated scanners can’t detect all of them. You’ll want to ensure that you’re using external pentesting services on an ongoing basis to ensure the safety of your visitors’ data and any sensitive information they share with you through their contact form or newsletter subscriptions.
Contact us if you’re looking for a reliable partner to ensure your website is secure.
Photo Credit: Envato Elements
