what you need to know about website security
Post on 15-Jul-2015
Website Security: What you need to know.
Example of hacked website
How did this happen?
If your website runs on Joomla, Drupal or CiviCRM, then your site is at risk of being hacked. Joomla, Drupal and CiviCRM developers often release security patches, which fix security vulnerabilities in their software. Your website (code) needs to be patched regularly with security updates (just like your computer) to keep it secure, in combination with other strategies.
What is a software vulnerability?
A vulnerability allows an attacker to:
- Execute commands as another user.
- Access data contrary to the specified access restrictions for that data.
- Pose as another entity.
- Conduct a denial of service.
- Conduct information gathering activities.
- Hide activities. The Google search shows an example of an attacker hiding links in your site that redirect your users to their website!
It also includes a capability that behaves as expected, but can be easily compromised.
A software vulnerability example
1. User Logs In: the user enters ' OR 1=1 # as the username.
2. Login Code: the developer's code to check logins:
$check = mysql_query("SELECT Username, Password, UserLevel FROM Users WHERE Username = '".$_POST['username']."' and Password = '".$_POST['password']."'");
3. What Actually Executes:
SELECT Username, Password, UserLevel FROM Users WHERE Username = '' OR 1=1 #' and Password = ''
4. The Result? # is a comment in MySQL, and 1=1 will always be TRUE. Thus, the login code returns all users, and logs in the first user in the database (typically an admin user).
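The four steps above can be reproduced end to end. The following is an added example, not code from the original slides or from Energetica: it rebuilds the slide's login query in Python against an in-memory SQLite table with two constructed users, runs it once with the user input spliced into the SQL text (as the PHP on the slide does) and once as a parameterised query. SQLite's line-comment marker is -- rather than MySQL's #, so the constructed payload uses -- to get the same effect.

```python
import sqlite3

# Constructed sample accounts (not from the original slides). The admin is
# inserted first, mirroring the slide's point that "the first user in the
# database" is typically an admin.
USERS = [
    ("admin", "s3cret-admin", 10),
    ("alice", "alice-pw", 1),
]


def make_db():
    """Build the Users table the slide's query reads from (in memory, SQLite)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (Username TEXT, Password TEXT, UserLevel INTEGER)")
    conn.executemany("INSERT INTO Users VALUES (?, ?, ?)", USERS)
    return conn


def vulnerable_login(conn, username, password):
    """Step 2 on the slide: user input concatenated straight into the SQL text.

    Returns the username of the first matching row (the account that would be
    logged in), or None when nothing matches.
    """
    sql = (
        "SELECT Username, Password, UserLevel FROM Users WHERE Username = '"
        + username + "' and Password = '" + password + "'"
    )
    rows = conn.execute(sql).fetchall()
    return rows[0][0] if rows else None


def safe_login(conn, username, password):
    """Same check with a parameterised query: the values travel separately
    from the SQL text, so a quote in the username is just a quote."""
    sql = "SELECT Username, Password, UserLevel FROM Users WHERE Username = ? and Password = ?"
    rows = conn.execute(sql, (username, password)).fetchall()
    return rows[0][0] if rows else None


# Step 1 on the slide, adapted to SQLite's comment syntax (constructed input).
INJECTED_USERNAME = "' OR 1=1 --"


def demo():
    """Run both login routines on the same inputs and return who gets in."""
    conn = make_db()
    return {
        "vulnerable_with_injection": vulnerable_login(conn, INJECTED_USERNAME, ""),
        "safe_with_injection": safe_login(conn, INJECTED_USERNAME, ""),
        "safe_normal_login": safe_login(conn, "alice", "alice-pw"),
    }


if __name__ == "__main__":
    for label, who in demo().items():
        print(f"{label}: {who}")
```

The concatenated version returns every row and therefore "logs in" admin with an empty password; the parameterised version returns no row for the same input and still works for a genuine login. The fix is the query shape, not filtering the input, which is why every database driver used by Joomla, Drupal and CiviCRM offers bound parameters.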
Source: Australian Government Department of Defence 2013
OWASP Top 10 Risks
The Open Web Application Security Project (owasp.org) is a community dedicated to enabling organisations to develop, purchase and maintain applications that can be trusted.
1. Injection - i.e. the login example.
2. Cross Site Scripting.
3. Broken Authentication and Session Management.
4. Insecure Direct Object References.
5. Cross-site Request Forgery.
6. Security Misconfiguration - i.e. ensure users have appropriate access.
7. Insecure Cryptographic Storage - i.e. don't store sensitive information without appropriate encryption.
8. Failure to Restrict URLs - i.e. ensure sensitive information requires login.
9. Insufficient Transport Layer Protection (no SSL when required) - i.e. use an SSL certificate when appropriate.
10. Unvalidated Redirects and Forwards - i.e. when you host with us, we install tools that proactively protect your site for added security.
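Two items on that list are small enough to show in code. The block below is an added example, not code from the original slides or from Energetica: it stores a password the way item 7 asks for (a salted, iterated hash rather than the plaintext column the login slide used, using PBKDF2 from the Python standard library) and checks a redirect target the way item 10 asks for (only same-site paths or HTTPS URLs on an allow-list). The allowed host, iteration count and sample inputs are constructed for the example.

```python
import hashlib
import hmac
import os
from urllib.parse import urlparse

# Constructed settings for the example.
PBKDF2_ITERATIONS = 200_000
ALLOWED_REDIRECT_HOSTS = {"www.example.com"}


def hash_password(password, salt=None):
    """Item 7: store a salted PBKDF2-SHA256 digest, never the password itself.

    Output format (constructed for this example): algo$iterations$salt$digest,
    so the parameters travel with the stored value and can be raised later.
    """
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute the digest with the stored salt/iterations and compare in
    constant time, so a wrong guess takes as long as a right one."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def is_safe_redirect(target):
    """Item 10: accept only a local path or an HTTPS URL on the allow-list.

    Rejects protocol-relative targets (//host/...), backslash tricks that some
    browsers treat as slashes, credentials in the authority (user@host), and
    any scheme other than https.
    """
    if not target or "\\" in target:
        return False
    parts = urlparse(target)
    if parts.scheme == "" and parts.netloc == "":
        # A bare path on this site; "//" was already excluded via netloc.
        return target.startswith("/")
    return parts.scheme == "https" and parts.hostname in ALLOWED_REDIRECT_HOSTS


if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")
    print("stored:", stored)
    print("verify right:", verify_password("correct horse battery staple", stored))
    print("verify wrong:", verify_password("Tr0ub4dor&3", stored))
    for t in ["/account", "//evil.example/x", "https://www.example.com/login",
              "https://www.example.com@evil.example/", "javascript:alert(1)"]:
        print(f"redirect {t!r}: {is_safe_redirect(t)}")
```

Hashing twice with a fresh random salt gives two different stored values for the same password, which is what stops a leaked table from being cracked in bulk. The redirect check uses the parsed hostname rather than string prefix matching, because "https://www.example.com@evil.example/" starts with the trusted name but sends the browser elsewhere.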
Prevention better than cure
1. Use maintained website platforms and modules. Use well-known software and modules that don't feature regularly on the Joomla and Drupal vulnerable extensions lists.
2. Don't use Joomla 1.5 or Drupal 6! If you have a Joomla v1.5 site or Drupal v6 site, contact Energetica about upgrading your site. There are many known security vulnerabilities in these versions and we recommend not using them in production.
3. Apply security updates when released. We can proactively update core Drupal, CiviCRM and Joomla versions when security updates are released, as part of our support packages.
4. Limit administration privileges. Perform regular audits of users and their access.
5. Patch the OS. We routinely patch our web hosting servers with the latest security updates.
Free Quick Check
Go to www.unmaskparasites.com and enter your website. Check that the links shown are ones you expect or know!
The example shows Energetica's website. All of the links returned are valid for us.
If you are unsure of the results of your scan, discuss them with us.
If your site has been hacked, Energetica can remove the hack and help prevent it from happening again.