Here are three common ways hackers try to break into websites, along with practical steps you can take today to stop them. And although each of three methods sounds techie, we’ll explain in plain English what’s happening on each occasion and give you the appropriate information to pass to your web developer to help mitigate the risk.
1) SQL Injection
SQL injection describes how a hacker exploits a website by submitting malicious code to the website's database. This type of attack is particularly dangerous as it can potentially allow an attacker to gain access to sensitive data stored in that database, such as passwords, personally-identifiable information and credit card numbers.
SQL injection occurs when a hacker enters code into a web form, such as an enquiry form. If the website fails to process that code safely, the hacker can cause that code to be executed directly against the site's database which, in effect, gives them direct access to the database and the data it contains.
To prevent an SQL injection, website owners must ensure that their websites validate every bit of data entered by a user to ensure that only valid and expected data is accepted and passed on to the database. Just because your enquiry form asks a user to enter an email address, it doesn't follow that they will! They can enter anything they like, including malicious code that they have created to cause harm to your site.
Encourage your developer to adopt an approach where they distrust all data received from a website visitor until it's been validated. If a piece of data fails your validation, it should be discarded.
How do I know if my website could be affected by an SQL Injection?
If your website contains an enquiry form, a search box, an online chat tool or any opportunity for a visitor to enter data, then it could potentially be vulnerable to an SQL Injection.
Key technical information for your developer
Developers should avoid constructing dynamic SQL queries using user input as this could be exploited by an attacker. Instead, queries should use parameterised SQL statements when interacting with the database, which replace user input with placeholders. This mitigates any malicious attempts to exploit a vulnerability.
Equally, the website’s database user should be allocated the minimum privileges required to complete a task and that user should not have access to irrelevant database tables or be granted privileges beyond that the website requires in order to function.
The database itself should be configured to accept incoming connections from the web server only.
No business owner or website manager wants to get caught up in the complexities of hacking and online security. But turning a blind eye to the risks could be catastrophic to your business!
2) Cross-Site Scripting (XSS)
Cross-Site Scripting (XSS) is similar to SQL injection except this time, the attacker adds malicious code to a website itself rather than its database. As before, XSS attacks exploit websites that allow users to input data – such as posting comments against a blog article or leaving a review against a product.
If that data is not properly validated, the hacker’s malicious code can end up being part of the website, which may give the attacker the means to steal sensitive information, redirect visitors to an unsafe website or even execute code on the user’s computer.
How do I know if my website could be affected by Cross-Site Scripting?
If your website has any type of user-generated content, such as comments on a blog or product reviews, then it could potentially be vulnerable to a Cross-Site Scripting attack.
Key technical information for your developer
To prevent a Cross-Site Scripting attack, you should ensure that any user-generated content is validated and sanitised before it’s displayed on the site.
This means that any malicious code or characters should be removed from the user’s input before it is processed and displayed.
Additionally, the website’s firewall should be configured to monitor, filter and report on incoming requests that contain suspicious code.
And the server’s operating system and web server software should be patched regularly with the latest security updates and fixes.
3) Broken authentication and session management
This is a common way for a hacker to exploit a website.
Broken authentication refers to weaknesses in a login process that are exploited to gain unauthorised access to a system. These weaknesses are often a result of easy-to-guess passwords, a lack of multi-factor authentication or no password expiration policies.
Session hijacking occurs when a malicious user intercepts and takes over a valid user's session. Once the session is hijacked, the attacker can view that user's confidential data and continue to use the website as if they were the user themselves.
How do I know if my website is vulnerable to broken authentication and session hijacking?
There are a few warning signs that indicate your website may be vulnerable and these signs include:
- Unexpected session IDs being created
- Unusual account logins from unknown locations
- Unauthorised changes to user accounts
- Suspicious activity on administrative accounts
How can you prevent broken authentication or session hijacking issues?
The best prevention is to use secure authentication methods and implement strong password policies. Here are a few steps you can take:
- Use multi-factor authentication to add an extra layer of security to your website
- Enable password expiration policies and require users to reset their passwords periodically
- Educate users on best practices for protecting their accounts
Key technical information for your developer
Similarly, some of the more technical steps you can take to protect your site from unauthorised access include:
- Monitoring your website for any suspicious activity, such as repeated attempts to complete the login page
- Implementing robust session timeouts, so users are not left logged in for extended periods
- Using encrypted communication protocols such as HTTPS for all web pages
- Keeping the web server's software patched and up-to-date
No business owner or website manager wants to get caught up in the complexities of hacking and online security.
But turning a blind eye to the risks could be catastrophic to your business as the consequences of an online security breach are very unpleasant! Unlawful access to your website’s data could put your users at personal and financial risk, to say nothing of the negative public relations that would follow.
A sensible, risk-averse business owner would be careful to use high-quality website hosting and work with a web development agency with a track record of building successful, secure online systems. After all, any additional costs incurred by using quality suppliers is repaid many times over when compared with the price of getting hacked!
