Security of Websites - Term Paper Example

Summary
The paper 'Security of Websites' gives detailed information about how the extensive growth and use of the internet over the years have led to websites and web applications facing more threats and vulnerabilities each day.

Introduction

The extensive growth and use of the internet over the years have led to websites and web applications facing more threats and vulnerabilities each day. This demonstrates the importance and emphasis developers and website administrators have put on web security. Web security does not only entail securing the web application, but also securing the web server and the web users as well. This article aims at explaining the various forms of threats, attacks and vulnerabilities that web applications, servers and users face. It will also show various methods of how to prevent, minimize and deal with security loopholes that attackers exploit. The importance of ensuring the security of websites, web servers and their users cannot be underestimated (Braithwaite, 2002).

Discussion

There are various vulnerabilities that web applications and websites face. These threats range from security loopholes created during development to those at the servers and at the user interfaces. This discussion will mostly focus on the security of website applications developed using the PHP language and driven by an SQL database.

PHP Function Security

Developing website applications using PHP is relatively easy, since its syntax and semantics can be grasped easily and quickly. The buck, though, doesn't stop there. PHP is capable of performing diverse functions when working seamlessly and flawlessly with HTML. The fact that it is open source and also works well with other open source tools and languages, such as the MySQL database and the Apache server, makes it one of the most preferred web development languages for developers, and also very much targeted by hackers and malicious web users. Many developers, especially beginners, ignore or forget the aspect of security (Shaw, 2001). It is worth noting that even advanced developers sometimes write code that is vulnerable to attacks. PHP code will run even if there are security loopholes in it.
These loopholes are not hard to locate in PHP and are what malicious web users look for. Although PHP offers some great features that can be used to minimize security vulnerabilities, it is up to the developer to utilize them (Braithwaite, 2002). Securing PHP applications entails limiting coding errors as much as possible. Common types of PHP security loopholes are:

Error Reporting

This is a PHP tool that allows diagnosis of errors and quick and easy fixing. It is also a potential security vulnerability when not properly used, such as when errors are publicly visible to users on-screen, since it reveals a lot of information, including security loopholes in the code. display_errors should be turned off (set to '0') so that errors cannot be viewed on-screen by users. If display_errors is turned on (set to '1'), errors will be displayed on-screen to users, posing a security threat that hackers can exploit. You can instead report errors by enabling log_errors: turn on log_errors and give the location of the log file using error_log.

Register_Globals

Writing PHP applications is made convenient and simpler by the use of register_globals. This, however, poses a great threat in terms of security, so register_globals should always be turned off. If turned on, users who are neither authenticated nor verified can inject variables into the application and thus gain administrative access to it. A good example is where a user appends '?admin=1' to the end of a page URL and gains access to the site's administrative areas, which should require a secure password, e.g.

if (isset($_POST['pwd']) && $_POST['pwd'] == "wxyz") { $admin = TRUE; }

If register_globals is turned off, this kind of forced access cannot occur. Therefore, it is advisable to use the predefined PHP superglobals such as $_POST, $_ENV, $_COOKIE, $_SERVER or $_GET to ensure tight security.
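The two settings above, put together in working code. This is an added example and not code from the paper: it sends diagnostics to a log file instead of the screen, and rewrites the admin check so that it only consults the explicit $_POST data and initialises $admin before use, which is what makes the '?admin=1' trick inert (register_globals itself was removed in PHP 5.4). The log path is a placeholder and 'wxyz' is the paper's sample password; the hash is computed at run time for the demonstration.

```php
<?php
// Added example, not code from the paper: error reporting sent to a log file
// rather than the screen, and an admin check that does not depend on
// register_globals. The log path is a placeholder; 'wxyz' is the paper's sample password.
declare(strict_types=1);

// Keep full diagnostics, but write them to a log instead of showing them to visitors.
error_reporting(E_ALL);
ini_set('display_errors', '0');                       // nothing on-screen
ini_set('log_errors', '1');                           // ...but still recorded
ini_set('error_log', '/var/log/php/app-errors.log');  // placeholder path, must be writable by PHP

/**
 * Decide whether the request is an authenticated admin request.
 * Only the explicit $post array is consulted, and $admin is initialised
 * before use, so a query-string parameter such as ?admin=1 can never
 * pre-set it. The password is compared against a hash, never as plain text.
 */
function isAdminRequest(array $post, string $adminPasswordHash): bool
{
    $admin = false;
    if (isset($post['pwd']) && is_string($post['pwd'])
        && password_verify($post['pwd'], $adminPasswordHash)) {
        $admin = true;
    }
    return $admin;
}

// Constructed demonstration: the hash would normally live in configuration, not in source.
$adminPasswordHash = password_hash('wxyz', PASSWORD_DEFAULT);

$cases = [
    'correct password'    => ['pwd' => 'wxyz'],
    'wrong password'      => ['pwd' => 'guess'],
    'admin=1 with no pwd' => ['admin' => '1'],   // the register_globals trick, now inert
    'empty request'       => [],
];
foreach ($cases as $label => $post) {
    printf("%-20s -> %s\n", $label, isAdminRequest($post, $adminPasswordHash) ? 'admin' : 'not admin');
}
```

Run from the command line, only the first case is reported as admin; the 'admin=1' request is refused because nothing outside the function body can create or set $admin. The ini_set() calls are shown for completeness; on a production server the same values belong in php.ini so they apply before any script runs.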
Cross-Site Scripting (XSS)

Hackers use this method to collect a website's user data. They do this by using malicious JavaScript code or markup, which either redirects the browser or the user, or tricks users into presenting their login credentials which, instead of giving them access to that particular site, maliciously capture their login information. Cross-site scripting can be dealt with by disabling JavaScript or images in the browser (Shaw, 2001). Given the trends in website development today, this technique is obsolete, since most sites created nowadays rely extensively on JavaScript or images. A better and more ideal way of dealing with XSS threats is for PHP developers to use less vulnerable techniques, such as using a $_POST request to submit form data instead of the more vulnerable $_GET request. Basically, reducing XSS vulnerabilities entails controlling what the user inputs into the website by making sure such inputs are filtered first, to ensure no malicious code is submitted (Braithwaite, 2002). Consider the code snippet below: The code above works very well in ensuring that JavaScript and HTML code are not embedded in the user input. htmlentities(), a PHP function, is very important in protecting against cross-site scripting.

Remote File Inclusion (RFI)

This is the most damaging vulnerability to PHP security, since many PHP developers are not aware of it. As the name suggests, it involves an attacker injecting a PHP application with malicious code from a remote location, with the aim of either accessing the server's root folder or spamming from the server. This is very risky because unauthorized access by any malicious user to a server can mean abuse and destruction of information stored in databases. Making sure that allow_url_fopen is on and the allow_url_include directive is set to off will protect a website or web application against RFI attacks adequately (Shaw, 2001).
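The XSS snippet the paper refers to is not reproduced in this extract. What follows is an added example, not the paper's code, showing the two mitigations from the passage in working form: an htmlentities() wrapper that encodes untrusted text before it is placed in a page, and an allow-list lookup in front of include() so that no user-controlled value, remote URL or otherwise, can ever name the file that is included. The page names, template directory and the sample comment are constructed for the demonstration.

```php
<?php
// Added example, not the paper's missing snippet: output encoding against XSS
// and an allow-list include that removes the remote-file-inclusion risk.
declare(strict_types=1);

/**
 * Encode a value for placement inside HTML text or a quoted attribute.
 * ENT_QUOTES also converts ' and ", so the result is safe inside attributes;
 * naming the charset explicitly avoids mismatched-encoding bypasses.
 */
function e(string $value): string
{
    return htmlentities($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/**
 * Include one of a fixed set of page templates. The request value is used
 * only as a key into the map, never as part of a path, so neither a remote
 * URL nor a traversal string can reach include().
 */
function renderPage(string $requested, string $templateDir): string
{
    $pages = [                         // allow-list of page names (assumed layout)
        'home'    => 'home.php',
        'contact' => 'contact.php',
    ];
    $file = $pages[$requested] ?? $pages['home'];   // unknown name: fall back, do not guess
    ob_start();
    include $templateDir . '/' . $file;
    return (string) ob_get_clean();
}

// Constructed untrusted input, as a visitor might submit it in a comment form.
$comment = '<script>alert("xss")</script> "quoted" & <b>bold</b>';

// Encoded, the markup is shown as literal text and no script runs.
echo '<p>' . e($comment) . "</p>\n";
echo '<input type="text" value="' . e($comment) . "\">\n";

// Constructed template directory so the include part runs stand-alone.
$dir = sys_get_temp_dir() . '/rfi_demo_' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
file_put_contents($dir . '/home.php', "<h1>Home</h1>\n");
file_put_contents($dir . '/contact.php', "<h1>Contact</h1>\n");

echo renderPage('contact', $dir);                          // known key: contact template
echo renderPage('http://evil.example/shell.txt', $dir);    // not in the map: home template
echo renderPage('../../etc/passwd', $dir);                 // likewise ignored
```

Encoding happens at output time, when the context (HTML text, attribute) is known; filtering on input alone, as the paper suggests, cannot know where the value will later be placed. The allow-list pattern is what makes allow_url_include irrelevant for this code path: the attacker's string is never joined into the include path at all.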
External File Access

One characteristic of server-side scripting languages such as PHP is that the source code is hidden from users. At times, the server or PHP module might fail, displaying the code to the user as unparsed plain text, which is a security vulnerability: when the source code is visible, a malicious user may be able to find security loopholes in the application much more easily. This failure of the server or PHP module may also display scripts that contain configuration files to users in an unparsed, plain manner. Even though some files belonging to subfolders in the root folder may not be displayed in plain form to users, malicious users can access them by entering their names into the URL. This problem can normally be addressed by employing frameworks that use the Model-View-Controller (MVC) pattern, which ensures that the code that controls what is visible to users is in a different location from the code that guides the website's functionality and the code responsible for querying the database (Shaw, 2001).

Session Security

Many PHP developers nowadays use sessions and cookies to track site users' activities. Even though the use of sessions and cookies is not in itself a breach of the application's security, they can be used by hackers to compromise site users' accounts. PHP will more often than not store a cookie on the user's computer when sessions are used. This cookie, known by default as PHPSESSID (the name can be changed by the developer), holds a session identifier value which is always linked with some data on the server. Sessions can, as a matter of fact, also be transferred through the URL. Session IDs can be stolen or intercepted. The commonly known way of intercepting or stealing cookies is through cross-site scripting. When stolen cookies are used, the concept is referred to as session fixation.
Stolen session IDs can be used to log malicious users in, and this is especially risky when the stolen ID has administrative access. If a website or web application is on shared hosting, then the issue of stolen cookies can also arise just as with XSS, since session data are by default stored in the /tmp directory, which is accessible and writable by all the others whose websites are hosted on the shared account. This problem can be addressed using several techniques, one of which is to frequently change the session ID. If this is done, then an intercepted or stolen session ID is likely to be invalid when used. PHP has a function known as session_regenerate_id() which, when called, regenerates the session ID and informs the client through the Set-Cookie HTTP response header. In PHP 5.2+, a flag called httponly is used to deny JavaScript access to the cookie. This is done through the directive session.cookie_httponly in php.ini, or using the function session_set_cookie_params(). As far as shared hosting is concerned, preventing the cookie from being stolen or intercepted requires one to store session data in another location. This can be achieved by setting another path using the directive session.save_path, or by storing them in a database (Braithwaite, 2002).

Cross-Site Request Forgery

Another PHP security vulnerability is cross-site request forgery (CSRF), where users are tricked into invoking requests they haven't made. For example, in a web application, it is possible to delete a user using /user/delete/adino, which will delete the user 'adino'. An attacker might embed code such as on a website which will trick users into requesting that page without their knowledge. It's worth noting that normally only administrators should be invoking such calls. PHP web application security can therefore be ensured by vigilant site monitoring and accurate coding.
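The session and CSRF measures from the two passages above, combined into one runnable piece. This is an added example, not the paper's code: it moves session files to a private save_path, sets the httponly (and secure) cookie flags through session_set_cookie_params(), calls session_regenerate_id(true) at login, and protects the /user/delete/<name> action with a per-session token and a POST-only rule so that a forged request from another site cannot carry the token. The array form of session_set_cookie_params() needs PHP 7.3 or later; the SameSite attribute and use_strict_mode are additions beyond what the paper lists; the session directory and the user names are constructed.

```php
<?php
// Added example, not the paper's code: session hardening plus a CSRF token
// for the /user/delete/<name> action. Requires PHP 7.3+; the save path is a
// placeholder created at run time so the script runs from the command line.
declare(strict_types=1);

function startHardenedSession(string $savePath): void
{
    ini_set('session.save_path', $savePath);   // private directory instead of the shared /tmp
    ini_set('session.use_only_cookies', '1');  // never accept the session ID from the URL
    ini_set('session.use_strict_mode', '1');   // reject IDs the server did not issue itself
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,      // cookie only sent over HTTPS
        'httponly' => true,      // the paper's httponly flag: JavaScript cannot read it
        'samesite' => 'Strict',  // browser will not attach it to cross-site requests
    ]);
    session_start();
}

function loginUser(string $username, string $role): void
{
    // New ID at the privilege change; true discards the old session data, so a
    // previously stolen or planted ID stops working from this point on.
    session_regenerate_id(true);
    $_SESSION['user'] = $username;
    $_SESSION['role'] = $role;
    $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
}

function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrfTokenIsValid(?string $submitted): bool
{
    return is_string($submitted)
        && isset($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $submitted);  // constant-time comparison
}

/** Handler for the delete action: state change only via POST, with token and role checks. */
function handleDeleteUser(string $method, array $post, string $name): string
{
    if ($method !== 'POST') {
        return "405: $method /user/delete/$name refused";   // a planted link or image tag cannot delete
    }
    if (!csrfTokenIsValid($post['csrf_token'] ?? null)) {
        return '403: missing or invalid CSRF token';
    }
    if (($_SESSION['role'] ?? '') !== 'admin') {
        return '403: only administrators may delete users';
    }
    // deleteUserFromDatabase($name);  // hypothetical persistence call
    return "deleted user $name";
}

// Constructed demonstration.
$dir = sys_get_temp_dir() . '/sessions_demo';
if (!is_dir($dir)) {
    mkdir($dir, 0700);
}
startHardenedSession($dir);
loginUser('alice', 'admin');

// The token travels in the site's own form, encoded like any other output.
echo '<input type="hidden" name="csrf_token" value="'
    . htmlentities(csrfToken(), ENT_QUOTES, 'UTF-8') . "\">\n";

echo handleDeleteUser('GET', [], 'adino'), "\n";                          // refused: not POST
echo handleDeleteUser('POST', ['csrf_token' => 'forged'], 'adino'), "\n";  // refused: bad token
echo handleDeleteUser('POST', ['csrf_token' => csrfToken()], 'adino'), "\n";
```

Only the last call reaches the deletion. The token check works because the attacker's page cannot read the victim's session and therefore cannot know the value to submit; the POST-only rule removes the simplest form of the attack, a request triggered by merely loading an image or link.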
There are, however, other very good tools that can assist in easily and quickly identifying potential threats in PHP code, such as:

  • phpSecInfo, which reports security-related information and at the same time suggests ways of improving on the errors.
  • PHP Security Scanner, which is used for scanning for vulnerabilities in PHP code.
  • Spike PHP Security Audit Tool, which helps in carrying out static analysis of PHP code.

These will help search PHP code for any security loopholes so that developers can correct them at the development stage.

SQL Security

SQL is a structured query language normally used to query databases. As mentioned earlier, ensuring web security also entails securing database operations. Web developers, both advanced and beginners, are often unaware of how poorly written SQL statements can pose a security threat. Attackers can tamper with SQL queries, thus altering access controls, which in turn allows bypass of standard authorization and authentication checks. There are many threats and vulnerabilities that databases are exposed to, such as:

SQL Injection

This is where attackers target website security by injecting SQL statements in a web form. Predefined SQL commands are thus executed. This can lead to attackers gaining access to sensitive database data such as passwords, performing administrative database functions such as shutting down the database, being able to modify data in the database and/or being able to recover deleted or cleared data in the database (Feiler, 1999). These attacks also enable attackers to cause issues such as changing balances, allowing complete disclosure of system data or voiding transactions. Due to the use of old functional interfaces, PHP is commonly associated with SQL injection. One point worth noting, though, is that the attacker's skill determines how severe SQL injection can be (Shaw, 2001).
The main consequences of SQL injection include: erosion of confidentiality of SQL database data; authentication loopholes caused by poorly constructed SQL commands; loss of data integrity if an SQL injection vulnerability leads to changes of database data; and alteration of authorization information if such vulnerabilities are exploited. SQL injection-based attacks are a major issue as far as database-driven web applications are concerned, since they are very easy to exploit, hence the need for prevention. There are several ways of dealing with the SQL injection menace, such as using parameterized stored procedures, parameterized queries using typed, bound parameters, and the use of escape characters. Parameterized queries with bound parameters keep data and queries separated. This is achieved through the use of placeholders referred to as "bound" parameters, e.g.

SELECT * FROM users WHERE username = ? AND password = ?

The developer then supplies the values of the two variables $username and $password separately, when the statement is executed, rather than writing them into the query text. Another effective mechanism for mitigating SQL injection is the use of parameterized stored procedures. This can be used in conjunction with parameterized bound queries to reduce the likelihood of SQL injection happening. If dynamic code execution is used, however, SQL injection can still occur. Using escape characters to escape table names is yet another very useful technique that can be employed to mitigate vulnerabilities that can cause SQL injection to occur. For example:

$users = mysql_real_escape_string($users);

There are other traditional ways of preventing SQL injection, such as handling it as an input validation problem. This way you either identify and escape a list of malicious values, or only accept data from a list of safe values. This can be achieved by enforcing very strict form input validation rules (Shaw, 2001).
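The bound-parameter approach from the passage above, placed beside the string-built query it replaces. This is an added example and not the paper's code: both versions run against an in-memory SQLite table through PDO so the difference can be observed without a MySQL server (the pdo_sqlite extension is required). It also departs from the paper's query in one respect: the password is not compared inside SQL but verified in PHP against a stored hash, so the query binds only the username. The table, the sample user and the hostile input are constructed.

```php
<?php
// Added example, not the paper's code: a query built from user input beside
// the prepared-statement version, run against an in-memory SQLite table.
// Requires the pdo_sqlite extension. All data is constructed for the demo.
declare(strict_types=1);

function setupDatabase(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)');
    // One constructed user; the hash is computed at run time.
    $stmt = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
    $stmt->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);
    return $pdo;
}

// VULNERABLE: the user-supplied value becomes part of the SQL text, so quote
// characters in it change the structure of the WHERE clause.
function findUserVulnerable(PDO $pdo, string $username): ?array
{
    $sql = "SELECT id, username, password_hash FROM users WHERE username = '$username'";
    $row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// SAFE: the ? placeholder is bound at execute time; the value is sent as data
// and is never parsed as SQL, whatever characters it contains.
function findUserSafe(PDO $pdo, string $username): ?array
{
    $stmt = $pdo->prepare('SELECT id, username, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// Password check done in PHP against the stored hash, not inside the query.
function login(PDO $pdo, string $username, string $password): bool
{
    $row = findUserSafe($pdo, $username);
    return $row !== null && password_verify($password, $row['password_hash']);
}

$pdo = setupDatabase();
$hostile = "x' OR '1'='1";   // constructed input containing a quote character

$vulnerable = findUserVulnerable($pdo, $hostile);
$safe       = findUserSafe($pdo, $hostile);

printf("string-built query: %s\n", $vulnerable ? 'matched user ' . $vulnerable['username'] : 'no match');
printf("prepared statement: %s\n", $safe ? 'matched user ' . $safe['username'] : 'no match');
printf("login alice/correct: %s\n", login($pdo, 'alice', 'correct horse') ? 'ok' : 'denied');
printf("login alice/wrong:   %s\n", login($pdo, 'alice', 'nope') ? 'ok' : 'denied');
```

The string-built query matches alice's row even though no such username exists, because the quote in the input turned the WHERE clause into one that is always true; the prepared statement looks for a user literally named x' OR '1'='1 and finds none. Note that prepare() only separates data from the statement when the placeholder stands for a value; it cannot parameterize a table or column name, which is why the paper's remark about dynamic SQL still applies.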
Securing user information when developing a website is another very important security concern.

E-Business Security

The fact that e-business is an internet-based application provides ease of access by very many users regardless of their location. The internet, being unmanaged and unregulated, poses wide and great threats and risks to an e-business application. Therefore, e-business is prone to various attacks by hackers, such as:

  • Accessing sensitive data and/or copying, destroying or altering it, e.g. catalogues, price lists, etc.
  • Corrupting critical business data using viruses.
  • Performing DoS (denial of service) attacks, thus making it impossible for authorized users to access the site, which may sometimes force the site to stop operating completely.
  • Accessing crucial financial information concerning the customers or the business with the aim of defrauding either the customers or the business.
  • Changing the website in ways that end up damaging the site's image and/or redirecting customers to other sites.

Such malicious attacks can have very devastating effects on an e-business, including losses due to bad and unwelcome publicity, and loss of finances either due to litigation or fraud. Lastly, there may be loss of market share as a result of decreased customer confidence caused by a DoS attack, and sometimes the business could face criminal prosecution due to breach of the Computer Misuse Act, the Data Protection Act or any other regulation that applies to e-business (Feiler, 1999). It is therefore very important that owners and developers of e-business websites understand the risks and consequences associated with a breach in the security of an e-business/e-commerce site. These threats are always either accidental or malicious. It is therefore advisable that procedures are put in place that can guard the website against all these types of vulnerabilities.
Malicious threats can range from attempts by hackers to alter, read or destroy sensitive data, to malicious users posing as legitimate users with the sole aim of copying the website idea, or even authorized users exposed to attacks such as malicious downloads of mails or files that can harm the website. Potential threats to critical and sensitive information should be looked at in three different ways: the potential sources of threats, the expertise level of the potential hackers, and the tools and facilities available to such hackers (Braithwaite, 2002). In order to minimize the threats and attacks associated with an e-business, it is advisable that a risk assessment is carried out. This assessment should aim at defining information access requirements for the business, such as access rules for different user groups. Several control measures can also be introduced to reduce security risks on e-business systems; they should not be too strict and restrictive. These controls may include:

  • User authentication techniques, which can be used to identify and verify the credentials of anyone trying to gain access to the e-business website.
  • Access controls that restrict different levels of user to various levels of information and also ensure that they only access authorized data.
  • Intrusion detection techniques that can be used to identify any malicious attempts being made to access the e-business system. These can generate alerts, such as emails, whenever a suspect attempt is detected.

Website User Interface Design

Web user interface design is another very essential aspect of delivering a successful and user-friendly web application. This entails allowing website users easy access to the site and the ability to complete tasks and goals without distractions, which in the end results in reduced costs, such as support and training costs, and very satisfied, happy and engaged users.
To achieve this, though, there are various fundamental aspects that both the site owner and the developers must not ignore. These concepts are discussed below. It is very important that the designers, developers and website owner know and understand their users' goals and needs. To successfully implement a web interface that satisfies the users, designers and developers need to make the users' needs and goals their own. They should also research what kind of interface their potential users like and understand how they interact with such interfaces. This will enable you to create a web interface that not only appeals to the users, but also enables them to meet their goals (Feiler, 1999). Users also interact with interfaces other than yours, and it is therefore advisable that you keep tabs on the latest patterns and styles. Through the use of familiar user interface patterns, your users will feel much more at home. Another very important aspect to consider is consistency. Users need to know that once they have learned how to do something, they will always do it that way again, and thus consistency in the interface layout, design and language is very important. Consistency makes your users more efficient by enabling them to understand better how things work and will work. It is of stern importance that your interface communicates with your users through feedback: it should indicate whether the user's actions are right or wrong. Your interface should also be designed in such a way that it allows users to focus on the important things first, which reduces complexity. Users will always make mistakes no matter how simple the interface is, and therefore your interface should tolerate user mistakes by allowing users to undo some of their actions. You should also consider providing concise and very clear labels for actions and ensure your messaging is simple. Last but not least, ensure that the interface you are developing is as simple as possible, with only the necessary elements used.
Keep revisiting your user interface over and over to make it more satisfactory to the users and easier for them to use in attaining their goals.

Conclusion

The criticality and importance of web security cannot be ignored. The catastrophic effects if security loopholes and breaches are exploited by malicious users are grave and far-reaching. It is therefore imperative that web developers keep in mind securing not only the code, but the database and the users as well. We have also seen the importance of designing clean, simple and satisfactory user interfaces that do not get in the way of users but rather enable them to attain their goals.

Bibliography

Braithwaite, Timothy. Securing E-Business Systems. (2002).
Feiler, Jesse. Database Driven Websites. First Edition, (1999).
Fugini, Grazia Maria. Database Security. ACM Press Books, First Edition. Addison-Wesley Professional, (November 30, 1994).
Greenspan, Jay & Bulger, Brad. MySQL/PHP Database Applications. M&T Books, (2001).
Hoekman, Robert. Designing the Obvious: A Common Sense Approach to Web Application Design. New Riders, (December 2006).
Litchfield, David, Anley, Chris, Heasman, John & Grindlay, Bill. The Database Hacker's Handbook: Defending Database Servers. Wiley, (July 14, 2005).
Shaw, Paul. E-Business Privacy and Trust. (2001).
Silberschatz, Avi, Korth, Henry F. & Sudarshan, S. Database System Concepts. 6th Edition. McGraw-Hill.
Stephens, Ryan K. & Plew, Ronald R. Database Design. First Edition, (2000).