Chapter Six: Introduction To Web Security

The document provides an overview of web security. It defines web security and the CIA triad of confidentiality, integrity and availability. It discusses common threats like DDoS attacks, malware and vulnerabilities like SQL injection and cross-site scripting. The document outlines who is responsible for security and why websites get hacked, including goals of attackers. It then covers specific vulnerabilities and how to secure a website, such as updating software, using strong passwords, limiting access, and employing HTTPS.

Uploaded by Yididya Kedir
Copyright © All Rights Reserved

Chapter Six

Introduction to Web Security


What is Web Security?
• Web security is also known as “Cybersecurity”.
• It basically means protecting a website or web application by detecting, preventing and responding to cyber threats.
• Websites and web applications are just as prone to security breaches as physical homes, stores, and government locations.
• Unfortunately, cybercrime happens every day, and strong web security measures are needed to protect websites and web applications from becoming compromised.
• Website security is any action or application taken to ensure website data is not exposed to cybercriminals or to prevent exploitation of websites in any way.
Authentication vs Authorization
• Authentication: verifying that a person is (or at least appears to be) a specific user, because they have correctly provided their security credentials (password, answers to security questions, fingerprint scan, etc.).
• Authorization: confirming that a particular user has access to a specific resource or is granted permission to perform a particular action.
• Stated another way, authentication is knowing who an entity is, while authorization is knowing what a given entity can do.
Information Security CIA Triad
Confidentiality
• Confidentiality refers to access control of information to ensure that those who should not have access are kept out. This can be done with passwords, usernames, and other access control components.
Integrity
• Integrity ensures that the information end users receive is accurate and unaltered by anyone other than the site owner. This is often done with encryption, such as Secure Sockets Layer (SSL) certificates, which ensure that data in transit is encrypted.
Availability
• Availability rounds out the triad and ensures information can be accessed when needed. The most common threat to website availability is a Distributed Denial of Service (DDoS) attack.
Website security protects your website from:
• DDoS attacks: These attacks can slow or crash your site entirely, making it inaccessible to visitors.
• Malware: Short for “malicious software,” malware is a very common threat used to steal sensitive customer data, distribute spam, allow cybercriminals to access your site, and more.
• Blacklisting: Your site may be removed from search engine results and flagged with a warning that turns visitors away if search engines find malware.
• Vulnerability exploits: Cybercriminals can access a site and the data stored on it by exploiting weak areas in a site, like an outdated plugin.
• Defacement: This attack replaces your website’s content with a cybercriminal’s malicious content.
Website security protects your visitors from:
• Stolen data: From email addresses to payment information, cybercriminals frequently go after visitor or customer data stored on a site.
• Phishing schemes: Phishing doesn’t just happen in email – some attacks take the form of web pages that look legitimate but are designed to trick the user into providing sensitive information.
• Session hijacking: Some cyberattacks can take over a user’s session and force them to take unwanted actions on a site.
• Malicious redirects: Certain attacks can redirect visitors from the site they intended to visit to a malicious website.
• SEO spam: Unusual links, pages, and comments can be put on a site to confuse your visitors and drive traffic to malicious websites.
Who is responsible for web security?
• More people than you probably think!
• Developer: write the application so that it is secure
  • Or at least: so that it can be configured and used in a secure way
• Web server operator: don’t add insecurity through configuration
  • Make sure the web server, framework, and application are installed securely
• Network operator(s): prevent attacks on the infrastructure
  • E.g. DNS attacks are very dangerous!
• End user: use up-to-date clients as well as common sense
Why do websites get hacked?
• There were over 1.94 billion websites online in 2019. This provides an extensive playground for bad actors.
• There is often a misconception about why websites get hacked. Owners and administrators often believe they won’t get hacked because their sites are smaller, and therefore make less attractive targets. Hackers may choose bigger sites if they want to steal information or sabotage. For their other goals (which are more common), any small site is valuable enough.
Goals of Hacking a website
• Economic gain (Exploiting site visitors)
• Stealing information stored on the server
• Tricking bots and crawlers (black-hat SEO)
• Abusing server resources
• Hacktivism
• Pure hooliganism and boredom
What are the vulnerabilities?
SQL Injection
• SQL injection is done by injecting malicious code into a vulnerable SQL query. These attacks rely on an attacker adding a specially crafted request within the message sent by the website to the database.
• A successful attack will alter the database query in such a way that it returns the information desired by the attacker, instead of the information the website expected. SQL injections can even modify or add malicious information to the database.
Cross Site Scripting (XSS)
• Cross-site scripting attacks consist of injecting malicious client-side scripts into a website and using the website as a propagation method.
• The danger behind XSS is that it allows an attacker to inject content into a website and modify how it is displayed, forcing a victim’s browser to execute the code provided by the attacker when loading the page. If a logged-in site administrator loads the code, the script will be executed with their level of privilege, which could potentially lead to site takeover.
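An added example, not from the slides, of the defence this passage implies: a comment list rendered without output encoding beside the same list rendered with HTML escaping, plus a link builder for the attribute/URL context, which goes slightly beyond the slides. The comment data is constructed.

```python
from html import escape
from urllib.parse import urlparse

# Constructed comments, one of which carries script markup, standing in
# for what a visitor could submit through a comment form.
COMMENTS = [
    ("alice", "Great chapter!"),
    ("mallory", "<script>alert('xss')</script>"),
]


def render_unsafe(comments):
    # Interpolates untrusted text straight into the markup, so a browser
    # loading this page would run the script inside mallory's comment.
    items = "".join(f"<li><b>{user}</b>: {text}</li>" for user, text in comments)
    return f"<ul>{items}</ul>"


def render_safe(comments):
    # Output encoding: each untrusted value is escaped for the HTML element
    # context it lands in, so the browser shows the tags as literal text.
    items = "".join(
        f"<li><b>{escape(user, quote=True)}</b>: {escape(text, quote=True)}</li>"
        for user, text in comments
    )
    return f"<ul>{items}</ul>"


def safe_link(url, label):
    # The href attribute is a URL context: escaping alone is not enough,
    # so only http(s) schemes are allowed through; anything else becomes "#".
    if urlparse(url).scheme.lower() not in ("http", "https"):
        url = "#"
    return f'<a href="{escape(url, quote=True)}">{escape(label, quote=True)}</a>'


def contains_script_tag(html):
    # Marker used to compare the two renderers.
    return "<script" in html.lower()


if __name__ == "__main__":
    print(render_unsafe(COMMENTS))
    print(render_safe(COMMENTS))
    print(safe_link("javascript:alert(1)", "my site"))
```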
Credential Brute Force Attacks
• Gaining access to a website’s admin area, control panel or even to the SFTP server is one of the most common vectors used to compromise websites. The process is very simple: the attackers program a script to try multiple combinations of usernames and passwords until it finds one that works.
• Once access is granted, attackers can launch a variety of malicious activities, from spam campaigns to coin-miners and credit card stealers.
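An added example (not part of the slides) of how an operator can spot the scripted login attempts described above: a sliding-window count of failed logins per source address, run over constructed authentication log lines in an assumed "timestamp ip user result" format.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: one source hammering the admin login, and one
# ordinary user who mistypes once and then succeeds.
SAMPLE_LOG = """\
2024-05-01T10:00:01 198.51.100.7 admin FAIL
2024-05-01T10:00:02 198.51.100.7 admin FAIL
2024-05-01T10:00:03 198.51.100.7 administrator FAIL
2024-05-01T10:00:04 198.51.100.7 root FAIL
2024-05-01T10:00:05 198.51.100.7 admin FAIL
2024-05-01T10:00:06 198.51.100.7 admin FAIL
2024-05-01T10:03:00 203.0.113.9 alice FAIL
2024-05-01T10:03:20 203.0.113.9 alice OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (FAIL|OK)$")


def parse(log_text):
    # Yield (timestamp, ip, user, result); lines not matching the assumed
    # format are skipped rather than crashing the detector.
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, ip, user, result = m.groups()
            yield datetime.fromisoformat(ts), ip, user, result


def detect_brute_force(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return {ip: time the threshold was first reached} for every source
    that produced `threshold` or more failures inside one sliding window."""
    recent = defaultdict(deque)  # ip -> timestamps of failures still in window
    flagged = {}
    for ts, ip, _user, result in parse(log_text):
        if result != "FAIL":
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = ts
    return flagged


if __name__ == "__main__":
    for ip, when in detect_brute_force(SAMPLE_LOG).items():
        print(f"ALERT: {ip} exceeded the failed-login threshold at {when}")
```

The flagged address is the natural input for a temporary lockout or a rate limit on the login endpoint; the threshold and window are tuning knobs, not fixed values.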
Website Malware Infections & Attacks
Using some of the previous security issues as a means to gain unauthorized access to a website, attackers can then:
• Inject SEO spam on the page
• Drop a backdoor to maintain access
• Collect visitor information or credit card data
• Run exploits on the server to escalate access level
• Use visitors’ computers to mine cryptocurrencies
• Store botnet command & control scripts
• Show unwanted ads, redirect visitors to scam sites
• Host malicious downloads
• Launch attacks against other sites
DoS/DDoS Attacks
• A Distributed Denial of Service (DDoS) attack is a non-intrusive internet attack. It is made to take down the targeted website or slow it down by flooding the network, server or application with fake traffic.
• DDoS attacks are threats that website owners must familiarize themselves with, as they are a critical piece of the security landscape. When a DDoS attack targets a vulnerable resource-intensive endpoint, even a tiny amount of traffic is enough for the attack to be successful.
How to secure your website?
• Update everything
• Have strong passwords
• One site = one container
• Limit user access and permissions
• Validate input on both sides (client and server)
• Use HTTPS
How to make your information on the web more secure
• Use strong passwords
• Two-factor authentication (2FA)
• Always use secure networks
• Use more than one email address
• Be cautious about posting your email address online
Thank You!