HackerOne users: Testing against this community violates our program's Terms of Service and will result in your bounty being denied.

How to Start a Forum, Part B

edited January 2014 in Tutorials

Because this is very long it is split into more parts.

So you now have a forum and it looks good and feels good. You have filled it with content and now you must make sure it is safe to use and visit.

Each day, Google identifies 9,500 malware-infected websites, about 4,000 of which are legitimate sites compromised by hackers. About half of these victims learn they've been hacked when they see the same browser and search-engine danger warnings their customers see, a sign they've been blacklisted, according to a survey by StopBadware, a nonprofit anti-malware organization in Cambridge, Mass. Some 45 percent are notified of the problem by one of their technology providers , a much better scenario.

Small businesses are especially vulnerable to hacking because they usually lack the technology expertise and site security that larger companies have. They also suffer more if their lack of expertise slows repairs and their ability to get back to work. Business owners can lose significant online traffic and sales if their site lands on blacklists operated by Google and other search engines.

An Austin, Texas-based startup site was down for a week in early June after hackers broke in and pointed all its links to sites selling Viagra. Exactly how hackers got in wasn't clear, so they tackled every entry point. In addition to cleaning all links, they erased and rebuilt its server, upgraded its content management software, and revamped how employees log in and change site content.

Recovery required the full-time work of three people and significant help from the company's hosting service. While it achieved a clean bill of health from Google's Webmaster Tools service more quickly, Web searches triggered a scary warning that "This site may be compromised" for more than three weeks, casting a shadow over the new business. When contacted about the issue, Google said residual "spammy content" in search results caused the warning, but that it would remove it because the spam itself was gone.

If this happens to you, take your site offline or put it in maintenance mode asap. The only ones you need to contact are Google or Bing . Avoid Scam ratings sites that pretend their ratings can affect you. They only sell trust seals that don't mean anything and it's a scam to make website owners fix their ratings by buying a trust badge or seal. These ratings websites are useless. The people who rate do not even visit the sites they rate, they use an automated mass rating script.
So don't take their ratings serious.

You may not think your site has anything worth being hacked for, but websites are compromised all the time. The majority of website security breaches are not to steal your data or deface your website, but instead attempts to use your server as an email relay for spam, or to setup a temporary web server, normally to serve files of an illegal nature. Hacking is regularly performed by automated scripts written to scour the Internet in an attempt to exploit known website security issues in software.

Keep software up to date

It may seem obvious, but ensuring you keep all software up to date is vital in keeping your site secure. This applies to both the server operating system and any software you may be running on your website such as a CMS or forum. When website security holes are found in software, hackers are quick to attempt to abuse them.

If you are using a managed hosting solution then you don't need to worry so much about applying security updates for the operating system as the hosting company should take care of this.

If you are using third-party software on your website such as a CMS or forum, you should ensure you are quick to apply any security patches. Most vendors have a mailing list or RSS feed detailing any website security issues. WordPress, Umbraco and many other CMSes notify you of available system updates when you log in.

SQL injection

SQL injection attacks are when an attacker uses a web form field or URL parameter to gain access to or manipulate your database. When you use standard Transact SQL it is easy to unknowingly insert rogue code into your query that could be used to change tables, get information and delete data. You can easily prevent this by always using parameterized queries, most web languages have this feature and it is easy to implement.

Consider this query:

"SELECT * FROM table WHERE column = '" + parameter + "';"

If an attacker changed the URL parameter to pass in ' or '1'='1 this will cause the query to look like this:

"SELECT * FROM table WHERE column = '' OR '1'='1';"

Since '1' is equal to '1' this will allow the attacker to add an additional query to the end of the SQL statement which will also be executed.

XSS

Cross site scripting is when an attacker tries to pass in JavaScript or other scripting code into a web form to attempt to run malicious code for visitors of your site. When creating a form always ensure you check the data being submitted and encode or strip out any HTML.

Error messages

Be careful with how much information you give away in your error messages. For example if you have a login form on your website you should think about the language you use to communicate failure when attempting logins. You should use generic messages like “Incorrect username or password” as not to specify when a user got half of the query right. If an attacker tries a brute force attack to get a username and password and the error message gives away when one of the fields are correct then the attacker knows he has one of the fields and can concentrate on the other field. Keep your error messages vague.

Passwords

Everyone knows they should use complex passwords, but that doesn’t mean they always do. It is crucial to use strong passwords to your server and website admin area, but equally also important to insist on good password practices for your users to protect the security of their accounts.

As much as users may not like it, enforcing password requirements such as a minimum of around eight characters, including an uppercase letter and number will help to protect their information in the long run.

Passwords should always be stored as encrypted values, preferably using a one way hashing algorithm such as SHA. Using this method means when you are authenticating users you are only ever comparing encrypted values. For extra website security it is a good idea to salt the passwords, using a new salt per password.

In the event of someone hacking in and stealing your passwords, using hashed passwords could help damage limitation, as decrypting them is not possible. The best someone can do is a dictionary attack or brute force attack, essentially guessing every combination until it finds a match. When using salted passwords the process of cracking a large number of passwords is even slower as every guess has to be hashed separately for every salt + password which is computationally very expensive.

Thankfully, many CMSes provide user management out of the box with a lot of these website security features built in, although some configuration or extra modules might be required to use salted passwords (pre Drupal 7) or to set the minimum password strength. If you are using .NET then it's worth using membership providers as they are very configurable, provide inbuilt website security and include readymade controls for login and password reset.

Continued in Part C

Tagged:

Comments

Sign In or Register to comment.