10 Tips to Prevent a Web App Attack
Increasingly, the internet is becoming a battleground, with cyber criminals continuously on the lookout for new and innovative ways to exploit weaknesses in your security. In order to protect your web application from cyber-attacks, you need to make sure you’re doing everything in your power to keep the hackers at bay. With that in mind, we’ve compiled a list of useful tips to help you combat some of the most common threats affecting web developers today.
Keep Your Software up to Date
It’s vital to keep software regularly updated. Cyber criminals are always looking for ways to infiltrate your systems, and they’ll be quick to exploit any gaps in your software. Ensure the server operating system is updated with all the latest patches and definitions, as well as any additional software you might be running on your site, such as a content management system or forum.
Protect Against Cross-Site Scripting
Cross-Site Scripting (XSS) is one of the most common computer security vulnerabilities, with many web applications falling prey to this type of attack. Using XSS, hackers are able to inject malicious JavaScript into your webpages, allowing them to alter content and steal your users’ data. To prevent this from happening, install an intelligent Web Application Firewall (WAF) to work alongside your existing behavioural firewall. This should block any potential attacks.
Watch out for SQL Injection Attacks
SQL injections can be extremely damaging. By exploiting weaknesses in your web application, an attacker could gain complete control over your database, changing tables, corrupting data and harvesting privileged information. The good news is that SQL injection is easily preventable. Always use parameterised queries rather than standard Transact SQL, perform regular security checks to identify vulnerabilities and install a Web Application Firewall to help detect and block attacks.
Beware of Error Messages
While any developer will tell you that clear error messages are essential to a successful website, they’re also vulnerable to manipulation by sophisticated hackers. A recent investigation into an attack on a US medical firm revealed that hackers were able to exploit data derived from error handling issues to expose sensitive information, tapping into database usernames, software stack trace, source code line numbers and server file system paths. The key is not to give too much information away; provide concise error messages to your users and store detailed errors in your server logs.
Use Complex Passwords
Be sure to use complex passwords for your server and website admin areas and enforce strict password protocols on your users. Strong password requirements are essential if you want to protect the integrity of your users’ accounts, so insist on a minimum of eight characters, including at least one number or symbol and one uppercase letter. Always encrypt stored passwords, ideally using a one-way hashing algorithm such as SHA. In the event of a security breach, this will make it virtually impossible for hackers to decrypt your users’ credentials.
Protect Yourself Against DDoS Attacks
A distributed denial-of-service (DDoS) attack is one of the most common and potentially damaging weapons in a hacker’s armoury. By overwhelming a device or a network with traffic, a DDoS attack can disrupt normal service and effectively disable your website. Fortunately, it’s relatively simple to protect against this type of attack. Your best defence is a reliable DDoS protection tool, and there are plenty out there to choose from.
Use HTTPS
HTTPS is a protocol used to transfer information securely over a computer network. It encrypts and scrambles data, so unauthorised users are unable to intercept and decipher privileged information. Increasingly, websites and web applications are adopting HTTPS in favour of HTTP, and particularly if you’re dealing with sensitive data such as customer credit card details, HTTPS is definitely the way to go.
Avoid File Uploads
Allowing users to upload files to your website could pose a big security risk. Any file uploaded to your site, even something as innocent as a profile pic, could contain a rogue script, which, when executed on your server, could leave your entire website at the mercy of the attacker. In order to prevent cyber criminals uploading malicious content, make sure any files uploaded from the Internet use only secure transport methods, such as SFTP or SSH and, if possible, run your database on a separate server so it can’t be accessed from the outside world.
Prevent Cookie Poisoning
Most web applications use cookies to save a users’ info, such as login details, passwords and email addresses. Cookie poisoning is where a hacker modifies the valid cookie in order to gain unauthorised information about one of your customers, using it to access their account, open new accounts in their name or simply steal their identity. To protect your users’ data, clear stored cookies on a regular basis and perform regular virus and malware scans to keep your browser free from malicious scripts.
Utilise Website Security Tools
Once you’re satisfied you’ve done everything you can to protect your users’ data and shield your website from cyber-attacks, it’s time to put your security systems to the test. Web application penetration testing uses simulated hacking techniques to identify any vulnerabilities in your network, pinpointing weaknesses and allowing you to close any gaps in your security before they can be exploited by cyber criminals. Web application penetration testing will:
• Systematically assess your web application to gather information about the website, its features and functionality.
• Identify critical weaknesses by examining the source code, database and back-end network.
• Recommend important fixes to reduce the threat of cyber-attacks.
For more information about how to prevent web application attacks and safeguard your customers’ sensitive data, get in touch today and speak to one of our cyber security experts.