
How to Secure your Website

By Slyr0x

Well, protecting a website is only possible through continued effort. It doesn't work like an AV system where you just run a scan and get a virus removed. At present there are a thousand and one ways of protecting a site, but I can help with tips that lay the foundation for web security.

1.) Using Open Source Scripts - There are two schools of thought on this. Some believe using open source scripts is quite secure because of the rich updates and support users get, and because they are written by "supposed great coders", while others believe it is not the most secure option, because once an exploit is discovered it can be very fatal, as every website using the script is affected. Now my suggestion: if you're using an OSS, make sure you upgrade CONSTANTLY to newer versions of the script as soon as they are released.

2.) Set hard-to-guess default passwords - I cited an example here --> http://www.nairaland.com/nigeria/topic-435949.64.html#msg7582575 and used this: "MYnam3155LYR0X15t4y1Nk3tu1l0veG4L54ndMYun1qu3NUMB3R157". You can even make use of this site to encrypt it. Let's say you're using the "base 64 encode" encryption; the string above becomes "TVluYW0zMTU1TFlSMFgxNXQ0eTFOazN0dTFsMHZlRzRMNTRuZE1ZdW4xcXUzTlVNQjNSMTU3". Now I tell you, NO BRUTEFORCER CAN GUESS THIS PWD.

3.) Password Protect your Database -

/* database settings, each kept in one array */
$_Slyr0x = array();
$_Slyr0x[ 'db_server' ] = 'localhost';
$_Slyr0x[ 'db_database' ] = 'Slyr0xdb';
$_Slyr0x[ 'db_user' ] = 'Meeeee';
$_Slyr0x[ 'db_password' ] = 'PutPasswordHere';

Always password protect your db and never leave the password empty.

4.) Stop the unnecessary hints in Authentication Error messages - now this is a tricky part. I have seen some scripts in the past where, once a user tries logging in with a VALID username but an incorrect password, the user gets the following message: "The UserId is correct but the password is incorrect". Now why on earth would a coder want to reveal that? It confirms the username exists, which facilitates brute forcing and lets the attacker concentrate on trying different passwords. The best error message you can come up with is "Invalid User ID or Password. Pls try again".

5.) Always make use of a .htaccess file - .htaccess files are mostly used to specify the security restrictions for the directory they reside in. Let's say you don't want all the contents of your folder being listed; you can use this directive: Options -Indexes. Refer to --> http://www.wiscocomputing.com/articles/using_htaccess.htm

6.) Turn off Error Messages - While you're running your script locally you can always leave error messages on, but once you upload it to the Net, turn them off. Another good trick is changing the way common errors are displayed. By these I'm talking about errors 400, 401, 403, 404 and 500. Let's say I go poking at your source code (using View Source) and notice a script being called from this directory (www.site.com/scripts/). On checking the /scripts/ directory, I get faced with the "Almighty" Error 403: Forbidden. I now know for certain that the directory exists, but I'm being stopped from viewing its contents. But let's say I try the same thing and get faced with "Sorry, the page you're looking for doesn't exist. Pls kindly retrace your steps" and I'm then shown the site map. That creates confusion, since I know a script is being called from the /scripts/ directory and the site is saying "Page doesn't exist".
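An .htaccess that puts tips 5 and 6 together, added here as an example and not taken from the original post. It assumes Apache 2.4 with AllowOverride enabled and PHP running as mod_php (php_flag only works there); the error page paths, log path and config file name are placeholders.

```apache
# Added example (not from the original post): .htaccess applying tips 5 and 6.
# Assumes Apache 2.4 + mod_php; /errors/... paths and the log path are placeholders.

# 5.) Don't list the directory contents when no index file is present
Options -Indexes

# 6.) Serve the same friendly page for "forbidden" and "not found", so a blocked
# /scripts/ directory looks no different from a path that really doesn't exist
ErrorDocument 403 /errors/not-found.html
ErrorDocument 404 /errors/not-found.html
ErrorDocument 500 /errors/server-error.html

# 6.) Keep PHP errors out of the browser once the site is on the Net;
# log them to a file outside the web root instead
php_flag display_errors Off
php_flag log_errors On
php_value error_log /path/to/private/php-error.log

# Bonus for tip 3: never let the web server hand out the DB settings file directly
# (assumed file name: the array from tip 3 saved as config.php)
<FilesMatch "^config\.php$">
    Require all denied
</FilesMatch>
```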

7.) Always Mask Passwords being entered in the Password Box with asterisks (*).

8.) Always use a robots.txt file, as this tells search engines what to index and what not to index.

9.) Change File & Folder Permissions - Important folders like config and admin should be set to 755 or 644. Read more here http://www.perlfect.com/articles/chmod.shtml AND http://www.webweaver.nu/html-tips/chmod.shtml

10.) Encrypt communication using HTTPS if the website handles important information.

11.) Anti SQL Injection Tips - I won't be going into much detail here.

CASE STUDY (PHP & MySQL)

i.) Always use prepared statements. Let's say you have your query this way:

/* $uid and $pwd are pasted straight into the SQL text */
$query = "SELECT * FROM user WHERE uid ='$uid' AND pass = '$pwd'";
$result = mysql_query($query);

The input value for $uid is not escaped, so a value containing a quote changes the query itself, which is SQLi.

Remedy 1.) Use prepared statements, i.e. instead of using the mysql_query function, use the mysqli functions mysqli_prepare(), mysqli_stmt_bind_param() and mysqli_stmt_execute(). Refer to http://php.net/manual/en/mysqli.prepare.php

i.e.

/* connect with the settings from tip 3 */
$conn = mysqli_connect('localhost', 'Meeeee', 'PutPasswordHere', 'Slyr0xdb');
/* create a prepared statement; the ? marks are placeholders, never part of the SQL text */
$stmt = mysqli_prepare($conn, "SELECT * FROM user WHERE uid = ? AND pass = ?");
/* bind parameters to the SQL statement ("ss" = two string parameters) */
mysqli_stmt_bind_param($stmt, "ss", $uid, $pwd);
/* execute query */
mysqli_stmt_execute($stmt);
/* fetch the rows the query returned */
$result = mysqli_stmt_get_result($stmt);

2.) Use an escape function

/* the old mysql_* extension was removed in PHP 7, so use the mysqli equivalent, which needs the connection handle */
$query = "SELECT * FROM user WHERE uid = '" . mysqli_real_escape_string($conn, $uid) . "' AND pass = '" . mysqli_real_escape_string($conn, $pwd) . "'";
$result = mysqli_query($conn, $query);

Pls refer to http://www.syngress.com/hacking-and-penetration-testing/SQL-Injection-Attacks-andDefense/ for more tips.
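A login function that puts tip 4 (one generic error message) and tip 11 (prepared statements) together, added here as an example and not code from the original post. It assumes a mysqli connection $conn and the user table from the case study, and goes one step further than the post's query: the pass column is assumed to hold a password_hash() value, so the password is checked with password_verify() rather than compared in SQL.

```php
<?php
// Added example (not from the original post): login combining tips 4 and 11.
// Assumes table `user` (uid, pass) where pass holds a password_hash() hash.
declare(strict_types=1);

const LOGIN_ERROR = 'Invalid User ID or Password. Pls try again';

/**
 * Returns the user row on success, or null on ANY failure.
 * The caller shows LOGIN_ERROR either way, so the message never tells an
 * attacker whether the uid was valid.
 */
function login(mysqli $conn, string $uid, string $pwd): ?array
{
    // Prepared statement: $uid travels as a bound parameter, never as SQL text,
    // so a quote inside it is looked up literally instead of changing the query.
    $stmt = mysqli_prepare($conn, 'SELECT uid, pass FROM user WHERE uid = ?');
    if ($stmt === false) {
        return null;
    }
    mysqli_stmt_bind_param($stmt, 's', $uid);
    mysqli_stmt_execute($stmt);
    $result = mysqli_stmt_get_result($stmt);
    $row = $result ? mysqli_fetch_assoc($result) : null;
    mysqli_stmt_close($stmt);

    // Unknown uid: still run password_verify() against a dummy hash so the
    // response time does not reveal whether the uid exists. The dummy is a
    // constructed hash of random bytes, so it can never match $pwd.
    $hash = $row['pass'] ?? password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT);
    $ok = password_verify($pwd, $hash);

    return ($row !== null && $ok) ? $row : null;
}

// Usage with the settings from tip 3 (constructed values for illustration)
$conn = mysqli_connect('localhost', 'Meeeee', 'PutPasswordHere', 'Slyr0xdb');
$user = login($conn, $_POST['uid'] ?? '', $_POST['pwd'] ?? '');
if ($user === null) {
    echo LOGIN_ERROR;   // same text for a wrong uid and for a wrong password
} else {
    echo 'Welcome';
}
```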

12.) Anti Cross-Site Scripting Tips (XSS)

i.) Use an escape function, i.e. the escapeHTML() function.

ii.) Set a character code in the Content-Type field of the HTTP response header, i.e. Content-Type: text/html; charset=UTF-8

Use this https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet
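Both XSS tips in one PHP page, added here as an example and not code from the original post. PHP has no escapeHTML() of its own, so the function below is an assumed wrapper around the built-in htmlspecialchars(); the name parameter is a constructed sample input.

```php
<?php
// Added example (not from the original post): tip 12 i.) and ii.) in PHP.
declare(strict_types=1);

// ii.) Declare the encoding before any output, so the browser cannot guess a
// charset in which some multibyte sequence decodes to a '<' we never escaped.
header('Content-Type: text/html; charset=UTF-8');

/**
 * Assumed escapeHTML(): a wrapper around PHP's built-in htmlspecialchars().
 * ENT_QUOTES escapes ' and " as well, so the value is safe inside attribute quotes;
 * ENT_SUBSTITUTE replaces invalid UTF-8 instead of silently returning ''.
 */
function escapeHTML(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed sample input: anything the user sent, or a harmless default
$name = $_GET['name'] ?? 'Slyr0x';

// i.) Escape at the point of output. Angle brackets become &lt; and &gt;, so the
// browser renders the value as text instead of parsing it as markup.
echo '<p>Hello, ' . escapeHTML($name) . '</p>';

// The same escaping is needed inside attributes: without ENT_QUOTES a value
// containing " could close the attribute and start a new one.
echo '<input type="text" name="name" value="' . escapeHTML($name) . '">';
```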

There are 2 things I'd like you to keep in mind: 1.) There is no such thing as being perfect. All the tips above do not make you HACKPROOF, they just tighten your security. 2.) The ONLY TIME you won't get hacked is when you yank your website off the NET, keep it on your localhost, yank the network cables off your PC and then go bury your PC deep down in the Sahara. With that, I don't think anybody on this earth CAN hack your site. ;D

Also you can contact me at Slyrox2@gmail.com if you need a Penetration Testing Service (i.e. someone to take a look at your site and tell you whether vulnerabilities exist or not).

Slyr0x is a PHP/Python Programmer, Web Security Consultant/Analyst and Penetration Tester.
