What type of web site are you creating? Is it a series of static pages, a catalog, or an e-commerce site?
Hopefully your developer/programmer is aware of best practices for site development. If you have dynamic content, you'll want to design to avoid session hijacking and SQL injection.
Session hijacking targets sites that maintain your 'place' within the site as you move forward and back from link to link, for example to list the items you've selected to view, or to keep a shopping cart as you go back to continue browsing. The old insecure method was to issue session IDs to visitors sequentially. I could presumably hijack another session by editing the session number in my own URL when I visit the site, typically altering it by a small amount to land on another active session, possibly also hijacking a shopping cart containing end-user information.
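To make the difference concrete, here is an added example (not code from the original post) contrasting the sequential scheme described above with an ID drawn from the operating system's CSPRNG. Both session stores, the audit helper and the sample users are constructed for this illustration; the audit helper counts how many other live sessions can be reached by stepping a few numbers away from one legitimately issued ID.

```python
import secrets
from typing import Dict, Optional

# Both stores model a server-side session table keyed by the ID the browser
# sends back. They are constructed for this example, not taken from any product.


class SequentialSessionStore:
    """The old insecure scheme: IDs are handed out 1000, 1001, 1002, ..."""

    def __init__(self) -> None:
        self._next = 1000
        self._sessions: Dict[str, dict] = {}

    def create(self, user: str) -> str:
        sid = str(self._next)
        self._next += 1
        self._sessions[sid] = {"user": user, "cart": []}
        return sid

    def lookup(self, sid: str) -> Optional[dict]:
        return self._sessions.get(sid)


class RandomSessionStore:
    """Hardened scheme: 256-bit IDs from the OS CSPRNG (secrets module), plus a
    rotate() step for login so an ID chosen before authentication never survives."""

    ID_BYTES = 32

    def __init__(self) -> None:
        self._sessions: Dict[str, dict] = {}

    def create(self, user: str) -> str:
        sid = secrets.token_urlsafe(self.ID_BYTES)
        self._sessions[sid] = {"user": user, "cart": []}
        return sid

    def rotate(self, sid: str) -> Optional[str]:
        """Replace the ID with a fresh one, keeping the session data."""
        data = self._sessions.pop(sid, None)
        if data is None:
            return None
        new_sid = secrets.token_urlsafe(self.ID_BYTES)
        self._sessions[new_sid] = data
        return new_sid

    def lookup(self, sid: str) -> Optional[dict]:
        return self._sessions.get(sid)


def neighbour_hits(store, own_sid: str, window: int = 10) -> int:
    """Audit check: starting from one legitimately issued ID, how many *other*
    live sessions resolve? Numeric IDs are stepped by +/- window, which is the
    weakness described above; opaque tokens can only be matched against an
    equal number of random guesses, which should never hit."""
    if own_sid.isdigit():
        base = int(own_sid)
        candidates = [str(base + d) for d in range(-window, window + 1) if d != 0]
    else:
        candidates = [secrets.token_urlsafe(RandomSessionStore.ID_BYTES)
                      for _ in range(2 * window)]
    return sum(1 for c in candidates if c != own_sid and store.lookup(c) is not None)


def session_cookie_header(sid: str) -> str:
    """Carry the ID in a cookie rather than the URL, HTTPS-only and hidden from
    scripts, so it is not copied into referers, proxy logs or bookmarks."""
    return f"Set-Cookie: session={sid}; Secure; HttpOnly; SameSite=Lax; Path=/"


def demo() -> tuple:
    weak, strong = SequentialSessionStore(), RandomSessionStore()
    weak_ids = [weak.create(u) for u in ("alice", "bob", "carol")]
    strong_ids = [strong.create(u) for u in ("alice", "bob", "carol")]
    # Audit from carol's own session in each store.
    return neighbour_hits(weak, weak_ids[-1]), neighbour_hits(strong, strong_ids[-1])


if __name__ == "__main__":
    print(demo())  # (2, 0): two neighbours reachable in the sequential store, none in the random one
```

The audit helper is something to run against your own test deployment: if stepping a handful of numbers from your own ID lands on other people's sessions, the ID scheme needs replacing regardless of what else the site does right.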
SQL injection involves inserting SQL syntax into input the application passes to its database, for example by changing the URL after something like "asp?xxx"; a successful injection can reveal the database structure. If a hacker sees a column named 'creditcard' or 'ssn', then obviously a ripe target has been found.
The scope of treating/preventing SQL injection and session hijacking goes beyond the space available here; I recommend further research.
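As an added example (not from the original post), the following shows the bug that makes a URL parameter injectable next to the parameterised form that fixes it, and a small log check a defender can run over web server access logs. The catalog table, the payload, and the W3C-style log lines are all constructed for this illustration.

```python
import sqlite3
from typing import Dict, List
from urllib.parse import unquote_plus


def make_catalog() -> sqlite3.Connection:
    """Constructed sample data: a small product table with one unpublished row."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, "
        "category TEXT, published INTEGER)"
    )
    conn.executemany(
        "INSERT INTO products (name, category, published) VALUES (?, ?, ?)",
        [("Widget", "tools", 1), ("Gadget", "tools", 1),
         ("Unreleased item", "internal", 0)],
    )
    return conn


def search_vulnerable(conn: sqlite3.Connection, category: str) -> List[str]:
    """The classic ASP/PHP-era bug: the URL value is glued into the SQL text,
    so a quote in the input ends the string and the rest becomes SQL."""
    sql = ("SELECT name FROM products WHERE published = 1 "
           "AND category = '" + category + "'")
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn: sqlite3.Connection, category: str) -> List[str]:
    """Parameterised query: the driver sends the value out of band, so it is
    only ever compared as data and can never change the statement."""
    sql = "SELECT name FROM products WHERE published = 1 AND category = ?"
    return [row[0] for row in conn.execute(sql, (category,))]


# SQL punctuation that a catalog search parameter has no legitimate reason to carry.
SUSPICIOUS = ("'", "--", ";", "/*", "*/")


def flag_injection_attempts(log_lines: List[str]) -> List[str]:
    """Detection over W3C-style access log lines (constructed field order:
    date time client method uri-stem uri-query status). Returns the URL-decoded
    query strings that contain SQL punctuation, for a human to review."""
    flagged = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 7:
            continue
        query = unquote_plus(parts[5])
        if any(token in query for token in SUSPICIOUS):
            flagged.append(query)
    return flagged


SAMPLE_LOG = [  # constructed for this example, not from a real server
    "2003-05-01 10:00:01 192.0.2.10 GET /catalog.asp category=tools 200",
    "2003-05-01 10:00:07 192.0.2.10 GET /catalog.asp category=tools%27+OR+%271%27%3D%271 200",
    "2003-05-01 10:00:09 192.0.2.11 GET /catalog.asp category=garden 200",
]


def demo() -> Dict[str, List[str]]:
    conn = make_catalog()
    payload = "tools' OR '1'='1"   # the textbook tautology, supplied as the category value
    return {
        "honest_safe": search_safe(conn, "tools"),
        "vulnerable": search_vulnerable(conn, payload),   # leaks the unpublished row
        "safe": search_safe(conn, payload),               # no category has that literal name
        "flagged": flag_injection_attempts(SAMPLE_LOG),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Note that the fix is not escaping quotes by hand but keeping data and statement apart; the same parameter form exists in every mainstream database API. The log check is deliberately crude (it will also flag a product named "Bob's Tools"), which is acceptable for a review queue but not for automatic blocking.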
Also, you want to make sure to use SSL (https) with a valid certificate from a trusted certificate authority for encrypted sessions to protect customer information from (wireless) sniffers in transit.
You should also, especially in the case of Windows IIS boxes, put the webroot on a separate volume from the operating system. This helps prevent attempts to traverse out of the webroot and run explorer.exe and cmd.exe (a la Code Red and Nimda). Remove WebDAV and FrontPage extensions if not absolutely needed, to reduce the vulnerable footprint they add.
Run a system integrity monitor to checksum and keep tabs on your published page code (html, asp, aspx, htm, php, etc.) so you'll know if/when a hacker has modified your pages for malicious intent.
Also run a good antivirus program on your web server, to prevent infection and takeover from any other systems that may become infected on the subnet.
Likewise, proper firewall rules should only allow port 80 (HTTP) and port 443 (HTTPS) from the internet to your web server, to reduce the attack surface available to hackers and worms.
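The integrity-monitor advice above, as an added example (not the original post's code or any particular product): hash every published page under the webroot, keep the baseline somewhere the web server cannot write to, and diff a fresh snapshot against it. The webroot contents and the simulated tampering are constructed for the illustration.

```python
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict, List

# File types listed in the post as "published page code".
WATCHED_EXTENSIONS = {".html", ".htm", ".asp", ".aspx", ".php"}


def file_sha256(path: Path) -> str:
    """Chunked SHA-256 so large files do not have to be read into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(webroot: Path) -> Dict[str, str]:
    """Hash every watched file under webroot, keyed by its relative POSIX path."""
    result = {}
    for path in sorted(webroot.rglob("*")):
        if path.is_file() and path.suffix.lower() in WATCHED_EXTENSIONS:
            result[path.relative_to(webroot).as_posix()] = file_sha256(path)
    return result


def compare(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Report what changed since the baseline. On a server whose content was not
    deliberately republished, any entry here means the pages were tampered with."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline
                           if p in current and baseline[p] != current[p]),
    }


def demo() -> Dict[str, List[str]]:
    """Build a constructed webroot, baseline it, then simulate a defacement."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "shop").mkdir()
        (root / "index.html").write_text("<h1>Welcome</h1>")
        (root / "shop" / "cart.asp").write_text("<% ' cart logic %>")
        (root / "logo.png").write_bytes(b"\x89PNG not a watched type")
        baseline = snapshot(root)
        # Store the baseline off-box or read-only: an attacker who can write to
        # the webroot could otherwise update it along with the pages.
        saved = json.dumps(baseline)

        # Simulated tampering: one page edited, one removed, one new page dropped in.
        (root / "index.html").write_text("<h1>Welcome</h1><!-- unexpected change -->")
        (root / "shop" / "cart.asp").unlink()
        (root / "shop" / "admin.aspx").write_text("<%@ Page %>")
        return compare(json.loads(saved), snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run the snapshot from a scheduled task and alert on a non-empty report; re-baseline only as part of a deliberate publish step, so that an unexplained change is always visible rather than silently absorbed.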
Some will think I'm a broken record, but the best security is layered security.
Regards
Raheel