Although such acts of vandalism as defacing corporate websites are still commonplace, nowadays, hackers prefer gaining access to the sensitive data residing on the database server because of the immense pay-offs in selling the data.
The costs of not giving due attention to your web security are extensive with a possible financial burden that may result in:
- Loss of customer confidence, trust and reputation with the consequent harm to brand equity and possible effects on revenue and profitability
- Negative impact on revenues and profits arising from any falsified transactions and from employee downtime
- Website downtime which is in effect the closure of one of the most important sales channels for an e-business
- The expenditure involved in repairing the damage done and building contingency plans for securing compromised websites and web applications
- Legal battles and related implications from Web application attacks and lax security measures including fines and damages to be paid to victims.
Web Security Weaknesses
Hackers will attempt at gaining access to your database server through two main routes including:
- Web and database servers.
- Web applications.
Proof of such exploits are readily available on the Internet.
Web Security Scanning
Web security, therefore, contains two important components: web and database server security, and web application security. Addressing web application security is as critical as addressing server security.
Firewalls and similar intrusion detection mechanisms provide little defense against full-scale web attacks. Since your website needs to be public, security mechanisms will allow public web traffic to communicate with your web and databases servers (generally over port 80).
Scanning the security of these web assets on the network for possible vulnerabilities is paramount. For example, all modern database systems (e.g. Microsoft SQL Server, Oracle and MySQL) may be accessed through specific ports and anyone can attempt direct connections to the databases effectively bypassing the security mechanisms used by the operating system. These ports remain open to allow communication with legitimate traffic and therefore constitute a major vulnerability. Other weaknesses relate to the actual database application itself and the use of weak or default passwords by administrators. Vendors patch their products regularly; however, hackers always find new ways of attack.
In addition, 75% of cyber attacks aim at finding weaknesses within web applications rather than the servers themselves. Most hackers will launch web application attacks on port 80 which has to remain open to allow regular operation of the business. In addition, web applications are more open to uncovered vulnerabilities since these are generally custom-built and, therefore, pass through a lesser degree of testing than off-the-shelf software.
Some hackers, for example, may maliciously inject code within vulnerable web applications to trick users and redirect them towards phishing sites. This technique is called Cross-Site Scripting (XSS) and may be used even though the web and database servers contain no vulnerability themselves.
Hence, any web security audit must answer the questions “which elements of our network infrastructure we thought are secure are open to hack attacks?”, “which parts of a website we thought are secure are open to hack attacks?”, and “what data can we throw at an application to cause it to perform something it shouldn’t do?”
Acunetix Web Vulnerability Scanner and Web Security
Acunetix Web Vulnerability Scanner ensures web site security by automatically checking for SQL Injection, Cross Site Scripting, and other vulnerabilities. It checks password strength on authentication pages and automatically audits shopping carts, forms, dynamic content and other web applications. As the scan is being completed, the software produces detailed reports that pinpoint where vulnerabilities exist. Download the evaluation version today!
Scanning for XSS vulnerabilities with Acunetix WVS Free Edition!
To check whether your website has cross site scripting vulnerabilities, download the Trial Edition. This version will scan any website / web application for XSS vulnerabilities and it will also reveal all the essential information related to it, such as the vulnerability location and remediation techniques. Scanning for XSS is normally a quick exercise (depending on the size of the web-site).