Having a successful online presence is hard enough. Throwing some website security-related terms into the mix makes it all the more difficult, especially if you’re not a technical person or computer security guru. Although some folks in IT intentionally make web vulnerabilities difficult to understand, they don’t have to be. In fact, the essence of most web flaws is pretty simple to understand – they lead to things like the extraction of data, gaining unauthorized access and the installation of website malware, typically for ill-gotten gains.

Many, arguably most, web vulnerabilities are brought about by software developers failing to check and filter what the user submits as input. The big flaws are typically in the way that URLs/addresses and web form data are captured from the user. A vulnerable web system will accept just about any user input – both good and bad – and pass it back to the server or database for processing.

For starters, cross-site scripting (a.k.a. XSS) can enable an attacker to use a hacked website to harvest sensitive information such as login credentials or browser cookies, or to install malware on users’ systems, via specially crafted URLs sent in email links, posted on message boards and so on, which unsuspecting users click intentionally or inadvertently.

There’s also SQL injection (pronounced “sequel injection”) – this web vulnerability allows an attacker to inject SQL commands into a vulnerable web page and extract data directly from back-end databases using both automated tools and manual techniques.

Another big area of web vulnerabilities involves how user login sessions are managed. If not properly coded, web browser sessions can be manipulated to allow an attacker to escalate their privileges in the web site/application, or to use the inherent trust of the web session to manipulate the system and perform functions on behalf of the user – something called cross-site request forgery, or CSRF.

It may seem like a no-brainer, but another major flaw affecting web sites and applications is the use of weak passwords. That is, the system itself allows users to take the path of least resistance and create easy-to-guess passwords that are subsequently cracked. It’s the ultimate security flaw and usually the simplest to find and exploit.

The Golden Rule of web security is for the system to have a set of ground rules and only accept what’s expected from the user, without ever reflecting any errors or unexpected data back to the user. The question for you is: do you know where your web system’s vulnerabilities are? Odds are, no one else is checking for these flaws so it’s ultimately up to you.
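To make the Golden Rule concrete, here is an added example (not code from the original post or from Acunetix) showing the SQL injection case described above: a lookup that concatenates user input into a query, beside one that only accepts the expected username shape and binds the value as a parameter. The table, rows and the allowlist pattern are constructed for illustration.

```python
import re
import sqlite3


def make_db():
    """Constructed sample data: a tiny in-memory users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def lookup_vulnerable(conn, username):
    """Builds the query by string concatenation: whatever the user typed becomes SQL."""
    query = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()


# Allowlist (assumed policy): a username is only ever lowercase letters, digits or '_'.
USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")


def validate_username(username):
    """True only if the input has exactly the shape the application expects."""
    return USERNAME_RE.fullmatch(username) is not None


def lookup_hardened(conn, username):
    """Accepts only the expected shape, then binds the value as a query parameter."""
    if not validate_username(username):
        # Generic error: the offending input is not reflected back to the user.
        raise ValueError("invalid username")
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, "alice"))             # one row
    print(lookup_vulnerable(db, "' OR '1'='1"))       # every row: the WHERE clause was rewritten
    print(validate_username("' OR '1'='1"))           # False: rejected before it reaches SQL
    print(lookup_hardened(db, "alice"))               # one row, via a bound parameter
```

Run it and compare the second and third lines of output: the same hostile string returns the whole table from the concatenated query and is simply rejected by the allowlist check.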


Acunetix developers and tech agents regularly contribute to the blog. All the Acunetix developers come with years of experience in the web security sphere.