
How to secure your website, on securetecho

9 security steps to secure your website from hackers, described on securetecho


You may not think your site has anything worth being hacked for, but websites are compromised all the time. The majority of website security breaches are not to steal your data or deface your website layout; instead the attacker tries to use your server as an email relay for spam, or to set up a temporary web server, usually to serve files of an illegal nature. Other very common ways to abuse compromised machines include using your servers as part of a botnet, or to mine for Bitcoins. You could even be hit by ransomware. Hacking is regularly performed by automated scripts written to scour the internet in an attempt to exploit known website security issues in software. Here are our top nine tips to help keep you and your site safe online. We describe each of them on securetecho.

01. Keep software up to date

It may seem obvious, but ensuring you keep all software up to date is vital in keeping your site secure. This applies to both the server operating system and any software you may be running on your website, such as a CMS or forum. When website security holes are found in software, attackers are quick to attempt to exploit them.

If you are using a managed hosting solution then you don't need to worry so much about applying security updates for the operating system, as the hosting company should take care of this. If you are using third-party software on your website, such as a CMS or forum, you should ensure you are quick to apply any security patches. Most vendors have a mailing list or RSS feed detailing any website security issues. WordPress, Umbraco and many other CMSes notify you of available system updates when you log in.

Many developers use tools like Composer, npm or Ruby Gems to manage their software dependencies, and a security vulnerability appearing in a package you depend on but aren't paying any attention to is one of the easiest ways to get caught out. Ensure you keep your dependencies up to date, and use tools like Gemnasium to get automatic notifications when a vulnerability is announced in one of your components.

02. Watch out for SQL injection

SQL injection attacks are when an attacker uses a web form field or URL parameter to gain access to or manipulate your database. When you use standard Transact SQL it is easy to unknowingly insert rogue code into your query that could be used to change tables, get information and delete data. You can easily prevent this by always using parameterised queries; most web languages have this feature and it is easy to implement.
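As an added illustration (not code from the article), the following Python snippet runs the same user lookup both ways against a constructed in-memory SQLite table, so you can see why the concatenated query breaks and the parameterised one does not. The schema and inputs are assumptions.

```python
import sqlite3


def make_db():
    # Constructed sample data standing in for the site's real database
    # (hypothetical schema, not from the article).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        (1, "alice", "alice@example.com"),
        (2, "bob", "bob@example.com"),
    ])
    return conn


def find_user_unsafe(conn, name):
    # Vulnerable: the value from the form field is concatenated straight
    # into the SQL text, so quote characters in it change the query itself.
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, name):
    # Parameterised: the driver passes the value separately from the SQL,
    # so it is only ever compared as data and never parsed as SQL.
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "x' OR '1'='1"              # constructed attacker input
    print(find_user_unsafe(db, payload))  # every row: the WHERE clause is always true
    print(find_user_safe(db, payload))    # []: no user is literally named that
```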

03. Protect against XSS attacks

Cross-site scripting (XSS) attacks inject malicious JavaScript into your pages, which then runs in the browsers of your users, and can change page content, or steal information to send back to the attacker. For example, if you show comments on a page without validation, then an attacker might submit comments containing script tags and JavaScript, which could run in every other user's browser and steal their login cookie, allowing the attacker to take control of the account of every user who viewed the comment. You need to make sure that users cannot inject active JavaScript content into your pages.

This is a particular concern in modern web applications, where pages are now built primarily from user content, and which in many cases generate HTML that's then also interpreted by front-end frameworks like Angular and Ember. These frameworks provide many XSS protections, but mixing server and client rendering creates new and more complicated attack avenues too: not only is injecting JavaScript into the HTML effective, but you can also inject content that will run code by inserting Angular directives, or using Ember helpers.

The key here is to focus on how your user-generated content could escape the bounds you expect and be interpreted by the browser as something other than what you intended. This is similar to defending against SQL injection. When dynamically generating HTML, use functions that explicitly make the changes you're looking for (e.g. use element.setAttribute and element.textContent, which will be automatically escaped by the browser, rather than setting element.innerHTML by hand), or use functions in your templating tool that automatically do appropriate escaping, rather than concatenating strings or setting raw HTML content.

Another powerful tool in the XSS defender's toolbox is Content Security Policy (CSP). CSP is a header your server can return which tells the browser to limit how and what JavaScript is executed in the page, for example to disallow running of any scripts not hosted on your domain, disallow inline JavaScript, or disable eval(). Mozilla has an excellent guide with some example configurations. This makes it harder for an attacker's scripts to work, even if they can get them into your page.
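The comment-rendering case from this section, as an added Python example that is not the article's code: user text is escaped for both the text and the attribute context it lands in, and the response carries a CSP header of the kind described. The template markup and the exact policy are assumptions.

```python
import html


def render_comment(author, text):
    # html.escape(quote=True) turns <, >, &, " and ' into entities, so a
    # comment containing "<script>" is displayed as text, never executed.
    # The same escaping covers the attribute value, which is always
    # double-quoted so a stray quote cannot close it early.
    return ('<div class="comment" data-author="{a}">'
            '<b>{a}</b>: {t}</div>').format(
        a=html.escape(author, quote=True),
        t=html.escape(text, quote=True))


def content_security_policy():
    # Assumed policy: only scripts from our own origin may run; inline
    # <script> blocks and eval() are refused by the browser even if an
    # attacker manages to get them into the page.
    return "default-src 'self'; script-src 'self'; object-src 'none'"


if __name__ == "__main__":
    # Constructed inputs: a comment body and an author name that each try
    # to break out of their context.
    body = "<script>alert(document.cookie)</script>"
    name = 'mallory" onmouseover="alert(1)'
    print(render_comment(name, body))
    print("Content-Security-Policy:", content_security_policy())
```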

04. Beware of error messages

Be careful with how much information you give away in your error messages. Provide only minimal errors to your users, to ensure they don't leak secrets present on your server (e.g. API keys or database passwords). Don't provide full exception details either, as these can make complex attacks like SQL injection far easier. Keep detailed errors in your server logs, and show users only the information they need.

05. Validate on both sides

Validation should always be done both on the browser and server side. The browser can catch simple failures like mandatory fields that are empty and text entered into a numbers-only field. These can however be bypassed, and you should make sure you repeat these validations, along with deeper validation, on the server side, as failing to do so could lead to malicious code or scripting code being inserted into the database, or could cause undesirable results in your website.

06. Check your passwords

Everyone knows they should use complex passwords, but that doesn't mean they always do. It is crucial to use strong passwords for your server and website admin area, but equally important to insist on good password practices for your users to protect the security of their accounts.

As much as users may not like it, enforcing password requirements such as a minimum of around eight characters, including an uppercase letter and a number, will help to protect their information in the long run.

Passwords should always be stored as hashed values, preferably using a one-way hashing algorithm such as SHA. Using this method means when you are authenticating users you are only ever comparing hashed values. For extra website security it is a good idea to salt the passwords, using a new salt per password.

In the event of someone hacking in and stealing your passwords, using hashed passwords could help limit the damage, as decrypting them is not possible. The best someone can do is a dictionary attack or brute force attack, essentially guessing every combination until it finds a match. When using salted passwords, the process of cracking a large number of passwords is even slower, as every guess has to be hashed separately for every salt + password, which is computationally very expensive.

Thankfully, many CMSes provide user management out of the box with a lot of these website security features built in, although some configuration or extra modules might be required to use salted passwords (pre Drupal 7) or to set the minimum password strength. If you are using .NET then it's worth using membership providers, as they are very configurable, provide inbuilt website security and include ready-made controls for login and password reset.
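The per-password-salt scheme this section describes, as an added Python example (not from the article). It substitutes PBKDF2-HMAC-SHA256, an iterated and salted SHA construction, for a single SHA pass, so that each guess costs the attacker many hash computations; the iteration count, record format and policy check are assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000   # assumption: tune so one hash takes ~100 ms on your server


def hash_password(password, salt=None):
    # A fresh random salt per password means identical passwords produce
    # different stored values and precomputed tables help no one.
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, ITERATIONS)
    # Store everything needed to repeat the computation at login time.
    return "pbkdf2_sha256${}${}${}".format(ITERATIONS, salt.hex(), digest.hex())


def verify_password(password, stored):
    # Recompute with the stored salt and iteration count; only hashes are
    # ever compared, the plaintext password is never stored anywhere.
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def password_meets_policy(password):
    # The article's minimum policy: about eight characters, at least one
    # uppercase letter and at least one digit.
    return (len(password) >= 8
            and any(c.isupper() for c in password)
            and any(c.isdigit() for c in password))


if __name__ == "__main__":
    record = hash_password("Correct7horse")
    print(record)
    print(verify_password("Correct7horse", record))   # True
    print(verify_password("wrong", record))           # False
```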

07. Avoid file uploads

Allowing users to upload files to your website can be a big website security risk, even if it's simply to change their avatar. The risk is that any file uploaded, however innocent it may look, could contain a script that, when executed on your server, completely opens up your website.

If you have a file upload form then you need to treat all files with great suspicion. If you are allowing users to upload images, you cannot rely on the file extension or the mime type to verify that the file is an image, as these can easily be faked. Even opening the file and reading the header, or using functions to check the image size, are not foolproof. Most image formats allow storing a comment section that could contain PHP code that could be executed by the server.

So what can you do to prevent this? Ultimately, you want to stop users from being able to execute any file they upload. By default web servers won't attempt to execute files with image extensions, but don't rely solely on checking the file extension, as a file with the name image.jpg.php has been known to get through.

Some options are to rename the file on upload to ensure the correct file extension, or to change the file permissions, for example chmod 0666, so it can't be executed. If using *nix, you could create a .htaccess file (see below) that will only allow access to set files, preventing the double extension attack mentioned earlier.

    deny from all
    <Files ~ "^\w+\.(gif|jpe?g|png)$">
        order deny,allow
        allow from all
    </Files>

Ultimately, the recommended solution is to prevent direct access to uploaded files altogether. This way, any files uploaded to your website are stored in a folder outside of the webroot or in the database as a blob. If your files are not directly accessible you will need to create a script to fetch the files from the private folder (or an HTTP handler in .NET) and deliver them to the browser. Image tags support an src attribute that is not a direct URL to an image, so your src attribute can point to your file delivery script, providing you set the correct content type in the HTTP header. For example:

    <img src="/imageDelivery.php?id=1234" />

    <?php
    // imageDelivery.php

    // Fetch image filename from database based on $_GET["id"]
    ...

    // Deliver image to browser
    header('Content-Type: image/gif');
    readfile('images/'.$fileName);
    ?>
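The storage-and-delivery approach this section recommends, as an added Python example rather than the article's PHP: the server picks the stored name, keeps the file outside the webroot, and serves it by id with the content type taken from an allowlist. The directory, id format and allowlist are assumptions, and the file contents are deliberately not inspected, since the section notes header checks are not foolproof; the defence is that nothing uploaded can ever be executed or fetched by a user-chosen name.

```python
import os
import re
import secrets
import tempfile

# Assumed private directory, outside anything the web server serves directly.
UPLOAD_DIR = os.path.join(tempfile.gettempdir(), "private_uploads")
ALLOWED = {"gif": "image/gif", "jpg": "image/jpeg",
           "jpeg": "image/jpeg", "png": "image/png"}
# Same spirit as the .htaccess pattern above: one name, one image extension.
SAFE_ID = re.compile(r"^[0-9a-f]{32}\.(gif|jpe?g|png)$")


def store_upload(original_name, data):
    # Take the extension from the *last* suffix only, so "image.jpg.php"
    # is rejected: its last suffix is "php", which is not on the allowlist.
    ext = original_name.rsplit(".", 1)[-1].lower() if "." in original_name else ""
    if ext not in ALLOWED:
        raise ValueError("file type not allowed")
    # Never reuse the user's filename: the server picks a random one, so the
    # upload cannot be requested under a name the uploader chose.
    file_id = secrets.token_hex(16) + "." + ext
    os.makedirs(UPLOAD_DIR, exist_ok=True)
    path = os.path.join(UPLOAD_DIR, file_id)
    with open(path, "wb") as fh:
        fh.write(data)
    os.chmod(path, 0o644)   # readable, never executable
    return file_id


def deliver(file_id):
    # The id must match the strict pattern, so "../" or any other odd name
    # can never reach a file outside UPLOAD_DIR. Returns (headers, body) the
    # way an HTTP handler would; the content type comes from our allowlist,
    # not from anything the client sent.
    if not SAFE_ID.match(file_id):
        return None
    path = os.path.join(UPLOAD_DIR, file_id)
    if not os.path.isfile(path):
        return None
    ext = file_id.rsplit(".", 1)[-1]
    with open(path, "rb") as fh:
        body = fh.read()
    headers = {"Content-Type": ALLOWED[ext], "X-Content-Type-Options": "nosniff"}
    return headers, body


if __name__ == "__main__":
    fid = store_upload("avatar.PNG", b"\x89PNG constructed sample bytes")
    print(fid, deliver(fid)[0])
    print(deliver("../../etc/passwd"))   # None: rejected before touching disk
```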


Most hosting providers deal with the server setup for you, but if you are hosting your website on your own server then there are a few things you will want to check.

Ensure you have a firewall set up, and are blocking all non-essential ports. If possible, set up a DMZ (Demilitarized Zone) only allowing access to ports 80 and 443 from the outside world. This might not be possible if you don't have access to your server from an internal network, as you would need to open up ports to allow uploading files and to remotely log in to your server over SSH or RDP.

If you are allowing files to be uploaded from the Internet, only use secure transport methods to your server such as SFTP or SSH.

If possible, have your database running on a different server to that of your web server. Doing this means the database server cannot be accessed directly from the outside world; only your web server can access it, minimising the risk of your data being exposed.

Finally, don't forget about restricting physical access to your server.

08. Use HTTPS Security

HTTPS is a protocol used to provide security over the Internet. HTTPS guarantees that users are talking to the server they expect, and that nobody else can intercept or change the content they're seeing in transit.

If you have anything that your users might want private, it's highly advisable to use only HTTPS to deliver it. That of course means credit card and login pages (and the URLs they submit to), but typically far more of your site too. A login form will often set a cookie, for example, which is sent with every other request to your site that a logged-in user makes, and is used to authenticate those requests. An attacker stealing this would be able to perfectly imitate a user and take over their login session. To defeat these kinds of attacks, you almost always want to use HTTPS for your entire site.

That's no longer as tricky or expensive as it once was. Let's Encrypt provides totally free and automated certificates, which you'll need to enable HTTPS, and there are existing community tools available for a wide range of common platforms and frameworks to automatically set this up for you. Notably, Google have announced that they will boost you up in the search rankings if you use HTTPS, giving this an SEO benefit too. Insecure HTTP is on its way out, and now's the time to upgrade. Already using HTTPS everywhere? Go further and look at setting up HTTP Strict Transport Security (HSTS), an easy header you can add to your server responses to disallow insecure HTTP for your entire domain.

09. Get website security tools from Securetecho

Once you think you have done all you can then it's time to test your website security. The most effective way of doing this is via the use of some website security tools, often referred to as penetration testing, or pen testing for short.

There are many commercial and free products to help you with this. They work on a similar basis to the scripts attackers use, in that they test all known exploits and attempt to compromise your site using some of the previously mentioned methods such as SQL injection.

Some free tools that are worth looking at: 

Netsparker (free community edition and trial version available). Good for testing SQL injection and XSS.

OpenVAS. Claims to be the most advanced open source security scanner. Good for testing known vulnerabilities, now scans over 25,000. But it can be difficult to set up and requires an OpenVAS server to be installed, which only runs on *nix. OpenVAS is a fork of Nessus from before it became a closed-source commercial product.

SecurityHeaders.io (free online check). A tool to quickly report which security headers mentioned above (such as CSP and HSTS) a domain has enabled and correctly configured.

Xenotix XSS Exploit Framework. A tool from OWASP (Open Web Application Security Project) that includes a huge selection of XSS attack examples, which you can run to quickly confirm whether your site's inputs are vulnerable in Chrome, Firefox and IE.

The results from automated tests can be daunting, as they present a wealth of potential issues. The important thing is to focus on the critical issues first. Each issue reported typically comes with a good explanation of the potential vulnerability. You will probably find that some of the medium/low issues aren't a concern for your site.

There are some further steps you can take to manually try to compromise your site by altering POST/GET values. A debugging proxy can help you here, as it allows you to intercept the values of an HTTP request between your browser and the server. A popular freeware application called Fiddler is a good starting point. So what should you be trying to alter on the request? If you have pages which should only be visible to a logged-in user, then try changing URL parameters such as user id, or cookie values, in an attempt to view details of another user. Another area worth testing is forms: changing the POST values to attempt to submit code to perform XSS, or uploading a server side script.
