Information security
Website security audit (website vulnerability testing) is a number of procedures aimed at ensuring the web resource stable operation, data security and risk reduction.
It’s no secret that the economic situation now dictates new rules, for competition as well. If earlier the “technology war”, cyberespionage and destructive actions were done mostly by large corporations or entire States, now these methods are quite successfully used in small and medium-sized businesses.
Let’s leave the offline companies’ websites aside for now, and talk today about commercial websites, whose major income comes from Internet activities.
Website security audit is a range of operations on detection of errors in the site code and server software, which can be used by intruders to attack and hack the site.
Motivation used by the attackers can be different — it can be a bragging, finding benefits for themselves personally or performing the order.
From the latest “high profile” examples — the freelance exchange FL.ru hacking habrahabr.ru/post/251487
Here, the resource is clearly caused reputational damage, users loyalty is reduced. It may be difficult to attract new users: www.google.ru/search?ie=UTF-8&hl=ru&q=FL.ru
GOOGLE search on request FL.RU gives as the second result a topic on habr about the users base leakage.
What would FL.RU exchange security audit give — password matching for accounts of resource administrators would help to identify these accounts. Additional guidance and rules on its compliance would help to avoid such an unfortunate oversight. The lack of restrictions on access to critical functionality (user accounts) from an untrusted IP address only aggravated the situation.
Reputational risks from the company’s website hacking will naturally affect the profitability of the company. But there is also a direct theft threat for data, which is of value to the company. The company’s website related to online activities — online store, e-exchange, etc – is the main tool for profit producing and it often contains customers database, which is more valuable if the service involves long – term working with the client, repeat purchasing and so on.
Also, the payment information manipulation, fraudulent transactions in systems of funds input/output or in payment systems can cause great damage to the company.
Wedsite attackers can be divided into two types
1. We take everything that is not tied down.
These kinds of attackers try getting access to a large number of sites, using primitive techniques, “mess with logs”. Typically, these types of intruders scan the site(s) with popular vulnerability scanners or search for vulnerable CMS for a specific exploit. They may be interested in both the users base and the banal iframe on the so-called exploit-pack.
the search for associates to commit an offense under section 273 of the Russian Federation Сriminal Сode
Held on time web applications security audit will help to identify vulnerable components and site problem areas. Recommendations will help to prepare for hacker attacks repelling.
2. Attacking specific target.
This kind of attackers are usually motivated to obtain certain data or destroy it:
ads on hacking forums
In this case, the attacker won’t stop with passive methods – most likely he will attack the site until he gets the desired result, using all possible combinations of attack vectors.
- A comprehensive security audit can significantly improve website security. It usually includes the following actions:
- Searching for vulnerabilities of server components;
- Searching for vulnerabilities of server web environment;
- Checking for remote execution of arbitrary code;
- Checking for code injection;
- Attempts to bypass the authentication system of a web resource;
- Checking web resource for “XSS” / “CSRF” vulnerabilities;
- Attempts to intercept privileged accounts (or sessions of such accounts);
- Attempts to exploit Remote File Inclusion / Local File Inclusion;
- Searching for components with known vulnerabilities;
- Checking for redirection to other sites and open redirects;
- Scanning of directories and files using brute force and “google hack”;
- Analysis of search forms, registration forms, authorization forms, etc.;
- Resource checking on the possibility of confidential and secret information open access;
- Race condition attacks;
- Implementation of XML entities;
- Passwords matching
Website security audit is a proactive measure that allows to get an adequate assessment of the company’s resource security, full information about found vulnerabilities, possible attack scenarios and recommendations for their elimination. This is, in fact, not an event, but a continuous process to ensure the safety of the company’s website business processes, to preserve business reputation, economic growth and business development.
Do not wait until your site is attacked by intruders — order a website security audit from professionals.