Advice Centre

Ten things your web designers can't tell you about IT security

In a recent survey, 97% of the 300 e-commerce websites tested had such serious flaws that anyone could easily steal confidential information or deface the site.

Anyone in the industry will tell you that there is no such thing as a "secure" web site; however, most of the sites that we’ve tested on behalf of customers could be hacked by Daffy Duck!

Gone are the days of boring single-page static web sites – complete with lurid backdrop and a multitude of crazy fonts. A growing number of small companies have invested heavily in websites with at least some dynamic content, perhaps a secure area for clients, an application, or maybe it’s e-commerce enabled so that customers from anywhere in the world can now sample the delights of their particular widget.

Suddenly, even the most junior web designers are required to understand databases, secure transactions, form validation, scripting, and application development using some bizarre (even proprietary) technology. The word "junior" is significant – the economy within IT has been tough enough to ensure that the most qualified and experienced developers have been abandoned in favour of less experienced (and cheaper) alternatives. And herein lies the problem. No-one seems to have cottoned on to the fact that the Internet is a dangerous place full of nasty people! In fact, the Internet is the most demanding place you can publish any form of application.

Without proper design rules, procedures, robust validation and testing practices (above and beyond "does it appear to work"), you are heading for a fall.

If you process confidential information on your site, you will be breaking Data Protection rules if it isn’t secure. That aside, Data Protection will be the least of your worries when your customers find out! Even if the data isn’t confidential, it’s probably business critical in some other way, meaning that your brand and/or your trade marks could be in serious trouble.

Top ten security failings of websites

This is our own list of the top ten faults that we regularly find on business websites. This list is not exhaustive, and is in no particular order. If you’re a web developer, take note!

When sending data from web based forms, especially to databases, few web designers provide consistent checking ("parsing") of the data to ensure that it won’t have an undesirable effect. Effects include crashing the server, bypassing all login security, revealing confidential data, allowing the creation or destruction of information and/or web pages, etc.

The first job of the "cracker" is to discover the underlying technology – e.g. type of database. Sending "rubbish" to an insecure script usually reveals a complex database driver error which means nothing to the man in the street, but tells the cracker just about everything they need to know.
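As an added illustration (not code from the original article), here is the unchecked and the checked version of a login query side by side, covering both of the faults above: form data pasted straight into the SQL, and raw driver errors sent back to the browser. The user table, the username policy and the reference-id scheme are assumptions, and sqlite3 stands in for whatever database the site actually uses.

```python
import logging
import re
import sqlite3
import uuid

# Constructed in-memory table standing in for the site's user database.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
conn.execute("INSERT INTO users VALUES ('alice', 'hash-of-alices-password')")
conn.commit()

log = logging.getLogger("login")
USERNAME_RE = re.compile(r"[A-Za-z0-9'._-]{1,32}")  # assumed username policy


def login_unchecked(username, password_hash):
    """The fault described above: the form field is pasted straight into the
    SQL, so an apostrophe (or anything else) changes the query's meaning and
    the raw driver error goes back to whoever submitted the form."""
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password_hash = '{password_hash}'")
    return conn.execute(sql).fetchone()


def login_checked(username, password_hash):
    """Hardened form: validate the field, bind it as a parameter so the
    database treats it as data rather than SQL, and never let a driver
    error reach the browser (full detail is logged server-side under a
    reference the user can quote). password_hash is assumed to be
    computed by the caller before this function is reached."""
    if not USERNAME_RE.fullmatch(username):
        return ("error", "Invalid username")
    try:
        row = conn.execute(
            "SELECT username FROM users WHERE username = ? AND password_hash = ?",
            (username, password_hash),
        ).fetchone()
    except sqlite3.Error:
        ref = uuid.uuid4().hex[:8]
        log.exception("database error, ref %s", ref)  # detail stays server-side
        return ("error", f"Temporary problem, please quote reference {ref}")
    return ("ok", row[0]) if row else ("denied", None)
```

A legitimate name such as O'Brien is enough to make the unchecked version fail with a database syntax error, while the checked version simply treats it as data.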

Very few web designers (come on, we’ve all done this…) develop anything from scratch. It’s much quicker to simply cut and paste from an example on the Internet – et voila – instant success. The trouble is, these standard scripts – which could be anything from a secure login facility to a fully fledged e-commerce system – may not be secure, and will often use ridiculously obvious table and column names (e.g. "username", "password", etc).

Every file on a web server is a potential security hole. Often, any testing that is done is focused on ensuring the correct operation of the script, not security. If security is tested, seemingly unimportant scripts are often ignored to save cost and time – yet these scripts may be a useful backdoor into the "secure" database.

The list here is endless. Lack of any regular data backups, lack of denial of service (DoS) protection, irregular patching of servers, uncontrolled third party access to servers, poor physical and environmental security, and so on. Read the small print carefully when you buy any form of web site hosting, and remember caveat emptor.

Web servers are typically "low grade" storage and should NEVER hold confidential or otherwise business critical data.

Most web server software includes a plethora of standard scripts and tools designed to allow easy management of your web site. These are often the "tools of choice" for many an opportunistic cracker… Also, default directory security is rarely suitable for Internet use "out of the box".

Most database software comes with yet more useful tools to assist in the creation and management of databases in the form of stored procedures. Tools like xp_cmdshell (which gives DOS shell access under SQL) built into SQL Server make hacking a breeze.

If and when someone does break in, it might be nice to actually find out about it before all your customers ring up and complain. Few sites have the facility to accurately log all transactions, and most aren’t routinely checked until AFTER a breach has occurred.
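An added example, not from the original article, of the kind of routine log review the paragraph above calls for: it parses a constructed sample of common-format web server access-log lines and flags any client with repeated failed logins or repeated server errors, the two things a breach attempt tends to leave behind. The log format, the /login path and the threshold are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample access log (common log format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2004:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 5120
10.0.0.5 - - [12/Mar/2004:10:01:09 +0000] "POST /login.asp HTTP/1.1" 200 800
10.0.0.9 - - [12/Mar/2004:10:02:00 +0000] "POST /login.asp HTTP/1.1" 401 300
10.0.0.9 - - [12/Mar/2004:10:02:01 +0000] "POST /login.asp HTTP/1.1" 401 300
10.0.0.9 - - [12/Mar/2004:10:02:03 +0000] "POST /login.asp HTTP/1.1" 401 300
10.0.0.9 - - [12/Mar/2004:10:02:04 +0000] "POST /login.asp HTTP/1.1" 401 300
10.0.0.7 - - [12/Mar/2004:10:03:10 +0000] "GET /search.asp?q=widget HTTP/1.1" 500 120
10.0.0.7 - - [12/Mar/2004:10:03:11 +0000] "GET /search.asp?q=gadget HTTP/1.1" 500 120
10.0.0.7 - - [12/Mar/2004:10:03:12 +0000] "GET /search.asp?q=gizmo HTTP/1.1" 500 120
10.0.0.7 - - [12/Mar/2004:10:03:14 +0000] "GET /admin/ HTTP/1.1" 404 90
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$')


def parse(lines):
    """Yield (client ip, method, path, status) for each well-formed line."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield m["ip"], m["method"], m["path"], int(m["status"])


def review(log_text, threshold=3):
    """Return {client ip: [reasons]} for clients whose activity merits a look."""
    failed_logins = Counter()
    server_errors = Counter()
    for ip, method, path, status in parse(log_text.splitlines()):
        if method == "POST" and path.startswith("/login") and status == 401:
            failed_logins[ip] += 1
        if 500 <= status < 600:  # errors from scripts fed unexpected input
            server_errors[ip] += 1
    findings = defaultdict(list)
    for ip, n in failed_logins.items():
        if n >= threshold:
            findings[ip].append(f"{n} failed logins")
    for ip, n in server_errors.items():
        if n >= threshold:
            findings[ip].append(f"{n} server errors (possible probing of input handling)")
    return dict(findings)
```

Run over the real access log on a schedule, the output is the short list a site owner should be looking at before the customers ring up.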

The Computer Misuse Act 1990 is not particularly effective when it comes to websites. You are skating on thin ice if you fail to ensure that the cracker is knowingly committing a criminal offence by attempting to break into your site.

(c) 2004, Bawden Quinn Associates Ltd