Ghana website security
Security in the general sense is a very broad topic, and how broad it is depends to a large extent on the factors being analysed. Internet security has been a concern since the invention of the World Wide Web, because data and information exchanged over the internet are not inherently secure and can be intercepted or manipulated, leading to attacks and hacks. Website security is as broad a field as security itself, ranging from network security to web server security and so on.
As a web development company, this topic is a major concern to us because it affects the core of our operation. In this blog post, we will look at some of the techniques used to mitigate website attacks and hacks. It is amazing how common some of the vulnerabilities are, and yet a simple Google search leads one to a whole lot of websites out there that are vulnerable. In our recent survey (with respect to where our company is based, Ghana), we found that some of the most trafficked websites in Ghana were vulnerable. To our dismay, some of these sites have been around for years and their owners never bothered to scan them for website vulnerabilities. The result was directory listing and download of files that should not be accessible, unauthorized login to protected or authenticated sections of the website, unauthorized access to the administration panel and content management system part of the site, and so on.
The bottom line of website security is that your website accepts input from users and returns output to them, and it must never be assumed that users supply the right data. The safe assumption is that all input is tainted and should be filtered.
Data sources in PHP include the superglobals $_SERVER, $_SESSION, $_POST, $_GET, $_FILES, $_COOKIE, etc.
We offer the following recommendations based on our findings; this blog post is not intended to be an exhaustive treatment of mitigating attacks.
1. Directory and File protection

a. File and Folder permissions

Set your server permissions to "755" for folders and "644" for files. If any third party software requires "777" permissions to install, remember to set them back to the appropriate ones after the install.

b. Using .htaccess

# Protect files and directories from prying eyes.
<FilesMatch "\.(application|system|model|view|controller)">
Order allow,deny
# Make the default deny explicit so no Allow rule elsewhere reopens them.
Deny from all
</FilesMatch>

2. User submitted inputs
All user submitted inputs should be filtered before they can be considered safe for further processing in the application.

a. Data – If the system accepts only alphabetic characters, it should be checked against that; if it accepts only numbers (e.g. IDs), it should be filtered as a number. Several functions exist in the different server technologies to help with this daily programming task. In PHP, is_numeric and ctype_alpha come to mind for now.

b. SQL Injection – A common attack we found was SQL Injection. The simple solution to start with is to escape values before they are used. PHP offers the mysql_real_escape_string() function for this, but remember to filter your numeric data types too before they are used, since escaping only protects values that sit inside quotes. For example, in `id`=3, where id is a number, the '3' should be filtered as a number before being used.
3. Validation – Usability has its costs: nothing is more responsive than validating on the client side, but remember that a user can have JavaScript turned off, so you should also validate user submitted input on the server side. If there are time or budget constraints on a project, then server side validation alone is the better and preferred option over doing both.
4. User friendly URLs

Basically speaking, doing a Google search for the term "index.php?id=3" to find SQL injection vulnerable websites is a simple task; however, if those URLs had been user friendly, such as '/3', that would have helped mask them from showing up in the SERP. It was quite interesting when we checked our server logs and observed the URL hacks folks were trying in order to get into our system. Who said we want our CMS to be public? It was funny to see how people can guess, trying all sorts of string combinations, e.g. adm, admin, admini, administration, administrator, etc., to get in. Refer to our other post on friendly URLs for more.
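To tie together the input filtering and SQL injection points under item 2, here is an added PHP example that is not from the original post: the tainted `id` lookup beside a hardened version that filters numeric ids as numbers with ctype_digit and alphabetic fields with ctype_alpha before escaping. It assumes the PHP 5 mysql extension the post refers to, an open connection in $link, and a hypothetical users table with id and first_name columns.

```php
<?php
// Added example, not from the original post. Assumes the PHP 5 mysql
// extension the post refers to, an open connection in $link, and a
// hypothetical `users` table with `id` and `first_name` columns.

// Vulnerable: the raw query-string value is concatenated into the SQL, so
// any value other than a plain number rewrites the WHERE clause itself.
function find_user_vulnerable($link, $rawId)
{
    $sql = "SELECT * FROM users WHERE id = " . $rawId;   // tainted input
    return mysql_query($sql, $link);
}

// Hardened: numeric ids are filtered as numbers, never merely escaped.
// ctype_digit is stricter than is_numeric (which also accepts "3.5", "1e3").
function filter_id($rawId)
{
    if (!is_string($rawId) || $rawId === '' || !ctype_digit($rawId)) {
        return null;
    }
    return (int) $rawId;
}

// Alphabetic-only fields are checked with ctype_alpha and, because they are
// used inside quotes, escaped for the connection's character set.
function filter_name($link, $rawName)
{
    if (!is_string($rawName) || $rawName === '' || !ctype_alpha($rawName)) {
        return null;
    }
    return mysql_real_escape_string($rawName, $link);
}

function find_user_hardened($link, $rawId, $rawName)
{
    $id   = filter_id($rawId);
    $name = filter_name($link, $rawName);
    if ($id === null || $name === null) {
        // Refuse the request instead of guessing what the caller meant.
        header('HTTP/1.1 400 Bad Request');
        exit('invalid input');
    }
    $sql = "SELECT * FROM users WHERE id = " . $id
         . " AND first_name = '" . $name . "'";
    return mysql_query($sql, $link);
}

// Usage with one of the tainted sources the post lists:
// $result = find_user_hardened($link, $_GET['id'], $_GET['name']);
```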
There is more to website security than what is listed here; this is what I came up with for now. Drop a line or comment below to share.