I'm curious (for purely academic purposes) how website securities can be thwarted.

  • What, generally, is web security? Server and client side?
  • How to tell if a site is vulnerable? How to prevent vulnerabilities?
  • How to throw server errors? Is it possible to break/shut down a server?

So, in summation I'm asking about general web-security, how to "hack" and how to prevent. Could you guide me to some resources? And do you have any pointers (either from experience or personal opinion)!?

Also, if I'm a hacker: What's the quickest easiest way to take down a site?

+3  A: 

See this great tutorial about security. Note that this is from PHP's perspective but the main idea should be the same for all web security issues.

As for finding vulnerabilities in your websites, we find this software to be really good:

Acunetix Web Security Scanner

Sarfraz
I'm a mac loser...so no Acunetix for me. :)
Kevin Brown
+1  A: 

In a broad perspective, web security doesn't just encompass the software technology, but also other areas such as the physical location of your web server, whether proper permissions are granted to authorized users for physical access, all the way to the software that runs the server, e.g. the Operating System, the web technology, e.g. PHP, Apache, JavaScript, etc. You will have to at least know a bit of all of these languages/software to seriously talk about web security. Also, not all web servers use PHP; some use Perl, Python, yet others run Ruby, Java, etc. How to prevent vulnerabilities? If you understand the programming loopholes of the language you use and take every effort to do sanity checks, update your Operating System patches, do proper access controls in terms of physical security, etc., you can say that more than half the battle is won. The rest will be due diligence and telling and educating people about security and its importance.

ghostdog74
+2  A: 

You should read this one - http://stackoverflow.com/questions/72394/what-should-a-developer-know-before-building-a-public-web-site

adatapost
Choke... That's a lot of stuff!! :)
Kevin Brown
+1  A: 

It's a broad topic and whole books have been written about it.

A web server, by definition, must respond to HTTP requests (TCP connections over port 80). It may also have to respond to HTTP/SSL requests (TCP connections over port 443). Of course it's possible to run these services over other ports; but publicly accessible web servers are almost all configured according to those standards.

So what are the sorts of security issues you can envision? Generally they can be vulnerabilities in the web server (daemon) code (e.g. Apache), in any of the modules being loaded by it (e.g. mod_php), in some of the dynamic content handling (CGI scripts being executed by the web server, Java, application engines, etc.), or in something else which is running on the server (SSH daemons, SNMP management agents, etc.).

Additionally, some issues can be beyond your own server. For example, if you are processing data being supplied by users there's the risk that any router or link between your users and your server could be snooping for private or confidential data. Even if you process these over SSL you may have issues with users being redirected to other sites and being tricked into supplying that data to this "MITM" (man-in-the-middle). Also, any content that is supplied by users and is displayed back to others (comments in wikis, blogs, messaging forums, etc.) may be vulnerable to a variety of "cross-site scripting" (XSS) exploits. An attacker may be able to inject bogus entries into various DNS servers which users are relying on to direct them to your site (DNS cache poisoning, for example).

Realistically, most of the modern issues that are under your control are those related to XSS or to SQL injection (cases where your dynamic content is implicitly storing and retrieving data from a DBMS, such as MySQL, and where any of your attempts to sanitize user inputs are inadequate ... where user data is passed to the DBMS as SQL code and executed there).

Those are the sorts of issues that are relevant to programmers. Most of the issues with OS, server software, and so on are of more interest to sysadmins.

Jim Dennis
+3  A: 

Also, if I'm a hacker: What's the quickest easiest way to take down a site?

Answer: Google. Keep in mind, taking down any website is many orders of magnitude easier than taking down a specific site. Most attacks are done by a small number of hackers attacking a LARGE number of servers, and the hacker doesn't care who he breaks into, he just cares about numbers. There are websites out there that have already been hacked. The hacker has installed a backdoor similar to c99shell.php; Google can index these backdoors and then people can search for them.

Another approach to Google hacking is finding all copies of a vulnerable piece of software. Let's say an exploit hits the web that affects vBulletin 3.8.4 and below. I can do a Google search for "Powered by vBulletin® Version 3.8.4" and find nearly all copies of this version of vBulletin on the web.

So to answer your question: exploit code is used to break into web sites, and hackers find you using Google.

Many of these web application exploits are leveraging vulnerabilities discovered using free and open source testing tools such as Wapiti, w3af, or perhaps the expensive commercial product Acunetix.

Rook
+3  A: 

Rather than try to comprehensively answer your questions within a single page, I'd prefer to refer you to some outstanding free guidance.

  • What, generally, is web security? Server and client side?
  • How to tell if a site is vulnerable? How to prevent vulnerabilities?

If you're particularly interested in web security, I heavily recommend OWASP (the Open Web Application Security Project). OWASP is a consortium that focuses exclusively on web security for development and testing. http://www.owasp.org/index.php/Getting_Started

Beyond that, there are several good books on the subject. Most experts rely on penetration testing or "ethical hacking" to reveal if a site is vulnerable. This takes considerable time and expertise. Though there are a few quick tests one can run, a comprehensive effort involves a significant test effort.

  • How to throw server errors? Is it possible to break/shut down a server?

The majority of penetration tests cause server errors. Shutting down a server, obtaining administrative credentials (and then shutting down the server from within), or disrupting users is common.

Preventing security weaknesses requires a slightly different skill set. Defensive design and coding is a subject that's also well discussed in books and OWASP.

So, in summation I'm asking about general web-security, how to "hack" and how to prevent. Could you guide me to some resources? And do you have any pointers (either from experience or personal opinion)!?

Also, if I'm a hacker: What's the quickest easiest way to take down a site?

Microsoft offers this defensive programming advice: http://msdn.microsoft.com/en-us/library/aa302420.aspx

I'm partial to this book as a hands-on web security testing guide: http://www.amazon.com/Web-Security-Testing-Cookbook-Systematic/dp/0596514832

Ben Walther