As a beginning web developer, I try my best to clean up all the user inputs through checks and what not. However, today, I found out my website was hacked (I'll share their website on request) and it really made me wonder how they did it. I'm in the process of getting my website back together. What should I do to prevent these things? Are there people I should talk to and ask how secure my website is? What can I do to keep my website safe? I wrote my website in PHP and MySQL.

Update: Finally restored the back ups. I use $_GET["name"] in my script, and I'm guessing that's how they got into my website. First, they were able to put an index.html/index.php file in EACH and every folder on my server. Anyone know how I can counter this?

Update: It actually wasn't my website that got hacked, but the host. The SSH password was cracked and it installed a new index file in each and every folder.

+2  A: 

Prevent SQL injection. Use good passwords. And always check user input (like the `$_GET` and `$_POST` vars in PHP).

VDVLeon
+7  A: 

This is an extremely broad question, so the answers you will get are equally broad.

In order to test your website for security, you could do penetration testing. There are companies that will do that for you. You could also look at Google Skipfish.

What can you do to keep your website safe? You can:

  • Sanitize and validate all inputs - also cookies, they can be tampered with like everything else that is sent by the client.
  • Keep OS and frameworks up-to-date with latest security patches. If you use a CMS, be sure to be up-to-date with that as well.
  • Never send text submitted by the user back, unless you html encode it first.
  • Use parameterized SQL queries to keep SQL injections attacks away.
  • In general, code defensively.
driis
How do I use Skipfish?
Doug
@Doug: Read the documentation. If you get stuck, ask for help on http://serverfault.com/
Brian
+3  A: 

While it doesn't cover everything, you may want to consider looking at OWASP. Their Top Ten for 2010 has recently been released and gives a reasonable overview of common security flaws.

developmentalinsanity
+1  A: 

The two big things to check for are SQL injection and remote code execution.

SQL injection happens when you take input from some untrusted source (i.e., the entire freaking world!) and use it as an SQL query. The fix is to stop using string substitution to build queries and updates, and to stick rigorously to parameterized queries/updates. Note that using magic quoting is a far inferior approach to dealing with this, since it is much easier to get it wrong; “always parameterize every query” is a simpler way that is easier to audit for. (Yes, you need to really audit all your code here. Sorry about that.)

Remote code execution is when you have any mechanism to allow a client of the website to ask the website to run PHP that isn't pre-loaded onto the website in a directory that the webserver can't write to. It's convenient, yes, but it's ultra dangerous because a crafty cracker can ask the webserver to download a rootkit or other nefarious content. We used to get that a lot with our main webserver at work, so we now run it on a strictly read-only filesystem (with remote logging) with remote execution of PHP code (or, indeed, opening of any other connection to a non-white-listed server) strictly forbidden. It's tremendously frustrating to various external web-design consultancies that keep getting hired in, but that's because they're too often not very professional at the whole business of running a secure system, and it does mean that this whole class of attacks is locked out.

(The other thing to watch out for is XSS, though it's not exactly an attack on your site. That happens when you fail to quote untrusted content coming out of your database correctly, allowing nefarious content to be served up from your site without it actually being hacked per se. Defending your site from being on the receiving end of such things is important, but you've got to solve the more serious threats first so that your site isn't a toxic zombie any more.)

Donal Fellows
+1  A: 
  • make sure your own machine is not infected. There are a lot of trojans which collect FTP passwords. Also, never use FTP over an unencrypted wireless connection - there are also trojans that make the infected computer listen in to wireless communication and steal passwords. Use SFTP whenever possible.
  • find a decent host. Some cheap hosting providers do not prevent a site from changing the files of another, so no matter what you do your site might be hacked through a vulnerability of another webpage hosted on the same server.
  • always escape untrusted input in SQL queries. Using parameterized queries is even better.
  • always escape untrusted input (this includes current URL, referer, browser user agent, HTTP headers etc.) before displaying it on a webpage. This is surprisingly hard (see http://ha.ckers.org/xss.html for some non-obvious attacks), use a good library like HTML Purifier instead of trying to write your own.
Tgr
+1 I have totally seen people get owned via FTP. I have no idea why anyone uses that garbage.
Rook
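The advice in driis's, Donal Fellows's and Tgr's answers (parameterize every query, encode everything you echo back) in working PHP, as an added example that is not code from any answer above. It assumes a `users(name, email)` table and uses an in-memory SQLite database via PDO so it runs offline; the `$name` value is a constructed stand-in for what the question's `$_GET["name"]` might receive.

```php
<?php
// Added example, not from the page: string-built query beside the
// parameterized one, plus HTML output encoding.
// Assumption: a users(name, email) table; SQLite in memory keeps it offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (name TEXT, email TEXT)');
$pdo->exec("INSERT INTO users VALUES ('alice', 'alice@example.com'), ('bob', 'bob@example.com')");

// Constructed sample input standing in for $_GET["name"]: a value that is
// harmless as data but changes the query's meaning when pasted into SQL text.
$name = "x' OR '1'='1";

// VULNERABLE: the input is interpolated into the SQL text, so its quote
// characters become part of the query structure instead of the value.
function lookupUnsafe(PDO $pdo, string $name): array {
    $sql = "SELECT name, email FROM users WHERE name = '$name'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// SAFE: the query text is fixed; the value travels as a bound parameter and
// is never parsed as SQL, so only a user literally named $name would match.
function lookupSafe(PDO $pdo, string $name): array {
    $stmt = $pdo->prepare('SELECT name, email FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Output encoding (the XSS point): every value echoed into HTML is
// entity-encoded first, so stored or reflected content cannot become markup.
function renderRow(array $row): string {
    $h = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<li>' . $h($row['name']) . ' &lt;' . $h($row['email']) . '&gt;</li>';
}

echo count(lookupUnsafe($pdo, $name)) . " rows from the string-built query\n";
echo count(lookupSafe($pdo, $name)) . " rows from the parameterized query\n";
foreach (lookupSafe($pdo, 'alice') as $row) {
    echo renderRow($row), "\n";
}
```

Run it with `php`: the string-built query returns both rows because the `OR '1'='1'` became part of the WHERE clause, while the parameterized query returns none because no user has that literal name.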
A: 

Driis provided a good answer. I would like just to add that usage of stored procedures can be also very beneficial.

Anvar