- Written by Rafe Magnuson
- Category: InfoSec
- Hits: 322
The Web can be a scary place sometimes. If you start to peer into the little dark corners of it you'll find that there are all sorts of nefarious individuals just waiting for a chance to pounce on some scrumptuous moresel left unguarded by a distracted businessman, or the overworked admin, as the case might be. If you think your company website is solid as a rock, if you think your blog is secure from public defacement, you might want to think again.
Website and server threats that capitalize on errors and oversights and allow intrusions have grown over the years at an alarming rate. No one has been safe from them, and with 0-day hacks even the best firewalls and intrusion detection measures fall short. With that in mind let's explore some of what you can do to lock your site down.
It's commonly thought that a good firewall will combat all the headaches associated with criminal activity on the Web, and to a certain extent this is true. However when you're dealing with a website that requires access by the outside world you can't just lock everything down and walk away from the job, certain pathways (ports such as those for HTTP and HTTPS) are necessary in order for the site to function properly for your clients. It would be like locking the door to your business all hours of the day whether you are closed or not. So in short, a firewall has it's place but usually you want to let your host decide what that place is. Certainly you want to make sure they are a quality establishment that doesn't allow unnecessary communications through their systems but for you as the webmaster or web security consultant you'll want to focus on elements more directly in line with the website itself.
There are numerous ways to attack any given website. From ip spoofing and parameter tampering to URL manipulation and session hijacking. You could test all these methods of attack yourself, one by one, gathering results and refining your site slowly into the fortress you wish it to be. Or alternately you could rely on an automated attack suite created specifcally for the purpose of attacking your site, finding it's weaknesses and reporting them back to you in a robust manner. I prefer the latter approach.
At Magnuson Technical Services we combine best-in-class automated pentesting tools to do the heavy lifting associated with thousands of known website attack vectors. The list of these attacks is too long to publish here but it includes those included in the previous paragraph as well as SQL injection attacks, DNS attacks, proxy hijacking, and numerous other attacks that can be done both automatically or with some assistance from our elite staff of white-hat hackers. Above and beyond this we constantly peruse the Web and all it's dark corners to find the very latest 0-day exploits that emerge and test using these as well.
Once testing is completed we can provide you with a report of various depths from just an overview of weaknesses to a full multi-page report of the weaknesses, where they lie, and how we were able to exploit them.
Finally, we can help you by working to eliminate the threats from your website. Our professional team of programmers is standing by to do whatever is necessary to ensure that your site remains intact, regardless of what the bad guys throw at it.