Site security audit - identifying risks and threats

Site security audit (site checking for vulnerabilities) - a series of procedures aimed at ensuring the stable operation of a web resource, data security and risk reduction.

It is no secret to anyone that the economic situation is now dictating new rules, including in competition. If earlier “war of technologies”, cyber espionage and destructive actions were mainly the lot of large corporations or entire states, now these methods are quite successfully applied in small and medium businesses.
')
We will leave the websites of offline companies aside, and today we will talk about commercial websites, whose main income is related to Internet activities.

Site security audit is a complex of works on detecting errors in the site code and server software, which attackers can use to attack and hack the site.

The motivation that is used by attackers may be different - this is bragging, and the search for benefits both for themselves, and working on the "order".

From the latest "high-profile" examples - hacking FL.ru freelance exchanges habrahabr.ru/en/post/251487

^{screenshot of a hacker's message on behalf of one of the administrators}

Here the resource has clearly suffered reputational damage, reduced user loyalty. New users may be difficult to attract: www.google.ru/search?ie=UTF-8&hl=ru&q=FL.ru
As a result of GOOGLE search results for FL.RU, the second topic on Habré is about merging the user base.

What would give the security audit of the FL.RU exchange - the selection of passwords for resource administrators' accounts would help identify these accounts. Additional recommendations and rules for their compliance would help to avoid such an annoying oversight. The lack of access restriction to the critical functionality (user accounts) from an untrusted IP address only aggravated the situation.

Reputational risks of hacking into the company's website will naturally affect the company's profitability. But there is a direct threat of theft of data of value to the company. The company's web site related to online activities - online store, electronic exchange, and so on. - the main tool for making a profit - often contains a database of clients, all the more valuable if the service involves long-term work with the client, repeated purchases and so on.

Also, a lot of damage to the company can be caused by payment data manipulation, fraudulent transactions in funds deposit / withdrawal systems or payment systems.

Malicious attackers of the site can be divided into two types:

1. We take everything that is bad.

This kind of attackers are trying to gain access to a large number of sites, using primitive techniques, "make noise in the logs." Typically, these types of subjects scan the site (s) with popular vulnerability scanners or search for vulnerable CMS for a specific exploit. They may be interested in both the user base and the banal iframe on the so-called. exploit-pack.

^{Search for accomplices to commit an offense under Article 273 of the Criminal Code of the Russian Federation}

A timely web application security audit will help identify vulnerable components and problem areas of the site. Recommendations will help to be prepared to repel hacker attacks.

2. Attack a specific target.

This kind of attacker is usually motivated to obtain or destroy certain data:

^{announcements on "okolokhakerkih" forums}

In this case, the attacker will not be limited to passive methods - most likely he will attack the site until he gets the desired result, using all possible combinations of attack vectors.

A comprehensive security audit, which usually includes the following actions, can significantly improve site security:

• Search for server component vulnerabilities;
• Search for vulnerabilities in the web server environment;
• Check for remote execution of arbitrary code;
• Check for injections (code injection);
• Attempts to bypass the web resource authentication system;
• Check the web resource for the presence of "XSS" / "CSRF" vulnerabilities;
• Attempts to intercept privileged accounts (or sessions of such accounts);
• Attempts to produce Remote File Inclusion / Local File Inclusion;
• Search for components with known vulnerabilities;
• Check for redirects to other sites and open redirects;
• Scanning directories and files using brute force and "google hack";
• Analysis of search forms, registration forms, authorization forms, etc .;
• Checks resource for the possibility of open receipt of confidential and secret information;
• Attacks of the race condition class;
• Implementing XML Entities
• Selection of passwords.

Site security audit is a proactive measure that allows you to get an adequate assessment of the company's resource security, complete information about the vulnerabilities found, possible attack scenarios, and recommendations for eliminating them. This is, in fact, not an event, but a continuous process to ensure the security of business processes of the company's website, preserving business reputation, economic growth and business development.

Do not wait until your site is attacked by attackers - order a comprehensive site security audit from professionals.

Be secure!