What threatens your site after installing an online consultant widget, and how we deal with it
The services we develop, the RedHelper online consultant and the RedConnect callback, work with visitors' personal data, so they demand a very careful approach to security on both the client side of the widget and the server side. In this article we describe the kinds of threats your site can expect after installing third-party widgets, and how we ensure security in our products.
Disclaimer: if you are already familiar with these threats and the countermeasures, you can safely scroll on, since you will most likely learn nothing new. But if the abbreviations MITM, XSS or XSRF mean nothing to you, and you have one or more widgets on your site, you can learn a lot today.
Widget security
Often the site owner does not even suspect that the pages of his web presence are infected. Hosting providers have lately started tackling this problem fairly successfully by regularly scanning their clients' files for malicious code, but, as we know, that is not a panacea.
To protect the client side, RedHelper widgets are loaded in an iframe. Those who know how this technology works have already guessed the point, but an analogy is still useful. An iframe can be compared with an embassy: whatever frightening things happen outside the embassy fence, inside it the laws of the state whose flag flies over the entrance apply. In the same way, the RedHelper widget in its iframe does not depend on the threats and security holes present on the host site. The browser's same-origin policy keeps the host page's scripts from reading what the visitor types into the widget's input fields, and those fields are served and protected by our server side. One caveat is worth keeping in mind: the embassy protects what is inside it, not the street outside. A page that is fully compromised can still replace the embed code or overlay the frame with a look-alike, so the isolation protects the widget's data, not the host site itself.
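The iframe boundary described above only holds if whatever crosses it is checked. The following is an added example (not RedHelper's own code) of the two sides of that boundary: inside the widget, a postMessage handler that accepts events only from the origins the widget was embedded on, only over https, and only for a fixed set of commands; on the host page, a sender that names the widget's origin instead of `'*'`. WIDGET_ORIGIN, the command names and the constructed events are hypothetical.

```javascript
// Added example, not RedHelper's own code. WIDGET_ORIGIN and the command
// names are hypothetical.
const WIDGET_ORIGIN = 'https://widget.example.com';
const COMMANDS = new Set(['open', 'close', 'setVisitorName']);

// Accept only a bare https origin (scheme + host + optional port). Anything
// carrying a path, query or fragment is not an origin and is rejected, as is
// plain http, even if someone put it on the allow list.
function normalizeOrigin(origin) {
  let u;
  try { u = new URL(origin); } catch { return null; }
  if (u.protocol !== 'https:') return null;
  if (u.pathname !== '/' || u.search || u.hash) return null;
  return u.origin;
}

// Builds the handler the widget registers with
// window.addEventListener('message', ...). The decision object is returned
// so it can be tested; the browser ignores the return value.
function makeMessageHandler(allowedOrigins, onCommand) {
  const allowed = new Set(allowedOrigins.map(normalizeOrigin).filter(Boolean));
  return function handleMessage(event) {
    if (!allowed.has(event.origin)) return { accepted: false, reason: 'origin' };
    const data = event.data;
    if (!data || typeof data !== 'object') return { accepted: false, reason: 'shape' };
    if (typeof data.type !== 'string' || !COMMANDS.has(data.type)) {
      return { accepted: false, reason: 'type' };
    }
    onCommand(data.type, data.payload);
    return { accepted: true, type: data.type };
  };
}

// Host-page side: always name the target origin, never '*', so the message
// is dropped by the browser if something else has been loaded into the frame.
function postToWidget(iframeWindow, type, payload) {
  iframeWindow.postMessage({ type, payload }, WIDGET_ORIGIN);
}

// Constructed events standing in for what the browser would deliver.
const received = [];
const handle = makeMessageHandler(
  ['https://shop.example', 'http://insecure.example'],
  (type, payload) => received.push({ type, payload })
);
handle({ origin: 'https://shop.example', data: { type: 'open', payload: null } });    // accepted
handle({ origin: 'https://evil.example', data: { type: 'open', payload: null } });    // rejected: origin
handle({ origin: 'http://insecure.example', data: { type: 'open', payload: null } }); // rejected: http entry was dropped
handle({ origin: 'https://shop.example', data: { type: 'eval', payload: 'x' } });     // rejected: unknown command
```

The check on `event.origin` is the part that is most often forgotten; without it any page that manages to obtain a reference to the widget frame can drive it.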
Server side security
We have tried to protect RedHelper against all known threats to the highest standard. But so as not to relax, we regularly ask well-known Internet security companies to audit our system. To our credit, the results are consistently good, and any vulnerabilities that are found we fix quickly.
More specifically, online consultant and callback widgets are exposed to five kinds of Internet threat. Below we describe how RedHelper counters each of them.
MITM - Man In The Middle
The clearest analogy for this kind of attack is a tapped telephone line. But the fact that someone can read or delete the messages between the operator and the client is only half the trouble: the attacker can also alter them at will, and neither the operator nor the client will notice the "third party" in the channel.
To protect against this threat, all traffic goes over HTTPS, that is with mandatory TLS (SSL) encryption. And even if an attacker somehow gains access to the site's files and changes the URL of our script from https to http, the widget still ends up talking to our server over https. RedHelper uses a certificate issued by Comodo, one of the largest certificate authorities.
To understand how this works, one more analogy. Suppose you need to send a parcel to a client by Russian Post. You go to the post office, pack the parcel and send it. But, suspecting the postman Pechkin of foul play, you first put a padlock on the parcel. The key stays with you. However curious Pechkin may be, all he can do is deliver the parcel to the addressee without learning its contents.
But the addressee cannot open the parcel either, because he has no key. So your client puts his own padlock on the parcel and sends it back, again without a key. Pechkin, seeing that there are now two locks on the parcel, grumbles but carries it back. Having made sure that both locks are in place and show no signs of tampering, you remove your lock and send the parcel a third time. This time the client can open it with his own key.
Pechkin had to do some running, but the contents of the parcel stayed secret from him. The analogy has one gap worth spelling out: nothing in it stops Pechkin from putting his own padlock on the parcel and returning it as if it came from the client; you would remove your lock, and Pechkin would then remove his and read the contents. That is exactly what the certificate is for in HTTPS: it lets the browser check that the "lock" really belongs to the server it is talking to, so a forged lock is rejected.
SQL injection
SQL injection belongs to the most dangerous class of website vulnerabilities: a successful injection almost always gives the attacker a lasting foothold on the site.
It is a fairly common way of attacking programs and websites that work with databases, and it consists of smuggling SQL code of the attacker's own into a query that the application builds from user input.
Through an injected query an attacker can read or modify anything stored in the database, and the credentials typically kept there often lead further: to FTP (files lost or altered), to mail services (the ability to send mail from your domain), to the site's administrative panel (changing any content on the site) and to other components. Not to mention that everything stored in the database can be stolen outright.
RedHelper's protection against this is simple but very effective: anything an attacker tries to pass in is treated strictly as data, never as part of a query, so nothing in it can be executed.
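In practice "treated as data, never as part of a query" means parameterised queries: the SQL text is fixed and the user-supplied value travels to the database separately, so it can never be parsed as SQL. The following is an added example (not RedHelper's own code) of the same lookup written the unsafe way and the safe way, plus a small check that distinguishes them. The table and column names are hypothetical; the `{text, values}` shape with `$1` placeholders is the node-postgres convention, other drivers use `?` or `:name`.

```javascript
// Added example, not RedHelper's own code. Table and column names are
// hypothetical; no database driver is included, only the query objects.

// Unsafe: the value is pasted into the SQL text. A quote in the input closes
// the string literal and everything after it becomes part of the statement.
function findVisitorUnsafe(email) {
  return { text: `SELECT id, name FROM visitors WHERE email = '${email}'`, values: [] };
}

// Safe: the SQL text is a constant and the value is a parameter. The driver
// sends the two separately; the database never re-parses the value.
function findVisitorSafe(email) {
  // Input validation on top narrows what reaches the database, but it is not
  // what makes the query safe; the placeholder is.
  if (typeof email !== 'string' || email.length > 254) {
    throw new TypeError('email must be a string of at most 254 characters');
  }
  return { text: 'SELECT id, name FROM visitors WHERE email = $1', values: [email] };
}

// The property a parameterised query must have: the SQL text does not depend
// on the input at all. Feeding a builder several inputs and checking that the
// text never changes is a cheap way to catch concatenation in code review.
function sqlTextIsConstant(buildQuery, inputs) {
  const texts = new Set(inputs.map((i) => buildQuery(i).text));
  return texts.size === 1;
}

// Constructed inputs: one genuine address and two classic payloads.
const PAYLOADS = ['alice@example.com', "x' OR '1'='1", "x'; DROP TABLE visitors; --"];
```

Escaping helpers such as a driver's `escape()` function are a fallback for the rare statement that cannot take a placeholder (an identifier, for instance); for values they are strictly second best, because escaping rules depend on the database and its connection settings.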
XSS - Cross-Site Scripting
The opposite situation: malicious code is embedded in the web page served to the visitor. When the page is opened, the code runs in the visitor's browser and starts talking to the attacker's server.
This is also a very dangerous vulnerability. With it an attacker can not only steal cookies (and sometimes the login and password for the visitor's account on the site) but also mount a real DDoS attack on your site. This is especially dangerous for high-traffic sites: each new visitor's browser, at the attacker's command, fires off a whole batch of requests, and sooner or later they bring the server down.
Protection follows the same principle as with SQL injection: everything the widget and the server part exchange is handled and rendered as text, so nothing in it is ever executed as script.
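"Rendered as text" means encoding for the context the value lands in. The following is an added example (not RedHelper's own code) of rendering a chat message into the widget: one escaper for text and double-quoted attribute values, and a separate scheme check for links, because escaping alone does not stop a `javascript:` URL. The message shape and the class names are hypothetical.

```javascript
// Added example, not RedHelper's own code. Message shape and markup are
// hypothetical.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Safe for element text and for double-quoted attribute values. Not safe on
// its own inside <script>, inside a style, or in an unquoted attribute.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Links need a scheme check, not just escaping: "javascript:alert(1)" survives
// escapeHtml untouched and still runs when clicked.
function safeHref(url) {
  let u;
  try { u = new URL(url); } catch { return null; }
  return u.protocol === 'https:' || u.protocol === 'http:' ? u.href : null;
}

// Renders one message. Every untrusted value passes through escapeHtml; the
// link additionally passes through safeHref and is dropped if it fails.
function renderMessage({ author, text, link }) {
  const href = link ? safeHref(link) : null;
  const linkHtml = href
    ? ` <a href="${escapeHtml(href)}" rel="noopener noreferrer">${escapeHtml(href)}</a>`
    : '';
  return `<div class="msg"><b>${escapeHtml(author)}</b>: ${escapeHtml(text)}${linkHtml}</div>`;
}

// Constructed messages: one benign, two carrying payloads.
const SAMPLE_MESSAGES = [
  { author: 'operator', text: 'Hello, how can I help?', link: 'https://example.com/a?b=1&c=2' },
  { author: 'visitor', text: '<img src=x onerror=alert(1)>' },
  { author: '"><script>alert(1)</script>', text: 'hi', link: 'javascript:alert(1)' },
];
```

In browser code the simpler route is to build DOM nodes and assign `textContent`, which needs no escaping at all; the string form above is what a server-side template or a client-side template library has to do, and the same rule applies to both.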
XSRF - Cross-Site Request Forgery (also written CSRF)
Another dangerous attack: on an unprepared site an attacker can perform a wide range of actions on behalf of other logged-in users.
What those actions are, whether sending messages, transferring money from one account to another, or changing passwords, depends on the site, but in any case expect nothing good.
The attack exploits the fact that the browser attaches a site's cookies to every request sent to that site, whatever page triggered the request. When the owner of an online consultant account visits an infected site, a request is silently sent in his name to another server (in our example, ours), performing some harmful operation, for example changing the password or deleting the account.
For this to work, several conditions must hold at once:
the victim must be authenticated on our server;
the request must not require any confirmation from the user, or
the confirmation must be something the attacking script can ignore or forge.
Therefore every action that could have undesirable consequences requires explicit confirmation from the user and carries a token signed with a secret key that the server verifies, which rules out a request forged from another site.
In conclusion
We care a great deal about the security of our product and of our customers' personal data, and so we try to ensure reliability from every side: on the client's website, on our server and in the operator's application. We have many times asked companies that specialise in Internet security audits to check our services, and each time we have passed with honour, receiving only a short list of non-critical remarks, which were fixed as soon as possible.
We put a lot of effort into this. Our specialists constantly take timely and necessary measures to improve security: they regularly update software and security certificates, keep track of possible attack techniques and introduce new layers of protection. Thanks to this we can say with confidence that the RedHelper online consultant and the RedConnect callback are today among the most secure customer feedback systems.