This was a lot of fun. Ask a DevSecOps engineer, "how do I screw up my website security?" and you had better take a seat, because the answer will take a while. In short, there are lots of ways your security can go wrong. Some mistakes are more critical than others, and while many of the pitfalls are widely known, nothing stays still: new vulnerabilities are discovered every day. If you are not a developer, some of these issues may be too technical; a good starting point is the difference between HTTP and HTTPS, and we have also written a piece on the cybersecurity basics. This is a distilled version; if you know other ways to screw up your website security, please let me know. I'd love to hear!
Table of contents
So here they are, 5 ways you can screw up your website security:
- Using WordPress without thinking about security
- Arbitrary File Download
- Unrestricted File Uploads
- Insecure Deserialization
- XML External Entity (XXE)
Using WordPress without thinking about Security
WordPress has made it extremely easy to create a website. For developers and non-developers alike, it offers the ability to scale with an endless supply of plugins and themes to complement whatever type of website you are building. However, that same accessibility opens the door to some pretty severe vulnerabilities in WordPress itself, not to mention any vulnerabilities lurking in the plugins or themes you use on your site.
Here are just a few examples:
Exploiting xmlrpc.php on all WordPress versions
XML-RPC on WordPress is an API that lets third-party applications (mobile apps, desktop publishing clients) talk to your site. It is included in every standard WordPress package, but it opens up two kinds of attack vector:
- XML-RPC pingbacks: the pingback.ping method makes your server fetch a URL supplied in the request, so an attacker can use your site to send traffic at someone else's server or to reach hosts behind your firewall
- Brute-force attacks via XML-RPC: methods such as wp.getUsersBlogs take a username and password, and system.multicall lets an attacker pack hundreds of guesses into a single HTTP request, sidestepping rate limits on the login page
Unpatched DoS flaw could help anyone take down your website: this vulnerability in load-scripts.php affects all versions of WordPress and can be considered critical.
"The vulnerability resides in the way 'load-scripts.php', a built-in script in WordPress CMS, processes user-defined requests. However, to make 'load-scripts.php' work on the admin login page (wp-login.php) before login, WordPress authors did not keep any authentication in place, eventually making the feature accessible to anyone." – The Hacker News
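Both of the xmlrpc.php abuses above and the load-scripts.php flood leave a recognisable shape in the request itself, which is what a WAF rule or a log-analysis job keys on. The following is an added example (not code from the original article or from WordPress) that classifies a single xmlrpc.php POST body and a single load-scripts.php query string; the thresholds, the list of credential-taking methods and the sample requests are assumptions constructed for the example, so tune them for your own traffic.

```python
import ipaddress
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlsplit

# Thresholds are assumptions for this example; tune them for your own traffic.
MAX_BODY_BYTES = 64 * 1024   # larger xmlrpc.php bodies are almost never legitimate
MAX_MULTICALL_AUTH = 3       # more credential-taking calls than this in one request
MAX_LOAD_HANDLES = 20        # more load[] script handles than this in one request

# XML-RPC methods that take a username/password pair and so act as login oracles
AUTH_METHODS = {"wp.getUsersBlogs", "wp.getCategories", "wp.getPosts",
                "metaWeblog.getUsersBlogs", "blogger.getUsersBlogs"}


def _points_inside(url: str) -> bool:
    """True if WordPress fetching this URL would hit a non-public address or an odd port."""
    try:
        u = urlsplit(url)
        port = u.port
    except ValueError:
        return True
    if u.scheme not in ("http", "https") or port not in (None, 80, 443):
        return True
    host = (u.hostname or "").lower()
    try:
        return not ipaddress.ip_address(host).is_global
    except ValueError:
        return host in ("", "localhost")


def analyse_xmlrpc(body: bytes, own_host: str) -> dict:
    """Classify one POST body sent to xmlrpc.php; returns a findings dict with 'flags'."""
    f = {"method": None, "auth_calls": 0, "flags": []}
    if len(body) > MAX_BODY_BYTES:
        f["flags"].append("oversized-body")
        return f
    try:
        root = ET.fromstring(body)   # xml.etree never fetches external entities
    except ET.ParseError:
        f["flags"].append("malformed-xml")
        return f
    method = (root.findtext("methodName") or "").strip()
    f["method"] = method
    if method in AUTH_METHODS:
        f["auth_calls"] = 1
    elif method == "system.multicall":
        # every bundled call is a <struct> whose 'methodName' member names the method
        names = [(m.findtext("value/string") or "").strip()
                 for m in root.iter("member")
                 if (m.findtext("name") or "").strip() == "methodName"]
        f["auth_calls"] = sum(n in AUTH_METHODS for n in names)
        if f["auth_calls"] > MAX_MULTICALL_AUTH:
            f["flags"].append("multicall-bruteforce")
    elif method == "pingback.ping":
        uris = [s.text or "" for s in root.findall("params/param/value/string")]
        if len(uris) != 2:
            f["flags"].append("malformed-pingback")
        else:
            source, target = uris
            if (urlsplit(target).hostname or "").lower() != own_host.lower():
                f["flags"].append("pingback-foreign-target")
            if _points_inside(source):
                # WordPress will fetch the source URL to verify the link; an internal
                # address or unusual port means the site is being used as a probe
                f["flags"].append("pingback-internal-probe")
    return f


def analyse_load_scripts(query: str) -> dict:
    """Inspect the query string of a load-scripts.php or load-styles.php request."""
    handles = []
    for key, values in parse_qs(query, keep_blank_values=True).items():
        if key == "load" or key.startswith("load["):
            for v in values:
                handles.extend(h for h in v.split(",") if h)
    f = {"handles": len(handles), "flags": []}
    if len(handles) > MAX_LOAD_HANDLES:
        f["flags"].append("load-scripts-dos")
    return f


# --- constructed sample requests (not captured traffic) ---
def _login_call(user: str, password: str) -> str:
    return ("<value><struct>"
            "<member><name>methodName</name><value><string>wp.getUsersBlogs</string></value></member>"
            "<member><name>params</name><value><array><data>"
            f"<value><string>{user}</string></value><value><string>{password}</string></value>"
            "</data></array></value></member></struct></value>")

SAMPLE_MULTICALL = ('<?xml version="1.0"?><methodCall><methodName>system.multicall</methodName>'
                    "<params><param><value><array><data>"
                    + "".join(_login_call("admin", f"guess{i}") for i in range(5))
                    + "</data></array></value></param></params></methodCall>").encode()

SAMPLE_PINGBACK = (b'<?xml version="1.0"?><methodCall><methodName>pingback.ping</methodName>'
                   b"<params><param><value><string>http://10.0.0.5:8080/</string></value></param>"
                   b"<param><value><string>https://blog.example/2020/01/hello/</string></value></param>"
                   b"</params></methodCall>")

SAMPLE_LOAD_DOS = ("c=1&load%5B%5D=" + ",".join(
    ["jquery-ui-core", "jquery-ui-widget", "jquery-ui-mouse", "jquery-ui-draggable"] * 10)
    + "&ver=5.0")
```

Per-request rules like these are the first layer; a burst of many pingback.ping or load-scripts.php requests that each look innocent individually still needs volume-based alerting on top. If your site does not need XML-RPC at all, the simplest fix is to stop serving it (for example by returning false from WordPress's `xmlrpc_enabled` filter or blocking the path at the web server).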
Is your site powered by WordPress?
For a small business with limited resources, covering the basics (keeping WordPress and its plugins updated, applying patches promptly, only using reputable plugins) is a good start. More advanced developers and cybersecurity professionals should treat WordPress like any other software tool and stay up to date with the latest patch releases and news on CVEs.
If WordPress powers your site, our scanner will pick up any CVEs associated with versions, and a free quick scan only takes a minute!
More Resources to get started:
See If Your WordPress Site Has Security Vulnerabilities
Arbitrary File Download
"There is a strong possibility that your website provides a download link for some form of content (e.g. brochures, whitepapers, etc.). If the web application doesn't check the requested file, this functionality can be used to download all files, including your most sensitive ones." – Infosec Institute
Infosec Institute has a comprehensive guide on Arbitrary file download and how to prevent it here.
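What "doesn't check the requested file" looks like in code, next to the check that fixes it, as an added example (not code from the article or from Infosec Institute). The directory layout, the brochure and the db.ini secret are all constructed in a temporary directory so the example runs stand-alone; the allowed-suffix set is an assumption for the example.

```python
import tempfile
from pathlib import Path

# Constructed layout standing in for a real deployment:
#   <base>/downloads/brochure.pdf   the only thing that should be downloadable
#   <base>/config/db.ini            a secret that sits right next to it
BASE = Path(tempfile.mkdtemp())
DOWNLOAD_ROOT = BASE / "downloads"
DOWNLOAD_ROOT.mkdir()
(DOWNLOAD_ROOT / "brochure.pdf").write_bytes(b"%PDF-1.4 constructed brochure")
(BASE / "config").mkdir()
(BASE / "config" / "db.ini").write_text("password=hunter2\n")   # constructed secret

ALLOWED_SUFFIXES = {".pdf"}


def download_vulnerable(requested: str) -> bytes:
    """The 'file' query parameter is joined to the directory and served as-is.
    '../config/db.ini' walks out of the directory, and because pathlib treats an
    absolute right-hand operand as replacing the left, '/etc/passwd' works too."""
    return (DOWNLOAD_ROOT / requested).read_bytes()


def download_safe(requested: str) -> bytes:
    """Serve only a bare filename that resolves inside DOWNLOAD_ROOT with an allowed type."""
    root = DOWNLOAD_ROOT.resolve()
    name = Path(requested).name
    # any directory component, '.', '..' or an empty name is refused outright
    if not name or name != requested or name in (".", ".."):
        raise PermissionError("invalid filename")
    target = (root / name).resolve()   # resolve() follows symlinks, so a planted
    if target.parent != root:          # link pointing elsewhere is caught here too
        raise PermissionError("outside download directory")
    if target.suffix.lower() not in ALLOWED_SUFFIXES:
        raise PermissionError("file type not offered for download")
    if not target.is_file():
        raise FileNotFoundError(name)
    return target.read_bytes()


def is_refused(requested: str) -> bool:
    """True if the hardened handler rejects the request (helper for the checks below)."""
    try:
        download_safe(requested)
    except PermissionError:
        return True
    return False
```

The safest variant of all is to not take a path from the client at all: hand out an opaque ID and look the real filename up in a table on the server. The check above is for the common case where the filename already appears in existing URLs.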
Unrestricted File Uploads
Upload functionality can also expose you to critical vulnerabilities. With an unrestricted file upload, an attacker can upload a web shell, and with a web shell the attacker can execute arbitrary commands on the system. Weevely3 is an example of such a web shell.
The consequences range from bad to the very worst: system takeover, defacement and an overloaded database are all potential outcomes.
The OWASP guide has a wealth of knowledge on potential attack vectors and steps to protect yourself from unrestricted file uploads.
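An added example (not code from the article or from OWASP) of the difference between an upload handler that trusts the client's filename and one that does not. The storage directory is a constructed temporary directory standing in for a location outside the web root, and the allowed types, size limit and magic-byte table are assumptions chosen for the example.

```python
import os
import secrets
import tempfile
from pathlib import Path

# Constructed storage location standing in for a directory the web server can
# write to but never executes from (i.e. outside the document root).
UPLOAD_ROOT = Path(tempfile.mkdtemp()) / "uploads"
UPLOAD_ROOT.mkdir()
MAX_UPLOAD_BYTES = 5 * 1024 * 1024

# Allowed extension -> magic bytes a genuine file of that type starts with
ALLOWED_TYPES = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".pdf": (b"%PDF-",),
}


def upload_vulnerable(client_filename: str, data: bytes) -> Path:
    """Trusts the client's filename: 'shell.php' lands on disk unchanged and, if the
    server executes PHP from that directory, becomes a web shell."""
    dest = UPLOAD_ROOT / client_filename
    dest.write_bytes(data)
    return dest


def upload_safe(client_filename: str, data: bytes) -> Path:
    """Accept a file only if its extension is allowed and its content matches that type;
    store it under a server-chosen name, non-executable, without overwriting."""
    if len(data) > MAX_UPLOAD_BYTES:
        raise ValueError("file too large")
    ext = Path(client_filename).suffix.lower()   # the only thing taken from the client
    if ext not in ALLOWED_TYPES:
        raise ValueError("file type not allowed")
    if not any(data.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        raise ValueError("content does not match extension")
    # The Content-Type header and the original name are deliberately ignored; the
    # stored name contains nothing the client chose apart from the validated extension.
    dest = UPLOAD_ROOT / (secrets.token_hex(16) + ext)
    with open(dest, "xb") as fh:   # 'x' fails instead of overwriting an existing file
        fh.write(data)
    os.chmod(dest, 0o640)          # readable by the app, never executable
    return dest


def is_rejected(client_filename: str, data: bytes) -> bool:
    """True if the hardened handler refuses the upload (helper for the checks below)."""
    try:
        upload_safe(client_filename, data)
    except ValueError:
        return True
    return False
```

The magic-byte check is not a complete defence on its own: a valid PNG header with PHP appended still passes it. That is why the other three measures matter just as much: the stored name is random, the directory is outside the web root, and the file is never executable, so even a polyglot that gets through is only ever served as bytes, never run.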
Insecure Deserialization
Insecure deserialization is an attack in which a manipulated serialized object is fed to the web application, which rebuilds it into a live object in its own context. It is not a particularly common vulnerability, but when it is exploitable it can lead to remote code execution, which is one of the most severe attacks your web application can face.
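The page does not tie the attack to a particular language, so here is an added example (not code from the article) using Python's pickle, whose `__reduce__` hook is the usual vehicle: the "manipulated object" carries a callable that runs during loading, before the application sees anything. The attacker class, the session type and the allowlist are constructed for the example; the malicious payload calls `os.getcwd()` as a harmless stand-in for what a real payload would run.

```python
import dataclasses
import io
import json
import os
import pickle


@dataclasses.dataclass
class Session:
    user: str
    role: str


class Malicious:
    """Attacker-built class: pickle stores the (callable, args) pair below, and the
    victim's pickle.loads() calls it before returning anything to the application."""
    def __reduce__(self):
        return (eval, ("__import__('os').getcwd()",))   # harmless stand-in for real damage


def make_attacker_payload() -> bytes:
    return pickle.dumps(Malicious())


def load_vulnerable(blob: bytes):
    """Deserialise whatever the client sent: the classic mistake."""
    return pickle.loads(blob)


ALLOWED_GLOBALS = {(Session.__module__, "Session")}


class RestrictedUnpickler(pickle.Unpickler):
    """If pickle must be kept, refuse every global except an explicit allowlist."""
    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refused to load {module}.{name}")


def load_restricted(blob: bytes):
    return RestrictedUnpickler(io.BytesIO(blob)).load()


def load_session_json(text: str) -> Session:
    """Preferred fix: a data-only format plus explicit validation, no code paths at all."""
    obj = json.loads(text)
    if not isinstance(obj, dict) or set(obj) != {"user", "role"}:
        raise ValueError("unexpected session shape")
    if not isinstance(obj["user"], str) or obj["role"] not in ("viewer", "editor"):
        raise ValueError("invalid session values")
    return Session(obj["user"], obj["role"])


# --- helpers that make the outcome checkable ---
def vulnerable_ran_attacker_code(blob: bytes) -> bool:
    """True if loading the blob executed the attacker's expression."""
    return load_vulnerable(blob) == os.getcwd()


def restricted_refused(blob: bytes) -> bool:
    try:
        load_restricted(blob)
    except pickle.UnpicklingError:
        return True
    return False


def roundtrip_session_restricted(user: str, role: str) -> Session:
    """A legitimate Session survives the restricted unpickler unchanged."""
    return load_restricted(pickle.dumps(Session(user, role)))
```

The allowlisting unpickler is a containment measure for code you cannot rewrite yet; the real fix is the JSON path, because a format that cannot express "call this function" cannot be turned into code execution no matter how it is manipulated. The same reasoning applies to Java's ObjectInputStream, PHP's unserialize() and .NET's BinaryFormatter.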
Security assessment of Insecure Deserialization
Thankfully you can scan your web application for insecure deserialization using the Crashtest Security suite. When testing for insecure deserialization vulnerabilities, it is best to scan your application in a dynamic state. As a DAST (Dynamic Application Security Testing) tool, we view your application the same way an attacker would.
Read more about insecure deserialization, remediation, and prevention tips on our wiki.
XML External Entity (XXE) Processing
Many older or poorly configured XML processors evaluate external entity references within XML documents. An external entity can be used to disclose internal files via the file:// URI handler, to reach internal file shares, to scan internal ports, and in some configurations to achieve remote code execution or cause a denial of service.
OWASP has produced an XML External Entity Cheatsheet to help you prevent what could be a critical vulnerability. You can also detect XXE vulnerabilities with the Crashtest Security Suite.
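An added example (not code from the article or from OWASP) of the file-disclosure case above using Python's standard xml.sax parser, which stopped resolving external general entities by default in Python 3.7.1 but still lets an application switch them back on. The secret file and the XML document are constructed in a temporary directory; the same parser is run once with external entities enabled, which is how the "older or poorly configured" processor behaves, and once with them disabled.

```python
import io
import tempfile
import xml.sax
from pathlib import Path
from xml.sax.handler import ContentHandler, feature_external_ges


class TextCollector(ContentHandler):
    """Collects the character data the parser hands back, which is what an
    application would typically store or echo into its response."""
    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)


def parse_document(xml_bytes: bytes, resolve_external_entities: bool) -> str:
    """Parse untrusted XML and return its text content."""
    parser = xml.sax.make_parser()
    # True reproduces the vulnerable configuration: the parser follows SYSTEM
    # identifiers and splices whatever it reads into the document.
    parser.setFeature(feature_external_ges, resolve_external_entities)
    handler = TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(handler.parts)


def xxe_demo() -> dict:
    """Run the same attacker document through both configurations."""
    secret = Path(tempfile.mkdtemp()) / "db.conf"
    secret.write_text("password=hunter2\n")          # constructed secret on the server
    # Attacker-controlled document: the entity points at a local file by URI,
    # exactly as it would point at /etc/passwd or a cloud metadata endpoint.
    payload = f"""<?xml version="1.0"?>
<!DOCTYPE order [ <!ENTITY xxe SYSTEM "{secret.as_uri()}"> ]>
<order><item>&xxe;</item></order>""".encode()
    return {
        "vulnerable": parse_document(payload, resolve_external_entities=True),
        "hardened": parse_document(payload, resolve_external_entities=False),
    }
```

Whatever parser your stack uses, the fix has the same shape: disable DTD processing or external entity resolution, and prefer a library that does so by default (defusedxml in Python, `XMLConstants.FEATURE_SECURE_PROCESSING` plus `disallow-doctype-decl` in Java). Note that disabling entity resolution does not by itself stop entity-expansion denial of service ("billion laughs"), which needs a DTD ban or expansion limits.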
Crashtest Security is designed to give you enterprise-grade scans and results with effortless functionality, saving you and your dev team a lot of time and hassle. Try a completely free 14-day trial and secure your web applications.