This was a lot of fun. Ask a DevSecOps engineer, “how do I screw up my website security?” You better take a seat because the answer will take a while. In short, there are lots of ways your security can go wrong.
Some mistakes are more critical than others, and while many of the pitfalls are widely known, nothing stays still – new vulnerabilities are discovered daily. If you are not a developer, some of these issues may be too technical; some essential starting points would be HTTP vs. HTTPs; we have also written a piece on the cybersecurity basics. This is also a distilled version; if you have other ways to screw up your website security, please let us know. I’d love to hear.
So here it is 5 ways you can screw up your website security:
- Using WordPress without thinking about security
- Arbitrary File Download
- Unrestricted File Uploads
- Insecure Deserialization
- XML External Entity (XEE)
Prevention Guide
Big fat growing cybersecurity ebook
This ebook shows best practices and prevention techniques for keeping vulnerabilities away and securing your web apps.
Using WordPress without thinking about Security
WordPress has made it extremely easy to create a website. For developers and non-developers alike, it grants the ability to scale with an endless amount of plugins and templates to complement whatever type of website you’re building. However, the accessibility of WordPress creates up to some pretty severe vulnerabilities, not to mention any vulnerabilities potentially lurking in plugins or themes you are using within your site.
Here are just a few examples:
Exploiting the xmlrpc.php on all WordPress versions
XML-RPC on WordPress is an API that allows developers who make 3rd party applications. XML-RPC is included on all standard WordPress packages but opens up two kinds of attack vectors:
- XML-RPC pingbacks
- Brute force attacks via XML-RPC
“The vulnerability resides in the way “load-scripts.php,” a built-in script in WordPress CMS, processes user-defined requests. However, to make “load-scripts.php” work on the admin login page (wp-login.php) before login, WordPress authors did not keep any authentication in place, eventually making the feature accessible to anyone.“
The Hacker News
Using a simple script, you can begin to force load-scripts.php to call all JavaScript files in one go. In short, it’s a lightweight DOS attack that can take down your website with minimal effort.
Is your site powered by WordPress?
For a small business with limited resources, covering the basics (updating versions, patches, only using reputable plugins) should be a good start – more advanced developers & cybersecurity professionals should treat WordPress like any software tool and stay up to date with the latest patch releases and news on CVEs.
If WordPress powers your site, our scanner will pick up any CVEs associated with versions, and a free quick scan only takes a minute!
More resources to get started
https://www.codeinwp.com/blog/secure-your-wordpress-website/
https://secure.wphackedhelp.com/blog/wordpress-security-tips-2019/
Arbitrary File Download
There is a strong possibility that your website provides a download link for some form of content (e.g., brochure, whitepapers, etc.). If the web application doesn’t check the requested file, this functionality can be used to download all files, including your most sensitive ones.
Infosec Institute has a comprehensive guide on Arbitrary file download and how to prevent it here.
Unrestricted File Uploads
Uploading functionalities can also expose you to critical vulnerabilities. With an unrestricted file upload, an attacker could upload a web shell. With a web shell, the attacker can execute any command on the system. Weevely3 is an example of such a web shell.
The consequences range from bad to the worst; system takeover, defacement, and overloaded databases are all potential outcomes.
The OWASP guide has a wealth of knowledge on potential attack vectors and steps to protect yourself from unrestricted file uploads.
Insecure Deserialization
Insecure Deserialization is an attack where a manipulated object is injected into the web application context. It is not a particularly common vulnerability, but if exploited, it can lead to remote code execution, which is one of the severe attacks your web application can face.
Thankfully you can scan your web application for insecure deserialization using the Crashtest Security suite. When testing for insecure deserialization vulnerabilities, it is best to scan your application in a dynamic state. As a DAST (Dynamic application scanning testing tool), we view your application the same way an attacker would.
Read more about insecure deserialization, remediation, and prevention tips on our wiki.
XML External Entity (XXE) Processing
Many older or poorly configured XML processors evaluate external entity references within XML documents. External entities can disclose internal files using the file URL handler, internal file shares, internal port scanning, remote code execution, and denial of service attacks.
OWASP has produced an XML External Entity Cheatsheet to help you prevent what could be a critical vulnerability. You can also detect XXE vulnerabilities with the Crashtest Security Suite.
Crashtest Security is designed to give you enterprise-grade scans and results with effortless functionality. Saving you and your Dev team a lot of time and hassle. Try a completely free 14-day trial and secure your web applications.
