10 common website security attack means and defense methods

Hello, everyone ! I'm BOGO !

In a way , Every website on the Internet is vulnerable to security attacks . From human error to complex attacks launched by cyber criminal gangs are within the scope of threats .

The main motive of cyber attackers is to seek money . Whether you run an e-commerce project or a simple small business website , The risk of a potential attack is there .

Know yourself and your enemy in a hundred battles , In today's Internet age , It's more important than ever to know what threats you face . Each malicious attack has its own characteristics , There are so many different types of attacks , It seems unlikely to resist all attacks without dead angles in all directions . But we can still do a lot of work to protect the website , Mitigate the risk of malicious hackers to the website .

Let's take a closer look at the most common on the Internet 10 A cyber attack begins , See what you can do to protect your website .

10 Common website security attacks

1. Cross site scripts （XSS）

Precise Security A recent study shows that , Cross site scripting attacks account for about half of all attacks 40%, Is the most common kind of network attack . But although most common , Most cross site scripting attacks are not particularly high-end , Mostly for amateur cyber criminals using scripts written by others .

Cross site scripting is aimed at users of the website , instead of Web Application itself . A malicious hacker injects a piece of code into a vulnerable website , Then the website visitor executes this code . This kind of code can invade user accounts , Activate Trojan horse program , Or modify the content of the website , Trick users into giving private information .

Set up Web Application firewall （WAF） It can protect the website from cross site scripting attacks .WAF Like a filter , Be able to identify and block malicious requests to websites . When buying web hosting services ,Web Hosting companies usually have deployed... For your website WAF, But you can still set up another one yourself .

2. Injection attack

to open up Web Application safety project （OWASP） Ten new application safety risks , Injection vulnerability is listed as the highest risk factor of the website .SQL Injection method is the most commonly used injection method for cyber criminals .

The injection attack method directly targets the database of the website and server . Execution time , An attacker injects a piece of code that reveals hidden data and user input , Obtain data modification permission , Full capture application .

Protect the website from injection attacks , It is mainly implemented in the construction of code base . for instance , relieve SQL The preferred way to inject risk is to always use parameterized statements as much as possible . Further more , Consider using a third-party authentication workflow to outsource your database protection .

3. Fuzzy testing

Developers use fuzzy tests to find software 、 Programming errors and security vulnerabilities in the operating system or network . However , Attackers can use the same technology to find vulnerabilities on your website or server .

Using fuzzy test method , The attacker first enters a large amount of random data into the application （ Fuzzy ） Crash the app . The next step is to use fuzzy testing tools to find the weaknesses of the application . If there is a vulnerability in the target application , The attacker can further exploit .

The best way to combat ambiguity attacks is to keep security settings and other applications updated , Especially if the security patch is not updated after it is released, it will be exploited by malicious hackers . Focus on Java Project sharing

4. Zero Day Attack

Zero Day attack is an extension of fuzzy attack , But it is not required to identify the vulnerability itself . The most recent case of such attacks was discovered by Google , They are Windows and Chrome A potential zero day attack was found in the software .

In two cases , Malicious hackers can profit from zero day attacks . The first is , If you can get information about upcoming security updates , The attacker can analyze the location of the vulnerability before the update goes online . The second situation is , Cyber criminals get patch information , Then attack users who have not updated the system . In both cases , System security will be destroyed , As for the degree of subsequent impact , It depends on the hacker's technology .

The easiest way to protect yourself and your website from zero day attacks , Is to update your software in time after the new version is released .

5. route （ Catalog ） Traverse

Path traversal attacks are not as common as the above attacks , But it's still any Web A major threat to applications .

Path traversal attacks target Web root Folder , Access to unauthorized files or directories outside the destination folder . The attacker tried to inject mobile mode into the server directory , To climb up . A successful path traversal attack can gain access to the website , Finger configuration file 、 Database and other websites and files on the same entity server .

Whether a website can resist path traversal attacks depends on the degree of input purification . This means keeping user input safe , And you can't recover user input from your server . The most intuitive suggestion is to build your code base , In this way, any information of the user will not be transferred to the file system API. Even if this road doesn't work , There are other technical solutions available . Focus on Java Project sharing

6. Distributed denial of service （DDoS）

DDoS The attack itself cannot make malicious hackers break through security measures , But it will make the website temporarily or permanently offline . Kaspersky Laboratory 《2017 year IT Safety risk investigation 》 Pointed out that , A single DDoS Attacks can cost small businesses an average of 12.3 Thousands of dollars , The loss level of large enterprises is 230 Around ten thousand dollars .

DDoS Designed to overwhelm the target with the requested flood Web The server , Prevent other visitors from accessing the website . Botnets can usually use previously infected computers to send a large number of requests from all over the world . and ,DDoS Attacks are often used in conjunction with other attack methods ; The attacker took advantage of DDoS The attack draws fire from the security system , So as to secretly exploit vulnerabilities to invade the system .

Protect websites from DDoS Attack and infringement generally start from several aspects . First , Through the content distribution network （CDN）、 Load balancers and scalable resources mitigate peak traffic . secondly , Need to deploy Web Application firewall （WAF）, prevent DDoS Attack covert injection attack or cross site script and other network attack methods . Focus on Java Project sharing

7. Man-in-the-middle attack

Man in the middle attacks are common on websites that transmit data between users and servers without encryption . As the user , Just look at the website URL Is it because of HTTPS This potential risk can be found at the beginning , because HTTPS Medium “S” It means that the data is encrypted , Missing “S” Is unencrypted .

Attackers use man in the middle attacks to gather information , Usually sensitive information . Data transmission between the two sides may be intercepted by malicious hackers , If the data is not encrypted , Attackers can easily read personal information 、 Login information or other sensitive information .

Install secure socket layer on the website （SSL） Can mitigate the risk of man in the middle attack .SSL The certificate encrypts the information transmitted between the parties , Even if the attacker intercepts it, it cannot be easily cracked . Modern hosting providers usually have configured... In the hosting service package SSL certificate .

8. Brute force attack

Brute force attack is to obtain Web A fairly direct way to apply login information . But at the same time, it is also one of the most easily mitigated attacks , In particular, it is most convenient to alleviate it from the user side .

Brute force attack , The attacker tried to guess the user name and password pair , In order to log in to the user account . Of course , Even with multiple computers , Unless the password is quite simple and obvious , Otherwise, the cracking process may take several years .

The best way to protect login information , Is to create a strong password , Or use two factor authentication （2FA）. As a website owner , You can ask users to set both strong passwords and 2FA, To mitigate the risk of cyber criminals guessing passwords .

9. Use unknown code or third-party code

Although not a direct attack on the website , Use unauthenticated code created by a third party , It can also lead to serious security vulnerabilities .

The original creator of the code or application may hide malicious strings in the code , Or inadvertently leave the back door . Once the “ take the infection ” The code introduced into the website , Then you will face the risk of malicious string execution or backdoor exploitation . The consequences can range from simple data transmission to the collapse of website management authority .

Want to avoid the risks surrounding potential data leaks , Please let your developers analyze and audit the effectiveness of the code . Besides , Make sure that the plug-in used （ In especial WordPress plug-in unit ） update , And receive security patches regularly ： Studies have shown that , exceed 1.7 m WordPress plug-in unit （ About% of the number of samples taken at the time of the study 47%） Not updated within two years . Focus on Java Project sharing

10. phishing

Phishing is another attack method that does not directly target the website , But we can't exclude it from the list , Because phishing can also destroy the integrity of your system . according to FBI《 Internet crime report 》 That's what I'm saying , The reason is that phishing is the most common social engineering cyber crime .

The standard tool used in phishing attacks is email . Attackers often disguise themselves as others , Trick victims into giving sensitive information or performing bank transfers . Such attacks can be bizarre 419 A scam （ It belongs to prepaid fraud ）, Or involving fake email addresses 、 Seemingly real websites and high-end attacks with persuasive words . The latter is well known in the name of Harpoon phishing .

The most effective way to mitigate the risk of phishing scams , Is to train employees and themselves , Enhance the ability to identify such fraud . Remain vigilant , Always check whether the sender's email address is legal , Whether the content of the email is strange , Is the request unreasonable . in addition , Keep in mind that ： There is no pie in the sky , When things go out of whack, they will .

Conclusion

Attacks against websites can take many forms , The attacker can be an amateur hacker , It will also be a cooperative professional hacker gang .

The most critical piece of advice , That is, don't skip security functions when creating or operating websites , Because skipping security settings can have serious consequences .

Although it is impossible to completely eliminate the risk of website attack , But at least you can mitigate the possibility of being attacked and the severity of the consequences of the attack .