Improving the security of a website

Developing a site or web application involves more than implementing the functions the project sponsor asked for. The ISO/IEC 9126 standard defines six main characteristics for judging the quality of a software product, each broken down into several sub-characteristics. If we want our software to be of quality, we therefore have to cover many properties beyond those explicitly requested by, for example, the client.

One of those sub-characteristics is security. A web application must be protected against attacks that give malicious users access to it or that prevent legitimate users from using it. Three common ones:

Denial of Service (DoS / DDoS). The attacker saturates the server hosting the site by sending an excessive number of requests in a short time, so that it collapses and can no longer serve legitimate visitors. The requests normally show up in the server's access logs, which lets us identify and block the source address of a simple DoS. In a distributed attack (DDoS) the traffic comes from many addresses at once (and, for volumetric attacks, from spoofed ones), so blocking individual IPs is not enough on its own and rate limiting, a reverse proxy or an upstream filtering service is needed. Some tools recognise when the server is under such an attack and drop the malicious traffic before it reaches the application.
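To make the "traces in the access log" idea concrete, here is an added example (not code from the original page) that parses combined-format access-log lines and flags any source address that exceeds a request threshold inside a sliding time window, then prints the firewall rule that would block it. The log lines, the addresses (taken from the 203.0.113.0/24 documentation range) and the threshold are constructed for the example; the rule is returned as a string and nothing is executed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Regular expression for one line of the common "combined" access-log format.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp, request) for a combined-format line, or None if it does not parse."""
    m = LOG_LINE.match(line)
    if m is None:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FORMAT), m.group("req")


def find_flooders(lines, window_seconds=10, threshold=20):
    """Map each source IP that sent more than `threshold` requests inside any
    sliding window of `window_seconds` to its peak request count in such a window."""
    stamps_by_ip = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is not None:
            ip, ts, _ = parsed
            stamps_by_ip[ip].append(ts)

    window = timedelta(seconds=window_seconds)
    flagged = {}
    for ip, stamps in stamps_by_ip.items():
        stamps.sort()
        start = 0
        peak = 0
        for end, ts in enumerate(stamps):
            # Slide the window start forward until every request in it is newer than ts - window.
            while ts - stamps[start] >= window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            flagged[ip] = peak
    return flagged


def block_rule(ip):
    """iptables command that drops all traffic from `ip` (returned as a string; nothing is run)."""
    return f"iptables -A INPUT -s {ip} -j DROP"


# Constructed log excerpt: one normal visitor plus one source firing 40 requests in 4 seconds.
# Addresses are from the 203.0.113.0/24 documentation range, not real traffic.
def _log_line(ip, second, path, agent):
    return (f'{ip} - - [10/Oct/2023:13:55:{second:02d} +0000] '
            f'"GET {path} HTTP/1.1" 200 512 "-" "{agent}"')

NORMAL_TRAFFIC = [_log_line("203.0.113.7", s, p, "Mozilla/5.0")
                  for s, p in ((36, "/"), (41, "/about"), (58, "/contact"))]
FLOOD_TRAFFIC = [_log_line("203.0.113.9", 36 + i // 10, "/login", "python-requests/2.31")
                 for i in range(40)]
SAMPLE_LOG = "\n".join(NORMAL_TRAFFIC + FLOOD_TRAFFIC)

if __name__ == "__main__":
    for ip, peak in find_flooders(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {peak} requests in 10 s -> {block_rule(ip)}")
```

The detector keys on the source address, which is exactly why it works for a single-source DoS and degrades for a DDoS: with the flood spread over hundreds of addresses, each one may stay under the threshold. In that situation the same logic is more useful keyed on the request path or on the total rate, and the blocking has to move to a rate limiter or an upstream filter rather than per-IP rules.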

Defacement. The attacker modifies one or more pages of the website, replacing their content with a message of their own. This requires write access to the site's content, typically the administrator's credentials or a flaw in the content-management system. One of the most common ways to obtain those credentials is SQL injection: the attacker submits input that the application concatenates into a query sent to the site's database, so that the input alters the query and exposes private information such as account details. Filtering suspicious keywords with regular expressions, as is sometimes suggested, is not a reliable defence, because the attacker can rephrase the payload around the filter; the correct fix is to build every query with parameterised (prepared) statements, so that user input can never change the structure of the query.
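The following added example (written for this page, not code from the original) shows the three pieces of that paragraph side by side in Python with the standard sqlite3 module: a login check that concatenates user input into SQL, a keyword blacklist of the kind the regex suggestion amounts to, and the parameterised version. The user table, the placeholder "password hashes" and the payloads are constructed for the example.

```python
import re
import sqlite3

# Constructed user table; the password_hash values are placeholders, not a real hashing scheme.
USERS = [
    ("admin", "hash-of-admin-secret", 1),
    ("alice", "hash-of-alice-secret", 0),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, is_admin INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return conn


def login_vulnerable(conn, username, password_hash):
    """Builds the query by string concatenation: whatever the user types becomes SQL."""
    sql = (f"SELECT username, is_admin FROM users "
           f"WHERE username = '{username}' AND password_hash = '{password_hash}'")
    return conn.execute(sql).fetchone()


# A keyword filter of the kind the text mentions: rejects a few SQL comment/separator tokens.
BLACKLIST = re.compile(r"(--|;|/\*)")


def blacklist_rejects(value):
    return BLACKLIST.search(value) is not None


def login_safe(conn, username, password_hash):
    """Parameterised query: the driver binds the values, so input can never change the statement."""
    sql = "SELECT username, is_admin FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(sql, (username, password_hash)).fetchone()


if __name__ == "__main__":
    conn = make_db()
    # Classic payload: close the string and comment out the password check entirely.
    print(login_vulnerable(conn, "admin' --", "anything"))              # ('admin', 1)
    # The blacklist catches that token, but a payload with no comment token walks past it.
    payload = "admin' OR '1'='1"
    print(blacklist_rejects("admin' --"), blacklist_rejects(payload))   # True False
    print(login_vulnerable(conn, payload, "anything"))                  # ('admin', 1)
    # With bound parameters both payloads are just odd usernames that match no row.
    print(login_safe(conn, "admin' --", "anything"))                    # None
    print(login_safe(conn, payload, "anything"))                        # None
```

The second payload works because AND binds tighter than OR, so the WHERE clause becomes "username = 'admin' OR ('1'='1' AND password_hash = 'anything')", which is true for the admin row without any comment token for the blacklist to catch. Comparing a password hash inside the query is itself a simplification for the example; real code fetches the stored hash for the username and verifies the password with a proper password-hashing library.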

Phishing. This technique does not attack the website directly, but we include it because of the danger it poses to our users. One variant leads the victim to a login page that imitates ours but actually sends the username and password to the attacker's database; the user is then usually redirected to the real site. In that case we may be able to recognise the origin of the traffic (for example from the Referer header of the request, although browsers do not always send it) and warn the user about what has just happened, suggesting that they change their password. Enabling two-factor authentication limits what an attacker can do with a password stolen this way.
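An added example (not from the original page) of that origin check: it classifies a login request by the host in its Referer header, treats a missing or unparsable header as unknown rather than as an attack, and compares the host exactly so that a look-alike such as "example.com.evil.test" is not mistaken for our own domain. The hostnames in OWN_HOSTS and the login records are assumptions constructed for the example.

```python
from urllib.parse import urlsplit

# Hostnames of our own site (assumed for the example).
OWN_HOSTS = {"example.com", "www.example.com"}


def login_origin(referer, own_hosts=OWN_HOSTS):
    """Classify a login request by the host in its Referer header.

    Returns 'same-site', 'external:<host>' or 'unknown' (header missing or unparsable).
    The host is compared exactly, so 'example.com.evil.test' does not pass as ours.
    """
    if not referer:
        return "unknown"
    host = urlsplit(referer).hostname   # lower-cased host, without port or credentials
    if host is None:
        return "unknown"
    if host in own_hosts:
        return "same-site"
    return f"external:{host}"


def suspicious_logins(records, own_hosts=OWN_HOSTS):
    """From (username, referer) pairs, return the users whose login arrived from another site."""
    result = []
    for user, referer in records:
        origin = login_origin(referer, own_hosts)
        if origin.startswith("external:"):
            result.append((user, origin))
    return result


# Constructed login records: (username, Referer header value or None when the browser sent none).
SAMPLE_LOGINS = [
    ("alice", "https://www.example.com/login"),
    ("bob", "https://example.com.evil.test/login"),
    ("carol", None),
    ("dave", "https://accounts.evil.test/"),
]

if __name__ == "__main__":
    for user, origin in suspicious_logins(SAMPLE_LOGINS):
        print(f"warn {user}: login submitted from {origin}; suggest a password change")
```

The "unknown" class matters: a strict Referrer-Policy, a privacy extension or a cross-scheme navigation strips the header, and warning every such user would produce far more false alarms than caught phishing victims.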