Lock Down Your Website

With all the benefits of e-commerce there are dangers such as identity theft for consumers and cyber attacks on websites. Site owners need to take preventative measures. Wellman presents some security procedures and scripts for PHP driven sites.


Life in the digital age certainly has its benefits; I can buy the latest CD, before it even hits the shops, for the cheapest price in the world from a shop thousands of miles away, all without leaving the comfort of my armchair (ok, my office chair). True, I’ll have to wait for a couple of days before the item is actually delivered, but to me that’s a small price to pay. An example of an instantaneous process could be opening a bank account in Switzerland in order to pay less tax on your savings. Or searching for a better quote on your car insurance, (a lot of insurance companies actually offer a discount simply for signing up online) and buying it online. Companies like to offer e-commerce solutions to save on their overhead, and the average person likes e-commerce because it opens up whole new markets and saves money. There are many online stores that simply would not exist if it weren’t for the Internet. 

But life in the digital age can also have its downfalls; what if your credit card details are stolen from an online store that you recently made a purchase from? What if your log-in password to a site is hacked and someone takes all of your details, opens up a bank account in your name and takes out a ten grand bank loan? It’s not the most likely thing to happen, but it’s certainly possible, and for many people, easy. Identity theft was the fastest growing crime last year.

It is not just the customers of e-commerce that are at risk either; online stores have an obligation to their customers to protect sensitive and personal information supplied by their customers. Stolen information may result in compensation payments, and a loss of future business.  Misleading information planted on your site may confuse or anger customers, and a Denial of Service attack that crashes the server your site is hosted from could easily result in loss of income. It’s true that anyone owning a physical shop runs the risk of being robbed or burgled, but at least the perpetrators have to actually be present; a hacker could attack from anywhere in the world.

Popular Cyber Attacks

One of the commonest forms of locating vulnerabilities is port-scanning; this is a process in which hackers send packets of information to server ports to see which ones are open and therefore available to exploit. 

Once a potential target has been found, there are a multitude of cyber crimes open to the hacker. Some of the more popular attacks are:

Directory Browsing – The ability to retrieve complete directory listings within directories on the web server. Usually occurs as a result of sloppy server configuration.

Reverse Proxying - Gaining access to back-end application servers by proxying HTTP requests from the external Internet to internal networks via front-end servers. Again, this can result from sloppy proxy server configuration.

Source Code Disclosure – This is the ability to retrieve the source code from application files or the application itself in order to find further loopholes or information such as usernames and passwords.  Once again this can be traced to poor server configuration or poor application design.

Session Hijacking - Many forms use ‘hidden’ fields to store session data; once this data has been acquired by the hacker, users’ data can be obtained. Session hijacking occurs when there are few or no preventative measures, such as server-side session ID tracking or cryptographic session ID creation.

As you can see from the examples above, many hack attacks are caused simply by misconfiguring your web server or web applications.  So what preventative measures can you take? Obviously, no site is 100% safe; given enough time and the right software, any site can be penetrated. Realistically though, there are many ways security can be implemented in order to drastically reduce the risks.

Preventative Measures

If you are running (or planning to run) a PHP driven e-commerce store, you must account for the following security features:

  • An authentication system that allows users to log into your site
  • Routines that allow only properly authenticated users to access or update sensitive information
  • Data encryption to securely store highly sensitive information such as credit card numbers
  • Logging routines that record usage information to allow analysts to detect possibly malicious patterns of use
  • Monitoring software that alerts administrators to malicious behavior in real-time
  • Encrypted connections for transmitting sensitive information

To begin with, never use the GET method for sending sensitive information; always use POST, which encloses the information in the body of the HTTP request rather than the URL query string. The POST method is not necessarily more secure; it just doesn’t display the information for all to see. Using the GET method to send a username and password to the PHP engine would be like posting a $100 bill in a transparent envelope.

In order to allow an authentication system, several things will need to be implemented: a form in which the user can register their username and password, and another form to sign into the site; a table in your database to store the usernames and associated passwords of users, and a secure way of storing this information; and PHP scripts that enter new information into the table and check the table when a user tries to sign in.

I won’t go into the HTML side of things here, but a simple PHP script to enter a new username and password into the table could be as follows:

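<?php

// Connection settings; fill in the values for your own server.
$host = "";
$uname = "root";
$pass = "";
$database = "nameofyourdatabase";
$tablename = "nameofyourtable";

// Form fields; the field names are assumed to match your registration form.
$customerid = $_POST["customerid"] ?? "";
$password = $_POST["password"] ?? "";
$confirm = $_POST["confirmpassword"] ?? "";

// Reject an empty password or one that does not match the confirmation field.
if ($password === "" || $password !== $confirm) {
    die("Password missing or passwords do not match.<br>");
}

$connection = mysqli_connect($host, $uname, $pass)
    or die("Database connection failed! <br>");
mysqli_select_db($connection, $database)
    or die("Database could not be selected");

// A prepared statement keeps the submitted values out of the SQL text.
$query = mysqli_prepare($connection, "INSERT INTO $tablename VALUES (?, ?)");
$hash = md5($password);
mysqli_stmt_bind_param($query, "ss", $customerid, $hash);

if (!mysqli_stmt_execute($query)) {
    die("Query could not be executed.<br>");
}

?>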

The above code checks that the password field is not empty and that the password and confirm password are the same. The information is then written to the table and the password is stored as an MD5 hash using the md5() function. This type of hash is known as a one-way hash and is useful as a way of storing passwords because you’ll never need to know what the visitor’s password is. You then also need a PHP script to check the username and password when visitors sign in.

One Way Hash

The following code can be used:

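<?php

// Form fields; the field names are assumed to match your sign-in form.
$customerid = $_POST["customerid"] ?? "";
$password = $_POST["password"] ?? "";

if (empty($password)) { die("No Password specified"); }
if ((strlen($password) < 5) || (strlen($password) > 15))
{ die("Password too long/short"); }

?>

<?php

$host = "";
$uname = "root";
$pass = "";
$database = "nameofyourdatabase";

$connection = mysqli_connect($host, $uname, $pass)
    or die("Database connection failed! <br>");
mysqli_select_db($connection, $database)
    or die("Database could not be selected");

// Bind the customer id as a parameter instead of concatenating it into the SQL.
$query = mysqli_prepare($connection, "SELECT password FROM login WHERE customerid = ?");
mysqli_stmt_bind_param($query, "s", $customerid);
mysqli_stmt_execute($query);
$result = mysqli_stmt_get_result($query);

if ($row = mysqli_fetch_array($result))
{
    // hash_equals() compares in constant time and avoids PHP's loose == rules.
    if (!hash_equals($row["password"], md5($password)))
    {
        die("Wrong Password!");
    }
}
else
{
    die("User does not exist!!");
}

?>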

This script will first check that a password has been entered, and then that it is at least 5 characters long and no more than 15. A password with fewer than 5 characters would be too insecure, and a password of more than 15 characters would take longer to generate a hash for and would take up more storage space. The stored hash that matches the username is extracted from the database, and a new hash is generated from the password that has been supplied. If the two match, the user is authenticated; if not, an appropriate error message is displayed.
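MD5 is fast to compute and the scripts above store it unsalted, so a stolen table of such hashes can be tested against password guesses very quickly. As an added example (not code from the original article), the following uses PHP's password_hash() and password_verify() and upgrades a legacy MD5 row the first time its owner signs in; the $users array stands in for the login table, and register_user() and check_login() are illustrative names.

```php
<?php
// Added example; $users stands in for the login table, and register_user()
// and check_login() are illustrative names, not part of the article.
$users = [
    // Constructed legacy row: an unsalted MD5 hash as written by the scripts above.
    "alice" => md5("correct horse"),
];

function register_user(array &$users, string $customerid, string $password): void
{
    // password_hash() adds a random salt and uses a deliberately slow algorithm.
    $users[$customerid] = password_hash($password, PASSWORD_DEFAULT);
}

function check_login(array &$users, string $customerid, string $password): bool
{
    if (!isset($users[$customerid])) {
        return false;
    }
    $stored = $users[$customerid];

    // Legacy rows are exactly 32 hex characters; password_hash() output never is.
    if (preg_match('/^[0-9a-f]{32}$/', $stored)) {
        if (!hash_equals($stored, md5($password))) {
            return false;
        }
        // The password is known to be correct here, so replace the MD5 row.
        $users[$customerid] = password_hash($password, PASSWORD_DEFAULT);
        return true;
    }

    if (!password_verify($password, $stored)) {
        return false;
    }
    // Re-hash when PHP's default algorithm or cost has changed since storage.
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $users[$customerid] = password_hash($password, PASSWORD_DEFAULT);
    }
    return true;
}

var_dump(check_login($users, "alice", "wrong guess"));
var_dump(check_login($users, "alice", "correct horse"));
var_dump(password_get_info($users["alice"])["algoName"]); // row is no longer MD5
register_user($users, "bob", "s3cond-passw0rd");
var_dump(check_login($users, "bob", "s3cond-passw0rd"));
```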

You will not be able to use this form of one-way hashing for information that you will need to be able to read back yourself, such as customer addresses and credit card information. Fortunately, PHP provides programmers with a set of functions to encrypt and decrypt data via the mcrypt library. This form of encryption is not completely secure, but it is fairly powerful. Please note that in order to use the mcrypt-related functions, the library must be installed on your system and PHP must have been compiled with mcrypt support. The following section of code gives a basic example of this type of encryption and subsequent decryption:

<?php

// DES takes an 8-byte key; mcrypt pads the final block with zero bytes.
$key_value = "KEYVALUE";
$plain_text = "PLAINTEXT";

$encrypted_text = mcrypt_ecb(MCRYPT_DES, $key_value, $plain_text, MCRYPT_ENCRYPT);

// The encrypted text is raw binary, so it will not display as readable characters.
echo ("<p><b> Text after encryption  :  </b>");
echo ( $encrypted_text );

$decrypted_text = mcrypt_ecb(MCRYPT_DES, $key_value, $encrypted_text, MCRYPT_DECRYPT);

echo ("<p><b> Text after decryption  :  </b>");
echo ( $decrypted_text );

?>

This type of encryption, known as Symmetric Encryption, relies on the key value remaining a secret. This can lead to problems as the key value must be saved somewhere that the server has access to; thus, if someone takes control of your server, they could potentially locate your key and then decrypt your data. 
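The mcrypt extension was deprecated in PHP 7.1 and removed from the core in PHP 7.2, and DES in ECB mode no longer gives adequate protection for data such as card numbers. As an added example that is not from the original article, the code below performs the same encrypt and decrypt round trip with AES-256-GCM through PHP's OpenSSL functions and loads the key from an environment variable instead of the script itself; the CARD_KEY variable and the function names are assumptions.

```php
<?php
// Added example; load_key(), encrypt_field(), decrypt_field() and the CARD_KEY
// environment variable are illustrative names, not part of the article.

function load_key(): string
{
    // The key is kept out of the source code and the database: here it is an
    // environment variable holding 32 random bytes, base64-encoded.
    $key = base64_decode((string) getenv("CARD_KEY"), true);
    if ($key === false || strlen($key) !== 32) {
        throw new RuntimeException("CARD_KEY must be 32 bytes, base64-encoded");
    }
    return $key;
}

function encrypt_field(string $plain_text, string $key): string
{
    $iv = random_bytes(12); // fresh nonce per value; never reuse one with the same key
    $tag = "";
    $cipher = openssl_encrypt($plain_text, "aes-256-gcm", $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($cipher === false) {
        throw new RuntimeException("Encryption failed");
    }
    // Store nonce, authentication tag and ciphertext together in one column.
    return base64_encode($iv . $tag . $cipher);
}

function decrypt_field(string $stored, string $key): string
{
    $raw = base64_decode($stored, true);
    if ($raw === false || strlen($raw) < 28) {
        throw new RuntimeException("Stored value is malformed");
    }
    $iv = substr($raw, 0, 12);
    $tag = substr($raw, 12, 16);
    $cipher = (string) substr($raw, 28);
    $plain = openssl_decrypt($cipher, "aes-256-gcm", $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($plain === false) {
        // GCM refuses to decrypt when the key is wrong or the data was altered.
        throw new RuntimeException("Decryption failed: wrong key or modified data");
    }
    return $plain;
}

// Constructed key for this demonstration only.
putenv("CARD_KEY=" . base64_encode(random_bytes(32)));
$key = load_key();
$stored = encrypt_field("PLAINTEXT", $key);
echo "Stored value: ", $stored, "\n";
echo "Decrypted:    ", decrypt_field($stored, $key), "\n";
```

Moving the key out of the script does not remove the risk described above: anyone who takes control of the server process can still read it, so the key needs the same protection as the data.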

Some of your security controls will need to be implemented at server rather than application level. This includes tasks such as authorization, which is basically lists of the actions that specified visitors are able to perform. These are commonly referred to as ACLs (Access Control Lists). Logging of suspicious activity is something that is sometimes defined in your server setup and is often a default setting. Logging can also be achieved via software, or functions can be written to scan log files and turn the results into HTML for viewing in a browser. Again, monitoring of the server is usually done via software solutions. There is a plethora of server monitoring software available that covers everything from checking that URLs are working to error notification and site diagnostics.

Conclusion

I hope this article has given you an overview of some basic site security procedures, and has hopefully given you something to think about when setting up an e-commerce site. Obviously I haven’t covered every scenario and security procedure available.
