First and foremost, the very nature of the web code \u2013 HTML! HTML is a clear text language which is visible to anyone visiting the site. Hackers can easily modify the code and add functionalities that either act differently or obstruct existing functionality. Hackers can infiltrate code in the following ways:<\/p>\n
- \n
- Injection<\/em><\/strong>:<\/strong> The attacker injects malicious code into the web code. This malicious code is written to extract information from the client\u2019s computer or device for unscrupulous use.<\/li>\n
- Cross Site Scripting (XSS):<\/em><\/strong> Here the hacker inserts a script into the code that is run at the client\u2019s site. This script may be for extracting information or providing misinformation in order to undermine competition.<\/li>\n
- Identity Theft:<\/em><\/strong> Here the attacker assumes the identity of the user and accesses important or sensitive data. The hacker then can use this data to cause inconvenience or loss to the user.<\/li>\n
- Direct Object Reference<\/em><\/strong>: <\/em>This type of risk occurs when objects such as tables within a database are directly referenced in the URL. The hacker can use this object to access related objects within the database.<\/li>\n
- Uuencoded or insecure cryptography:<\/em><\/strong> Sensitive data such as credit card information and bank details may be hacked by corrupt persons if they are stored, or travel over the internet, uuencoded or encoded in a simple and easy to break code.<\/li>\n
- Insufficient Layering:<\/em><\/strong> Applications that do not encrypt and decrypt data or authenticate users, or check certificates, may be used by hackers to gather personal data of the users.<\/li>\n<\/ul>\n
How to avoid these risks<\/strong><\/h4>\n
The above list is by no means exhaustive but does cover some major areas of vulnerability. Programmers, developers, and web designers can counter these vulnerabilities by being aware of them and including code that will look out for malicious code.<\/p>\n
Basic Security Practices for Web Applications:<\/strong><\/h4>\n
- \n
- Applications use data entered into forms to access databases. If this data is validated before accessing the database, injections can frequently come to light. Proper validation can also detect malicious scripts entered into the code.<\/li>\n
- Coders must assume that any data entered by users is untrusted. All inputs must be validated before use. Checking for type, length, format, and range are the common ways in which inputs are validated.<\/li>\n
- Identity thefts and broken authentications can be prevented by forcing a user to re-login even though he has not explicitly logged out. When a user logs in to a site an id is created. If this id is created using a predictable formula, hackers can \u201csteal\u201d that identity and resend it to access client information. Generating random id\u2019s is the best way to avoid risks of identity thefts.<\/li>\n
- Randomizing ids can also mitigate attacks due to direct object reference. In fact, databases should never be directly accessed by user entered data. Applications should validate and clean data before accessing databases.<\/li>\n
- Most importantly, the infrastructure used to run applications including hardware, software, OS and other components must be secured.<\/li>\n<\/ol>\n
- Cross Site Scripting (XSS):<\/em><\/strong> Here the hacker inserts a script into the code that is run at the client\u2019s site. This script may be for extracting information or providing misinformation in order to undermine competition.<\/li>\n
![\"Security](\"https:\/\/www.cigniti.com\/blog\/wp-content\/uploads\/2015\/09\/Banner_06.jpg\")
<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"