Rosjackson.co.uk : web design, web development and copywriting
Website Security

Why every website is on the criminals' radar

Having a website is a little like opening the doors of your house to the general public, and having an insecure website is like leaving this house untended, with the safe unlocked. You wouldn't do it with your home, and when a vulnerable website is attacked it can also be costly to repair the damage.

The more interactive areas there are on a site, the greater the potential for malicious attacks. Guestbooks, forums, contact forms, administration areas, and any elements that allow visitors to affect what appears on the site represent possible ways in for people with malicious intent. That's not to say that interactive elements are the only ways to break into a site, but they are often the easiest and most common ways in.

This website is hit every week by people looking for non-existent pages similar to the following:
  • http://www.rosjackson.co.uk/scripts/formmail.pl
  • http://www.rosjackson.co.uk/cgi-bin/formmail.pl
  • http://www.rosjackson.co.uk/scripts/mailform.pl
  • http://www.rosjackson.co.uk/cgi-bin/commentformmail.cgi
  • http://www.rosjackson.co.uk/cgi-bin/contact.cgi
  • http://www.rosjackson.co.uk/cgi-bin/formmail/formmail.cgi
No, scrub that. It's not people looking for those pages, but bots. Those bots are programmes designed to crawl the web in search of pages which are likely to contain certain vulnerable email scripts. Spammers are sending out these bots in their thousands in order to find ways of using other people's websites to send their junk email for them.

The majority of these bots are looking for a script called Formmail which is commonly used to send email direct from a website. Older versions of this script had a vulnerability that would allow spammers to hijack it in order to send their own email from someone else's site.
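One way to see this probing in your own logs is to scan them for requests to the script names listed above. The following is an added example, not code from this site; it assumes Apache "combined" log format, and the sample lines are constructed (documentation IP ranges), not real traffic:

```python
import re
from collections import Counter

# Apache "combined" log format is assumed; only the fields used below are captured.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Script names from the probe list above. Only .pl/.cgi are matched so that a
# site's own contact.php form does not trip the check.
PROBE_PATH = re.compile(r'/(formmail|mailform|commentformmail|contact)\.(pl|cgi)$', re.IGNORECASE)

def parse_line(line):
    """Return the log fields as a dict, or None if the line is not in combined format."""
    m = LOG_LINE.match(line)
    return m.groupdict() if m else None

def is_formmail_probe(entry):
    """True when the requested path ends in one of the probed mail-script names."""
    return PROBE_PATH.search(entry["path"]) is not None

def find_probes(lines):
    """Return (matching log entries, number of probes per client IP)."""
    probes = [e for e in map(parse_line, lines) if e and is_formmail_probe(e)]
    return probes, Counter(e["ip"] for e in probes)

# Constructed sample log lines: one scanner hitting three paths, one ordinary visitor.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /cgi-bin/formmail.pl HTTP/1.1" 404 209 "-" "Mozilla/4.0"',
    '203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /scripts/formmail.pl HTTP/1.1" 404 209 "-" "Mozilla/4.0"',
    '203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "POST /cgi-bin/formmail/formmail.cgi HTTP/1.1" 404 209 "-" "Mozilla/4.0"',
    '198.51.100.4 - - [10/Oct/2023:14:02:11 +0000] "GET /developmentarticles.php HTTP/1.1" 200 5120 "http://www.rosjackson.co.uk/" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Oct/2023:14:02:19 +0000] "GET /contact.php HTTP/1.1" 200 2048 "http://www.rosjackson.co.uk/developmentarticles.php" "Mozilla/5.0"',
]

if __name__ == "__main__":
    probes, by_ip = find_probes(SAMPLE_LOG)
    for e in probes:
        print(f'{e["ip"]} {e["method"]} {e["path"]} -> {e["status"]}')
    print("probes per IP:", dict(by_ip))
```

A 404 on every one of these paths is the good outcome: it means the script is not there to be hijacked, and the per-IP count shows which clients are scanning rather than browsing.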

So it's not good enough to think that the crackers won't find you because you have a little-known site. They have plenty of tools to help them.

Another common problem is simply failing to password-protect certain areas, in the belief that these places will not be found. Yet what a lot of webmasters don't realise is that the addresses of these secret places can leak out fairly easily, and can even end up in the search engines. So how do these leaks take place?

When you click on a link, most browsers will send out what is known as a referral string (the HTTP Referer header). This tells the owner of the destination website where the visitor has come from. For example, if you arrived here from the Web Development Articles page, the referral string would be

http://www.rosjackson.co.uk/developmentarticles.php.

And if you set up a secret page at

http://www.example.com/poiuytrewq/topsecret.php

thinking that no-one would ever guess that address, and then clicked on a link on the page to go to another site, that page could appear in somebody else's site statistics. The cat would be out of the bag.

This leakage of addresses is one of the reasons that security by obscurity can't be relied upon. If you run a search for "referrers" or "Webstat" in any search engine you will doubtless find hundreds of pages of other people's statistics, which many people choose to leave public. This means that a hidden page can quickly find its way onto a search engine and become available to everybody.

The subject of website security could fill several volumes, and new ways of attacking websites are being dreamt up all the time. I've only touched briefly on a few problems, and really they are the tip of the iceberg. No site is 100% invulnerable, and it's often said that security is an ongoing process rather than something you can do once and forget about. However, defences against many common methods of attack can be learnt. Surprising numbers of sites are vulnerable in fairly obvious ways, through simple matters such as a lack of password protection or poor password choice. If you are happy to assume that your site will fall under the radar of malicious crackers, now is the time to be making backups.


© Ros Jackson. All rights reserved.