If you want to have a successful business, having a website is pretty much a must these days. 87% of consumers research products and services online first before making a purchase.
Due to the rise of platforms like WordPress and Shopify, creating new websites has become easier than it used to be. Business owners can often put up a basic site themselves to promote their offerings.
But what isn’t always apparent when going through the setup steps is how vulnerable to cyberattacks many websites are. If you haven’t properly protected your website, it can be subject to two popular attack types called “Cross-Site Hijacking” and “Cross-Site Scripting.” The two are closely related and result in the takeover of a website, your website not working properly for visitors, and other serious issues.
We’ll go through an overview of each below and the steps you can take to secure your website from being hacked.
What is Cross-Site Hijacking
Websites use a language to communicate between the user’s browser and the web server called WebSockets. This type of communication helps facilitate a fast response and enables real-time applications, so if you click a button on a site or enter data into a form, you can see the reaction instantly.
WebSockets will give servers command messages based upon the message coming from the user’s browser (i.e., their cursor hovered over this text, so display the rollover).
Cross-site hijacking (also known as cross-origin WebSocket hijacking) involves faking those WebSocket commands. This type of attack exploits a vulnerability within a WebSocket handshake request that relies only on HTTP cookies for handling a session.
Cookies are those bits of code that are stored by a website on a user’s computer so they can tell if the user has been there before, etc.
What the attacker does is manipulate that communication that happens between the user and the web server that hosts the website they’re visiting.
What Can Happen?
With cross-site hijacking, a website owner can experience fake commands that look like they’re from the user but aren’t. Dangers of this type of attack include:
- Performing unauthorized actions against your site masquerading as the user.
- Compromise of sensitive messages meant for the legitimate user, such as credit card details or other sensitive information that they may be logging in to access.
How to Prevent Cross-Site Hijacking
This type of attack happens when proper authentication isn’t in place for user sessions. It’s important to use session-individual random tokens, such as CSRF-Tokens when the user session is initiated and verify those on the webserver.
Another prevention method is to have the Origin header of the WebSocket handshake request checked on the server to ensure it’s legitimate.
What is Cross-Site Scripting
Have you ever visited a site that you know to be legitimate because you’ve been there before, but it looks like it’s been hacked because of strange text or random code showing up? That could be a case of cross-site scripting.
In this type of attack, the hacker injects malicious code into a website. When the code is accidentally executed by the victim, it allows attackers to bypass security protocols and impersonate any website users.
This is often what happens when legitimate websites are taken over by phishing. Users will land on the page and immediately have code injected into their computer from the hijacked site.
What Can Happen?
The attacker conducting this type of attack can:
- Gain access to user information, such as private messages, passwords, and cookies
- Access all content that a logged-in user can access
- Change the website content that is shown to the user when they log in
How to Prevent Cross-Site Scripting
There are several things that a website owner can do to prevent cross-site scripting code injections into their site. These include:
- Ensuring all form fields, including hidden forms and cookies, are checked and validated.
- Implementing better form security, such as putting a character limitation on form input fields.
- Set the web server to redirect invalid requests.
- Detect simultaneous logins and invalidate those sessions.
- Detect simultaneous logins from two different IP addresses and invalidate the sessions.
- Ensure your site only displays the last 4 digits of a user’s inputted or stored credit card.
- Require password entry to change any profile details, like email address.
A lot is going on with the back end of your site and its communication with a user. If you haven’t had an expert help you put the proper security in place, you and your website visitors could become attack victims which would not only take down your website, it could also lose you customers.
Get Help Securing Your Website Today!
Neuron Computers can help your company review your website security to ensure that you’re not vulnerable to a cross-site hijacking or cross-site scripting attack.
Contact us today to schedule a free consultation. Call 1-818-925-2120 or reach us online.