How to fixup website vulnerabilities?

By Emerald007
Can anyone help me in preparing a checklist for a website security audit? Here my major concerns are:
registered members' info should not be leaked, e.g. their email ID and password.
prevent the website from being hacked.
I have stored the data in the database using a double encryption method. Now my query is: suppose someone is able to get into the website database, can he decode it?



All Answers


The whole point of encryption is so that no one can decode it.

by seanferd In reply to How to fixup website vuln ...

That being said, if a weak encryption algorithm is used, or the key is left somewhere a site cracker could find it, then decryption is possible.

In general, don't leave default settings on your database, webserver, and other applications. Follow best practices for the platforms and lock everything down. This stuff is extensively covered aside from official software documentation. People make a living addressing and writing about these security issues.

Critical: If this db has a public interface, you must sanitize query strings to avoid things like buffer overflow attacks.

Whether hosting the site in-house, or with a web host, you also need to make sure the administrative interface is secure, and definitely not a known-vulnerable version.

That's the short version. When looking up information or asking further questions, be specific about the software you are using. Version and patch level matters, so have that info handy when diving in deeper.
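As an added example (not from the thread, and not the poster's code), here is what "sanitize query strings" for a database with a public interface comes down to in practice: the failure is user input that changes the structure of the query rather than staying a value, and the fix is a parameterized query. The members table, column names, lookup functions and attacker input below are all constructed for illustration; sqlite3 stands in for whatever database the poster uses.

```python
"""Added example, not part of the original thread: what "sanitise query
strings" means for a database behind a public web form. The members table,
column names and the lookup functions are constructed here for illustration;
sqlite3 stands in for whatever database the poster uses."""
import sqlite3


def make_members_db() -> sqlite3.Connection:
    """Constructed sample data: a members table like the one in the question."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE members (id INTEGER PRIMARY KEY, email TEXT, pw_hash TEXT, public_name TEXT)"
    )
    conn.executemany(
        "INSERT INTO members (email, pw_hash, public_name) VALUES (?, ?, ?)",
        [("alice@example.com", "hash-a", "alice"), ("bob@example.com", "hash-b", "bob")],
    )
    conn.commit()
    return conn


def lookup_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """Vulnerable: the user's input becomes part of the SQL text, so a quote
    in the input ends the string literal and the rest is parsed as SQL."""
    sql = "SELECT public_name FROM members WHERE public_name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    """Fixed: the placeholder binds the input as a value; the query's
    structure is fixed before the input is ever seen by the parser."""
    sql = "SELECT public_name FROM members WHERE public_name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


# Constructed attacker input: it closes the quote, bolts a UNION onto the
# query to pull the private columns, and comments out the trailing quote.
INJECTION = "' UNION SELECT email || ':' || pw_hash FROM members --"


def demo() -> dict:
    """Run both lookups with a normal name and with the injection string."""
    conn = make_members_db()
    return {
        "unsafe_normal": lookup_unsafe(conn, "alice"),
        "unsafe_injected": sorted(lookup_unsafe(conn, INJECTION)),
        "safe_normal": lookup_safe(conn, "alice"),
        "safe_injected": lookup_safe(conn, INJECTION),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

The unsafe lookup hands back every member's email and stored password field through a query that was only meant to return public names; the parameterized version returns nothing for the same input because the whole string is compared as a value. The same discipline applies to every place user input meets a query, including ORDER BY and LIMIT clauses that placeholders cannot cover, where an allow-list is the tool.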


OWASP security top ten is a good starting point

by robo_dev In reply to How to fixup website vuln ...


Not sure what the 'double encryption' method is....

Since the web application can read-write to the database, he who owns the web application can own the database.

Encryption only helps if an attacker compromises the server at the OS level, and copies the whole database. Then, your encryption *may* slow him down a bit, depending on exactly how it has been implemented. It also may help in the case where the attacker has gained low-level access and is trying to gain privilege escalation or otherwise breach a security boundary.

If, for example, your encryption depends upon static keys stored in unencrypted stored procedures, then the attacker could decrypt this easily. Similarly, if the decryption depends on the web application, and there is a flaw that allows for source disclosure, then it's game-over as well.

In other words, the 'devil is in the details'. If your database is triple-encrypted but it's on an unpatched IIS server, then the database connection string that unlocks the whole database is only a click away for the attacker.....
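An added example (not the thread's code, not the poster's scheme) of the point made above that whoever owns the web application owns the database, and that static keys the application can read do not protect the password column from someone who has copied both the database and the application's configuration. The cipher here is an illustrative keyed SHAKE-256 keystream XOR applied twice, standing in for whatever the poster's "double encryption" is; APP_CONFIG, the key names and the sample password are assumptions. The contrast is a salted, deliberately slow password hash, which has no key that reverses it.

```python
"""Added example, not from the original thread: why encrypting stored
passwords with keys the web application holds does not protect them from
someone who gets the application's configuration, and what a salted, slow
password hash gives instead. The cipher is an illustrative SHAKE-256
keystream XOR applied twice, standing in for whatever the poster's "double
encryption" is; APP_CONFIG and the key names are assumptions."""
import hashlib
import hmac
import os
from typing import Iterable, Optional

# Assumed: the web app's configuration. The app must read these keys to
# decrypt, so anyone who reads the app's config or source (source disclosure,
# a leaked connection string, a copied deployment) has them too.
APP_CONFIG = {
    "layer1_key": b"first-static-key-in-config",
    "layer2_key": b"second-static-key-in-config",
}
NONCE_LEN = 16
PBKDF2_ROUNDS = 600_000  # slow on purpose; raise as hardware gets faster


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (same operation) by XOR with a keyed keystream."""
    stream = hashlib.shake_256(key + nonce).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))


def double_encrypt(password: str, config=APP_CONFIG) -> bytes:
    """Two layers with two keys, nonce prepended. Reversible by design."""
    nonce = os.urandom(NONCE_LEN)
    once = keystream_xor(config["layer1_key"], nonce, password.encode())
    return nonce + keystream_xor(config["layer2_key"], nonce, once)


def double_decrypt(blob: bytes, config=APP_CONFIG) -> str:
    """What the app does to check a login, and exactly what an attacker holding
    a database dump plus the app's config does to read every password."""
    nonce, ciphertext = blob[:NONCE_LEN], blob[NONCE_LEN:]
    once = keystream_xor(config["layer2_key"], nonce, ciphertext)
    return keystream_xor(config["layer1_key"], nonce, once).decode()


def hash_password(password: str) -> bytes:
    """Salted PBKDF2-HMAC-SHA256, stored as salt || digest. No key exists
    anywhere that turns this back into the password."""
    salt = os.urandom(NONCE_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt + digest


def verify_password(password: str, stored: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt, digest = stored[:NONCE_LEN], stored[NONCE_LEN:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def offline_guess(stored: bytes, guesses: Iterable[str]) -> Optional[str]:
    """The only route left against a hash: guess and verify, paying the full
    PBKDF2 cost per guess per user (the per-user salt defeats precomputation)."""
    for guess in guesses:
        if verify_password(guess, stored):
            return guess
    return None


if __name__ == "__main__":
    blob = double_encrypt("S3cret!")
    # Attacker with the dump and a copy of the app's config: instant recovery.
    print("recovered from 'double encryption':", double_decrypt(blob, dict(APP_CONFIG)))
    stored = hash_password("S3cret!")
    print("hash verifies:", verify_password("S3cret!", stored))
    print("attacker's best effort:", offline_guess(stored, ["123456", "password", "S3cret!"]))
```

Note the asymmetry: the decrypt path is the same function for the legitimate application and for the attacker, because the application's ability to log users in is the attacker's ability to read the column. With the hash, the site can still check a login but nobody, including the site, can recover the password without guessing it, and each guess costs the configured PBKDF2 work. Email addresses the site genuinely needs to read back are a different case; encrypting them helps only as far as the key lives somewhere the attacker who has the database dump does not also reach.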


Response To Answer

by Emerald007 In reply to OWASP security top ten is ...

@robo_dev and @seanferd: many thanks for replying, got some more clues, definitely will help me in more digging....
