How are websites hacked to have their content defaced? How can I prevent such attacks on my website?
My answer to How are websites hacked to have their content defaced? How can I prevent such attacks on my website? on Quora
There are countless ways in which a website could be defaced—way too many for a single Quora answer!
Here are a few off the top of my head:
- An unpatched operating system with vulnerabilities in system services (SSH daemons, web servers, other processes). Defence is to make sure you keep your packages up to date and avoid running anything exotic that might not be actively maintained.
- XSS attacks. Make sure you have a deep understanding of what XSS is and how it works, and ideally use a template language that escapes output by default to help avoid the most obvious problems.
- SQL injection attacks. Make sure you use a library that parameterises SQL queries and handles escaping correctly for you, NEVER append strings together to create a SQL statement.
- Sniffing your administrative username/password or even your authenticated cookie over an insecure WiFi network—make sure you only ever send those things over HTTPS.
- Brute force attacks on your administrative login screen—make sure you rate limit login attempts.
- Guessing your server’s SSH password (or your admin interface password)—use a one-time, random password stored securely in something like 1Password and ideally don’t have SSH passwords at all, use SSH public-key authentication instead.
- Serving JavaScript on the page from another URL (e.g. an externally hosted JavaScript library or an advertising network) which gets compromised. It doesn’t matter how good your own site security is if you link to insecure JavaScript from a third party.
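To make the SQL injection point above concrete, here is an added example (not code from the original answer) showing the string-concatenation mistake next to the parameterised version, using Python's built-in sqlite3 module and an in-memory database with two constructed user rows. The table, the usernames and the payload string are all assumptions made for the demonstration.

```python
import sqlite3


def make_db():
    """Build a throwaway in-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
        "password_hash TEXT, is_admin INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash, is_admin) VALUES (?, ?, ?)",
        [("alice", "hash-a", 1), ("bob", "hash-b", 0)],
    )
    return conn


def lookup_user_unsafe(conn, username):
    """VULNERABLE: the username is pasted straight into the SQL text.

    A quote character in the input ends the string literal early, so the
    rest of the input is interpreted as SQL rather than as data.
    """
    sql = (
        "SELECT username, is_admin FROM users WHERE username = '"
        + username
        + "' ORDER BY id"
    )
    return conn.execute(sql).fetchall()


def lookup_user_safe(conn, username):
    """Parameterised: the driver sends the value separately from the query.

    The ? placeholder is bound to the Python value, so quotes inside the
    input are just characters in the username being searched for.
    """
    sql = "SELECT username, is_admin FROM users WHERE username = ? ORDER BY id"
    return conn.execute(sql, (username,)).fetchall()


# Constructed attacker input: closes the string literal, then adds a
# condition that is always true.  Concatenated, the query becomes
#   ... WHERE username = 'nobody' OR '1'='1' ORDER BY id
PAYLOAD = "nobody' OR '1'='1"


if __name__ == "__main__":
    db = make_db()
    print("unsafe:", lookup_user_unsafe(db, PAYLOAD))  # every user leaks
    print("safe:  ", lookup_user_safe(db, PAYLOAD))    # no such user, []
```

The concatenated query returns every row for the payload; the parameterised one returns nothing because it looks for a user literally named `nobody' OR '1'='1`. The same placeholder mechanism exists in every mainstream driver and ORM, but it only protects values: table and column names, `ORDER BY` directions and similar structural pieces cannot be bound as parameters and must come from an allow-list in your own code.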
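The XSS bullet recommends a template language that escapes output by default. As an added illustration (not part of the original answer, and not any real template engine's code), the toy renderer below substitutes `{{ name }}` placeholders and HTML-escapes every value unless it has been explicitly wrapped in a `Markup` type; the placeholder syntax, the `Markup` class and the sample comment payload are assumptions for the demonstration.

```python
import html
import re

# Matches {{ name }} placeholders; the name is captured for lookup.
PLACEHOLDER = re.compile(r"\{\{\s*(\w+)\s*\}\}")


class Markup(str):
    """A string the developer has marked as already-safe HTML.

    Only values of this type are inserted verbatim; everything else is
    escaped.  Opting *out* of escaping has to be explicit and visible.
    """


def render_unsafe(template, **values):
    """VULNERABLE: substitutes raw values, so user input becomes markup."""
    return PLACEHOLDER.sub(lambda m: str(values[m.group(1)]), template)


def render(template, **values):
    """Escape-by-default: every value is HTML-escaped unless it is Markup."""

    def substitute(match):
        value = values[match.group(1)]
        if isinstance(value, Markup):
            return str(value)
        # quote=True also escapes " and ', so the result is safe inside
        # double- or single-quoted attribute values as well as text.
        return html.escape(str(value), quote=True)

    return PLACEHOLDER.sub(substitute, template)


# Constructed attacker-supplied comment body.
PAYLOAD = '<script>alert(document.cookie)</script>'
TEMPLATE = "<p><b>{{ author }}</b>: {{ body }}</p>"


if __name__ == "__main__":
    print(render_unsafe(TEMPLATE, author="mallory", body=PAYLOAD))
    print(render(TEMPLATE, author="mallory", body=PAYLOAD))
```

With the safe renderer the comment is displayed as literal text (`&lt;script&gt;...`) and never executes. Escaping for HTML text and attribute values covers the common case, but a value dropped into a JavaScript block, a URL or a CSS rule needs context-specific encoding that plain HTML escaping does not provide, which is why real engines such as Jinja2 or Django templates still document where autoescaping is not enough.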