Simon Willison’s Weblog

How are websites hacked to have their content defaced? How can I prevent such attacks on my website?

4th December 2012

My answer to How are websites hacked to have their content defaced? How can I prevent such attacks on my website? on Quora

There are countless ways in which a website could be defaced—way too many for a single Quora answer!

Here are a few off the top of my head:

• An unpatched operating system with vulnerabilities in system services (SSH daemons, web servers, other procceses). Defence is to make sure you keep your packages up to date and avoid running anything exotic that might not be actively maintained.
• XSS attacks. Make sure you have a deep understanding of what XSS is and how it works, and ideally use a template language that escapes output by default to help avoid the most obvious problems.
• SQL injection attacks. Make sure you use a library that paramaterises SQL queries and handles escaping correctly for you, NEVER append strings together to create a SQL statement.
• Sniffing your administrative username/password or even your authenticated cookie over an insecure WiFi network—make sure you only ever send those things over HTTPS.
• Brute force attacks on your administrative login screen—make sure you rate limit login attempts.
• Guessing your server’s SSH password (or your admin interface password)—use a one-time, random password stored securely in something like 1password and ideally don’t have SSH passwords at all, use SSH public-key authentication instead.
• Serving JavaScript on the page from another URL (e.g. an externally hosted JavaScript library or an advertising network) which gets compromised. It doesn’t matter how good your own site security is if you link to insecure JavaScript from a third party.