In this series we walk you through the steps needed to create a secure, functional website. As a case study we describe how we created this website and what its special features are.
Where is Web technology heading today? There are numerous avenues that allow even the most novice users and developers to put their work on the Internet. Any user of the World Wide Web can publish their work with the help of websites and blogs. However, novice users are almost always susceptible to security threats on their crudely built websites and blogs. You will find plenty of step-by-step tutorials on publishing your work or sharing your favourite projects online, but you will find the Internet lacking a basic guide to building websites that keeps your online activities secure.
This tutorial aims to address the problem of building a website capable of publicizing one's work while being secure enough to resist threats from hackers or intruders. In other words, we present a guide to making your own “secure, functional” site by telling you how we made ours, which contains many more such tutorials on ongoing information security research and on our completed projects.
A walk through this article will help you build a handy website that is fully functional for your needs yet secure enough to protect your credentials.
Some of the questions you must answer when you decide to build a website are:
- What is the content of the website? How am I to present the content?
- Who will use it? Who is most likely to visit it?
- What services do I need to provide to my user? (Logins, Comments, Access Capabilities)
Once these are answered, you can decide how to go about building the website. You can build it from scratch, writing your own HTML, CSS and PHP scripts and providing your own tables to access… but why go through all that trouble when technology provides tools that let you leave your mark on the Web easily?
Of the many tools available for building a website, content management systems such as Joomla, WordPress and Drupal, Flash and jQuery for enhanced content, and combinations of HTML editors and graphics editors will help you quickly build a fancy website. Some hosting providers, such as Hostgator, also offer a free site builder that you can use to build your site.
We chose WordPress to get going. WordPress is an open source Content Management System (CMS), often used as a blog publishing application, powered by PHP and MySQL. It has many features including a plug-in architecture and a template system. WordPress:
- Has a web template system using a template processor. The PHP and HTML code in themes can also be edited for more advanced customizations.
- Features integrated link management, is search engine-friendly, can assign nested, multiple categories to articles, and supports tagging of posts and articles.
- Includes automatic filters, providing standardized formatting and styling of text in articles.
- Supports the Trackback and Pingback standards for displaying links to other sites that have themselves linked to a post or article.
- Has a rich plugin architecture which allows users and developers to extend its functionality. Users can re-arrange widgets without editing PHP or HTML code. They can also install and switch between themes.
Using the different plugins and themes offered by WordPress, we developed this site.
The main objective of the website is to provide users with a platform for their research projects and articles, so it offers a user-friendly GUI. The website's architecture enables users to navigate it easily with the help of quick-access links on the panel. Under each category, such as articles, projects and tutorials, different posts are available for users to view, edit or comment upon.
Beyond that, the site integrates with social networking sites such as Facebook and Twitter. These connections help promote the work done by the research students by making links to their work readily available to the many people visiting those sites at any time.
We have an active Facebook page for Security Research, the company for which this website was created, through which contributors and viewers alike can keep up to date with the most recent posts. We also have a Twitter feed where followers receive our newest updates. We use YouTube to embed tutorial videos and any other article-related video, which saves us the overhead of storing and tracking them ourselves.
The website keeps track of how many people visit it, which links they follow, which articles they prefer to read, and so on. This can be compiled into an analytics report for the administrator to consult in order to improve the quality of the website. The feature that generates these reports is the WordPress Google Analytics tool.
Google Analytics is an enterprise-class web analytics solution that gives you rich insights into your website traffic and marketing effectiveness. Its reports are generated automatically from user activity on the website, and it monitors those reports and alerts the administrator to significant changes in data patterns. Every time a page on the site is visited, the plugin logs information about the visitor. The data tracked by the plugin includes the IP address, the HTTP referrer, the time of the click, user ID, user level, display name, browser, operating system and the page being visited.
Other facilities, such as sharing an article on social networking sites like Digg and StumbleUpon, are also available. To provide a video uploading facility on the website we piggyback on technology from YouTube, using YouTube Insight. YouTube Insight is YouTube's analytics and reporting product, which enables anyone with a YouTube account to view detailed statistics about the videos they upload. This tool lets the user keep track of the number of views, hits and downloads for a video, which can be used to design and implement promotion strategies.
To deal with the security of the website, providing protection against SQL injection, XSS, DDoS and similar attacks, some additional scripts have to be included in the basic design of the website.
- SQL injection is a code injection technique that exploits a security vulnerability in the database layer of an application. The vulnerability is present when user input is incorrectly filtered for string-literal escape characters embedded in SQL statements, or is not strongly typed, and is thereby unexpectedly executed. WordPress comes with protection from SQLi via client-side validation.
- Cross-site scripting (XSS) is a type of vulnerability typically found in web applications that enables attackers to inject client-side script into web pages viewed by other users. An exploited XSS vulnerability can be used by attackers to bypass access controls such as the same-origin policy, and XSS attacks can also steal cookies from the client browser and send them to an attacker's malicious domain. These attacks have been taken care of on our website by implementing filters such that no script code is allowed in any post by a user. Users are not allowed to post comments containing HTML, which could act as a carrier for XSS attack code.
- Spam attacks are another threat to websites. Many bots launch automated attacks on a vulnerable website, bringing down the service it provides. This has been taken care of by using a Captcha and administrator moderation. Admin moderation helps prevent the unnecessary comments and posts generated by bots (spam), thus preventing a DoS (Denial of Service) attack on the website.
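As an added illustration in Python (not code from the site described here), the server-side counterpart of the SQL injection and XSS defences listed above: comments are stored through a parameterized query so quoted input stays data, a submission-time check refuses HTML tags, and rendering entity-escapes whatever was stored so that a tag which slipped through is shown as text. The in-memory SQLite table and the sample comments are constructed for the example.

```python
import html
import re
import sqlite3

# Constructed in-memory table standing in for the site's comment storage.
conn = sqlite3.connect(":memory:")
conn.execute(
    "CREATE TABLE comments (id INTEGER PRIMARY KEY, post_id INTEGER, "
    "author TEXT, body TEXT)"
)

TAG_RE = re.compile(r"<[^>]*>")  # any HTML tag: opening, closing or self-closing


def contains_markup(text: str) -> bool:
    """Submission-time policy: comments may not contain HTML tags at all."""
    return TAG_RE.search(text) is not None


def store_comment(post_id: int, author: str, body: str) -> int:
    """SQL injection defence on the server: values are bound as parameters and
    never spliced into the statement text, so quotes in the input stay data."""
    cur = conn.execute(
        "INSERT INTO comments (post_id, author, body) VALUES (?, ?, ?)",
        (post_id, author, body),
    )
    conn.commit()
    return cur.lastrowid


def stored_body(comment_id: int) -> str:
    """Reads the body back exactly as stored (used to verify the binding above)."""
    row = conn.execute("SELECT body FROM comments WHERE id = ?", (comment_id,)).fetchone()
    return row[0]


def render_comment(comment_id: int) -> str:
    """XSS defence at output time: whatever reached the table is entity-escaped,
    so a tag that slipped past the policy check is displayed, not executed."""
    author, body = conn.execute(
        "SELECT author, body FROM comments WHERE id = ?", (comment_id,)
    ).fetchone()
    return f"<p><b>{html.escape(author)}</b>: {html.escape(body)}</p>"
```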
Beyond the features mentioned above, some advanced security aspects included in the website are:
- A One Time Password scheme is used by the admin to generate temporary passwords, valid only for one login session, for a user wanting to edit or add posts. After the temporary user logs out the password is no longer valid, which prevents any hack or malicious use of a provided username and password.
- A Captcha is a type of challenge-response test used in computing to ensure that a response is not generated by a computer. Captchas are used to prevent automated software from performing actions that degrade the quality of service of a system, whether through abuse or resource expenditure, and so can protect systems vulnerable to spamming. They are also used to minimize automated posting to blogs, forums and wikis, whether for commercial promotion, harassment or vandalism. On our website, Captchas appear in the comments section after posts and articles and on the login page (after three incorrect attempts) to ensure that the person attempting to log in is human.
- Access control (different access permissions for different users) is required because different types of users will visit pages, edit posts and comment on articles. It is implemented through different types of login accounts, such as an admin user, a temporary user, a user with few privileges, etc.
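An added example in Python of the one-time password and login-captcha logic described in the list above (illustrative code, not the WordPress plugins the site uses): the admin mints a random password and stores only its salted hash, the first successful login consumes it and opens a session, logout ends that session, and after three failed attempts for a username the login refuses to proceed until the form's captcha has been passed. The in-memory dictionaries and the `captcha_ok` flag (standing in for the captcha plugin's verdict) are assumptions of the example.

```python
import hashlib
import hmac
import secrets

# Constructed in-memory stores standing in for the site's user and session tables.
_otps = {}        # username -> (salt, digest) of an unused one-time password
_sessions = {}    # session id -> username
_failures = {}    # username -> consecutive failed login attempts
CAPTCHA_AFTER = 3  # failed attempts after which the login form demands a captcha


def _digest(salt: bytes, password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def issue_otp(username: str) -> str:
    """Admin side: mint a random temporary password and keep only its hash."""
    password = secrets.token_urlsafe(12)
    salt = secrets.token_bytes(16)
    _otps[username] = (salt, _digest(salt, password))
    return password  # handed to the temporary user out of band


def needs_captcha(username: str) -> bool:
    return _failures.get(username, 0) >= CAPTCHA_AFTER


def login(username: str, password: str, captcha_ok: bool = False):
    """Returns a session id on success, None otherwise. The password is consumed
    on its first successful use, so it buys exactly one login session."""
    if needs_captcha(username) and not captcha_ok:
        return None  # the form must show a captcha before another attempt counts
    entry = _otps.get(username)
    if entry is None or not hmac.compare_digest(_digest(entry[0], password), entry[1]):
        _failures[username] = _failures.get(username, 0) + 1
        return None
    del _otps[username]  # single use: presenting this password again fails
    _failures.pop(username, None)
    sid = secrets.token_hex(16)
    _sessions[sid] = username
    return sid


def logout(sid: str) -> None:
    """Ends the session; the password that opened it was already discarded."""
    _sessions.pop(sid, None)


def current_user(sid: str):
    return _sessions.get(sid)
```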
User controls on the built website:
The admin can track any sort of user activity on the site, monitoring data such as the browser used, OS, IP address, time of operation and other activities such as mouse-click events. All this information is made available to the administrator to detect any malicious activity by an attacker. In addition, on the dashboard (provided by WordPress for management), the admin can view the recent posts or comments on articles awaiting moderation. Analytics reports can also be viewed by the admin to track aggregate user activity.
The admin specifies the categories under which a particular article or project is to be uploaded and may grant different kinds of access rights to different kinds of users. Each project has an owner with permission to edit only the articles, posts and comments under that project.
The admin can monitor the use and behaviour of the different plugins used to build the site and to enhance its working and security, and can generate the one-time passwords given to temporary users to allow them temporary access to edit or upload certain articles and projects. The owner of each project or category of articles can edit those articles as well as moderate comments made on them.
Temporary User controls:
A temporary user is granted access through One Time Password generation, and is only allowed to view posts and articles and post comments on them. No other privilege is given to such a user. Once logged out of the session, this user cannot use the same password for future logins.
This article seeks to aid those interested in building a “secure, functional” website that is resistant to hacks and malicious use and provides all the functionality required, from social networking to blogging to video uploads. The website architecture discussed above covers the user interface, and the rest of the report covers how to make this interface stable and secure. Thus a content manager combined with apt plugins and scripts can be used to quickly and efficiently build a secure, functional website.
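An added sketch in Python (not the site's own code) of the access-control rules described in the user-controls sections above: everyone who is logged in may view and comment, a project owner may edit and moderate only posts under their own project, the admin may do everything including generating one-time passwords and assigning rights, and a temporary user gets nothing beyond viewing and commenting. The role names and the `Post.project` field are assumptions of the example.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class User:
    name: str
    role: str            # "admin", "owner" or "temporary" (assumed role names)
    project: str = ""    # for owners: the project/category they own


@dataclass(frozen=True)
class Post:
    id: int
    project: str         # the category the admin filed the post under
    author: str


ACTIONS = {"view", "comment", "edit", "moderate", "generate_otp", "assign_rights"}


def can(user: User, action: str, post: Optional[Post] = None) -> bool:
    """Single permission check that every request handler consults before acting."""
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    if action in ("view", "comment"):
        return True  # every logged-in account, temporary ones included
    if user.role == "admin":
        return True  # categories, access rights, OTP generation, any edit
    if user.role == "owner" and action in ("edit", "moderate"):
        # owners act only on posts and comments filed under their own project
        return post is not None and post.project == user.project
    return False  # temporary users get nothing beyond view and comment


def editable_posts(user: User, posts: list) -> list:
    """Convenience for the dashboard: ids of the posts this user may edit."""
    return [p.id for p in posts if can(user, "edit", p)]
```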