Thursday, November 26, 2009

Top 5 Security Checks for your Website


Today, just building a website is not enough; you also need to know how to manage it. So before your website gets into the limelight, make sure you know how to defend it against hackers and spammers.

Here are the top 5 security guidelines to make your environment more secure and keep it out of the wrong hands.


1. SQL Injection



SQL Injection is a vulnerability in which the attacker changes the structure of backend SQL statements by injecting carefully crafted SQL commands/statements through poorly validated HTML input fields/parameters (taking advantage of insecure code) in order to:
  1. Steal, update or delete information present in a database.

  2. Cause a Denial of Service attack on a web application by shutting down the database.

  3. Bypass the authentication mechanism of a web application.


How to avoid SQL Injection:

  1. Use parameterized queries, stored procedures or bind variables to access the database and avoid dynamic SQL queries.

  2. Validate all user-supplied input to your web application for type, length, format and range before exposing the values to your backend (database) logic.

  3. Enforce a strong, centralized and customized error handling mechanism in your web application and do not display database errors to end users, since they reveal sensitive information such as table names, fields, database drivers, SQL statements, etc.
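The following is an added illustration, not code from the original post: a constructed in-memory SQLite table, a login check built with dynamic SQL beside the parameterized version the post recommends, and the input validation from item 2. The names (users table, validate_username) are assumptions for the example.

```python
import sqlite3

# Constructed in-memory database with a single user row (sample data only).
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")


def login_dynamic_sql(name, password):
    """Vulnerable: the statement is built from strings, so a quote in the
    input changes the structure of the query (the dynamic SQL the post
    warns about)."""
    query = (f"SELECT name FROM users WHERE name = '{name}' "
             f"AND password = '{password}'")
    return conn.execute(query).fetchone()


def login_parameterized(name, password):
    """Safe: '?' placeholders keep the statement fixed; the input is bound
    as data and can never become part of the SQL."""
    query = "SELECT name FROM users WHERE name = ? AND password = ?"
    return conn.execute(query, (name, password)).fetchone()


def validate_username(name, max_len=32):
    """Defence in depth (item 2 of the post): check type, length and format
    before the value reaches the database layer."""
    if not isinstance(name, str) or not 0 < len(name) <= max_len:
        return False
    return name.isalnum()


# The textbook tautology in the password field: it satisfies the WHERE
# clause of the string-built query but is only a literal to the bound one.
TAUTOLOGY = "' OR '1'='1"
```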




2. Cross Site Scripting (XSS) and Cross Site Request Forgery (XSRF)



Cross Site Scripting (XSS) is a security exploit in which the attacker executes malicious script/code (written in JavaScript, VBScript, ActiveX, Flash, HTML, etc.) in the victim’s browser by taking advantage of poorly validated data input points/HTML parameters (insecure code) to:
  1. Compromise or steal the user’s sensitive information (SSN, credit card number) or hijack the session.

  2. Steal cookies (account hijacking) or poison cookies.

  3. Cause a Denial of Service attack by executing malicious code (viruses) on end-user systems.

  4. Deface or modify the appearance of the web application.


How to avoid XSS and XSRF

  1. Always encode data that was received as input when you write it out as HTML. This protects against data that, for whatever reason, was not validated on input and contains a malicious script or payload.

  2. Validate all user-supplied inputs as before.

  3. Try to use POST parameters instead of GET parameters.

  4. Always check the HTTP Referer header before serving a page.

  5. Keep user sessions short.
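As an added illustration (not part of the original post), here is the output encoding from item 1 together with a per-session anti-forgery token that is only accepted on POST requests (item 3). The session store and field names are assumptions made for the example.

```python
import html
import hmac
import secrets

# Constructed server-side session store for the example: session id -> data.
SESSIONS = {}


def render_comment(author, text):
    """Encode untrusted data at the point it is written into HTML (item 1),
    so a script tag becomes inert text instead of markup."""
    safe_author = html.escape(author, quote=True)
    safe_text = html.escape(text, quote=True)
    return f'<div class="comment"><b>{safe_author}</b>: {safe_text}</div>'


def start_session():
    """Create a session and an unguessable anti-forgery token for it."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"csrf": secrets.token_urlsafe(32)}
    return sid


def csrf_field(sid):
    """Hidden form field to embed in every state-changing POST form."""
    token = SESSIONS[sid]["csrf"]
    return f'<input type="hidden" name="csrf" value="{token}">'


def accept_post(sid, method, form):
    """Accept a state-changing request only when it is a POST (item 3) that
    carries this session's token; a page on another site cannot read the
    token, so a forged cross-site request fails the comparison."""
    session = SESSIONS.get(sid)
    if session is None or method != "POST":
        return False
    token = form.get("csrf", "")
    # Constant-time comparison avoids leaking the token through timing.
    return hmac.compare_digest(token, session["csrf"])
```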




3. HTTP Response Splitting



HTTP Response Splitting is a web application vulnerability that results from the application or its environment failing to properly sanitize user input values before they are placed into HTTP response headers.

How to avoid HTTP Response Splitting

  1. Validate all the user supplied input to the web application for type, length, format and range.

  2. Parse all user inputs for HTML and scripts.

  3. Don’t give execute permission to user uploads.
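An added example, not from the original post: a redirect builder that validates a user-derived Location value (item 1, checking type and format) after percent-decoding it, so the value cannot carry a line break into the response headers. The helper names are assumptions for the example.

```python
from urllib.parse import unquote

# Characters that end a header line; a value containing one would let the
# header block be terminated early and further headers or a second response
# body be appended by whoever controls the input.
_FORBIDDEN = ("\r", "\n", "\0")


def validate_header_value(value):
    """Return the decoded value, or raise if it could break out of its line.
    Decoding happens first: checking the raw form would miss %0d%0a."""
    if not isinstance(value, str):
        raise TypeError("header value must be a string")
    decoded = unquote(value)
    if any(ch in decoded for ch in _FORBIDDEN):
        raise ValueError("control characters are not allowed in header values")
    return decoded


def build_redirect(location):
    """Build the raw 302 response for a Location that came from user input."""
    location = validate_header_value(location)
    return (
        "HTTP/1.1 302 Found\r\n"
        f"Location: {location}\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    )


def header_count(raw_response):
    """Number of header lines in a raw response; a correct build of the
    function above always yields exactly two."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    return len(head.split("\r\n")) - 1
```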



4. Canonicalization Attacks



A canonicalization attack occurs when someone supplies a filename that resolves to a file they are not allowed to access, or overwrites a file they are not authorized to overwrite.

Canonicalization attacks may result in:
  1. Loss of confidentiality if protected files are read.

  2. Loss of integrity if files are overwritten.

  3. Denial of Service on the application/system if files are deleted.


How to avoid Canonicalization Attacks

  1. Ensure that the web server hosts content on a secure file system like NTFS.

  2. Set Access Control Lists on files and folders.

  3. Do not keep sensitive files, source code or any such material on the web server machine.

  4. Application developers need to white-list the directories the application is allowed to access.

  5. Use regular expressions to control which files/folders can be accessed.

  6. Reduce UTF-8 encoded input to its canonical form before checking it.
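As an added example (not from the original post), this helper applies items 4 and 6 in the order that matters: decode and normalise the user-supplied path to one canonical form first, then check that it stays under the document root and inside a white-listed directory. The document root and directory names are constructed assumptions.

```python
import os
import unicodedata
from urllib.parse import unquote

# Constructed document root and white list for the example (item 4).
WEB_ROOT = os.path.normpath("/srv/www/public")
ALLOWED_DIRS = ("docs", "images")


def canonical_path(user_path):
    """Reduce a user-supplied path to one canonical on-disk form before any
    check is made: percent-decode, normalise Unicode (item 6), treat
    backslashes as separators, then collapse '.' and '..' components."""
    decoded = unquote(user_path)
    if "\0" in decoded:
        raise ValueError("NUL byte in path")
    decoded = unicodedata.normalize("NFC", decoded)
    relative = decoded.replace("\\", "/").lstrip("/")
    # normpath resolves '..' lexically; a deployment that serves from a tree
    # containing symlinks should additionally apply os.path.realpath here.
    return os.path.normpath(os.path.join(WEB_ROOT, relative))


def safe_open_path(user_path):
    """Return the canonical path if it is inside WEB_ROOT and in a
    white-listed top-level directory; return None otherwise."""
    full = canonical_path(user_path)
    if os.path.commonpath([WEB_ROOT, full]) != WEB_ROOT:
        return None          # '..' sequences escaped the document root
    top = os.path.relpath(full, WEB_ROOT).split(os.sep, 1)[0]
    if top not in ALLOWED_DIRS:
        return None          # not a directory the application may serve
    return full
```

Note that the traversal checks are made on the decoded, normalised value; a check on the raw "%2e%2e" form would pass strings that later resolve outside the root.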



5. Privilege Escalation - Cookie Manipulation



Web applications normally use browser cookies to save user information; the application then uses this information to determine the user’s privileges and, based on that, grants the user access to the functionality present in the application.

An attacker can manipulate cookies to:
  1. Alter cookie values to fraudulently authenticate to a web site.

  2. Escalate privileges to access functionality they are not authorized to use.

  3. Compromise another user’s profile.


How to avoid Cookie Manipulation

  1. Avoid storing sensitive information in cookies; use session variables to store this information on the server side.

  2. Use a single session token in the cookie that references properties stored in a server-side cache.

  3. Build intrusion detection hooks that evaluate the cookie for infeasible or impossible combinations of values, which would indicate tampering.

  4. Encrypt the cookie to prevent tampering.

  5. Use HTTPS (HTTP over SSL), which encrypts the information transmitted over the communication channel.
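As an added example (not code from the original post), the cookie below carries only an opaque token that references a server-side cache (items 1 and 2). For the tamper detection of item 4 it uses an HMAC signature rather than encryption, since the cookie holds no secret to hide and a keyed MAC is what lets the server detect a changed value. The key, cache and role names are constructed assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed server-side key and session cache: the user's role lives here,
# never in the cookie, so the client cannot edit it into 'admin'.
SERVER_KEY = secrets.token_bytes(32)
SESSION_CACHE = {}


def _sign(token):
    return hmac.new(SERVER_KEY, token.encode(), hashlib.sha256).hexdigest()


def issue_cookie(user, role):
    """Create a session entry and return the cookie value 'token.signature'."""
    token = secrets.token_urlsafe(32)       # opaque, unguessable reference
    SESSION_CACHE[token] = {"user": user, "role": role}
    return f"{token}.{_sign(token)}"


def session_from_cookie(cookie):
    """Return the server-side session for a cookie, or None if the cookie is
    malformed, was altered, or references no session. Without SERVER_KEY an
    attacker cannot produce a valid signature for a token of their choosing."""
    if not isinstance(cookie, str) or cookie.count(".") != 1:
        return None
    token, sig = cookie.split(".")
    if not hmac.compare_digest(sig, _sign(token)):
        return None                         # signature mismatch: tampering
    return SESSION_CACHE.get(token)


def is_admin(cookie):
    """Privilege decision taken from the cache, not from anything the client
    sent beyond the verified token."""
    session = session_from_cookie(cookie)
    return session is not None and session["role"] == "admin"
```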

Sunday, April 26, 2009

7 Tips To Protect Your MySpace Account Hacking


Today social networking platforms have become very interesting. Ya, both for users and hackers. Being open social environments, social networking sites have always been a preferred choice for novice hackers to try out some cool, or should I say ugly, hacking techniques. Being in a risk-prone medium, you are the one who is responsible for your security. So here are some useful guidelines to keep yourself safe across all of these.

Always check the address of the site (URL) where you are logging in: This is absolutely necessary whenever you are not opening MySpace by typing the URL as http://www.myspace.com/.... Especially when you are being redirected to a MySpace login page, you must be aware of the page where you are putting your username and password. This is one of the oldest hacking techniques that several people try on novice Internet users. So whenever you are asked to log in to MySpace by any other page, always remember to check the URL in the address bar of your browser to verify that you are really logging in to MySpace only.

Avoid any suspicious link: If you are not sure, don’t endanger yourself there. You never know how easily these links can remotely install keyloggers that record your keystrokes and report them to the hacker, just because you clicked on a seemingly harmless link.

Avoid putting much sensitive information in your public profile: Even if you make your profile private with lots of internal information, there are numerous ways to find a fault in the privacy measures of these social networking sites, and then your information can end up in the wrong hands. It is better to share your information over more secure media.

Avoid running external JavaScript in your browser: JavaScript is the hackers’ best choice. A single line of JavaScript can do a hell of a lot of things that are not funny at all, including cookie stealing, session sharing and various other techniques where JavaScript can harm you before you ever know it.

Strengthen your password: Is your password strong enough that you think you may forget it often? No, I am not asking you to forget your password. I am asking whether it is something that relates to you too easily. Do not use only numbers or only letters; use a random combination of both. A weak password is easily guessed, so also avoid putting personal information inside a password.

Avoid downloading files unless you are sure: Do not download a file (especially .exe, .rar, .zip, .htm or .bat files) unless you surely know what is inside. If you are still downloading one, make sure that you have good anti-virus and anti-spyware software to guard you against any kind of attack, should one happen. Do not trust a suspicious downloadable file even if it comes from a friend; he may not even know that he has sent it.

Beware of spam: Social networks like MySpace rely on users to enrich the experience by posting content such as pictures and video (as well as links) and then sharing the content with their contacts. Spam-based social networkers will go to other people’s comment threads, for instance, and chime in with links that, if clicked, will install malware. So beware of that too.

With these things taken care of, you can expect a better and more secure web platform for your social networking.

Saturday, April 11, 2009

Make your own website for free – just now!!!


The Web is going to be the platform of future computing and networking. So why are you standing behind? Make your own website and mark a position among millions of people around the world. Today a web presence has become the signature of elegance and intelligence. But if you think you cannot afford those high server costs, you are getting frightened in vain. Now you can easily make your own website for free. Ya! It’s as easy and realistic as I said. Today we have several good web hosting service providers who offer their basic plans for free, and you can rely on them to start your own website.

If you are hesitating because you do not know the steps to follow to have your own website for free, you can easily use the automatic site setup wizards that the web hosts provide. This way it’s so easy that even your grandmother can set up a website for herself. You don’t need any programming skills or site management knowledge. You just need to know your preferences.

So what are you waiting for? Go and make your own website for free today and use it to have your own web presence, your own next-generation identity, some extra income, to mark your presence and to keep yourself updated with advanced trends. I bet that once you start having your own website, you can’t have just one. You are going to have several websites with new ideas and will love the way they grow.

Sunday, March 22, 2009

Facebook also Doesn’t Support Opera - Is Opera Abolished?


Is Opera going to be abolished very soon? That was my first thought when I saw that I can’t log in to Facebook on Opera. You can’t even type your email address into the login field of Facebook while you are on Opera! I am sure that Facebook knows this and is fine with it. So is it an indication that, like several others, Facebook also doesn’t care about Opera users?

When Yahoo! chose to leave Opera out of its supported browsers list, maybe that was the mere beginning. A beginning of the end of Opera? Google also doesn’t support Opera for many of its applications. So is it a harsh truth that in the age of web applications, Opera is going to be abolished by all?

It is not astonishing that a browser with the lowest JavaScript performance will not be the winner of the browser war. And maybe the end of Opera is heading our way soon. But I still think Opera has a considerable share of mobile apps. Opera Mini may be much more successful in this respect. Opera for mobiles has reached millions of phones and is running quite fairly till now, though Google Chrome and Safari are also not far behind in this matter.

Whatever the end result, it again shows the moral that whoever does not update and refine with respect to the changing needs of the time will be abandoned.

Tuesday, February 3, 2009

How to enable cURL support for PHP in Apache on Windows


So you want to enable cURL on your Apache server? It is really easy and simple. But first you should check whether cURL is already enabled on your server. Here is a very simple way to check:

Create a phpsetup.php file and put this code within it:

<?php phpinfo(); ?>

Now view that phpsetup.php page in your browser and you will get all the details of your PHP setup on your server. Search for “cURL support”. If you can’t find it, cURL support is not enabled on your system. But if you can find it and it shows “enabled”, then you already have cURL enabled on your system.

If cURL is not enabled on your system, you can easily enable it by the following method:

Locate the following files:
bin\apache\apache2.x.x\bin\php.ini
php\php.ini
php\phpX\php.ini


Search for ;extension=php_curl.dll

Remove the semicolon at the start of the line. Removing the semicolon uncomments the line and enables the extension.

In most cases, just editing the first php.ini file, bin\apache\apache2.x.x\bin\php.ini, enables cURL on your server. But if editing the first file doesn’t enable cURL, you will need to edit the other files too.

Now just restart your Apache server and cURL is enabled on your server.

Check your phpsetup.php page again and search for “cURL support” to verify that cURL has been properly enabled.

Wednesday, January 28, 2009

How to find unused CSS classes and selectors within a website

Many times we think of using some class or id within a CSS file but later decide not to use it after all. And several times we forget to delete those classes from the CSS file. This may not be a problem for sites that use very little CSS, but it can account for many unnecessary and unwanted junk lines in your CSS.


Many times we use more than one CSS file for a site or application and copy across many unused classes or ids. This way the amount of code loaded every time becomes considerable. These unwanted CSS selectors should be deleted from the CSS files, and to delete them you first need to identify them.


SitePoint has released a very good tool for this purpose. Dust-Me Selectors is a very useful Firefox extension that helps you easily identify those unused CSS selectors. It also has some added advantages. It understands the different ways to include and import CSS files within web pages and can also check inline CSS styles. Stylesheets imported within IE conditional comments are parsed well by this tool. It also understands well-known CSS hacks. You can even check a whole site directly with this tool. Just install the Dust-Me Selectors extension in your Firefox browser and remove the junk code within your CSS, if any. Make cleaner and more useful CSS from now on.

Tuesday, January 13, 2009

Puzzled with Web Hosting Providers – Choose the Best Web Host for You

Are you planning to establish your web presence, or have you got pissed off with your present web hosting provider and are looking for a new one? So you would be looking here and there, searching for different web hosting providers and their reviews from different users. But the more sites you see and the more reviews you read, the more confused and puzzled you are going to be about them. Many times it’s really hard to come to any decision, because the whole world is neither white nor black; there are lots of shades of gray. Try Web Hosting Geeks.

So you may have seen many web hosting providers and many sites about them. You may also have gone through several reviews and testimonials about those providers. But now try something on Web Hosting Geeks. Here you will find easily understandable information, at a glance as well as in detail. Every user here is experienced and knows what he/she is talking about. So the reviews here are much more likely to be accurate and helpful.

The thing I like best about Web Hosting Geeks is the overview on the homepage. It gives much useful information about the top web hosts we usually talk about. Then the most interesting reviews are the green hosting reviews, which list the top eco-friendly web hosting providers, which is a very good initiative to improve our environment. I think people should go for more eco-friendly service providers, which has lots of benefits in itself.

So use this helpful service from Web Hosting Geeks and the resourceful information of real-life users to decide which web hosting provider you are going with.