The Hostway Blog

Keep Visitors Safe when they Post on Your Site

Recently, there have been several news stories about the Web sites of huge businesses being hacked and their user information compromised. When this happens to a large department store or other well-known business, it is definitely headline news. However, 80 percent of attacks on Web sites target very small businesses.

Allowing Comments Engages Visitors

Allowing visitors to comment on your Web site can be a valuable marketing tool and can draw new visitors to the site as well. Commenting on or uploading content to a favorite site gives visitors a feeling of belonging and community, and it keeps them returning time after time to check for updates and news and to add new commentary. However, it can leave your site, and your visitors, vulnerable to attack.

Common Attack Method

One common attack, cross-site scripting (XSS), threatens the privacy of proprietary information. The method uses JavaScript placed in a page to steal information and deliver it to the hacker’s computer. Cookies set by the Web site are the usual targets. When a browser loads the page and runs the script, the hacker can receive all types of private data, such as administrative passwords and visitor data.

Is My Site Vulnerable?

It is difficult for a Web site owner to really know who is uploading content and comments to the site. A nefarious visitor can post a comment containing HTML code, and that code may include JavaScript with instructions to steal cookie information. The user submits the comment and it sits in the queue with other comments waiting for approval. The site owner then logs on with administrative rights and reviews the comments. As he opens the comment left by the hacker, the malicious script is executed silently by the Web browser and collects administrative login information. This packet of data is then sent to the hacker’s computer or site. The hacker can now log in to the vulnerable Web site and download account information and all customer/visitor data.

Prevention is Best

The first step is to know who is commenting on the site by requiring visitors to create an account before being allowed to add content. The easiest way to prevent attacks is to not allow visitors to post HTML code when commenting. There are inexpensive programs that will strip any HTML code or other markup from user content. However, some Web site owners would like to allow visitors to include HTML code in their comments for a variety of reasons. In that case, the Web site developer can include code that keeps user-uploaded HTML disabled until it has been reviewed and cleared by the administrator. Make certain all computers associated with the site have all software updates in place. Invest in inexpensive, real-time scanning tools that will scan user content and check for suspicious code and spam.
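The scenario above (a script hidden in a pending comment running in the administrator's browser) and the "disable HTML until reviewed" measure can both be shown in a few lines. The following is an added example, not code from the Hostway post or from any particular comment system; the comment object, the sample comment body and the function names are constructed for illustration.

```javascript
// Added example: rendering visitor comments so that markup in a comment is
// displayed as text, on the public page and in the moderation queue alike.

// Escape the five characters that let text be interpreted as HTML.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Constructed sample: a comment awaiting approval that carries a script tag.
const pendingComment = {
  author: 'visitor',
  body: 'Nice post! <script>alert("xss")</script>',
  status: 'pending',
};

// Unsafe rendering: the comment body is pasted into the page as-is, so the
// administrator's browser parses it as HTML and runs the script when the
// moderation page is opened.
function renderCommentUnsafe(comment) {
  return `<li><b>${comment.author}</b>: ${comment.body}</li>`;
}

// Safe rendering: every visitor-controlled field is escaped, so the same
// comment is shown literally. Unreviewed HTML stays inert because it is never
// emitted as markup; the moderator sees exactly what the visitor typed.
function renderComment(comment) {
  const note = comment.status === 'pending' ? ' <i>(awaiting review)</i>' : '';
  return `<li><b>${escapeHtml(comment.author)}</b>: ${escapeHtml(comment.body)}${note}</li>`;
}

// Heuristic check of the kind a content scanner applies to flag suspicious
// comments for the site owner. It is a flag for review, not a substitute for
// escaping: output escaping is what actually prevents execution.
function containsActiveMarkup(body) {
  return /<\s*(script|iframe|object|embed)\b|\bon[a-z]+\s*=|javascript:/i.test(body);
}

// Stand-alone run: show both renderings of the constructed comment.
console.log('unsafe:', renderCommentUnsafe(pendingComment));
console.log('safe:  ', renderComment(pendingComment));
console.log('flagged:', containsActiveMarkup(pendingComment.body));
```

The same escaping must be applied wherever a comment is displayed; a site that escapes on the public page but not in the administrator's review screen leaves exactly the gap the attack above relies on.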

Taking these simple measures to protect private data will go a long way toward building customer confidence and the cyber-reputation of your Web site.