How to protect your website

Ramon21

Hi guys, I'm back with some information. I'm sorry, I get a lot of messages but I can't answer all of them at the right time as you want because I'm kinda busy. I hope you don't worry if I answer you late.

OK, let's start with how to protect our website or online service from bad guys.

First, anything in technology has weak points and bugs, so bad guys are everywhere and they want to try to break your service, some of them to leak the database, some of them to hijack user sessions like bank accounts or PayPal accounts. So when you have a website or develop a website by yourself, you need to do something in your code to protect your hard work, your customers, your users, etc.

First rule: never trust user input / their browser on your website.

First technique (CSRF token protection)

This technique is used in medium or large applications like (bank websites, online shopping, gambling websites, much more). It generates an encrypted (hash) version of the user session in the browser for each request sent by the user. Let's say I want to send $10 to my friend named Bobe. When I enter the amount and her address, in the hidden field the CSRF token is generated for this request. If the CSRF token is valid against the server token, then the input will be processed. After the input is accepted without problem, this token should be, or must be, expired and a new one generated, because if the bad guy tries to resend this request without validation of the CSRF token, or maybe the user's browser session has been hijacked by the bad guy, then the amount will be resent. So you need to generate a token for each request by the user and validate the token to protect both your website and your user.
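The per-request, single-use token flow described above, as an added Python example that is not part of the original post. The session dict, the server secret and the `transfer` form handler are constructed for the example; the token is HMAC-bound to the session id, stored server side, and burned after one successful check so a resent form is rejected.

```python
import hashlib
import hmac
import secrets
import time

# Assumption for this example: the key is loaded from server config, never from the client.
SECRET_KEY = b"constructed-example-secret"
TOKEN_TTL = 600  # seconds a token stays valid before it must be reissued


def _mac(session_id, nonce, issued):
    """Bind nonce and issue time to the session so a token from one session fails in another."""
    msg = f"{session_id}:{nonce}:{issued}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def issue_csrf_token(session):
    """Mint a fresh single-use token for one form/request and remember it server side."""
    nonce = secrets.token_hex(16)
    issued = int(time.time())
    token = f"{nonce}.{issued}.{_mac(session['id'], nonce, issued)}"
    session.setdefault("csrf_tokens", set()).add(token)
    return token


def validate_csrf_token(session, token, now=None):
    """Accept the token once, then burn it so a replayed request is rejected."""
    now = int(time.time()) if now is None else now
    try:
        nonce, issued_text, mac = token.split(".")
        issued = int(issued_text)
    except ValueError:
        return False  # malformed token
    expected = _mac(session["id"], nonce, issued)
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return False  # forged, tampered, or issued for another session
    outstanding = session.get("csrf_tokens", set())
    if token not in outstanding:
        return False  # already used, or never issued to this session
    outstanding.discard(token)  # single use: a resend of the same form fails
    return now - issued <= TOKEN_TTL  # expired tokens are discarded too


def transfer(session, form):
    """Process the hidden-field form only if its CSRF token checks out."""
    if not validate_csrf_token(session, form.get("csrf_token", "")):
        return "rejected"
    return f"sent {form['amount']} to {form['to']}"
```

The server-side set of outstanding tokens is what makes the replay check work; a token that is only checked for a valid signature, but never consumed, can be resent as often as the attacker likes.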

SQL Injection (The most common hacker technique to leak a database)

SQL injection usually occurs when you ask a user for input, like their username/userid, and instead of a name/id, the user gives you an SQL statement that you will unknowingly run on your database.

Look at the following example which creates a SELECT statement by adding a variable (txtUserId) to a select string. The variable is fetched from user input (getRequestString):

SQL:
txtUserId = getRequestString("UserId");
txtSQL = "SELECT * FROM Users WHERE UserId = " + txtUserId;

SQL Injection Based on 1=1 is Always True

Look at the example above again. The original purpose of the code was to create an SQL statement to select a user, with a given user id.

If there is nothing to prevent a user from entering "wrong" input, the user can enter some "smart" input like this:

UserId:

Then, the SQL statement will look like this:

SQL:
SELECT * FROM Users WHERE UserId = 105 OR 1=1;

The SQL above is valid and will return ALL rows from the "Users" table, since OR 1=1 is always TRUE.

Does the example above look dangerous? What if the "Users" table contains names and passwords?

The SQL statement above is much the same as this:

SQL:
SELECT UserId, Name, Password FROM Users WHERE UserId = 105 or 1=1;
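The `txtUserId` example above, run for real in Python against an in-memory SQLite table, as an added example that is not part of the original post. The `Users` rows and the two lookup functions are constructed for the example: the unsafe one glues the input into the statement exactly as the post shows, the safe one validates the type and binds the value as a parameter.

```python
import sqlite3


def build_demo_db():
    """In-memory Users table with constructed rows, standing in for the real database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (UserId INTEGER PRIMARY KEY, Name TEXT, Password TEXT)")
    conn.executemany(
        "INSERT INTO Users VALUES (?, ?, ?)",
        [(104, "Alice", "hash-a"), (105, "Bobe", "hash-b"), (106, "Carol", "hash-c")],
    )
    return conn


def find_user_unsafe(conn, txt_user_id):
    """The pattern from the post: the raw input is glued into the statement text."""
    txt_sql = "SELECT UserId, Name, Password FROM Users WHERE UserId = " + txt_user_id
    return conn.execute(txt_sql).fetchall()


def find_user_safe(conn, txt_user_id):
    """Validate the type first, then bind the value so it can only ever be data."""
    try:
        user_id = int(txt_user_id)  # "105 OR 1=1" is not a number: reject it outright
    except ValueError:
        return []
    return conn.execute(
        "SELECT UserId, Name, Password FROM Users WHERE UserId = ?", (user_id,)
    ).fetchall()


if __name__ == "__main__":
    db = build_demo_db()
    print(find_user_unsafe(db, "105 OR 1=1"))  # all three rows, passwords included
    print(find_user_safe(db, "105 OR 1=1"))    # []
    print(find_user_safe(db, "105"))           # [(105, 'Bobe', 'hash-b')]
```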


Use the SSL/TLS protocol (The security layer between the user's browser/network and your server)

Today, modern browsers detect the website protocol. If the website uses the standard HTTP protocol, then they give you a red banner, because any data sent over normal HTTP can be intercepted, or a bad guy can see what happens when they send the data to your server backend. But when you use SSL or TLS, all of the requests are encrypted, then sent to the server, then the server decrypts the request, then accepts the request.

Limit user requests (for login)

We have a simple technique called (brute force attack): the bad guy gives the tool a huge word list or password list, then it requests the username/password randomly until the script detects the right or correct one. Make sure your user login requests are only allowed 3 times, then limit the requests for about 30 minutes or maybe 1 hour to protect your website from this attack.
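The "3 attempts, then block for 30 minutes" rule above as an added Python example, not code from the original post. The `LoginLimiter`, the `demo_users` table and the `attempt_login` handler are constructed for the example; the limiter is consulted before the password is ever checked, and the counter resets once the lock expires or the user logs in successfully.

```python
import hashlib
import hmac

MAX_FAILURES = 3            # the post's "only 3 times"
LOCKOUT_SECONDS = 30 * 60   # then block for 30 minutes


class LoginLimiter:
    def __init__(self, max_failures=MAX_FAILURES, lockout=LOCKOUT_SECONDS):
        self.max_failures = max_failures
        self.lockout = lockout
        self._failures = {}      # account -> consecutive failed attempts
        self._locked_until = {}  # account -> unix time the lock expires

    def is_locked(self, account, now):
        until = self._locked_until.get(account)
        if until is None:
            return False
        if now < until:
            return True
        del self._locked_until[account]  # lock expired: start counting afresh
        self._failures.pop(account, None)
        return False

    def record_failure(self, account, now):
        count = self._failures.get(account, 0) + 1
        self._failures[account] = count
        if count >= self.max_failures:
            self._locked_until[account] = now + self.lockout

    def record_success(self, account):
        self._failures.pop(account, None)


def demo_users():
    """Constructed accounts. A real system stores a slow hash (bcrypt/argon2), not SHA-256."""
    return {"alice": hashlib.sha256(b"correct horse").hexdigest()}


def attempt_login(limiter, users, username, password, now):
    """Returns 'locked', 'denied' or 'ok'; the limiter is consulted before the password."""
    account = username.lower()
    if limiter.is_locked(account, now):
        return "locked"
    stored = users.get(account, "")
    given = hashlib.sha256(password.encode()).hexdigest()
    if stored and hmac.compare_digest(given, stored):
        limiter.record_success(account)
        return "ok"
    limiter.record_failure(account, now)
    return "denied"
```

Counting failures only per account means anyone who knows a username can lock its owner out, so production deployments usually count per source address as well and keep the counters in shared storage (for example Redis) rather than in one process's memory.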

Don't use some shit CMS script

Why are all of the WordPress websites the most common hacker target? Because every algorithm of this web script is public (like the admin section being stored in a folder called wp-admin), so this is not secure. There are some ways to hide this folder or block it for restriction, but we have bad guys that can easily hijack your admin section or just use some tool or crawler to detect the right location.

Use a WAF (This is sometimes called a website or server firewall)

Most of the websites use Cloudflare because they provide both (firewall & CDN). A website firewall hides your real server IP behind some reverse proxy IP, so your real web server IP is safe when they want to DDoS your website, or even try to run some trick command to make your website be exploited; then the firewall ignores the request and blocks it. And if the bad guy uses a botnet or a large network to attack your service, your real server or website is not shut down, because all the attack is sent to the reverse proxy like your Cloudflare, so your Cloudflare service is down, not your real one.


I hope this gives you some tricks to protect your hard work and your mission. I promise another day I will explain web security much more and with practice. I hope all of you stay safe and keep your service safe.

Sorry if I make a mistake or don't introduce the topic as much as you want.

If you have any question or want anything, just send me a PM.
 
5 comments
Thank you very much for this material. It was really interesting to read how it all works. Some things I hear about for the first time. It is very useful to develop in this direction.