The world wide web is a dynamic, exciting place to launch a new business or promote your organization's message. It's also a lawless landscape in which black hats – crackers, hackers and other on-line evil doers – roam with very little oversight or law enforcement.
And that means it's up to every site owner to ensure that his or her site is defended against intrusions, code injections and other forms of attack. There's plenty of software to help keep hackers out of your desktop pc, but what about your hosting service? How can you protect server-based data?
Top-tier web hosting firms design proprietary hardware and software protection to ensure that your business is secure. But site security doesn't stop with impenetrable firewalls, spam zappers and e-mail scanners. In fact, if you go with a hosting service that isn't up to speed on the latest forms of hacker attackers, you could quickly find your site is no longer under your control!
Great hosts "harden" their server systems to deter and deflect known exploit points in the software the servers run and in any client-site's code! There is where the value of quality hosting comes into play .
XSS Attacks
XSS stands for cross site scripting and it poses a threat to even the most secure sites because XSS exploits vulnerable hardware and software holes that allow black hat SEOs to circumvent commonly employed security systems. In an XSS attack, black hats inject malicious HTML script into site pages of other domains. They do this for two reasons.
First, in some instances, black hats inject undetected scripting into competitor sites to taint these sites when SE bots spider them. Imagine, a competitor is able to access your site's code, insert invisible text (at least invisible to you) and, when an SE bot discovers this invisible text, your site is slammed. Even banned from Google. Don't think it can happen? It closes down on-line businesses daily.
So what kind of attacks can be "planted" on your site? There are plenty:
- Redirects take visitors to another site as soon as they reach yours.
- Overloading alt tags, meta tags and other interior coding with keywords, sometimes called keyword stuffing.
- Inaccurate or misleading keywords inserted within site pages.
- Cloaking, which detects search engine spiders and changes site text to improve PR.
- Pagejacking, the practice of stealing site content, can not only cost you in sales, it can also slam your PR because your content isn't "original" any longer.
Any of these black hat SEO tactics and more (spamglish, links farms, virus injections, etc.) can and will do severe, if not irreparable, damage to your on-line enterprise. Why?
SE Bots Are Brainless
SE spiders are dumber than a box of rocks. They're unable to discern legitimate text from a malware injection. They rely, solely, on automation to assess and categorize a site. There's no subjective analysis. Just text strings that are sorted completely by brainless bots.
A competitor, using one of the XSS attacks listed above, exploits to "de-optimize" and make it appear that you're using black hat SEO tactics, or can gain access to your site through a web browser and/or inject toxic data to devalue your content.
Google Penalties For Black Hat Tactics
The purpose of any search engine is to deliver relevant, useful SERPs to users' queries. So, when a Google bot discovers what it perceives as an attempt to falsely increase value, the site may suffer serious, site-threatening sanctions.
Some of these penalties may be imposed without you even knowing about it – until you discover that site revenues have dropped 75% in two days as a result of lost rankings and traffic! A site discovered to employ black hat SEO may be penalized in page rank, may lose PR altogether, may experience SE indexing issues (partial or mis-indexing, for example) and, for the worst offenders, banishment from the Google site altogether. Dead in the eyes of Google bots.
So, here's the problem: without your knowledge, a black hat competitor can inject toxic script into your site that could, conceivably, get your site banned from Google. Even if you and your web host have all the firewall and intrusion detection protection there is.
It Gets Even Worse
The second reason black hats use cross site scripting is to actually gain access and control of your on-line business. Certain types of XSS attacks actually enable a complete stranger to acquire the same system privileges reserved for the site owner - you.
Access to sensitive customer data, bank account information, the entire back office – all can be achieved with relative ease by a knowledgeable cracker looking to steal and plunder your site.
Whether the black hat is a competitor who wants to eliminate the competition, or a script-kiddie looking to clean out the till and sell some credit card numbers, your on-line business is at risk regardless of how much security you and your web host deploy.
This Is Where Quality Web Hosting Enters
During the design, administration and growth of a web-based business, numerous tools and applications are used by site owners and designers. There's site building software, email management software, a check-out, customer database, automated shipping apps, tools for developing site metrics and many others.
This software isn't necessarily designed with security as Priority One. Often, there are openings in commonly-used ebiz software that are exploited by black hats during the execution of an XSS attack.
And, because of the nature of these attacks, system and server security measures can be breached because, in essence, the hackers piggyback their way onto an unsuspecting site using the site administrators' credentials to gain access and/or control.
The key to protection from XSS attacks is in the proper configuration of all of the applications and tools that comprise your on-line enterprise. These apps must be synced up to work together while, at the same time, developing protection against XSS attacks.
This configuring of applications is done at the host level and should include a detailed analysis of potential XSS entry points within the site's design and reconfiguration to fit the server security already in place.
Go With The Host Who Knows
If your web hosting service isn't familiar with the growing danger of XSS attacks based on application exploitation points, consider finding a more informed host.
It's not a matter of securing your business system locally. And it's not a matter of the multi-layers of protection offered by your web host.
It's a matter of thinking like a black hat and taking a proactive stance against XSS attacks they may employ. If you aren't sure your site is protected, and your hosting rep can't provide the assurances you require, talk to another hosting company before disaster strikes and your site is banned from Google.
It's that important.
About The Author
Frederick Townes is the owner of W3 HOSTING, a web hosting company dedicated to providing fast servers, guaranteed uptime and reliable, friendly support.
By Frederick Townes (c), ©Copyright 2006
