
Joomla Web Application Development Vulnerabilities


Auto Redirect, What Is It and How It Can Be

Many web designers use auto redirecting for a number of reasons. Auto redirecting
simply means that when a visitor enters a webpage or website, he or she is
redirected to another webpage or website. It is one of the popular techniques used
in search engine optimization strategies to make a website more visible to search
engines and end users and to increase traffic and business. Therefore, to take the
visitor to the correct page of the site, auto redirecting is

Auto Redirecting Is Done for the Following Reasons:
    URL redirect: if the website URL that was created is not search engine
      friendly or user friendly, the webmaster will go for auto redirecting. For
      example, if the webmaster previously created a URL like this and wants to
      change the URL into this, he should go for auto redirect.
    If a web page contains excellent, user-friendly content that has been crawled
      and visited by search engines and users several times, and the weight of
      the page is considered highly important for the website or webmaster, so
      that it should not be deleted, then he goes for auto redirect.
    Even pages with unwanted content, images, text and links can be redirected
      to useful web pages.

Different Methods for Auto Redirecting Include:

Meta Refresh Tag Technique
The meta refresh tag technique is one of the auto-redirecting methods that search
engines can detect automatically. Search engines strongly recommend this method
when there is a reasonable delay between landing on the page and being
redirected; at least 5 seconds is recommended.

...head section stuff (Title, Description, etc.)...
<!-- content holds the delay in seconds (the text above recommends at least 5), then the target URL -->
<meta http-equiv="refresh" content="4;url=filename.html">

JavaScript Technique
This technique is not detected automatically by search engines, as search engines
are unable to parse JavaScript. Although the script can be called anywhere on a
page, it is better to call it in the head section, which makes page loading easier.

<script language="javascript"><!--
location.replace("filename.html"); // redirect as soon as the script is parsed
//--></script>
...other head section stuff (Title, Description, etc.)...

Form Technique
Search engine spiders are not able to fill in form fields, and so they don't make any
attempt to submit forms, which means forms can be used for auto-redirecting.
JavaScript can be used to submit the form as soon as the webpage begins for

<script language="javascript"><!--
// the form is defined in the body, so submit it once the page has loaded
window.onload = function () { document.myform.submit(); };
//--></script>
...other head section stuff (Title, Description, etc.)...
<form name="myform" action="filename.html" method="get"></form>
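
The three techniques above can be recognised in a page's HTML; the following scanner is an added example, not code from the document, and the sample page it scans is constructed. It reports each redirect's target and delay and flags those faster than the recommended 5 seconds.

```python
# Added example (not from the document): scan a page's HTML for the three
# auto-redirect techniques described above and report target and delay.
# The sample page at the bottom is constructed; only the standard library is used.
import re

MIN_DELAY = 5  # seconds; the text recommends at least this for a meta refresh

META_REFRESH = re.compile(
    r'<meta[^>]*http-equiv\s*=\s*["\']?refresh["\']?[^>]*content\s*=\s*["\']'
    r'(?P<delay>\d+)\s*;\s*url=(?P<url>[^"\']+)', re.I)
JS_LOCATION = re.compile(
    r'(?:window\.)?location(?:\.href)?\s*(?:=|\.replace\s*\(|\.assign\s*\()\s*'
    r'["\'](?P<url>[^"\']+)["\']', re.I)
FORM_SUBMIT = re.compile(r'document\.(?P<name>\w+)\.submit\s*\(', re.I)
# attribute order (name before action) as in the snippet above
FORM_ACTION = re.compile(
    r'<form[^>]*name\s*=\s*["\'](?P<name>\w+)["\'][^>]*action\s*=\s*["\'](?P<url>[^"\']+)',
    re.I)

def find_redirects(html):
    """Return (technique, target_url, delay_seconds) for every redirect found."""
    found = []
    for m in META_REFRESH.finditer(html):
        found.append(("meta_refresh", m.group("url"), int(m.group("delay"))))
    for m in JS_LOCATION.finditer(html):
        found.append(("javascript", m.group("url"), 0))   # fires immediately
    actions = {m.group("name"): m.group("url") for m in FORM_ACTION.finditer(html)}
    for m in FORM_SUBMIT.finditer(html):
        # a script-submitted form only redirects if a form of that name exists
        if m.group("name") in actions:
            found.append(("form_autosubmit", actions[m.group("name")], 0))
    return found

def instant_redirects(html):
    """Redirects faster than the recommended delay: the ones to review first."""
    return [r for r in find_redirects(html) if r[2] < MIN_DELAY]

SAMPLE = """<html><head><title>old page</title>
<meta http-equiv="refresh" content="4;url=filename.html">
<script language="javascript"><!--
window.onload = function () { document.myform.submit(); };
//--></script></head>
<body><form name="myform" action="new.html" method="get"></form>
<script>location.replace("other.html");</script></body></html>"""  # constructed

if __name__ == "__main__":
    for technique, url, delay in find_redirects(SAMPLE):
        print(f"{technique:16} -> {url} (delay {delay}s)")
```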

Be careful when creating a website: a delay of a few seconds on a page is
acceptable, but if the page loading time exceeds the normal limit, both search
engines and users lose their patience, the bounce rate increases, and search
engines crawl or index the web page less often. So auto redirecting is

If an instant redirect is necessary and you want to increase traffic and business
for your website, then use the different methods of redirect to make your website
more familiar.
he hackers.

       Insert a random string named token into each POST form and each GET query
       string that is able to modify something in the Joomla system. The Joomla
       Framework provides this protection to the target site.
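
The token mechanism described above, as an added example that is not Joomla's own implementation: a random per-session token is placed in each POST form and each state-changing GET query string and checked in constant time before anything is modified; the session dict and the delete handler are constructed for illustration.

```python
# Added example (not Joomla's own implementation): a random per-session token
# that is embedded in every POST form and GET query string able to modify the
# site, and checked in constant time before the change is made. The dict
# `session` stands in for the server-side session store.
import hmac
import secrets
from urllib.parse import parse_qs, urlencode

TOKEN_FIELD = "token"

def issue_token(session):
    """Create the session's token once and reuse it for every form on the page."""
    if TOKEN_FIELD not in session:
        session[TOKEN_FIELD] = secrets.token_hex(16)   # 128 bits of randomness
    return session[TOKEN_FIELD]

def hidden_field(session):
    """Hidden input to place inside each POST form that modifies state."""
    return f'<input type="hidden" name="{TOKEN_FIELD}" value="{issue_token(session)}">'

def signed_query(session, params):
    """Query string for a state-changing GET link, with the token appended."""
    return urlencode({**params, TOKEN_FIELD: issue_token(session)})

def check_token(session, submitted):
    """True only if the submitted token (parsed body or query, dict of lists)
    matches the session's token; a missing token counts as forged."""
    expected = session.get(TOKEN_FIELD)
    given = submitted.get(TOKEN_FIELD, [""])[0]
    if not expected or not given:
        return False
    return hmac.compare_digest(expected, given)   # constant-time comparison

def handle_delete(session, query_string):
    """A state-changing GET handler guarded by the token; returns the outcome."""
    params = parse_qs(query_string)
    if not check_token(session, params):
        return "403 invalid token"
    return f"deleted article {params['id'][0]}"

if __name__ == "__main__":
    session = {}                                    # constructed session
    qs = signed_query(session, {"task": "delete", "id": "42"})
    print(hidden_field(session))
    print(handle_delete(session, qs))                    # own link: accepted
    print(handle_delete(session, "task=delete&id=42"))   # forged link: rejected
```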

Information Leakage and Improper Error Handling
Sometimes applications leak information about their configuration, internal
workings and private data due to various issues. Hackers use this to steal
sensitive data or to mount serious attacks. Examples of such leaks:
                      Stack traces
                      SQL errors

Broken Authentication and Session Management
Often account details and session tokens are not properly protected, and
attackers steal passwords, keys or authentication tokens to know other users’

       To prevent these types of vulnerabilities, first ensure that SSL is used for all
       authenticated parts of the application. Also verify that all credentials are
       stored in hashed form. To prevent these, consider the following:
             Use the native session management mechanism. Don’t write your own session
             Use a single authentication mechanism.
             Don’t allow login from an unencrypted page.
             Once the user is validated, provide them with a new session cookie and
              invalidate the previous session cookie.
             Make sure that every page of the application has a logout link.
             Verify the user’s old password before changing it to the new password.
             Don’t send credentials (including the user name) through insecure
             Don’t expose session ids, such as the session token, in the URL.
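
The checklist above in working form, as an added example that is not Joomla's session code: credentials stored as salted slow hashes, a new session id issued on login with the pre-login one invalidated, and the old password verified before a change. USERS and SESSIONS are in-memory stand-ins for the database and the native session store.

```python
# Added example (not Joomla's session code) following the checklist above:
# credentials stored as salted slow hashes, a fresh session id issued on login
# with the pre-login one invalidated, and the old password verified before a
# change. USERS and SESSIONS are in-memory stand-ins for the database and store.
import hashlib
import hmac
import secrets

USERS = {}      # username -> (salt, hash)
SESSIONS = {}   # session id -> {"user": name or None}

def _hash(password, salt):
    # slow, salted hash; a bare MD5/SHA1 of the password is the weak choice to avoid
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def register(username, password):
    salt = secrets.token_bytes(16)
    USERS[username] = (salt, _hash(password, salt))

def _verify(username, password):
    rec = USERS.get(username)
    return rec is not None and hmac.compare_digest(_hash(password, rec[0]), rec[1])

def new_session():
    """Anonymous session id handed to a guest before login."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": None}
    return sid

def login(old_sid, username, password):
    """On success return a *new* session id and drop the pre-login one, so an id
    planted before login (session fixation) never becomes authenticated."""
    if not _verify(username, password):
        return None
    SESSIONS.pop(old_sid, None)
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": username}
    return sid

def logout(sid):
    SESSIONS.pop(sid, None)

def change_password(sid, old_password, new_password):
    """Only an authenticated session that proves the old password may change it."""
    user = SESSIONS.get(sid, {}).get("user")
    if user is None or not _verify(user, old_password):
        return False
    register(user, new_password)     # new salt and hash replace the old record
    return True
```
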

Insecure Cryptographic Storage
Applications rarely use cryptographic functions to protect data and credentials.
Hackers use such data to conduct identity theft and other crimes such as credit card

       If the data is sensitive, it must be encrypted; this includes:
                      Credit Cards
                      User Names
                      Passwords
                      User data
       Make sure that the stored data is not easy to decrypt. Don’t use weak
       algorithms. Use asymmetric key encryption and store the private keys carefully.

Insecure Communications
Web applications fail to encrypt network traffic when it is crucial to protect sensitive

       Use SSL on any authenticated connection or whenever sensitive data is being
       passed. This involves configuring SSL for the web application properly, which
       requires understanding and analyzing its purpose properly.

Failure to Restrict URL Access
Some applications protect important functionality only by not displaying its URLs
to unauthorized users. But hackers use this point to access and perform
unauthorized operations by requesting the URLs directly.

       JoomiHide is a Joomla plugin that restricts an article to registered or
       unregistered users only. Just add the "reg" or "unreg" string into the Joomla
       text/content. The text within "reg" tags is then displayed only to registered
       users, and the text within "unreg" tags only to guests. JUGA and noixACL are
       the best components for controlling what is offered to users on both your
       front end and the administrator control panel.
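
The "reg"/"unreg" filtering described above together with the URL check the section heading calls for, as an added example that is not the JoomiHide plugin's code; the tag syntax {reg}...{/reg} and {unreg}...{/unreg}, the member-only path and the sample article are assumptions. The point it shows is that hiding a link on the server is not enough: the handler for the URL itself must still check the session.

```python
# Added example (not the JoomiHide plugin's code). The tag syntax {reg}...{/reg}
# and {unreg}...{/unreg} is assumed. The decision is made on the server from the
# session's login state, so member-only text never reaches a guest's browser;
# and the member-only URL itself is still checked, because not showing a link
# is no protection against someone who requests the URL directly.
import re

TAG = re.compile(r"\{(reg|unreg)\}(.*?)\{/\1\}", re.S)
MEMBER_ONLY = {"/files/report.pdf"}   # assumed paths never served to guests

def render_for(content, is_registered):
    """Keep {reg} blocks for logged-in users and {unreg} blocks for guests."""
    wanted_tag = "reg" if is_registered else "unreg"
    return TAG.sub(lambda m: m.group(2) if m.group(1) == wanted_tag else "", content)

def render_for_session(content, session):
    """Decide from the server-side session, never from a client-supplied flag."""
    return render_for(content, session.get("user") is not None)

def serve(path, session):
    """Authorization at the URL handler, independent of whether the link was shown."""
    if path in MEMBER_ONLY and session.get("user") is None:
        return "403 login required"
    return f"200 {path}"

ARTICLE = ("Public intro. "
           "{reg}Members can download the report: /files/report.pdf{/reg}"
           "{unreg}Register to download the report.{/unreg}"
           " Public footer.")   # constructed sample article

if __name__ == "__main__":
    print(render_for_session(ARTICLE, {}))                 # guest view
    print(render_for_session(ARTICLE, {"user": "alice"}))  # member view
    print(serve("/files/report.pdf", {}))                  # guest hits URL directly
```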
