I downloaded their free website scanner. I installed it and entered my URL. What the software does is to try to hack your website. It’s like penetration testing. The exercise lasted nearly an hour and I watched as the software was unleashing these attacks:
SQL Injection (Blind)
Local File Inclusion
Remote File Inclusion
HTTP Header Injection
Remote Code Evaluation
Web App Fingerprint
RoR Code Execution
on the website. I actually received about 300 junk emails from the software during the exercise. And I found out that the html5 ‘require’ was actually bypassed in some cases because I actually received empty messages which shouldn’t have gone through ordinarily. After the exercise, the website remained intact.
I guess the reason is because the form data actually will be sent to a gmail account and not to a database. I think gmail actually prevented the software from hacking the website.
Well, I am becoming more concerned now about web security. I would really like to learn how to tighten up websites and databases against malicious attackers.
> I found out that the html5 ‘require’ was actually bypassed in some cases
For example, if the browser doesn’t support `require`, use a JS fallback. Even if the browser supports it, you can strip the `require` tag with the element inspector. Even with JS, you can strip that rather easily. Even if not, there are other ways to generate a POST request than using your form at all.
Don’t use client side validation *only*. Always validate on the server.
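As an added illustration of the server-side checks this reply calls for (example code, not from the original thread or any product mentioned in it): the handler below re-checks everything the HTML5 `required` attribute only promises in the browser, and since the form in question is forwarded by e-mail, it also refuses line breaks in single-line fields. Field names, length limits and the sample inputs are assumptions.

```python
import re

# Constructed example: server-side validation for a contact form whose
# submissions are forwarded by e-mail. Field names are hypothetical.
REQUIRED = ("name", "email", "message")
MAX_LEN = {"name": 100, "email": 254, "message": 5000}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def validate_contact_form(fields):
    """Return a list of error strings; an empty list means the POST is acceptable.

    `fields` is the decoded POST body as a dict of str -> str. Nothing here
    trusts the browser: a direct POST can omit keys or send blank values
    regardless of any `required` attribute in the HTML.
    """
    errors = []
    for name in REQUIRED:
        value = fields.get(name)
        # Missing key, wrong type, or whitespace-only counts as absent; this is
        # the "empty message" case the client-side check failed to stop.
        if not isinstance(value, str) or not value.strip():
            errors.append(f"{name}: required")
            continue
        if len(value) > MAX_LEN[name]:
            errors.append(f"{name}: too long")
        # Single-line fields typically land in mail headers (From, Subject).
        # CR/LF there would let a sender append headers of their own, so reject it.
        if name != "message" and ("\r" in value or "\n" in value):
            errors.append(f"{name}: line breaks not allowed")
    email = fields.get("email", "")
    if isinstance(email, str) and email.strip() and not EMAIL_RE.match(email.strip()):
        errors.append("email: invalid format")
    return errors


def is_valid_submission(fields):
    """Convenience wrapper: True only when no validation error was raised."""
    return not validate_contact_form(fields)
```
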
>I don’t agree. Shared hosting is secure but you have to choose the right host not those $1 hosts. Media temple has shared hosting (which I use) and I’m sure it’s secure enough.
There _are_ solutions, but most hosts (MT included) don’t implement them at the “shared” level because of the processing expense. You need a [virtual] private server if you want security. On a shared host, for example, using mod_php, Apache runs all of its php processes under the same user. Getting the complete contents of another customer’s website scripts is trivial (for example, with [glob()](http://php.net/glob)). The same approach can get active user sessions, even database backups, etc., from the `tmp/` directory (a good reason not to use `tmp/`).
Hacking your site is as easy as getting on the same server (as AlenAbdula says, _someone_ on your server is running a vulnerable site – it’s practically guaranteed).