Three New Web Application Threats and their Solutions

Web Application Threats

Malicious users will try to use your web application in ways you never intended. Therefore, you should build in the controls that counter three classic categories of web application threat: spoofing, information disclosure and data tampering. Let’s see how we can mitigate these threats with secure coding and the Plesk security tools.

1. Spoofing


Spoofing remains one of the most common web application threats, whatever back-end measures you have in place to protect users’ credentials. Spoofing means pretending to be someone or something you are not, and it can happen in many ways.

Fake User Authentication

Attackers can create a fake login page that looks like the web application’s real one and trick users into logging in to it, so that the users’ credentials are sent to the attacker instead. Tools such as the Social-Engineer Toolkit (SET) can clone the login page of a popular web application for exactly this purpose.


Cross-Site Request Forgery (CSRF)

Cross-site request forgery tricks a victim’s browser into sending a request the user never intended, such as transferring funds from one account to another, in a web application where the user is already logged in. The browser attaches the user’s session cookie to the forged request automatically, which is why the server cannot tell it apart from a legitimate one. Attackers usually deliver CSRF through social engineering, for example by posting links on social media that authenticated users will click.

Unsuspecting users then end up sending a forged request to the server on the attacker’s behalf. It is hard to stop users from clicking links, but the forgery itself is straightforward to mitigate, as described below.

How to Prevent Spoofing Threats

  • Implement an SSL/TLS Certificate

To defend against interception and on-path spoofing of the real site, make sure that a web application such as a banking portal serves every page over HTTPS with a valid SSL/TLS certificate, so that users can check the domain in the address bar and no network intermediary can read or alter the traffic. Plesk lets customers get these certificates for free in just a few clicks.

Spoofing Threat Prevention

Even less technical customers can use the Let’s Encrypt extension on the Plesk platform to create SSL certificates for their domains. Bear in mind what the certificate proves: that the browser is talking to the site named in the address bar. It does not stop an attacker from registering a look-alike domain and obtaining an equally valid certificate for it, so users still have to check which domain they are typing their password into.

Generate Random Tokens  

To prevent forged requests, use anti-CSRF tokens to validate every state-changing request. Keep state changes out of GET requests altogether (GET should be safe and idempotent) and validate the token on POST, PUT, PATCH and DELETE. For example, to enable CSRF protection in Flask-based applications you can use the Flask-WTF extension’s CSRFProtect and enable it globally:

from flask import Flask
from flask_wtf.csrf import CSRFProtect

app = Flask(__name__)
app.config["SECRET_KEY"] = "replace-with-a-long-random-secret"  # tokens are signed with this

# Registering CSRFProtect on the app checks the token on every POST/PUT/PATCH/DELETE request
csrf = CSRFProtect(app)

Alternatively, FlaskForm (from the same extension) adds the token to each form for you. The standard way of preventing CSRF in Java or PHP web applications is the same synchronizer token pattern: the server generates a random token, stores it in the user’s session and embeds it in a hidden form field of every page that can change state. When the form is submitted, the request is accepted only if the value of the hidden field matches the value stored in the session. Because a page on another origin cannot read the victim’s form (same-origin policy), an attacker cannot supply the right token. Setting the SameSite attribute on the session cookie adds a second layer of defence in modern browsers.
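
As an added example that is not part of the original post, here is the synchronizer token pattern described above in plain Python, with a dict standing in for the framework’s server-side session. The function names and the /transfer form are assumptions made for the illustration, not part of any framework’s API:

```python
import hmac
import secrets

SESSION_KEY = "csrf_token"  # where the per-session token lives in the session store


def issue_csrf_token(session: dict) -> str:
    """Return this session's anti-CSRF token, creating a random one on first use.

    The token is embedded in a hidden form field. An attacker's page on another
    origin cannot read the victim's form (same-origin policy), so a forged
    cross-site POST cannot carry the right value.
    """
    token = session.get(SESSION_KEY)
    if token is None:
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        session[SESSION_KEY] = token
    return token


def render_transfer_form(session: dict) -> str:
    """Minimal form template; the hidden field carries the session-bound token."""
    token = issue_csrf_token(session)
    return (
        '<form method="post" action="/transfer">'
        f'<input type="hidden" name="csrf_token" value="{token}">'
        '<input name="to"><input name="amount"><button>Send</button></form>'
    )


def csrf_token_is_valid(session: dict, form: dict) -> bool:
    """True only if the submitted token equals the one stored in the session.

    hmac.compare_digest runs in constant time, so a wrong token cannot be
    narrowed down byte by byte through response timing.
    """
    expected = session.get(SESSION_KEY)
    submitted = form.get("csrf_token")
    if not expected or not isinstance(submitted, str):
        return False
    return hmac.compare_digest(expected.encode(), submitted.encode())


def handle_transfer(session: dict, method: str, form: dict) -> tuple:
    """State-changing endpoint: honour only a POST that carries a valid token."""
    if method != "POST":
        return 405, "method not allowed"  # GET must never change state
    if not csrf_token_is_valid(session, form):
        return 403, "csrf token missing or invalid"
    return 200, f"transferred {form['amount']} to {form['to']}"


if __name__ == "__main__":
    victim = {}                       # constructed session for a logged-in user
    render_transfer_form(victim)      # the real page embeds the token
    legit = {"csrf_token": victim[SESSION_KEY], "to": "bob", "amount": "10"}
    forged = {"to": "mallory", "amount": "1000"}  # attacker's page has no token
    print(handle_transfer(victim, "POST", legit))   # (200, ...)
    print(handle_transfer(victim, "POST", forged))  # (403, ...)
```

The forged request fails even though it arrives with the victim’s session cookie, because the token is the one thing the attacker’s page cannot obtain. In a real application the session dict is the framework’s session object and the token is rendered by the template engine.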

2. Information Disclosure

Information Disclosure Threat

Information disclosure is any exposure of data to someone who is not authorized to see it, for example allowing unauthenticated users to access documents that are restricted to authenticated users. The following describes several ways information disclosure can take place.

IDOR – Insecure Direct Object Reference

An IDOR is possible when a web application fetches an object directly from a user-supplied identifier without checking that the user is allowed to see it. This lets users reach resources that should be off limits to them. Let’s assume user A logs in to a banking web portal and is redirected to a URL of the following form:

Here 00012345 is user A’s account number. To read another customer’s account details, user A simply changes acc=00012345 to acc=000112367 in the address bar.

This lets a user read another customer’s account details without the owner’s consent, and predictable identifiers make it easy to enumerate every other account the same way.

How to prevent

There are different ways to prevent insecure direct object references. The essential one is to enforce access control on the server for every request: look the object up in the context of the authenticated user and refuse (or pretend not to find) anything that user does not own, regardless of what identifier the request carries. Another way to avoid exposing the real identifier of an internal object, such as a database record, is to replace it with an indirect reference, for example a per-user random handle or a salted hash, that the server maps back to the real identifier. Indirection on its own is not an authorization check, so use it together with the first measure, not instead of it.
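
Both measures, the ownership check and the indirect reference map, as an added Python example that is not from the original post. The account numbers, owners and balances are constructed sample data standing in for the bank’s database, and the function names are assumptions:

```python
import secrets
from dataclasses import dataclass


@dataclass
class Account:
    number: str
    owner: str
    balance: int


# Constructed sample data standing in for the bank's database.
ACCOUNTS = {
    "00012345": Account("00012345", "alice", 1500),
    "00012367": Account("00012367", "bob", 9200),
}


class Forbidden(Exception):
    """Raised when the caller may not see the requested object."""


def account_details_vulnerable(acc: str):
    """Vulnerable: returns whatever account number the client put in ?acc=..."""
    return ACCOUNTS.get(acc)


def account_details(current_user: str, acc: str) -> Account:
    """Fixed: the lookup is scoped to the authenticated user.

    The question asked is 'does this record belong to the caller?', not
    'does this record exist?'.
    """
    account = ACCOUNTS.get(acc)
    if account is None or account.owner != current_user:
        # One answer for both 'not yours' and 'not found', so the endpoint
        # cannot be used to enumerate which account numbers are valid.
        raise Forbidden("no such account")
    return account


def build_reference_map(current_user: str) -> dict:
    """Per-session indirect references: random handles instead of real numbers.

    Real account numbers never appear in URLs, and a handle is only ever
    created for accounts the user owns. This complements the ownership check
    above; it does not replace it.
    """
    return {
        secrets.token_urlsafe(16): number
        for number, account in ACCOUNTS.items()
        if account.owner == current_user
    }


def account_details_by_ref(current_user: str, ref_map: dict, ref: str) -> Account:
    """Resolve the opaque handle, then still run the ownership check."""
    number = ref_map.get(ref)
    if number is None:
        raise Forbidden("no such account")
    return account_details(current_user, number)


if __name__ == "__main__":
    print(account_details_vulnerable("00012367"))        # alice reads bob's account
    alice_refs = build_reference_map("alice")
    for handle in alice_refs:
        print(handle, account_details_by_ref("alice", alice_refs, handle))
    try:
        account_details("alice", "00012367")
    except Forbidden as exc:
        print("blocked:", exc)
```

Note that even a stolen handle is useless to another user: account_details_by_ref resolves it and then runs the same ownership check, so the indirection map is a privacy improvement layered on top of authorization rather than a substitute for it.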

SQL Injection

SQL injection is one of the most common ways malicious users disclose information that should be hidden from public view. When user input is concatenated into a query, an attacker can change what the query does: add a UNION SELECT to read other tables or dump an entire database, INSERT or UPDATE rows to create users or modify accounts, or, where the database driver allows stacked statements, run DDL such as CREATE or DROP.

How to prevent

Use prepared statements (parameterised queries) so that an attacker cannot change the purpose of a query. A prepared statement separates the query text from the data, so data submitted by an attacker is only ever treated as a value and cannot alter the SQL. Flask developers can also interface with the database through SQLAlchemy, whose ORM and Core query builders parameterise values for you. That protection only holds as long as you pass values as bind parameters: building a raw SQL string with string formatting and handing it to text() or execute() is just as injectable as in any other language.
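
The difference between the two approaches, as an added example that is not from the original post, using Python’s built-in sqlite3 driver and a constructed in-memory users table. The table, the rows and the two lookup functions are assumptions for the illustration:

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory users table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT, password_hash TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [
            ("alice", "$2b$12$hash-of-alices-password", "customer"),
            ("bob", "$2b$12$hash-of-bobs-password", "customer"),
            ("admin", "$2b$12$hash-of-admin-password", "admin"),
        ],
    )
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Vulnerable: the value is spliced into the SQL text, so a quote in the
    input ends the string literal and everything after it becomes SQL."""
    query = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def find_user(conn: sqlite3.Connection, username: str) -> list:
    """Fixed: a parameterised (prepared) query. The driver passes the value
    separately from the SQL text, so it can only ever be compared as data."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    tautology = "' OR '1'='1"
    union = "' UNION SELECT username, password_hash FROM users --"
    print(find_user_vulnerable(db, tautology))   # every row
    print(find_user_vulnerable(db, union))       # usernames paired with password hashes
    print(find_user(db, tautology))              # [] : the payload is just a name
```

The UNION payload is the information-disclosure case the paragraph above describes: the password_hash column is never selected by the application’s own query, yet it comes back because the attacker appended a second SELECT. With the parameterised version the same input matches no row at all.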

3. Data Tampering

Data tampering is the act of intentionally modifying data through unauthorized channels. Data can be in two states, in transit and at rest, and malicious users can tamper with it in both: by intercepting and altering it on the network, or by modifying stored records they should not be able to touch. Here’s how data tampering can take place.

Parameter Pollution

Let’s assume a web application accepts sensitive data, such as login credentials or a funds transfer, via GET or POST parameters. An attacker can tamper with those parameters, and in HTTP parameter pollution specifically, send the same parameter more than once (for example amount=10&amount=1000). Different components resolve duplicates differently: some take the first value, some the last and some concatenate them, so a web application firewall or proxy may validate one value while the application acts on another.

To prevent parameter tampering and pollution, validate every parameter on the server against an allow-list of expected names, types and ranges, reject requests that carry a parameter more than once, never trust client-supplied values for security-relevant fields such as prices or roles, and URL-encode any user-supplied value that you forward in a query string to another service.
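
As an added example (not from the original post), the following Python shows the duplicate-parameter problem with the standard library’s query-string parser and a strict allow-list parser that rejects polluted, unknown, missing or out-of-range parameters. The transfer parameters, the eight-digit account format and the amount limit are assumptions for the illustration:

```python
from urllib.parse import parse_qs, parse_qsl


class BadRequest(Exception):
    """Reject the request with HTTP 400."""


def naive_parse(query: str) -> dict:
    """What many stacks do when a parameter repeats: keep one value silently
    (here the first; other frameworks keep the last or join them)."""
    return {key: values[0] for key, values in parse_qs(query).items()}


def strict_parse(query: str, allowed: dict) -> dict:
    """Parse a query string against an allow-list.

    `allowed` maps parameter name -> validator that returns the parsed value
    or raises ValueError. Unknown, duplicated, missing or invalid parameters
    all reject the request, so a polluted request never reaches the handler.
    """
    parsed = {}
    for key, raw in parse_qsl(query, keep_blank_values=True):
        if key not in allowed:
            raise BadRequest(f"unexpected parameter {key!r}")
        if key in parsed:
            raise BadRequest(f"parameter {key!r} supplied more than once")
        try:
            parsed[key] = allowed[key](raw)
        except ValueError as exc:
            raise BadRequest(f"invalid value for {key!r}") from exc
    missing = sorted(set(allowed) - set(parsed))
    if missing:
        raise BadRequest(f"missing parameters {missing}")
    return parsed


def account_number(raw: str) -> str:
    """Eight decimal digits, nothing else (assumed format for this bank)."""
    if not (raw.isdigit() and len(raw) == 8):
        raise ValueError(raw)
    return raw


def amount_cents(raw: str) -> int:
    """A positive integer number of cents up to an assumed per-transfer limit."""
    value = int(raw)  # raises ValueError on anything that is not an integer
    if not 0 < value <= 1_000_000:
        raise ValueError(raw)
    return value


TRANSFER_PARAMS = {"to": account_number, "amount": amount_cents}

if __name__ == "__main__":
    polluted = "to=00012367&amount=100&amount=999999999"
    print(naive_parse(polluted))                       # validator may see amount=100 ...
    try:
        strict_parse(polluted, TRANSFER_PARAMS)        # ... the handler refuses it outright
    except BadRequest as exc:
        print("rejected:", exc)
    print(strict_parse("to=00012367&amount=100", TRANSFER_PARAMS))
```

A front-end component that uses naive_parse would approve amount=100 while a back end that keeps the last value would move 999999999; the strict parser removes the ambiguity by refusing to guess.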

Session hijacking


Session hijacking is another attack in which malicious users steal a session cookie. Each user is assigned a session when they log into a web application, and the session ID is usually stored in a cookie. Whoever presents that ID is treated as the logged-in user, so an attacker who obtains it (by sniffing unencrypted traffic, through cross-site scripting, or by guessing a predictable value) can act as the victim and modify their data.

How to prevent: Generate random session IDs. Session IDs must come from a cryptographically secure random generator and be long enough (at least 128 bits) that they cannot be guessed or enumerated. Issue a fresh ID when the user logs in so that a value fixed before authentication is useless, expire idle sessions, invalidate them on the server at logout, and send the cookie with the Secure, HttpOnly and SameSite attributes so that it is never transmitted in clear text, never readable by scripts and not attached to cross-site requests.
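
Those rules in code, as an added Python example that is not from the original post: a constructed in-memory session store that mints IDs from the OS CSPRNG, rotates them at login, expires idle sessions, and a helper that emits the cookie with the protective attributes. The store class, the cookie name and the 30-minute idle timeout are assumptions:

```python
import secrets
from http.cookies import SimpleCookie

IDLE_TIMEOUT = 30 * 60  # seconds without activity after which a session dies


class SessionStore:
    """Constructed in-memory store; production code would use Redis or a DB."""

    def __init__(self):
        self._sessions = {}

    def create(self, user: str, now: float) -> str:
        """Mint a session ID from the OS CSPRNG: 256 bits, not guessable."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "last_seen": now}
        return sid

    def rotate(self, old_sid: str, now: float) -> str:
        """Issue a new ID (at login or privilege change) and retire the old one,
        so an ID planted or observed before login (session fixation) is useless."""
        data = self._sessions.pop(old_sid)
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = {"user": data["user"], "last_seen": now}
        return new_sid

    def lookup(self, sid: str, now: float):
        """Return the user for a live session, or None if unknown or expired."""
        data = self._sessions.get(sid)
        if data is None:
            return None
        if now - data["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[sid]
            return None
        data["last_seen"] = now
        return data["user"]

    def destroy(self, sid: str) -> None:
        """Logout: invalidate server-side, not just clear the browser cookie."""
        self._sessions.pop(sid, None)


def session_cookie(sid: str) -> str:
    """Build the Set-Cookie value with the attributes that make theft harder."""
    cookie = SimpleCookie()
    cookie["sid"] = sid
    cookie["sid"]["secure"] = True      # only ever sent over HTTPS
    cookie["sid"]["httponly"] = True    # invisible to JavaScript (limits XSS theft)
    cookie["sid"]["samesite"] = "Lax"   # not attached to cross-site POSTs
    cookie["sid"]["path"] = "/"
    return cookie.output(header="").strip()


if __name__ == "__main__":
    import time
    store = SessionStore()
    pre_login = store.create("alice", time.time())   # e.g. session of the login page
    sid = store.rotate(pre_login, time.time())       # rotated once credentials check out
    print("Set-Cookie:", session_cookie(sid))
    print(store.lookup(pre_login, time.time()), store.lookup(sid, time.time()))
```

The time is passed in explicitly so the expiry logic is testable; a web handler would pass time.time(). The cookie helper produces a header such as sid=...; HttpOnly; Path=/; SameSite=Lax; Secure, which is what the prevention list above asks for.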

Moreover, Plesk also provides many security extensions that help customers prevent or mitigate threats not mentioned above. For example, the Sucuri Security Scanner extension for Plesk remotely scans a website for security issues and weaknesses in its source code.

Sucuri Security Scanner on Plesk - Screenshot

Avoiding these new web application threats

Having said that, don’t just rely on Plesk extensions to protect web applications from web attacks. You also need to use your own secure coding practices to mitigate these threats. So, equip yourself, but stay vigilant.

The Plesk Onyx Security Quiz | 5 Minutes

It’s time for our second monthly edition of the Plesk quiz. Here to challenge your knowledge and see how you stack up against your peers. But mostly, to check if we’re doing alright in making sure you get the most of what we can offer. So today, we’ll be testing how much you know about Plesk Onyx Security.

Plesk Onyx Security Features and Tools

How well can you manage security of your Plesk server and protect it from common types of attacks? Maybe you know that we have an entire Security section inside our extension catalog for you to use. Including Let’s Encrypt to issue free SSL certificates and protect connections to your sites, Plesk interface, and mail server.

Plus, we’ve got robust in-built tools in order to enhance Plesk panel security. Like Web Application Firewall (ModSecurity), which protects sites and web applications from attacks.  And Fail2Ban for brute-force protection via IP address banning. Are you on top of it all? Then get ready to test your Plesk Onyx Security basics and more.

Plesk Onyx Security Quiz

Boom – 14 questions below, just for you. Select your answers to get your score (and no cheating!).


How did you do?

Finally, how was it? Got the score you thought you would? Did you get close but aren’t quite there yet? Let us know in the comments below or on Twitter or Facebook. You’ll see how your peers found the challenge.

Think you can do better yet? Fortunately, there’s a free Plesk University course dedicated to learning more about Plesk Onyx Security. There may be something you’re missing.

First, hit the button below to get the course. Then complete it for a certificate. Are you new to Plesk University? Then sign up first in a couple of clicks and hit “Get this Course”.

Let’s Encrypt on Plesk: Your key to a free SSL certificate

The web is an endless battleground. The good guys are always trying to keep the bad guys from hacking, ransoming, and conning their way into our online lives. Our best weapon? Encryption. The web works on trust, and thanks to encryption, HTTPS provides exactly that. But if a website is going to use it, it first needs a certificate from a Certificate Authority (CA), such as Let’s Encrypt, which issues them for free.

Let’s Encrypt – What is it?

Let’s Encrypt will only issue a certificate if you can demonstrate control over your domain, which you do with a software client that speaks the ACME (Automatic Certificate Management Environment) protocol. With the free certificate installed, the connection between your web server and each visitor’s browser is encrypted.

So, when data passes between your web server and its users, it is unreadable to anyone who intercepts it, and nobody can tamper with it unnoticed.

The Electronic Frontier Foundation developed Certbot, which has now become the best known and most widely used ACME client on the block. Certbot verifies the domain’s ownership, fetches certificates, and takes care of TLS/SSL configuration on web servers using Nginx and Apache.

What does a Certificate Authority do?

Certificate Authorities (CAs) vouch for the binding between a domain name and a public key by digitally signing the certificate. Operating systems and browsers ship a store of trusted root CAs and check that a site’s certificate chains up to one of them before treating it as bona fide.

This kind of authentication was something we had to pay for in the past. But now Let’s Encrypt has broken with tradition and issues every certificate free of charge and fully automatically. The whole thing runs on funding from sponsors and donors.

How Let’s Encrypt does its thing

The ACME protocol that Let’s Encrypt uses specifies how clients interact with its servers when requesting certificates and proving control of a domain. At the time of writing it was an IETF draft; it has since been published as an official standard, RFC 8555.

Let’s Encrypt for HTTPS

Let’s Encrypt issues domain-validated (DV) certificates only. This means that after a certificate request, Let’s Encrypt checks that the requester really controls the domain: it sends the client a unique token, the client combines that token with the thumbprint of its account key to form a key authorization, and the domain owner must then publish that value over the Web or in DNS.

Let’s Encrypt for HTTP

With the HTTP-01 challenge, the client puts the key authorization (the token plus its account key thumbprint) into a file that the web server serves at http://<domain>/.well-known/acme-challenge/<token>. The Let’s Encrypt servers fetch the file from that address; if the content matches what they expect, the client has proved control of the domain and receives its certificate.

The ACME protocol defines several challenge types. The older TLS-based variant (tls-sni-01) resembled HTTP-01 but had the client present a self-signed certificate containing the key authorization; Let’s Encrypt has since retired it in favour of tls-alpn-01. The DNS-01 challenge instead looks for a TXT record at _acme-challenge.<domain> whose value is the base64url-encoded SHA-256 hash of the key authorization.
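
The values a client has to compute for these challenges, as an added Python example that is not from the original post or from any ACME client: the RFC 7638 JWK thumbprint, the RFC 8555 key authorization, and what to publish for HTTP-01 and DNS-01. The account key, the token and the example.com domain are constructed (the key is not even a valid curve point); real values come from the client’s account key and from the ACME server:

```python
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as JOSE and ACME require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# RFC 7638: the thumbprint hashes only the required public members of the JWK,
# serialised with members in lexicographic order and no whitespace.
_REQUIRED_MEMBERS = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}


def jwk_thumbprint(jwk: dict) -> str:
    members = {name: jwk[name] for name in _REQUIRED_MEMBERS[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: token || '.' || base64url(Thumbprint(accountKey))."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def http01_response(domain: str, token: str, account_jwk: dict) -> tuple:
    """HTTP-01: the CA fetches this URL and expects the key authorization as body."""
    url = f"http://{domain}/.well-known/acme-challenge/{token}"
    return url, key_authorization(token, account_jwk)


def dns01_record(domain: str, token: str, account_jwk: dict) -> tuple:
    """DNS-01: TXT record name and value, the value being
    base64url(SHA-256(key authorization))."""
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("ascii")).digest()
    return f"_acme-challenge.{domain}", b64url(digest)


# Constructed sample inputs: NOT a real key (x/y are not a point on P-256) and a
# made-up token. Extra members such as kid/alg are ignored by the thumbprint.
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
SAMPLE_ACCOUNT_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": b64url(bytes(range(1, 33))),
    "y": b64url(bytes(range(33, 65))),
    "kid": "https://acme.example/acct/1",
    "alg": "ES256",
}

if __name__ == "__main__":
    print(http01_response("example.com", SAMPLE_TOKEN, SAMPLE_ACCOUNT_JWK))
    print(dns01_record("example.com", SAMPLE_TOKEN, SAMPLE_ACCOUNT_JWK))
```

The thumbprint is what ties the challenge to your account: another ACME account that happened to learn the token could not produce the same key authorization, because its account key has a different thumbprint.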

Let’s Encrypt Certbot Client

Certbot is by far the most widely used Let’s Encrypt client. It is packaged by most major Linux distributions and can automatically configure both Apache and Nginx. Once it is installed, you can obtain a free SSL certificate and update your Apache configuration with a single command:

sudo certbot --apache -d

Certbot will ask some questions, run a challenge, download certificates, update your Apache configuration, and reload the server.

Certbot and Let's Encrypt on Plesk

After this, when you browse to the site you will see the padlock icon, which confirms both a valid certificate and an encrypted connection.

Each Let’s Encrypt free ssl certificate lasts for only 90 days, so you need to make sure that you set it to renew automatically.

This command renews every certificate on the machine that is due for renewal:

sudo certbot renew

If you put this command in a crontab so it runs every day, your certificates will be renewed as soon as they are within 30 days of expiry. Certbot will reload the web server after a successful renewal, as long as the certificate was originally created with the --apache or --nginx option.

More Let’s Encrypt-ACME Clients you should know of

The ACME protocol is open and its documentation is comprehensive, which has encouraged the development of many other clients.

You can find an up-to-date list of ACME clients here.

Certbot is one of the few clients to offer automatic web server configuration,  but the others do provide features that may be of interest.

  1. If you want to avoid Python and other Certbot dependencies, (perhaps because you want to create certificates in a constrained environment) you can pick one in languages like Go, and Node.js.
  2. Some clients run without root privileges, which is good practice: the less code that runs with elevated privileges, the better.
  3. Many clients can complete the DNS-01 challenge automatically by using your DNS provider’s API to create the TXT record. This challenge also covers harder cases such as web servers that are only reachable privately, and it is the only challenge that can validate wildcard certificates.
  4. You will find some clients integrated into web servers, reverse proxies, or load balancers. This makes configuration and deployment a breeze.

Lots of other clients can be used, and lots of other servers and services automate TLS/SSL setup thanks to Let’s Encrypt support.

How to make and update Let’s Encrypt free SSL certificates with Plesk

Plesk has a plugin that lets you handle Let’s Encrypt free SSL certificates.

For the Let’s Encrypt extension to work, the domain name must resolve publicly and the web server must answer for it over HTTP, whether or not the site has any content yet. The process only works for a valid, registered domain.

Here is how to get a Let’s Encrypt free SSL certificate for your domain:

  1. Log in to Plesk.
  2. On the (left) sidebar, click Websites & Domains
  3. Click on the Let’s Encrypt symbol to pull up the Let’s Encrypt SSL Certificate page.
  4. Type a valid e-mail address in the box.
  5. Select the check box that includes the www subdomain as an alternate domain name, so that the SSL certificate protects your domain both with and without the www prefix.

5.1. If you leave the box unchecked, the certificate covers only the bare domain; if you select it, the certificate is valid for the www subdomain as well.

5.2. Click Install. When installation finishes successfully you will get a confirmation message.

5.3. If it doesn’t work, check that the domain name is valid. Also, check that the domain is:

  • spelled right
  • registered
  • has proper DNS records
  • accessible in the web

When you create or add a domain to the server, be sure to add the relevant DNS records (an A record pointing to the server IP address as a minimum), and allow adequate time for the DNS changes to propagate.

6. In the left sidebar, click on Websites and Domains
7. Click Hosting Settings.
8. Under Security, select the SSL support check box, and the Let’s Encrypt SSL certificate in the Certificate list box.

Plesk renews Let’s Encrypt certificates automatically

So you don’t need to do anything. Let’s Encrypt free SSL certificates are valid for 90 days, and Plesk renews them automatically every month, well ahead of expiry, which is in line with what the Let’s Encrypt developers recommend.

Renewing early limits how long a compromised key stays usable, is transparent to you and the visitors to your site, and leaves you extra time to find a solution if a renewal doesn’t go through for whatever reason.

Manually renewing an SSL certificate in Plesk

You can also manually renew a certificate if you:

  1. Log in to Plesk.
  2. In the left sidebar, click Websites & Domains
  3. Click the Let’s Encrypt icon and select “Renew”.

What’s new on Plesk Onyx? The March 2018 Update

Have you heard? We’re coming at you with a huge update to our all-in-one platform. You spoke, we listened. So we’ve further aligned Plesk Onyx to the way web professionals work today. And the types of infrastructure hosting sites and web applications use at the minute. Hence, we focused on 5 main areas: Site Performance, SEO, WordPress, Security and Cloud integration. Check it out.

The Fast-Building Part

We’ve improved onboarding for you and your customers. Hello, simplified registration and social login! As soon as you’re on, you get the First Steps Advisor to guide you through the initial steps. Like adding a domain, creating mailboxes and of course enabling your security measures.

We made an SEO Toolkit. Now you can count on Plesk to help analyze your websites, without having to look elsewhere.

  • You’ll get Site Audit for common SEO issues and receive optimization recommendations.
  • Instantly review search engine crawler activity on your sites with Log File Analyzer. Then track your keyword ranking in order to adopt the right SEO strategy.
  • Finally, think smart and monitor your competitors. So that you can react to their and your ranking changes fast.

Consider the WP Toolkit enhanced with single-click NGINX caching and AI updates.

  1. Let’s introduce you to Smart Updates by AI. Using Deep Learning Technology, you’ll bring your WP instances, plugins and themes up to speed.
  2. Configure NGINX caching to significantly speed up every WP site. And while you’re at it configure your plugin and theme sets to come preinstalled with every new WP instance.
  3. Feel safer when updating because you can now have additional restore points before updating WP or syncing data.
  4. Speaking of safe, we’ve added pingback attack protection for extra security.
  5. With all that in place, open shop and activate your eCommerce. Choose to install WooCommerce on the new Plesk Onyx. Learn more about setting up a WooCommerce online store.
  6. You’ll also find that we’ve made WP management and UX better to accommodate more and more users.

The Tighter Security Part

Out with Security Advisor and in with the all-new Plesk Advisor. This is because we’ve expanded this system-wide. You’ll get recommendations, fixes and enhancements for security, performance, reputation, updates, backups and more.

Combine our new SSL certificate manager with the ‘Keep me secured’ feature. Breaking this down, it monitors and automatically secures Plesk, new domains, subdomains and webmail with SSL certificates. You can even choose between Let’s Encrypt or Symantec SSL certificates. Domain Validation (DV) certificates are free, but you can also choose to purchase Organization Validation (OV) or Extended Validation (EV) certificates directly from Plesk.

The Part Where You Run on Schedule

Get up close with Hyperscale Cloud services. It’s easier than ever to integrate AWS with your system using the AWS toolbox (RDS, Route53). Experience an elevated backup-to-cloud experience or integrate your own cloud storage backup. We’re talking incremental, scheduled, self-restore, granular restoration for sites, files, databases, mail accounts and more. Not to mention the improved passive FTP support and Maintenance mode.

We gave the Plesk Extensions Catalog a facelift. You’ll see the catalog is completely redesigned with intuitive navigation, rapid search, and fast auto-updates (within 24 hours). And let’s face it, our 100+ extension list is currently unmatched.

The repairing and monitoring tools are smarter than before. Yes, it’s possible. The self-repair tool can find resource-consuming processes without SSH and CLI. So you don’t need an expert to do the work. Detect and limit resources by subscription to ensure your infrastructure’s integrity.

Find your fit with the new Plesk Onyx 17.8

Your complete set of technical, security and automation tools – all in one place. We’re a leading WebOps and Web Hosting platform for a reason. Want to effortlessly build projects, secure against vulnerabilities and automate daily tasks – all in a day’s work? Then let us help with Plesk Onyx 17.8.

See which Plesk edition fits you best. If you’re already a Plesk user, get in touch – and see if we can offer you something better.

An intro to Plesk Security Course: Part 3 [Video]

Plesk Security Course

We hope you’ve had a chance to get on the bandwagon and have a look at the Plesk Security Course . You can find all you need to know about this newest addition in our Plesk University catalogue. Then take the course for free! You’ll join our booming number of users who are learning to get tip-top security while working with our platform.

Preview Security Course

But if you’ve only got a few minutes, we’ll give you a quick one-minute guide for creating your own free SSL certificates in just a few clicks. Welcome to Let’s Encrypt – one of our best-rated Plesk extensions. This certificate authority (CA) gives all Plesk users the power to get a free certificate for each domain they own.

Let’s Encrypt: Protect your website in 3 steps

In our final security video, you’ll see how this handy Plesk extension makes your site more trustworthy. Because with Let’s Encrypt, you’re not just encrypting the connection between the website and the visitor’s browser. You’re also presenting your website as a trusted one.

Video: 1:03 minutes

As a result, visitors will not see a warning about the certificate’s authenticity. This tops self-signed certificates (free but not trusted), especially when securing an E-commerce website.

Let’s Encrypt not only issues free SSL certificates, but also provides the tools to revoke and renew them. Something that should save system administrators loads of time and effort.

What’s Going on in this Video

1. When you create a new domain, subscription or subdomain – you can protect them immediately with Let’s Encrypt certificate.

2. For already existing domains, open the domain’s toolbox and click Let’s Encrypt. Select whether you want to protect www. and webmail. subdomains, as well as any aliases of the domain.

3. To protect your platform and mail server, go to Tools & Settings > SSL certificates. And create a new Let’s Encrypt certificate.

Let’s Encrypt Key Features

  • Works out of the box, no setup or CLI commands required
  • Signing of SSL certificates for domains and subdomains
  • Automatic renewal of all certificates
  • Additional domains are now supported
  • Can create a cert for the Plesk panel itself

So give all your sites and apps a secure and trusted certificate with this free Plesk extension. And let us know how it goes in the comments below!

Itching for more ways to up your security while on our ecosystem? Then get started on our Plesk Security course.

Preview Security Course

What’s a CAA resource record?

The Certification Authority Authorization (CAA) resource record is a DNS record that strengthens the PKI ecosystem: it controls which CAs may issue certificates for a particular domain name. So far only a couple of hundred sites have adopted it, but that is changing. Under the CA/Browser Forum’s mandate, certificate authorities now have to check CAA records, following the procedure laid out in RFC 6844, before issuing SSL/TLS certificates. This has been required since September 8th, 2017. If you want the tl;dr version, we’ve summed it up for you right here.

CAA Records and Plesk

  1. You can list the CAs that are allowed to issue certificates for your domain in a CAA record.
  2. You don’t have to add CAA records for your domains. An absence of a CAA record means that any CA can issue certificates for the domain.
  3. Plesk supports CAA records starting from the Plesk Onyx 17.8 preview. We have no plans to backport this feature to earlier Plesk versions.

Limitations for CAA Records

  • Some DNS servers/services do not support CAA records.
  • If you want to allow several CAs to issue SSL/TLS certificates for your domain, you need to add multiple CAA records – one record per CA.
  • You can also add CAA records to the Server DNS Template.
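
As an added example (not from the original post or from Plesk), here is the CA-side check in Python that the mandate requires, run over a constructed zone: it finds the relevant CAA set by walking towards the root, honours the critical flag, and distinguishes issue from issuewild for wildcard requests. The zone contents, including the wild.example.com layout, are assumptions, and the CNAME/DNAME following from RFC 6844 is left out to keep the example short:

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class CAA:
    flags: int   # 128 sets the "critical" bit: an unrecognised tag must block issuance
    tag: str     # "issue", "issuewild" or "iodef"
    value: str   # a CA's domain name, or ";" meaning "no CA may issue"


# Constructed zone data for the example (not a real zone): name -> CAA records.
ZONE = {
    "example.com": [
        CAA(0, "issue", "letsencrypt.org"),
        CAA(0, "iodef", "mailto:security@example.com"),
    ],
    "shop.example.com": [CAA(0, "issue", ";")],            # nobody may issue here
    "wild.example.com": [
        CAA(0, "issue", "letsencrypt.org"),                  # ordinary certificates
        CAA(0, "issuewild", "digicert.com"),                 # *.wild.example.com
    ],
}


def relevant_caa_set(name: str, zone: dict) -> list:
    """RFC 6844 section 4: climb from the name towards the root; the closest
    label that has CAA records supplies the policy. (CNAME/DNAME following is
    left out of this example.)"""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if zone.get(candidate):
            return zone[candidate]
    return []


def ca_may_issue(name: str, ca: str, zone: dict, wildcard: bool = False) -> bool:
    """Decide whether `ca` may issue a certificate for `name` (or *.name)."""
    records = relevant_caa_set(name, zone)
    if not records:
        return True  # no CAA anywhere in the chain: any CA may issue
    known = {"issue", "issuewild", "iodef"}
    if any(r.flags & 128 and r.tag.lower() not in known for r in records):
        return False  # critical record we do not understand: refuse
    # Wildcard requests are governed by issuewild when present, else by issue.
    tag = "issue"
    if wildcard and any(r.tag.lower() == "issuewild" for r in records):
        tag = "issuewild"
    allowed = {
        r.value.split(";")[0].strip().lower()  # drop "; parameters" if present
        for r in records
        if r.tag.lower() == tag
    }
    if not allowed:
        return True  # CAA present but silent on this kind of issuance
    return ca.lower() in allowed


if __name__ == "__main__":
    for domain, ca, wild in [("www.example.com", "letsencrypt.org", False),
                             ("www.example.com", "digicert.com", False),
                             ("shop.example.com", "letsencrypt.org", False),
                             ("wild.example.com", "digicert.com", True)]:
        print(domain, ca, "wildcard" if wild else "", ca_may_issue(domain, ca, ZONE, wild))
```

This is why a single record such as 0 issue "letsencrypt.org" at example.com covers every subdomain that has no CAA record of its own, and why allowing a second CA means adding a second record rather than editing the first.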

How to make Let’s Encrypt your main CA

You can set Let’s Encrypt as the only CA allowed to issue SSL/TLS certificates for your domain in Plesk. The Let’s Encrypt community post has also got this one covered. Have a look at the process below:

CAA record addition procedure

For more information you can have a look at the CAA documentation on Let’s Encrypt or Qualys’ article on the matter. And if you have any questions, please feel free to contact us here or on our forum – we’ll be happy to lend a hand.

HTTP/2 & Let’s Encrypt for WordPress

Let's Encrypt & HTTP/2 for WordPress

Our blog now meets the latest security standards, and making it HTTP/2-ready is easier than you think. Here’s how we switched our blog, running on Plesk + NGINX, to HTTPS and made it HTTP/2-ready with a free SSL certificate from Let’s Encrypt. Before we get into the details, a few things to start with.

Protocol enhancements like SPDY and HTTP/2 have narrowed the performance gap between encrypted and unencrypted web traffic, with encrypted HTTP/2 outperforming unencrypted HTTP/1.1 in some cases. Even more importantly, encryption is now more or less mandatory, as Google has announced that HTTPS is used as a (lightweight) ranking signal in search results, with HTTPS-enabled sites ranking above their plaintext counterparts. ‘Yes, HTTP/2 is awesome,’ I hear you saying, ‘but it requires HTTPS which, in turn, requires an SSL certificate – and those things cost money, you know?’ Well, here comes the sales pitch: Plesk, together with Let’s Encrypt, makes HTTPS setup a breeze and brings you a faster Web with HTTP/2.

Let’s see how we did it.

HTTPS & Let’s Encrypt

First, we issued a free trusted certificate from Let’s Encrypt with automatic renewal and set it up for the blog, hosted on Plesk 12.5.

There are many manuals available online talking about how to install an SSL certificate on Linux so you might have already seen rows upon rows of command line calls, lists of changes to configuration files, and even instructions for building additional utilities. Well, we decided to make our life easier and just used the Plesk “Let’s encrypt” extension that enables Plesk users to issue and install certificates with auto-renewal functionality in the Plesk UI with just a few clicks.


You can find the details in one of our previous blog posts. After a few clicks we were done and had a free, trusted SSL certificate installed on the blog. Let’s enable HTTP/2 next.


HTTP/2 is the second major version of the HTTP network protocol used by the world wide web.

Ratified in May 2015, HTTP/2 was created to address some significant performance problems with HTTP 1.1 in the modern web era.

  •  HTTP/2 is supported in NGINX web server starting from version 1.9.5.
  •  Currently, HTTP/2 is supported by all major web browsers.
  •  Your sites do not require any changes to get the HTTP/2 advantages.

Now, HTTP/2 is available out-of-the-box for all Plesk 12.5 customers!

Sounds good, doesn’t it? Let’s move on.

First, make sure that the latest Plesk update, Plesk 12.5.30 Update #28, is installed. We didn’t have to do anything for that, because we have auto-updates enabled on the server, and we recommend you enable them too. Then we logged in to the server via SSH as root and ran the following command-line utility:

# /usr/local/psa/bin/http2_pref enable

That’s all it took to enable HTTP/2 for our HTTPS sites! If you’re not sure about your own websites, use an online HTTP/2 checker to verify that they negotiate the protocol.


Detailed User Instructions for enabling HTTP/2 in Plesk can be found here:

If you’d like to get a second opinion, you are welcome to use the “HTTP/2 and SPDY indicator” extension for Google Chrome, found here.


We have now secured the connection between the server and the browser. The next step is to configure our WordPress site to use HTTPS only. This requires reconfiguring WordPress and replacing all http:// links inside the WordPress database with https://. If you skip this, previously uploaded content will keep triggering “mixed content” warnings:

  1. Go to the WordPress administrative interface and change both “WordPress Address” and “Site Address” to use https://
  2. Set-up a redirect for all http:// requests to https:// for the respective website.


The next step was to change the links inside the WordPress database. There are many ways to do this, from direct SQL queries to wp-cli. We did it through the WordPress interface with the “Better Search Replace” plugin, which can be installed either from the Plesk interface or from the WordPress administrative interface.

This plugin finds every occurrence of the old http:// blog URL in the WordPress database and replaces it with the https:// one. It can run as a dry run (find only) or actually perform the replacement once you are happy with what it found.

Last but not least we had to redirect all http:// requests to the https:// counterpart of our blog using the Plesk interface. We went to Websites & Domains , selected, and then “Apache and nginx Settings”

to set-up the redirect in the “Additional nginx directives” section, like this:

if ($scheme = http) {
    return 301 https://$server_name$request_uri;
}

That’s it! Now all browser requests to the http:// address are redirected with a 301 code to the https:// one, which is just what we wanted.

On a separate note:

A load speed test shows that the transition from plain HTTP to HTTPS + HTTP/2 has little impact on the site load speed.

In return, we now have a secure connection with a nice green trusted SSL certificate,  including better indexing from Google for free 🙂

By the way, we did not stop with the DevBlog: the new Plesk website (check it out!) was also built on Plesk 12.5 with the WordPress Toolkit and WordPress.

Have a nice day 🙂