The introduction of the Internet opened up a world of opportunities, creating jobs, bringing the world together and creating an endless source of entertainment. Unfortunately, there are those who only see the Internet as a chance to better their own situation. These individuals do so by exploiting weaknesses and vulnerabilities most other people are unaware exist. How serious are these attacks? Hackers are gaining access to sensitive data, causing websites to crash and employing a new form of identity theft. The good news is that businesses, Internet users and developers can protect themselves by becoming aware of what these vulnerabilities are and how hackers employ them. Let's first learn about common types of vulnerabilities and how hackers use these weaknesses to attack websites and Internet users.
Denial of Service (DoS)
A denial of service, also known as DoS and distributed denial-of-service, occurs when an individual or individuals attempt to cause the suspension or interruption of a host’s Internet services. In simple terms, such an attack results in the inability of users to access a server or network resources. A common method of a DoS attack is a hacker sending a multitude of requests, ensuring the server is so busy with bogus requests that it is unable to respond to legitimate users’ requests. In the end, authentic customers and visitors are unable to access the crashed site. Attackers also use malware to bog down the server’s processors or take advantage of operating system errors, resulting in a denial of service. Common targets of DoS attacks are high-profile web servers, in particular banks, online gaming sites and sites with content that is controversial in nature.
SQL Injection
SQL injection, or SQL fishing, is a hacker’s attempt to cause a website’s database to dump data into the attacker’s computer, giving the hacker access to a company’s sensitive data, customer information and far more. Data-driven applications are vulnerable to this form of attack, particularly when the application does not check and enclose special characters in input values. The attacker places parts of a SQL statement into website text boxes requesting information, such as name, address, etc., in an effort to cause the website to allow an unauthorized SQL command that then orders the database to dump the data. The most common victims of SQL injection attacks are businesses with vulnerable databases containing sensitive user data and passwords.
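The difference between pasting a text-box value into a statement and binding it as a parameter, as an added example that is not part of the original post. The `customers` table, its rows, the function names and the form input are all constructed for illustration, using Python's built-in `sqlite3` module.

```python
import sqlite3

def make_db():
    """Build an in-memory database holding constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (name TEXT, address TEXT, password TEXT)")
    db.executemany(
        "INSERT INTO customers VALUES (?, ?, ?)",
        [("alice", "1 Main St", "pw-alice"),
         ("bob", "2 Oak Ave", "pw-bob"),
         ("carol", "3 Elm Rd", "pw-carol"),
         ("O'Brien", "4 Pine Ln", "pw-obrien")],
    )
    return db

def lookup_vulnerable(db, name):
    # Vulnerable: the text-box value is pasted into the statement, so any
    # quote characters in it become part of the SQL itself.
    sql = "SELECT name, address FROM customers WHERE name = '" + name + "'"
    return db.execute(sql).fetchall()

def lookup_parameterized(db, name):
    # Hardened: the statement text is fixed and the value is bound
    # separately, so the database only ever compares against it as data.
    sql = "SELECT name, address FROM customers WHERE name = ?"
    return db.execute(sql, (name,)).fetchall()

# Constructed form input that carries a fragment of a SQL statement.
FORM_INPUT = "nobody' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    # The pasted fragment turns the WHERE clause into one that is always true.
    print("vulnerable:   ", lookup_vulnerable(db, FORM_INPUT))
    # The same input, bound as a parameter, matches no customer name.
    print("parameterized:", lookup_parameterized(db, FORM_INPUT))
    # A legitimate name containing a quote works when bound...
    print("bound quote:  ", lookup_parameterized(db, "O'Brien"))
    # ...but breaks the concatenated statement with a syntax error.
    try:
        lookup_vulnerable(db, "O'Brien")
    except sqlite3.OperationalError as exc:
        print("concatenated: ", exc)
```

The syntax error on a legitimate name such as `O'Brien` is a useful signal during code review and testing that a query is being assembled by string concatenation.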
Cross-Site Request Forgery (CSRF)
Cross-site request forgery, otherwise known as session riding or a one-click attack, is essentially an attacker “forging” a known user’s identity to launch attacks on websites. The sites vulnerable to session riding are those that allow input from registered members but do not require authorization for certain actions committed by the user. Effectively, the hacker includes either a script or a link containing code that launches the attack via a request. If the attacker uses a link embedded with the code, when the unwitting user clicks the link a second, unknown request is embedded in the browser. When the user visits the targeted website, the hidden request is sent in the unwitting user’s name, giving the hacker the ability to change user passwords, make purchases or retrieve sensitive user data, all in the unwitting user’s name. In other cases, the hacker creates a mock website embedded with malicious code that embeds the hidden request in the visitor’s browser. No matter what method is used, the result is the same: the hacker hijacks a user’s identity to commit a number of activities in the name of a registered user.
Buffer Overflow
A buffer overflow, or a buffer overrun, is a vulnerability created when a program, written in a language such as C or C++, contains inadequate bounds checking. Simply put, buffers are created to hold a set amount of data. If the data written into the buffer exceeds this limit and there is no bounds check to ensure the input is not too large for the buffer’s storage, the input “overflows” and corrupts the adjacent data. In some cases, an overflow occurs when data is copied from buffer to buffer and the destination buffer is incapable of holding the data received. The outcome can vary from incorrect results and memory access errors to the more serious system crash or a breach of security. Needless to say, this is a vulnerability individuals can exploit; the best advice is to ensure bounds checks are firmly in place.
In our next blog post, we will talk about more common web vulnerabilities that fall under the family of Cross-Site Scripting (XSS).
Contributing Author: Dejan Lukan