Beating Back Web-based Attacks

By Bill Kenealy

While the specifics of how most cyber attacks on companies are committed may not interest some, security professionals do not have that luxury. What's striking is that in addition to maintaining a broad view of the myriad ways in which an enterprise can be compromised, IT professionals also need an in-depth knowledge of each attack vector. In his new webinar, When Applications Attack!, security expert Ryan Hendricks surveys the top 10 vulnerabilities facing companies today according to the Open Web Application Security Project (OWASP), and also rolls up his sleeves and starts coding in order to show webinar participants in vivid detail how the attacks are carried out. Using OWASP's free, web-based penetration testing application Mutillidae to illustrate his point, Hendricks shows just how easy it is for hackers to gain access to corporate data via what OWASP regards as the top threat today, SQL injection.

SQL injection involves attacking a database by directly communicating with the server. "Normally a web application passes information over to a SQL database," Hendricks says. "However, if there is no filtering done, a hacker can communicate directly with the database on the back end and then insert, change or remove any of the data in that database." Using a test web site available on Mutillidae, Hendricks demonstrated how login screens are especially susceptible to SQL injection. His first step was to attempt to log in with a fictitious name and password.

The goal was to purposely cause the site to generate an error message from which he could decipher information about the security settings in place on the database server. From there, Hendricks copied and pasted the SQL command contained in the error message into a text editor, altered the script relating to how the site handles usernames and passwords, and reinserted the altered text via the login screen. He was immediately granted access to the test site as an administrator. "Using SQL injection you can bypass authentication completely on the login screen," he says.
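The two points above, a login query that fails loudly on unexpected input and a database error that the site hands back to the browser, both come from building SQL out of user-supplied strings. The following is an added example, not code from the webinar or from Mutillidae: a constructed in-memory SQLite user table, a login handler that splices the username into the statement text, and the same check written with a parameterised query. The account name, password and table layout are all invented for the demonstration.

```python
import hashlib
import sqlite3

# Constructed demo: an in-memory user table with one account (not real data).
# Passwords are stored as SHA-256 digests only to keep the example short; a
# real application should use a slow, salted password hash such as argon2 or bcrypt.
def hash_pw(password):
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, pw_hash TEXT, role TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?, ?)",
                 ("alice", hash_pw("correct horse"), "admin"))
    conn.commit()
    return conn

def vulnerable_login(conn, username, password):
    """Login handler that splices user input straight into the SQL text.

    Anything the user types becomes part of the statement, so a single quote
    in the username changes the query's structure instead of being data.
    Returns the account's role on success, None on failure.
    """
    query = ("SELECT role FROM users WHERE username = '" + username
             + "' AND pw_hash = '" + hash_pw(password) + "'")
    row = conn.execute(query).fetchone()
    return row[0] if row else None

def safe_login(conn, username, password):
    """Same check with a parameterised query: input is bound as data, never parsed as SQL."""
    row = conn.execute(
        "SELECT role FROM users WHERE username = ? AND pw_hash = ?",
        (username, hash_pw(password)),
    ).fetchone()
    return row[0] if row else None

def leaked_error_text(conn, username, password):
    """Return the database error the vulnerable handler raises for this input, or None.

    A site that echoes this text to the browser hands out the reconnaissance the
    article describes; log it server-side and show the user a generic message instead.
    """
    try:
        vulnerable_login(conn, username, password)
    except sqlite3.OperationalError as exc:
        return str(exc)
    return None

if __name__ == "__main__":
    db = make_db()
    print("safe login, good creds:      ", safe_login(db, "alice", "correct horse"))
    print("safe login, name with quote: ", safe_login(db, "O'Brien", "guess"))
    print("vulnerable, name with quote: ", leaked_error_text(db, "O'Brien", "guess"))
```

A perfectly legitimate username such as O'Brien is enough to break the concatenated query, and the resulting error text describes the statement structure; the parameterised version treats the same input as an ordinary string and simply reports a failed login.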

The comment sections on blogs are another potential source of infection, Hendricks says. Using a common technique known as persistent cross-site scripting, an attacker can execute malicious scripts on legitimate websites by inserting them as comments. This type of attack is especially pernicious because it is executed by the user's own browser. Another technique known as cross-site request forgery exploits people's tendency to trust requests generated by Web sites they are on as well as their tendency to have multiple browser tabs open at once.

If a user is already logged in to a legitimate site, an attacker can send a malicious link, opened in another tab, that tricks the user's browser into submitting a forged request to that site. "Because you already have that trust established between you and that server that's what makes cross-site request forgery work," Hendricks says. "If you are going to be banking or doing anything that is secure, it's not a good idea to have 15 tabs open in your browser clicking on all types of links because that's when you expose yourself to this." Much as he advises individual users to apply a healthy dose of caution in order to avoid Web-based attacks, Hendricks says there is some low-hanging fruit for IT security professionals as well.
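The trust Hendricks describes is the session cookie, which the browser attaches to every request to the site regardless of which tab or origin started it. The standard server-side counter is a token that only the site's own pages can carry. The following is an added example, not from the webinar: a constructed request handler for a money-transfer form, with a session-bound synchronizer token, plus two constructed requests, one from the bank's own form and one auto-submitted from a page in another tab. The secret, session id and field names are invented for the demonstration.

```python
import hashlib
import hmac

# Constructed server-side secret; in production it comes from configuration, not source.
SERVER_SECRET = b"constructed-demo-secret-do-not-reuse"

def issue_csrf_token(session_id, secret=SERVER_SECRET):
    """Derive a token bound to this login session (the synchronizer token pattern).

    The site embeds it in every state-changing form it serves. A page on another
    origin never learns it, because the browser does not let other sites read
    this site's HTML or cookies.
    """
    return hmac.new(secret, session_id.encode("utf-8"), hashlib.sha256).hexdigest()

def verify_csrf_token(session_id, submitted, secret=SERVER_SECRET):
    expected = issue_csrf_token(session_id, secret)
    # Constant-time comparison; a missing token compares as the empty string.
    return hmac.compare_digest(expected, submitted or "")

def handle_transfer(request, secret=SERVER_SECRET):
    """Handle a state-changing POST. `request` is a constructed dict standing in for an HTTP request."""
    session_id = request.get("cookies", {}).get("session")
    if session_id is None:
        return "401 not logged in"
    if request.get("method") != "POST":
        return "405 state changes require POST"
    if not verify_csrf_token(session_id, request.get("form", {}).get("csrf_token"), secret):
        return "403 CSRF token missing or invalid"
    return "200 transfer accepted"

def sample_requests():
    """Two constructed requests reaching the bank while the user is logged in."""
    session_id = "sess-1234"  # constructed value
    # 1. The user submits the bank's own form, which carries the token the bank issued.
    legitimate = {
        "method": "POST",
        "cookies": {"session": session_id},
        "form": {"to": "savings", "amount": "100", "csrf_token": issue_csrf_token(session_id)},
    }
    # 2. A form on an unrelated site, auto-submitted from a second tab. The browser
    #    still attaches the session cookie, but the foreign page cannot supply the token.
    forged = {
        "method": "POST",
        "cookies": {"session": session_id},
        "form": {"to": "elsewhere", "amount": "100"},
    }
    return legitimate, forged

if __name__ == "__main__":
    for label, req in zip(("legitimate", "forged"), sample_requests()):
        print(label, "->", handle_transfer(req))
```

The cookie alone no longer proves the user meant to send the request; the token does. Marking the session cookie `SameSite=Lax` or `SameSite=Strict` is a complementary defence, since the browser then withholds the cookie from cross-site form submissions in the first place.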

In addition to making sure that your users are only installing trusted software and add-ons to browsers, security professionals need to make sure that all the input to your company's web site is filtered for malicious, executable code on both the client and server side. "Never trust input from the user," he says.
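Hendricks' "never trust input from the user" applies to the blog-comment scenario above as much as to the login form. Filtering comments for executable code on the way in is hard to get right, because what counts as executable depends on where the text ends up; the reliable server-side step is to validate input against what a comment should look like and then encode it for the context it is rendered into. The following is an added example, not from the webinar: a constructed set of comments, a server-side validator that rejects rather than cleans, and an HTML-body encoder applied on output. The comment texts and length limit are invented for the demonstration.

```python
import html
import unicodedata

MAX_COMMENT_LEN = 500  # constructed limit for the demo

# Constructed comments, as a blog's comment form might receive them (not real site data).
SAMPLE_COMMENTS = [
    "Great post, thanks!",
    "I <3 this & that",
    "<script>alert(1)</script>",
    "sneaky\x00comment",
]

def validate_comment(text):
    """Server-side input check: returns (ok, reason). Rejects bad input, never 'cleans' it."""
    if not isinstance(text, str) or not text.strip():
        return False, "empty"
    if len(text) > MAX_COMMENT_LEN:
        return False, "too long"
    # Reject control characters (other than newline and tab) that have no place in a comment.
    for ch in text:
        if unicodedata.category(ch) == "Cc" and ch not in "\n\t":
            return False, "control character"
    return True, "ok"

def render_comment(text):
    """Output encoding for an HTML body context: any markup in the comment becomes literal text.

    The browser then shows '<script>' to the reader instead of executing it, which is
    what stops a persistent (stored) cross-site scripting payload from running.
    """
    return "<p class=\"comment\">" + html.escape(text, quote=True) + "</p>"

def build_comment_section(comments):
    """Validate every comment on the way in, then encode each one on the way out."""
    accepted, rejected = [], []
    for c in comments:
        ok, reason = validate_comment(c)
        if ok:
            accepted.append(c)
        else:
            rejected.append((c, reason))
    page = ("<section id=\"comments\">\n"
            + "\n".join(render_comment(c) for c in accepted)
            + "\n</section>")
    return page, rejected

def has_script_tag(page_html):
    """Check for a live <script> element; a correctly encoded page never contains one."""
    return "<script" in page_html.lower()

if __name__ == "__main__":
    page, rejected = build_comment_section(SAMPLE_COMMENTS)
    print(page)
    print("rejected:", rejected)
    print("contains live script tag:", has_script_tag(page))
```

Note that the script comment passes validation: it is valid text, and the defence is that it is encoded on output, not that the server recognised it as malicious. A comment rendered into a different context, such as an HTML attribute or a JavaScript string, needs the encoder for that context rather than `html.escape`.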

Bill Kenealy

Bill Kenealy is a copywriter and blogger specializing in enterprise technologies. A graduate of the University of Kansas with a degree in journalism, Bill has 15 years of experience reporting on business and IT. Bill recently relocated to the Twin Cities and enjoys travel and exploring his new home state with his wife. He enjoys reading, PC gaming and watching football by himself.

This blog entry was originally posted March 29, 2016 by Bill Kenealy