bases often contain usernames, passwords, names, addresses, phone numbers, email
addresses, birth dates, social security numbers, bank account info, etc. When we provide this
information we trust that the Webmaster is keeping the website front end up to date and free of
vulnerabilities. We trust that appropriate security measures are applied to the data base to keep
our data safe. The reality is that while most of us do trust that the websites we frequently use
are secure, many are not.
Adversaries exploit vulnerabilities to penetrate websites without being detected in order to
establish a foothold on the network and elevate privileges. Once an adversary elevates
privileges, he or she can easily traverse laterally across the targeted network maximizing the
opportunity to exfiltrate valuable data.
How SQL Injection Works
SQL (structured query language) is a programming language used to manage relational
databases. Adversaries insert, or “inject”, SQL commands into web applications using the
website’s normal data input mechanism e.g. the dialogue box. If the coding behind the input
mechanism isn’t written such that only precise data values are accepted as valid input, an
adversary could substitute SQL commands for the desired data. For example, if an adversary
can enter something other than a 10 digit phone number into a dialogue box asking for a 10 digit
phone number, without getting an error response from the Web application, then the Web
application could be vulnerable to SQL Injection.
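The 10 digit phone number case above, as an added example that is not part of the original article: a lookup that pastes the input into the SQL text beside one that checks the format and binds the value as a parameter. The table, the function names and the sample input are constructed for illustration.

```python
import re
import sqlite3

PHONE_RE = re.compile(r"[0-9]{10}")   # exactly ten ASCII digits, nothing else
CONSTRUCTED_INPUT = "' OR '1'='1"     # constructed sample: not a phone number

def make_db():
    """Build an in-memory table holding constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (name TEXT, phone TEXT)")
    db.executemany("INSERT INTO customers VALUES (?, ?)",
                   [("Alice", "5550100001"), ("Bob", "5550100002")])
    return db

def lookup_vulnerable(db, phone):
    """Weak form: the input becomes part of the SQL text and can alter the query."""
    sql = "SELECT name FROM customers WHERE phone = '" + phone + "'"
    return [row[0] for row in db.execute(sql)]

def lookup_hardened(db, phone, validate=True):
    """Hardened form: reject anything that is not 10 digits, then bind the value.

    validate=False skips the format check to show that parameter binding
    alone already keeps the input as data rather than SQL.
    """
    if validate and not PHONE_RE.fullmatch(phone):
        raise ValueError("phone must be exactly 10 digits")
    cur = db.execute("SELECT name FROM customers WHERE phone = ?", (phone,))
    return [row[0] for row in cur]

def demo():
    """Run each lookup on the constructed input and report what came back."""
    db = make_db()
    results = {
        "vulnerable": sorted(lookup_vulnerable(db, CONSTRUCTED_INPUT)),
        "bound_only": lookup_hardened(db, CONSTRUCTED_INPUT, validate=False),
    }
    try:
        lookup_hardened(db, CONSTRUCTED_INPUT)
        results["validated"] = "accepted"
    except ValueError:
        results["validated"] = "rejected"
    return results

if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, "->", outcome)
```

The weak lookup returns every customer for the malformed input and raises no error, which is the warning sign the paragraph describes; the hardened lookup rejects it, and binding alone returns no rows.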
Cross-site Scripting
Another common tactic used by adversaries to penetrate web applications is the exploitation of
Cross-site scripting (XSS) vulnerabilities. XSS allows hackers to combine malicious content
with valid web content being delivered to a client web browser. The XSS vulnerability is
manifested in the web application’s inability to identify the additional malicious code.
Two common XSS attacks are stored and reflected. A stored XSS exploit remains stored in a
message board, comments section, or in a database. This script is activated when a customer
attempts to use the affected source. As an example, a script can be written into a vulnerable
comment box in a website. The code can make all subsequent entries in the comment box
produce a pop-up message. This message may contain a malicious link or any text the
adversary desires.
Reflected XSS attacks attempt to use the trusted server as a source to link to malware. This is
accomplished by taking advantage of a response from the targeted server directing an individual
to the malicious website. As an example, once an adversary finds a vulnerable site, an email
can be sent to customers of the site with a realistic looking link. The link would go directly to the
trusted website. However, the adversary may be able to add script to the link that reflects
information from the customer’s session back to the adversary to include username, password,
etc.
With every update or addition to a web application comes the opportunity for adversaries and
criminals to discover new vulnerabilities. So website administrators need to be diligent about
maintaining the security of their websites. Website vulnerability assessments are a substantive
control that companies can implement to minimize the risk of adversaries penetrating networks
and subsequently gaining access to valuable data.
39 Cyber Warnings E-Magazine – January 2015 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide