When used properly, technology is a fantastic thing. It streamlines our productivity, connects us with friends around the world and reduces monotonous tasks that would otherwise eat up precious hours of lives. But where some see digital prowess, others see vulnerability. We are, of course, talking about hackers.
In a way, cybercriminals are masters of judo — they use their opponents’ own momentum to gain the upper hand. For example, hackers attack web application security because there is usually some vulnerability or oversight built into the application.
Don’t be too hard on the developers though. “Information security defenders get dinged when they don’t do their jobs perfectly,” says former Dark Reading information security reporter Mathew J. Schwartz. Attackers, on the other hand, only need to find one exploit to be considered successful. And one of the most popular ways of infiltrating a web application or service is through SQL injection.
SQL injection has been around for years and is a favorite of hackers because it is relatively difficult to detect. When a legitimate user is looking to access their account online, they will properly enter their email address and password on the first try — this information is sent to the site, through an application and then to the SQL database which will then grant them access. That’s a well-behaved user, but not everyone is so mannerly.
Instead, a crafty hacker will ‘inject’ a malicious code through the sign-in page, which will then pass through the application layer and command the SQL layer to, say, share the entire database of account information with the hacker, delete all information in the database or some other nefarious deed.
This type of attack is clever since it uses user inputs, available to anyone, for incursion. Thankfully, various web application security providers have found a way to block SQL injection attacks in real time by taking advantage of behavioral analytics.
By placing an automated safeguard on the application layer, cybersecurity providers can detect and differentiate legitimate user behavior (like typing an email address) versus bot or hacker actions (like injecting a malicious code) and quarantine the attack before it becomes a problem.
Similarly, cross-site scripting (abbreviated as ‘XSS’) is a web application exploit that targets the visitors on the site. For example, a ‘stored’ XSS attack will sometimes take advantage of an existing web form (such as a comment box, discussion thread, contact page, etc.) and implant a malicious segment of code which is then stored by the server.
When other users visit the site, they won’t see the bad code but they can still be infected by it. Maybe the hacker implanted a drive-by malware download, a keystroke logger or a fraudulent website redirect. No matter what it is, it’s not good news for your computer.
Other types of XSS exploits include ‘reflected’ and ‘DOM-based’ attacks. The former sends malicious code to a server which is then reflected to a user as a legitimate web content. The latter is injected through a DOM on a website (like a harmful code in the URL). The difference here is that the DOM-based attack does not modify the server, it only affects the code on the client’s side. However, both of these attacks rely on the user clicking the infected link.
Thankfully, there are a couple ways to improve your web application security and avoid falling prey to cross-site scripting. The first is to blacklist special characters (such as ‘<’ or ‘>’) or specific segments of code in user inputs known to be harmful. Of course, this can only do so much since there is nearly an unlimited variety of deleterious codes out there.
Supplement your XSS mitigation with input transformation to convert possible segments of codes into harmless characters. This prevents your site or sever from recognizing or accepting hacker commands.
We hope this guide has been helpful in tackling the two most common forms of web application attacks. But remember, cybersecurity is more than just a check list. It’s something that takes constant vigilance. Educate yourself about the threats to keep your business safe!