May 2, 2011



Websites today are used not only to showcase products and services, but also to offer customers more services such as order placing, online transactions, feedback forms, and much more. More services mean more ports opened up on the web server, and more channels into the web browser.

Snapshot
Applies To: Web admins, webmasters
USP: Types of website threats and ways to counter them.
Primary Link: www.parosproxy.org
Search Engine Keywords: website security, XSS, SQL injection, DoS attacks

It also means more opportunities for hackers to intrude into your website. A hacker could, for instance, use one of the open ports or channels to inject a virus or Trojan into your web server, which could then capture keystrokes and the login credentials of various users. The rest, as they say, is history. To elaborate on some of the consequences, the hacker could install malicious scripts on your web server to spy on your traffic sources, access your web database, alter company information, redirect your traffic, change the content of your sites, infect the computers of all customers visiting your site, and much more. Here, we tell you about the different ways in which hackers could gain access to your website, and the precautions you should take to counter them.

SQL Injection Attacks

This attack targets your website's database server. It is carried out by inserting malicious or false code into the strings a dynamic website passes to its database. It can happen on any web page that accepts user data or comments for dynamic inclusion in the page, whether or not that content requires admin moderation.

Hackers first identify websites that are vulnerable to SQL injection by running vulnerability assessment tools, and then manipulate inputs to penetrate the database. Hackers can also manipulate the database into running a query that displays records from its tables.

How to counter them: Sanitize user inputs: validate user inputs and the parameters received through the URL query string to ensure that they do not contain any malicious code. When restricting user inputs, define the set of acceptable characters the user may enter, or a set of restricted words. The definition of acceptable input should cover data type, length, range, format, etc., by using regular expressions and limiting the number of characters that can be entered in a form field.

Limiting database privileges: Consider using different database logins for different database operations on the website, e.g. a user with read-only permission for the sections of the website that display database-driven read-only data. Execute permission should be granted only on the selected stored procedures the application requires. Direct access to database tables should be avoided as far as possible.
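
As an added example (not code from the article), the following Python script puts the whitelist validation described above beside the standard fix of binding user input as a query parameter, which the article does not spell out; the product table, its code format and the in-memory sqlite3 database are assumptions made for the demo.

```python
import re
import sqlite3

# Assumed input format for the demo: two upper-case letters, a dash, 3-4 digits.
CODE_PATTERN = re.compile(r"^[A-Z]{2}-\d{3,4}$")
MAX_CODE_LEN = 7


def setup_db() -> sqlite3.Connection:
    """Create an in-memory table with constructed sample rows (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (code TEXT, name TEXT, price REAL)")
    conn.executemany(
        "INSERT INTO products VALUES (?, ?, ?)",
        [("AB-123", "Widget", 9.99), ("CD-456", "Gadget", 19.99)],
    )
    return conn


def validate_code(code: str) -> bool:
    """Whitelist check covering type, length and format, as the article advises."""
    return (
        isinstance(code, str)
        and len(code) <= MAX_CODE_LEN
        and CODE_PATTERN.match(code) is not None
    )


def lookup_vulnerable(conn: sqlite3.Connection, code: str) -> list:
    """Builds the SQL by string concatenation: the user's text becomes part of the
    query, so a quote in the input changes the query's logic instead of a value."""
    sql = "SELECT name FROM products WHERE code = '" + code + "' ORDER BY code"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, code: str) -> list:
    """Rejects anything outside the whitelist, then binds the value as a
    parameter so the database driver can only ever treat it as data."""
    if not validate_code(code):
        return []
    sql = "SELECT name FROM products WHERE code = ? ORDER BY code"
    return [row[0] for row in conn.execute(sql, (code,))]


if __name__ == "__main__":
    db = setup_db()
    injected = "' OR '1'='1"  # constructed tautology input for the demo
    print(lookup_vulnerable(db, injected))  # every row, not just one product
    print(lookup_safe(db, injected))        # [] - rejected by the whitelist
```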

Cross-Site Scripting (XSS) attacks

How they work: This is a common website vulnerability. It allows attackers to inject client-side script into dynamic web pages. If a user's browser executes that injected script, the hacker can access important information from the user's computer. Programs like rich text editors, various Office tools, etc., which allow users to add HTML tags as part of their input, are the most common vectors for XSS attacks. Attackers can use them to store client-side scripts in the database and access cookies or other sensitive information. Cross-site scripting takes advantage of numerous programming technologies including ActiveX, Flash, JavaScript and VBScript, as well as chat and mail services like Gmail and Yahoo!, and comment forms that accept input from users on your website.

How to counter them: HTML metacharacters in user input (such as <, >, & and quotes) should be translated into their encoded Unicode or entity equivalents before the input is written into a page, so that the browser renders them as literal characters rather than as markup.
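
As an added example (not code from the article), this Python snippet performs the metacharacter translation described above and shows a stored comment rendered both raw and encoded; the comment text and the page fragment are constructed for the demo.

```python
# Mapping of HTML metacharacters to their entity equivalents. Going character
# by character avoids the classic bug of escaping "&" after the other entities.
HTML_ESCAPES = {
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#x27;",
}

# Constructed sample comment (not from the article): ordinary text mixed with
# a script tag and comparison signs that would otherwise be read as markup.
SAMPLE_COMMENT = 'Great price! <script>alert("x")</script> 5 > 4 & 3 < 4'


def escape_for_html(text: str) -> str:
    """Translate each metacharacter so the browser shows it as literal text."""
    return "".join(HTML_ESCAPES.get(ch, ch) for ch in text)


def render_comment_vulnerable(comment: str) -> str:
    """Stored comment written straight into the page: any tag inside it is live."""
    return '<p class="comment">' + comment + "</p>"


def render_comment_safe(comment: str) -> str:
    """Same page fragment, but the user's text is encoded first."""
    return '<p class="comment">' + escape_for_html(comment) + "</p>"


def has_live_tag(rendered: str, tag: str) -> bool:
    """Demo check: does an unescaped opening tag still appear in the output?"""
    return ("<" + tag) in rendered.lower()


if __name__ == "__main__":
    print(render_comment_vulnerable(SAMPLE_COMMENT))  # <script> survives
    print(render_comment_safe(SAMPLE_COMMENT))        # &lt;script&gt; inert text
```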

DoS Attacks

How they work: In a Denial-of-Service attack, an attacker blocks access to a website by issuing a vast number of requests or actions that degrade its performance (filling up logs, uploading large files, repeatedly triggering tasks that require a lot of memory). A DoS attack blocks access to the website for legitimate users. It is mostly done by making a large number of requests for web pages, or by consuming bandwidth through repeated page access.

How to counter them: Packet filtering is one of the common methods for blocking DoS attacks. You set up a packet filter on the network so that it sees the stream of traffic before it reaches the web server. The packet filter inspects each packet passing through the network and drops DoS packets based on user-defined rules (blocking certain keywords, etc.).

CRLF Injection

How they work: Unlike most exploits, CRLF injection does not take advantage of security vulnerabilities in the operating system or web server software. Instead, it exploits the way the application was scripted. For instance, an attacker can insert a statement into a web form along with CR (Carriage Return) and LF (Line Feed) characters. The chance for exploitation arises when the application accepts the injected CR and LF as though they were the line breaks it was written to expect. This attack is very dangerous as it has the power to disable an entire website.
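
The article gives no countermeasure for this one. As an added example (not code from the article), this Python snippet assumes the two places where injected line breaks usually matter, a response header built from form input and a log entry, and shows the injected CR/LF producing an extra header beside code that refuses or neutralises it; the form input and header name are constructed for the demo.

```python
# Constructed form input (not from the article): a greeting followed by a
# CR LF pair and text shaped like a second header line.
SAMPLE_INPUT = "Welcome back\r\nX-Injected: yes"


def build_header_vulnerable(user_value: str) -> str:
    """Header line built by pasting raw form input straight in."""
    return "X-Greeting: " + user_value + "\r\n"


def header_count(raw_headers: str) -> int:
    """Count the header lines a receiver would see (CRLF-delimited)."""
    return len([line for line in raw_headers.split("\r\n") if line])


def sanitize_header_value(value: str) -> str:
    """Refuse values containing CR or LF: a header value can never legitimately
    hold them, so rejecting is safer than silently editing the input."""
    if "\r" in value or "\n" in value:
        raise ValueError("CR/LF not permitted in header value")
    return value


def build_header_safe(user_value: str) -> str:
    """Same header, but the value is checked before it is used."""
    return "X-Greeting: " + sanitize_header_value(user_value) + "\r\n"


def sanitize_for_log(value: str) -> str:
    """For log entries, keep the evidence but make the line breaks visible as
    text so the input cannot forge a separate, legitimate-looking log line."""
    return value.replace("\r", "\\r").replace("\n", "\\n")


if __name__ == "__main__":
    print(header_count(build_header_vulnerable(SAMPLE_INPUT)))  # 2 headers
    print(repr(sanitize_for_log(SAMPLE_INPUT)))                  # one line
    try:
        build_header_safe(SAMPLE_INPUT)
    except ValueError as err:
        print("rejected:", err)
```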

Brute force password guessing attacks

How they work: This type of attack depends upon manual effort by the hacker. The hacker simply keeps on guessing various combinations of admin or root passwords to gain unauthorized access to the web server. The hacker can make many trials until he hits the right password. Here the hacker can be a known person and does not need any tool or scripting program to hack.

How to counter them: Brute force password guessing attacks can be detected by simply checking the server logs for the number of failed login attempts. The admin can check the IP address the attempts are made from, easily trace that address, and block it. The best way to be secure from this attack is to keep your password alphanumeric, with both lower- and upper-case letters.
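
As an added example (not code from the article), this Python script runs the log check described above over a few constructed login-log lines, tallies failures per source address, lists the addresses that cross a threshold, and turns the password advice into a check; the log format, the threshold and the minimum length are assumptions for the demo.

```python
import re
from collections import Counter

# Constructed log lines (not from the article) in a simplified auth-log style;
# the IP addresses come from the documentation ranges, not real hosts.
SAMPLE_LOG = """\
2011-05-02 10:00:01 LOGIN FAILED user=admin ip=203.0.113.7
2011-05-02 10:00:02 LOGIN FAILED user=admin ip=203.0.113.7
2011-05-02 10:00:03 LOGIN FAILED user=root ip=203.0.113.7
2011-05-02 10:00:04 LOGIN FAILED user=admin ip=203.0.113.7
2011-05-02 10:00:05 LOGIN FAILED user=administrator ip=203.0.113.7
2011-05-02 10:00:06 LOGIN FAILED user=admin ip=203.0.113.7
2011-05-02 10:00:07 LOGIN FAILED user=alice ip=198.51.100.3
2011-05-02 10:00:09 LOGIN OK user=alice ip=198.51.100.3
"""

# Assumed line layout: date time LOGIN <FAILED|OK> user=<name> ip=<addr>
LINE_RE = re.compile(r"^\S+ \S+ LOGIN (FAILED|OK) user=(\S+) ip=(\S+)$")


def failed_logins_by_ip(log_text: str) -> Counter:
    """Tally failed attempts per source address; unmatched lines are skipped."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(1) == "FAILED":
            counts[m.group(3)] += 1
    return counts


def suspicious_ips(log_text: str, threshold: int = 5) -> list:
    """Addresses at or above the failure threshold: candidates for blocking.
    A real user's single typo stays well under the threshold."""
    counts = failed_logins_by_ip(log_text)
    return sorted(ip for ip, n in counts.items() if n >= threshold)


def password_meets_policy(password: str, min_len: int = 8) -> bool:
    """The article's advice as a check: alphanumeric with both letter cases."""
    return (
        len(password) >= min_len
        and password.isalnum()
        and any(c.isdigit() for c in password)
        and any(c.islower() for c in password)
        and any(c.isupper() for c in password)
    )
```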

Some other precautions

Use of “xp_cmdshell”: “xp_cmdshell” is an extended stored procedure installed by default on Microsoft SQL Server. Attackers can use it to download their hacking tools onto a compromised database server. Access to “xp_cmdshell” is usually limited to administrative accounts, but it is possible to grant it to other users as well.

The admin must not disclose it and must not grant any other user access to it, as xp_cmdshell connects to Windows using the account name and password stored in the credential named ##xp_cmdshell_proxy_account##. If this proxy credential does not exist, xp_cmdshell will fail.
