Various Dangers Waiting for Websites

 (Source: OWASP)

As computers and the internet have become part of our daily lives, the term "cyber attack" has become more and more common. We use it for the activities carried out by attackers, but those activities take many different forms. Let us briefly look at some of the attacks a web application can face.

SQL Injection

SQL (Structured Query Language) is the language used to retrieve, delete and modify information in databases. Nearly every web application has a database behind it, and web applications communicate with that database using SQL.

SQL Injection is a vulnerability that lets a user inject SQL through input data. It occurs when user-supplied data is incorporated into a SQL query and executed by the back-end database server. A successful SQL Injection can allow the user (attacker) to read, modify or even delete sensitive data, and in some cases to interfere with the operation of the system itself.

Once an attacker can reach the database behind a website, they can alter the queries it runs at will, leaving the website owner in a very difficult position.

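The defect the section describes, as an added example that is not from the original article: the same user lookup written once by pasting input into the SQL text and once as a parameterised query, against a constructed in-memory SQLite table.

```python
import sqlite3

# Constructed in-memory users table standing in for the site's real database.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "hash-of-alice-pw", "admin"), ("bob", "hash-of-bob-pw", "user")],
    )
    return conn

def find_user_vulnerable(conn, username):
    # The user-supplied value becomes part of the SQL text itself, so quote
    # characters in the input change the meaning of the query.
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()

def find_user_safe(conn, username):
    # A parameterised query keeps the input as data: the driver never lets it
    # alter the statement, whatever characters it contains.
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()

if __name__ == "__main__":
    db = make_db()
    tautology = "nobody' OR '1'='1"  # classic test input used in security testing
    print("vulnerable:", find_user_vulnerable(db, tautology))  # every row comes back
    print("safe:      ", find_user_safe(db, tautology))        # no such user: []
```
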
Local File Inclusions

Local File Inclusion (LFI) is the inclusion of files that already exist on the server through vulnerable include routines in the application. It occurs, for example, when a page takes the path of the file to be included as an input and that input is not properly sanitized, allowing dot-dot-slash sequences to be injected.

Impact: An attacker can access and read sensitive data on the host system.

IDOR

On a website without adequate server-side protection, an attacker can easily modify the data that the user's side of the application sends. The attacker can change prices and buy a product of their choice at any price.

For example, an attacker could proceed as follows: after adding a product to the basket, when the user clicks the "Payment" option, the application sends a request to the website. This request carries the total price of the products in the "tprice" parameter, and the value of that parameter is Base64 encoded. An attacker can easily modify this request and set the parameter to a lower amount of their choice. The product is then bought at a cheaper price, resulting in a financial loss.

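The "tprice" scenario above worked through, as an added example that is not from the original article: a checkout that charges whatever the Base64 "tprice" says, beside one that recomputes the total from a server-side catalogue (the SKUs and prices are constructed).

```python
import base64
import binascii

# Constructed catalogue of prices in cents; a real shop reads these from its database.
CATALOGUE = {"sku-100": 1200, "sku-200": 350}

def encode_tprice(cents):
    # The client sends the total the way the article describes: Base64 of the amount.
    return base64.b64encode(str(cents).encode()).decode()

def decode_tprice(value):
    try:
        return int(base64.b64decode(value, validate=True).decode("ascii"))
    except (binascii.Error, ValueError):
        return None  # not valid Base64, or not an integer

def server_total(basket):
    # basket maps sku -> quantity; prices come only from the server-side catalogue.
    return sum(CATALOGUE[sku] * qty for sku, qty in basket.items())

def checkout_trusting_client(basket, tprice):
    # Vulnerable: charges whatever the browser claimed in "tprice".
    return decode_tprice(tprice)

def checkout_recomputing(basket, tprice):
    # Hardened: "tprice" is only cross-checked; the amount charged is computed here.
    expected = server_total(basket)
    claimed = decode_tprice(tprice)
    if claimed != expected:
        return {"ok": False, "charged": None, "reason": "tprice does not match basket"}
    return {"ok": True, "charged": expected, "reason": None}

if __name__ == "__main__":
    basket = {"sku-100": 1, "sku-200": 2}        # honest total: 1900 cents
    tampered = encode_tprice(1)                  # request rewritten to claim 1 cent
    print(checkout_trusting_client(basket, tampered))  # 1
    print(checkout_recomputing(basket, tampered))      # rejected
```
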
Hijack

Hijacking is an attack that seizes information held by the web application. For example, an attacker may use a user's personal information, password and e-mail details for their own benefit, retrieving them, for instance, through the "forgot password" section of your website.

Cross Site Scripting (XSS)

Cross-site scripting (XSS) is a web vulnerability that lets an attacker execute script in the user's browser by embedding code within the page's HTML.

XSS is one of the most important and critical security threats to websites. Someone exploiting XSS with malicious code can steal cookies from your web page, redirect visitors from your page to another one, and embed malicious code on your website to carry out further attacks.

There are four types of XSS: Generic XSS, Stored XSS, Reflected XSS and DOM XSS.

Cross Site Request Forgery (CSRF-XSRF)

Cross-Site Request Forgery (CSRF) is an attack that makes a user perform a sensitive or dangerous action without their consent and without realizing that anything is wrong. For example, an attacker could add new users to a portal (or trick someone into adding them) using the references he has obtained.

Click-jacking

In a click-jacking attack, an attacker lures users into acting on another, untrusted site, and can even bypass your CSRF protection. For example, the attacker can place a transparent layer over a frequently clicked element on a website so that the click goes to a site of the attacker's choosing instead of the place the user intended.

Sites such as Facebook and Twitter have been major victims of click-jacking. In one case involving Adobe Flash, users were tricked through an invisible iframe placed over the plug-in settings page into changing their security settings and making their camera and microphone accessible. As a precaution, defensive code can be added to the user interface to ensure that the current frame is the top-level window.

Brute Force Attack

Although a brute-force attack can take many forms, it usually targets the authentication part of a website: the attacker tries every possibility until the correct one is found, gaining access to confidential content or pages.

Path Traversal

This attack is also known as "dot-dot-slash", "directory traversal", "directory climbing" and "backtracking".

A path traversal attack attempts to access files and directories stored outside the web root folder. By manipulating variables that reference files with dot-dot-slash (../) sequences and their variations, or with absolute file paths, the attacker can reach arbitrary files and directories on the file system, including application source code or configuration and critical system files.

This technique succeeds on servers that do not check the location or content of the requested file. Every file or resource the application exposes is a potential entry point for an unauthorized attacker. Note that access to files is still limited by the operating system's access control (for example, files that are locked or in use on Microsoft Windows).

As precautions against this attack: do not store sensitive configuration files inside the web root, and on Windows IIS servers make sure the web root is not on the system drive, so that recursive traversal cannot reach the system root.

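One containment check that serves both the Local File Inclusion and the Path Traversal sections, as an added example that is not from the original article: the requested name is percent-decoded, resolved against the web root, and rejected if it lands outside it. The root "/var/www/html" used below is a constructed value.

```python
import os
from urllib.parse import unquote

def resolve_within_root(web_root, requested):
    """Return the absolute path for `requested` if it stays inside `web_root`, else None."""
    # Decode percent-encoding first so "%2e%2e/" is seen as "../" rather than slipping past.
    decoded = unquote(requested)
    if "\x00" in decoded:
        return None  # embedded NUL bytes truncate paths in many C-based file APIs
    root = os.path.realpath(web_root)
    # realpath collapses "..", "." and symlinks; os.path.join discards `root` when
    # `decoded` is absolute, which the containment check below then catches.
    target = os.path.realpath(os.path.join(root, decoded))
    # commonpath rather than startswith: "/var/www/html2" starts with "/var/www/html"
    # as a string but is not inside it as a directory.
    if os.path.commonpath([root, target]) != root:
        return None  # escaped the web root
    return target

def is_within_root(web_root, requested):
    return resolve_within_root(web_root, requested) is not None

if __name__ == "__main__":
    root = "/var/www/html"  # constructed web root
    for name in ("images/logo.png", "../../etc/passwd", "%2e%2e/%2e%2e/etc/passwd", "/etc/passwd"):
        print(f"{name!r:35} -> {resolve_within_root(root, name)}")
```
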
Spoofing

IP spoofing is an attack technique in which the attacker sends traffic with a forged source IP address instead of his own, which allows him to conceal himself and can serve any purpose. For example, before launching a DDoS attack, the attacker spoofs his IP address so that no trace of his identity is left behind the attack.

CORS Origin Header Scrutiny

CORS (Cross-Origin Resource Sharing) is a mechanism for managing requests that reach your web application from origins other than your own domain. As the web developed rapidly, more integrated technologies and more complex functionality required data from multiple origins, and CORS was introduced to meet that need. However, CORS requests can open vulnerabilities in the system that enable attacks such as XSS and CSRF.

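Where the CORS weakness usually lives, as an added example that is not from the original article: a handler that reflects any Origin with credentials, beside one that matches the Origin exactly against a fixed allowlist. The origins in the allowlist are constructed.

```python
from urllib.parse import urlsplit

# Constructed allowlist of the application's own front-end origins.
ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}

def cors_headers_reflecting(origin):
    # Weak pattern: whatever Origin the browser sent is echoed back together with
    # credentials, so any site can make authenticated cross-origin requests.
    if origin is None:
        return {}
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true"}

def cors_headers_allowlisted(origin):
    # Hardened pattern: exact, normalised match against the allowlist.
    if origin is None or origin == "null":
        return {}  # "null" is sent by sandboxed frames and file:// pages; never allow it
    parts = urlsplit(origin)
    if parts.scheme != "https" or not parts.netloc or parts.path or parts.query or parts.fragment:
        return {}  # an Origin is scheme://host[:port] only; anything else is malformed
    normalised = f"{parts.scheme}://{parts.netloc}".lower()
    if normalised not in ALLOWED_ORIGINS:
        return {}  # exact match, so "app.example.com.attacker.invalid" never passes
    return {"Access-Control-Allow-Origin": normalised,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin"}  # caches must not serve one origin's response to another

if __name__ == "__main__":
    for o in ("https://app.example.com", "https://app.example.com.attacker.invalid", "null"):
        print(o, "->", cors_headers_allowlisted(o))
```
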
CSV Injection

CSV Injection, also known as Formula Injection, occurs when a website embeds untrusted input into CSV files. A malicious formula placed in a CSV cell is evaluated by the spreadsheet application that opens the file, which can allow an attacker to take over the user's computer.

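A CSV export that neutralises formula-like cells, as an added example that is not from the original article; the trigger characters follow the OWASP CSV injection guidance, and the rows are constructed.

```python
import csv
import io

# Characters that make a spreadsheet treat a cell as a formula (OWASP's CSV injection list).
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

def looks_like_formula(cell):
    return str(cell).startswith(FORMULA_TRIGGERS)

def neutralise_cell(cell):
    # Prefixing with a single quote makes Excel/LibreOffice show the text literally
    # instead of evaluating it. Negative numbers are prefixed too; handle genuine
    # numeric columns separately if that is unacceptable.
    text = str(cell)
    return "'" + text if looks_like_formula(text) else text

def export_csv(rows):
    buf = io.StringIO()
    # QUOTE_ALL wraps every field, so embedded commas or quotes cannot start a new cell.
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in rows:
        writer.writerow([neutralise_cell(c) for c in row])
    return buf.getvalue()

if __name__ == "__main__":
    # Constructed export: the second user's "comment" field holds a formula, not a comment.
    rows = [["user", "comment"], ["alice", "Great product"], ["mallory", "=1+1"]]
    print(export_csv(rows))
```
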
XPath Injection

XML is a language that makes data readable and structurable by the user. XML is queried with XPath, a simple descriptive language that lets a query locate a piece of information. An attacker can deliberately send malformed input to a website to learn how its XML data is structured, to inject into the query, or to access data they normally cannot reach. If XML data is used for authentication (such as an XML-based user file), the attacker can even elevate their privileges on the website. While SQL Injection affects a more restricted area, XPath injection can reach every part of the application's data.

Form Action Hijack

Form action hijacking vulnerabilities occur when the application places user-supplied input into the action URL of an HTML form. Once such a vulnerability exists, the attacker can craft a URL which, when another visitor uses it, redirects everything that visitor enters into the form to the attacker's own server.

Function Injection

Function injection is a type of injection attack in which arbitrary function names or parameters are injected into the application and executed. If parameters can also be passed to the injected function, the result can be remote code execution. With this attack, any internal or user-defined function can be executed by the attacker.

Blind SQL Injection

Blind SQL Injection is a subcategory of SQL Injection. The only difference between the two is how the data is retrieved from the database. In a blind SQL injection, the attacker asks the database a series of questions and infers the answers from the application's responses; it usually targets websites configured to display only generic error messages.

Blind XPath Injection

Blind XPath Injection shares the characteristics of XPath Injection; the difference is how the data is retrieved. In a blind XPath injection, the attacker learns how the XML document is structured by issuing true/false queries, and can extract data from applications that store user information insecurely.

Code Injection

Code injection is the general name for attacks that inject code into an application and cause the application to interpret and execute it. The attack becomes possible when the application handles untrusted data unsafely and performs incomplete input and output validation.

Incomplete Authentication

In an incomplete authentication attack, the attacker reaches hidden functions of a web application without fully authenticating. The attacker can discover specific URLs through clues such as common file names, directory locations or error messages, or by brute force.

This attack becomes possible when users' authentication details are easily guessed or obtained.

Insufficient Authorization

In an insufficient authorization attack, the attacker gains access to protected parts of the web application that should require access control, and can thereby control all or part of the application.

DDoS

Every website can respond to only a limited number of requests, and an attacker takes advantage of this. For example, the attacker overloads a website by instructing, through command and control servers, many different devices to send millions of requests to a single site. The site is then unable to handle any other traffic: when a legitimate user tries to access it, they are met with an "Error 500" message because the website has reached its capacity while trying to respond to millions of requests. (What is DDoS?)

As you can see, the attacks discussed above are only some of the many types of cyber attack, and new attack methods emerge every day. In the end, however, cyber attacks against web applications come down to one thing: exploiting their vulnerabilities. It is therefore vital that web applications are penetration tested regularly and protected by security software that closes those vulnerabilities.

With a Bekchy account you get a Web Application Firewall that protects you against cyber attacks, and you can find out at any time which vulnerabilities your web application has by requesting a penetration test, so that you can take precautions against any attack.