How Hackers Get In (vulnerabilities)

Browser-based attacks use flaws in the web-based application code. Software most vulnerable to these types of attacks includes:

  • User interface code - provides the look and feel of the site
  • Web server - supports the physical communication between the user’s browser and the web applications
  • Front-end applications - interface directly with the user interface code and with back-end systems

 Example scenarios in which a web site is compromised:


Examples of vulnerabilities

| Hack attack | What hackers use it for |
| --- | --- |
| 1. Cookie Poisoning | Identity theft / Session hijack |
| 2. Hidden Field Manipulation | eShoplifting |
| 3. Parameter Tampering | Fraud |
| 4. Buffer Overflow | Denial of service / Closure of business |
| 5. Cross-Site Scripting | Hijacking / Identity theft |
| 6. Backdoor and Debug Options | Trespassing |
| 7. Forceful Browsing | Breaking and entering |
| 8. HTTP Response Splitting | Phishing, identity theft and eGraffiti |
| 9. Stealth Commanding | Concealing weapons |
| 10. 3rd Party Misconfiguration | Debilitating a site |
| 11. Known Vulnerabilities | Taking control of the site |
| 12. XML & Web Services Vulnerabilities | New layers of attack vectors and malicious use |
| 13. SQL Injection | Manipulation of DB information |


How do these Vulnerabilities Affect Your Customers?

Your customers can be affected in a variety of ways, from identity theft to session hijacking to the compromise of confidential and private customer data. Cross-Site Scripting (XSS) is one of the leading methods used in identity theft (and an obvious concern to financial and healthcare institutions); it attacks the user through a flaw in the website that lets the attacker obtain the user's login and account data. Many phishing email schemes use cross-site scripting and other application-layer attacks to trick users into giving up their credentials.

SQL injection is one of the main attacks used when back-end databases are compromised. General consensus has pegged SQL injection as the method behind the massive compromise of credit card numbers in February of last year. We still see many cases where cookies are not properly secured, allowing an attacker to 'poison' the cookie or hijack active sessions, and where hidden form fields can be manipulated to defraud e-commerce sites. As web applications become more pervasive and more complex, so do the techniques and attacks hackers use against them. Newly discovered or reported vulnerabilities and attack methods show an alarming trend toward attacks with multi-faceted damage and even anti-forensics capabilities: hackers are using more powerful attacks to cause significantly more damage while finding it easier to cover their tracks.
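The two client-trust failures named above, cookie poisoning and hidden field manipulation, share one root cause: the server believes state that the browser sent back. The following is an added example (not code from the original page) that places the vulnerable pattern beside its hardened form; the key, catalogue and cookie layout are constructed for the demonstration.

```python
import hmac
import hashlib
from typing import Optional

# Constructed demo key; a real deployment loads this from a secret store.
SERVER_KEY = b"constructed-demo-key-not-for-production"

# --- Cookie poisoning --------------------------------------------------
# Vulnerable: the session cookie carries the identity itself, unsigned,
# so whoever holds the cookie can rewrite "role=user" to "role=admin"
# and the server accepts the edited value as fact.
def parse_cookie_insecure(cookie: str) -> dict:
    return dict(kv.split("=", 1) for kv in cookie.split(";"))

# Hardened: the server signs the payload with an HMAC only it can
# compute, so any edit to the payload invalidates the signature.
def issue_cookie(payload: dict, key: bytes = SERVER_KEY) -> str:
    body = ";".join(f"{k}={v}" for k, v in sorted(payload.items()))
    sig = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}|{sig}"

def parse_cookie_signed(cookie: str, key: bytes = SERVER_KEY) -> Optional[dict]:
    body, _, sig = cookie.rpartition("|")
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):  # constant-time compare
        return None                             # poisoned or forged cookie
    return parse_cookie_insecure(body)          # safe: body is now authenticated

# --- Hidden field manipulation ("eShoplifting") ------------------------
# Constructed catalogue; the server, not the form, is the price authority.
CATALOGUE = {"sku-100": 499.00, "sku-200": 19.99}

def checkout_insecure(form: dict) -> float:
    # Trusts the hidden <input name="price"> the browser posted back,
    # so a shopper who edits that field sets their own price.
    return float(form["price"]) * int(form["qty"])

def checkout_hardened(form: dict) -> float:
    # Looks the price up server-side by SKU; a tampered price field is ignored.
    return CATALOGUE[form["sku"]] * int(form["qty"])
```

In a real application the same rule applies to every hidden field and cookie value that carries authorization or money: either recompute it on the server or authenticate it with a server-held key before use.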