Browser-based attacks use flaws in the web-based application code. Software most vulnerable to these types of attacks includes:
- User interface code — provides the look and feel of the site
- Web server — supports the physical communication between the user’s browser and the web applications
- Front-end applications — interfaces directly with the user interface code, and back-end systems
Example scenarios in which a web site is compromised:
Examples of vulnerabilities
| Hack attack | What hackers use it for |
| 1. Cookie Poisoning | Identity theft/ Session Hijack |
| 2. Hidden Field Manipulation | eShoplifting |
| 3. Parameter Tampering | Fraud |
| 4. Buffer Overflow | Denial of Service/ Closure of Business |
| 5. Cross-Site Scripting | Hijacking/ Identity Theft |
| 6. Backdoor and Debug Options | Trespassing |
| 7. Forceful Browsing | Breaking and Entering |
| 8. HTTP Response Splitting | Phishing, Identity Theft and eGraffiti |
| 9. Stealth Commanding | Concealing Weapons |
| 10. 3rd Party Misconfiguration | Debilitating a Site |
| 11. Known Vulnerabilities | Taking control of the site |
| 12. XML & Web Services Vulnerabilities | New layers of attack vectors & malicious use |
| 13. SQL Injection | Manipulation of DB information |
How do these Vulnerabilities Affect Your Customers?
Your customers can be affected in a variety of ways: from identity theft to session hijacking to the compromise of confidential and private customer data. Cross-Site Scripting (XSS) is one of the leading methods used in identity theft (and an obvious concern to financial and healthcare institutions); it attacks the user via a flaw in the website that enables the attacker to gain access to login and account data from the user. Many of the phishing email-based schemes use cross-site scripting and other application layer attacks to trick users into giving up their credentials.
SQL injection is one of the main attacks used when backend databases are compromised. General consensus has pegged SQL injection as the method used behind the massive compromise of credit card numbers in February of last year. We still see many cases where cookies aren’t properly secured, allowing an attacker to ‘poison’ the cookie, hijack active sessions or manipulate hidden fields to defraud ecommerce sites. As web applications become more pervasive and more complex, so do the techniques and attacks hackers are using against them. Recent new vulnerabilities and attack methods discovered or reported show an alarming trend toward attacks with multi-faceted damages and even anti-forensics capabilities. This means hackers are using more powerful attacks to cause significantly more damage, while at the same time covering their tracks is becoming easier.
