Types Of Website Vulnerabilities
SQL Injection Vulnerabilities (SQLi)
Structured Query Language (SQL) is now so commonly used to manage and direct information on applications that hackers have come up with ways to slip their own SQL commands into the database. These commands may change, steal or delete data, and they may also allow the hacker access to the root system. SQL (officially pronounced ess-cue-el, but commonly pronounced “sequel”) stands for structured query language; it’s a programming language used to communicate with databases. Many of the servers that store critical data for websites and services use SQL to manage the data in their databases.
SQL injection vulnerabilities refer to areas in website code where direct user input is passed to a database. Bad actors utilize these forms to inject malicious code, sometimes called payloads, into a website’s database. This allows the cybercriminal to access the website in a variety of ways, including:
- Injecting malicious/spam posts into a site
- Stealing customer information
- Bypassing authentication to gain full control of the website
Due to its versatility, SQL injection is one of the most commonly exploited website vulnerabilities. It is frequently used to gain access to open source content management system (CMS) applications, such as Joomla!, WordPress and Drupal. SQL injection attacks, for example, have even been linked to a breach of the U.S. Election Assistance Commission and a popular video game forum for Grand Theft Auto, resulting in exposed user credentials.
Cross-Site Scripting (XSS)
In an SQL injection attack, an attacker goes after a vulnerable website to target its stored data, such as user credentials or sensitive financial data. But if the attacker would rather directly target a website’s users, they may opt for a cross-site scripting attack. Similar to an SQL injection attack, this attack also involves injecting malicious code into a website or web-based app. However, in this case the malicious code the attacker has injected only runs in the user’s browser when they visit the attacked website, and it goes after the visitor directly.
This often means attackers are injecting JavaScript on the website, so that the script is executed in the visitor’s browser. Browsers are unable to discern whether or not the script is intended to be part of the website, resulting in malicious actions, including:
- Session hijacking
- Spam content being distributed to unsuspecting visitors
- Stealing session data
Some of the largest scale attacks against WordPress have been from cross site-scripting vulnerabilities. However, XSS is not limited only to open source applications. Recently, a cross-site scripting vulnerability was found in gaming giant Steam’s system that potentially exposed login credentials to attackers.
Command Injection
Command injection vulnerabilities allow attackers to remotely pass and execute code on the website’s hosting server. This is done when user input that is passed to the server, such as header information, is not properly validated, allowing attackers to include shell commands with the user information. Command injection attacks are particularly critical because they can allow bad actors to initiate the following:
- Hijack an entire site
- Hijack an entire hosting server
- Utilize the hijacked server in botnet attacks
One of the most dangerous and widespread command injection vulnerabilities was the Shellshock vulnerability that impacted most Linux distributions.
Cross-Site Request Forgery (CSRF)
A Cross-Site Request Forgery (CSRF) attack is when a victim is forced to perform an unintended action on a web application they are logged into. The web application will have already deemed the victim and their browser trustworthy, and so executes an action intended by the hacker when the victim is tricked into submitting a malicious request to the application. This has been used for everything from harmless pranks on users to illicit money transfers.
As a result, attackers may be able to take the following actions using valid user input:
- Change order values and product prices
- Transfer funds from one account to another
- Change user passwords to hijack accounts
These types of attacks are particularly vexing for ecommerce and banking sites where attackers can gain access to sensitive financial information. A CSRF attack was recently used to seize all control of a Brazilian bank’s DNS settings for over five hours.
File Inclusion (LFI/RFI)
Remote file inclusion (RFI) attacks use the include functions in server-side web application languages like PHP to execute code from a remotely stored file. Attackers host malicious files and then take advantage of improperly sanitized user input to inject or modify an include function into the victim site’s PHP code. This inclusion can then be used to initiate the following:
- Deliver malicious payloads that can be used to include attack and phishing pages in a visitors’ browsers
- Include malicious shell files on publicly available websites
- Take control of a website admin panel or host server
Local File Inclusion (LFI), like remote file inclusion, can occur when user input is able to modify the full or absolute path to included files. Attackers can then use this vector to gain, read or write access to sensitive local files— for example, configuration files containing database credentials. The attacker could also perform a directory traversal attack, amending an included file path to review the back end and host server files, exposing sensitive data. A local file inclusion attack has to potential to become a remote file inclusion attack if, for example, the attacker is able to include log files that were previously seeded with malicious code by the attacker through public interaction.
These types of vulnerabilities are frequently used to launch other attacks, such as DDoS and cross-site scripting attacks. They have also been used to expose and steal sensitive financial information, such as when Starbucks fell victim to an inclusion attack leading to a compromise of customer credit card data.
Mitigating and Preventing Vulnerabilities
There are easy steps you can take to mitigate and prevent vulnerabilities from allowing hackers to gain unauthorized access to your website.
Update your applications – The first critical step in securing your website is to ensure all applications and their associated plugins are up to date. Vendors frequently release imperative security patches for their applications and it is important to perform these updates in a timely manner. Malicious actors stay in the loop on open source application news, and are known to use update notices as a blueprint for finding vulnerable websites. Subscribing to automatic application updates and email notifications on critical patches will help you stay one step ahead of the attackers.
Use a Web Application Firewall (WAF) – Web application firewalls are the first line of defense against those probing your website for vulnerabilities. Web application firewalls filter out bad traffic from ever accessing your website. This includes blocking bots, known spam or attack IP addresses, automated scanners, and attack based user input.
Use a malware scanner – Your last line of defense is the use of a reputable automated malware scanner. It is recommended you find one that can automatically identify and vulnerabilities and remove known malware.
>>>>>More advanced programmers may opt to manually review their code and implement PHP filters to sanitize user input. This includes methodologies such as limiting image upload forms to only .jpg or .gif files, and whitelisting form submissions to only allow expected input.
Understanding the types of vulnerabilities that hackers may attempt to use to exploit your web applications is an important first step to securing your website. Vulnerabilities can have dire consequences for not only your website and server, but for your customers’ data as well.