If you’re building or maintaining a web application, then you’ll need to make sure you can protect your users against malicious web attacks. In the following post I’ll provide a high level introduction to three of the most common types of web attacks – XSS, CSRF, and SQL Injection.
XSS (CROSS SITE SCRIPTING)
XSS, or Cross Site Scripting, is a common web attack which enables attackers to inject malicious scripts into web pages viewed by other users. XSS may be used by attackers to bypass access controls such as the same origin policy. This is generally achieved by using a web application to send a browser-side script to a different end user. Because an end user’s browser has no way to know whether a script can be trusted, an attacker can use XSS to access any cookies, session tokens, or other sensitive information retained by the victim’s browser.
Stored XSS generally occurs when user input is stored on the target server, such as in a database, and is not safely rendered in the browser.
Reflected XSS occurs when user input is returned by a web application in a response that includes some or all of the input provided by the user, without it being made safe to render in the browser and without permanently storing the user input.
The following table illustrates a categorization of XSS attacks, with where the untrusted data is used (server or client) on the X axis and data persistence (stored or reflected) on the Y axis.

|           | Server               | Client               |
|-----------|----------------------|----------------------|
| Stored    | Stored Server XSS    | Stored Client XSS    |
| Reflected | Reflected Server XSS | Reflected Client XSS |
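Stored and reflected XSS differ only in where the untrusted input comes from (a database row versus the current request); the defense is the same in both cases: encode the input for the context it is rendered into, at output time. The following added example (my own illustration, not code from the original post) shows a vulnerable rendering function beside its hardened form, a stored path and a reflected path that both encode on output, and the separate handling an attribute context needs. The sample comment text and the in-memory comment list are constructed for the example.

```python
import html

# Constructed sample input standing in for what a user might submit
# through a comment form (not data from the original post).
SAMPLE_COMMENT = '<script>alert(1)</script> said "hi" & left'


def render_unsafe(text: str) -> str:
    """Vulnerable rendering: untrusted text is interpolated straight into
    the HTML body, so any tags it contains become live markup."""
    return f'<div class="comment">{text}</div>'


def render_safe(text: str) -> str:
    """Hardened rendering for the HTML body context: entity-encode the
    characters that carry meaning in HTML (<, >, &, and both quotes)."""
    return f'<div class="comment">{html.escape(text, quote=True)}</div>'


def render_attribute_safe(title: str) -> str:
    """Attribute context: always quote the attribute and encode quotes,
    otherwise input could close the attribute and start a new one."""
    return f'<a href="/" title="{html.escape(title, quote=True)}">link</a>'


# --- Stored path: input persists on the server and is rendered later ---
_comments: list = []   # in-memory stand-in for a database table (constructed)


def store_comment(text: str) -> None:
    # Store the raw text; encoding belongs at output time, where the
    # rendering context is known.
    _comments.append(text)


def comments_page() -> str:
    return "".join(render_safe(c) for c in _comments)


# --- Reflected path: input is echoed back in the same response ---
def search_results_page(query: str) -> str:
    return f"<p>Results for: {html.escape(query, quote=True)}</p>"


def has_live_script_tag(rendered: str) -> bool:
    """Check used to show the difference: does the rendered output still
    contain a raw <script tag that a browser would execute?"""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    print(render_unsafe(SAMPLE_COMMENT))
    print(render_safe(SAMPLE_COMMENT))
```

Note that `html.escape` is only correct for HTML body and quoted-attribute contexts; input placed into a JavaScript block, a URL, or a CSS value needs the encoding rules of that context instead.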
CSRF (CROSS SITE REQUEST FORGERY)
CSRF stands for Cross Site Request Forgery. This type of attack occurs when a malicious web site, email, or program causes a user’s web browser to perform an unwanted action on a trusted site for which the user is currently authenticated. On most sites, the browser request automatically includes credentials associated with the site, so the site has no way to distinguish between a legitimate and a forged request. CSRF attacks typically target functionality that causes a state change on the server, such as changing the victim’s email address or password, or making a purchase.
Example: You’re logged into your online banking account. A malicious website uses a CSRF attack to hijack your session and transfer money out of your account.
According to OWASP, two of the best defense measures against CSRF attacks are verifying that the source origin and target origin match (not always as easy as it sounds!) and using secure CSRF tokens with requests to the application.
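To make the two OWASP defenses concrete, here is an added example (my own illustration, not code from the original post or from OWASP) of the server-side checks a state-changing request would pass through: the source origin is taken from the Origin header, falling back to Referer, and compared with the configured target origin; the request must also carry a session-bound CSRF token, compared in constant time. The target origin, the secret key, and the session id are constructed values for the example.

```python
import hashlib
import hmac
from typing import Mapping, Optional
from urllib.parse import urlsplit

# Assumptions for this example (not from the original post): the
# application's own origin is configured explicitly rather than derived
# from the Host header, and the server holds a secret used to derive
# per-session tokens. Both values below are constructed placeholders.
TARGET_ORIGIN = "https://bank.example"
SECRET_KEY = b"constructed-demo-secret-do-not-reuse"


def issue_csrf_token(session_id: str) -> str:
    """Derive a token bound to the session and embed it in every form as a
    hidden field. A third-party site cannot read it because of the same
    origin policy, so it cannot forge a request that includes it."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def source_origin(headers: Mapping[str, str]) -> Optional[str]:
    """Determine the source origin from Origin, falling back to Referer.
    Returns None when neither header identifies an origin."""
    origin = headers.get("Origin")
    if origin:
        return origin
    referer = headers.get("Referer")
    if referer:
        parts = urlsplit(referer)
        if parts.scheme and parts.netloc:
            return f"{parts.scheme}://{parts.netloc}"
    return None


def origins_match(headers: Mapping[str, str]) -> bool:
    """Fail closed: a state-changing request with no identifiable source
    origin is rejected rather than assumed legitimate."""
    return source_origin(headers) == TARGET_ORIGIN


def csrf_token_valid(session_id: str, submitted: Optional[str]) -> bool:
    if not submitted:
        return False
    # Constant-time comparison so the check does not leak via timing.
    return hmac.compare_digest(issue_csrf_token(session_id), submitted)


def accept_state_change(session_id: str,
                        headers: Mapping[str, str],
                        form: Mapping[str, str]) -> bool:
    """Apply both checks to a state-changing request (e.g. a transfer)."""
    return origins_match(headers) and csrf_token_valid(
        session_id, form.get("csrf_token"))


if __name__ == "__main__":
    sid = "session-123"   # constructed session id
    token = issue_csrf_token(sid)
    print(accept_state_change(sid, {"Origin": TARGET_ORIGIN},
                              {"csrf_token": token}))
```

The origin check is where the "not always as easy as it sounds" part shows up: some browsers and privacy settings strip the Referer header, proxies and TLS termination can make the server's own origin hard to determine from the request, and a value of `null` in the Origin header must be treated as a mismatch. Configuring the target origin explicitly and rejecting requests with no identifiable source, as above, keeps those cases from becoming bypasses.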
SQL INJECTION
SQL Injection is a code injection technique used to attack data driven applications. Nefarious SQL statements are inserted into an entry field, such as a form field, for execution. If fields are not sanitized, these code injections can allow hackers to read and manipulate data from the database and in some cases issue commands to the operating system. For example, a simple SQL Injection attack could allow a hacker to dump the contents of a database.
Primary defenses against SQL Injection attacks include using prepared statements (with parameterized queries), stored procedures, whitelisted parameters (such as Strong Params in Rails), and escaping all user supplied input (as a last resort).