3 Common Web Attacks

November 27, 2016 | Security, Web Development

If you’re building or maintaining a web application, then you’ll need to make sure you can protect your users against malicious web attacks. In the following post I’ll provide a high level introduction to the three of the most common types of web attacks – XSS, CSRF, and SQL Injection.

XSS (CROSS SITE SCRIPTING)

XSS, or Cross Site Scripting, is a common web attack which enables attackers to inject malicious scripts into web pages viewed by other users. XSS may be used by attackers to bypass access controls such as the same origin policy. This is generally achieved by using a web application to send a browse-side script to a different end user. Because an end user’s browser has no way to know if a script can be trusted, an attacker can use XSS to access any cookies, session tokens, or other sensitive information retained by victim’s browser.

There are several different types of XSS attacks, which can originate from the server or the client, and can be stored, reflected, or DOM based. Server XSS occurs when untrusted user input is included in an HTML response generated by the server. Client XSS occurs when untrusted user input is used to update the DOM with an unsafe JavaScript call (which introduces valid JavaScript into the DOM).

Stored XSS generally occurs when user input is stored on the target server, such as in a database, and is not safely rendered in the browser.

Reflected XSS occurs when user input is returned by a web application in a response that includes some or all of the input provided by the user, without it being made safe to render in the browser and without permanently storing the user input.

DOM Based XSS occurs when the entire data flow from source to sink takes place in the browser and never leaves the browser. Sources are the properties that are read from the DOM. Sinks are points in the flow of data at which the untrusted input gets outputted on the page or executed by JavaScript within the page.

The following table illustrates a categorization of XSS attacks, with where untrusted data is used on the X axis and data persistence on the Y axis.

XSS Server Client
Stored Stored Server XSS Stored Client XSS
Reflected Reflected Server XSS Reflected Client XSS

CSRF (Cross Site Request Forgery)

CSRF is Cross Site Request Forgery. This type of attack occurs when a malicious web site, email, or program, causes a user’s web browser to perform an unwanted action on a trusted site for which the user is currently authenticated. On most sites, the browser request automatically includes credentials associated with the site, so the site will have no way to distinquish between a legitimate and forged requesst. CSRF attacks typically target functionality that causes a state change on the server, such as changing the victim’s email address or password, or making a purchase.

Example: You’re logged into your online banking account. A malicious website uses a CSRF attack to hijack your session and transfer money out of your account.

According to OWASP, two of the best defense measures against CSRF attacks are verifying that the source origin and target origin match (not always as easy as it sounds!) and using secure CSRF tokens with requests to the application.

SQL Injection

SQL Injection is a code injection technique used to attack data driven applications. Nefarious SQL statements are inserted into an entry field, such as a form field, for execution. If fields are not sanitized, these code injections can allow hackers to read and manipulate data from the database and in some cases issue commands to the operating system. For example, simple SQL Injection attack could allow a hacker to dump the contents of a database.

Primary defenses against SQL Injection attacks include using prepared statements (with parameterized queries), stored procedures, whitelisted parameters (such as Strong Params in Rails), and escaping all user supplied input (as a last resort). 

Further Reading:

OWASP

DOM Based XSS Attacks

Leave a Reply

Your email address will not be published. Required fields are marked *