How Hackers Get In (vulnerabilities)

Browser-based attacks use flaws in the web-based application code. Software most vulnerable to these types of attacks includes:

  • User interface code — provides the look and feel of the site
  • Web server — supports the physical communication between the user’s browser and the web applications
  • Front-end applications — interface directly with the user interface code and with back-end systems

Example scenarios in which a web site is compromised:

Examples of vulnerabilities

    Hack attack                              What hackers use it for
    -----------------------------------------------------------------------------
     1. Cookie Poisoning                     Identity theft / Session hijack
     2. Hidden Field Manipulation            eShoplifting
     3. Parameter Tampering                  Fraud
     4. Buffer Overflow                      Denial of service / Closure of business
     5. Cross-Site Scripting                 Hijacking / Identity theft
     6. Backdoor and Debug Options           Trespassing
     7. Forceful Browsing                    Breaking and entering
     8. HTTP Response Splitting              Phishing, identity theft and eGraffiti
     9. Stealth Commanding                   Concealing weapons
    10. 3rd Party Misconfiguration           Debilitating a site
    11. Known Vulnerabilities                Taking control of the site
    12. XML & Web Services Vulnerabilities   New layers of attack vectors & malicious use
    13. SQL Injection                        Manipulation of DB information

How do these Vulnerabilities Affect Your Customers?

Your customers can be affected in a variety of ways: from identity theft to session hijacking to the compromise of confidential and private customer data. Cross-Site Scripting (XSS) is one of the leading methods used in identity theft (and an obvious concern to financial and healthcare institutions); it attacks the user through a flaw in the website that lets the attacker obtain the user’s login and account data. Many phishing email-based schemes use cross-site scripting and other application-layer attacks to trick users into giving up their credentials.

SQL injection is one of the main attacks used when backend databases are compromised. General consensus has pegged SQL injection as the method used behind the massive compromise of credit card numbers in February of last year. We still see many cases where cookies aren’t properly secured, allowing an attacker to ‘poison’ the cookie, hijack active sessions, or manipulate hidden fields to defraud ecommerce sites. As web applications become more pervasive and more complex, so do the techniques and attacks hackers use against them. Recent vulnerabilities and attack methods discovered or reported show an alarming trend toward attacks with multi-faceted damages and even anti-forensics capabilities. This means hackers are using more powerful attacks to cause significantly more damage, while at the same time covering their tracks is becoming easier.
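The SQL injection point above, shown as an added example that is not part of the original article: a lookup that pastes user input into the query text returns every account for tampered input, while the same lookup with a bound parameter treats the input as a plain literal. The `accounts` table and its rows are constructed for the demonstration.

```python
import sqlite3


def make_db():
    # Constructed in-memory table standing in for a site's customer database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, card_last4 TEXT)")
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?)",
        [("alice", "1234"), ("bob", "5678"), ("carol", "9012")],
    )
    return conn


def lookup_vulnerable(conn, username):
    # Vulnerable: the user-supplied value becomes part of the SQL text,
    # so it can change the query's structure instead of acting as data.
    sql = f"SELECT username, card_last4 FROM accounts WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, username):
    # Hardened: a bound parameter is always handled as a literal value,
    # whatever characters it contains, so the query structure is fixed.
    sql = "SELECT username, card_last4 FROM accounts WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    tampered = "x' OR '1'='1"  # constructed example of tampered input
    print(lookup_vulnerable(db, tampered))  # all three rows leak
    print(lookup_hardened(db, tampered))    # no such user, returns []
    print(lookup_hardened(db, "bob"))       # [('bob', '5678')]
```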