Webinar: Five Common Website Attacks and How to Prevent Them

March 18, 2020 - Ensighten

If we look back at website attack methodologies, we can see a distinct shift in their target and focus. Traditionally, cybercriminals have focused on the infrastructure or webserver, taking advantage of holes in the operating system or in the website code to gain access and steal customer data.

Organizations have since become better at protecting their infrastructure by implementing new and more effective perimeter technologies. As a result, cybercriminals have found it increasingly difficult to break in and have instead turned their attention to the next weakness: the website user.

Cybercriminals have started to leverage weaknesses in the browser, exploiting technologies such as JavaScript, which are heavily used today to allow website owners to provide rich and immersive experiences. Client-side web skimming, for example, has enabled the hacker group Magecart to successfully breach over 18,000 websites in 2019 alone, stealing the payment data of millions of users. Here we look at five common website attacks and how you can prevent them to avoid the damaging impact of a cyberattack.

Buffer overflow attacks

Buffer overflow attacks can be used to target both the end user and also the website infrastructure. These can result in large data breaches, oftentimes resulting in full access to the organization’s customer data.

Buffer overflow vulnerabilities exist because of bugs in code where user input is not length-checked and can therefore be used to overwrite existing service code with other instructions. Today, applications written in languages such as PHP or JavaScript are mostly safe from buffer overflows. However, these same applications often rely on libraries that can still contain exploitable bugs.

The most critical thing an organization can do to protect against buffer overflow attacks is to stay current on patching. When vendors become aware of security issues within their software, they will often issue fixes in the form of patches. Organizations should closely monitor the vendors they use and apply recommended updates, especially security related ones.

Web application firewalls are also often successful in preventing at least the known buffer-overflow exploit attempts, as these solutions can look for specific traffic patterns and block requests that look suspicious.

Cross-site scripting (XSS)

Cross-site scripting (XSS) is a common client-side cyberattack which takes advantage of websites which don’t sanitize user input.

Consider a comments section on a website; when a user enters their comment, that text gets stored within the website’s database and is then displayed for every other user viewing the same article or section.

If, instead of writing normal text, a hacker were able to submit JavaScript code, it would be stored just like any other comment, rendered for every other user viewing the page and run within each of their browsers.

This code could do anything from stealing cookies and monitoring keystrokes to capturing session tokens, allowing the hacker to authenticate to the website as the victim.

Organizations can prevent cross-site scripting by employing strong coding practices and QA which actively check every point that accepts user input to ensure that validation and output encoding are being performed.

The challenge, however, is that as with any technology, things get missed and bugs get introduced. When this happens, organizations often need security technologies to help prevent those bugs from being exploited.

Web skimming protection will prevent JavaScript code from being able to send data to unknown sources, so even if a cross-site scripting exploit existed, it could not be used to steal user data like cookies or session tokens.
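The stored-comment scenario above, as an added example that is not part of the original post: the vulnerable rendering concatenates stored text straight into HTML, while the hardened rendering encodes it for the HTML body and attribute contexts at output time. The comments are constructed sample data; the `has_active_content` check is only a crude comparison aid, not a real detector.

```python
import html

# Constructed comments as they would sit in the database: one ordinary comment
# and two that contain markup instead of text (the case the article describes).
STORED_COMMENTS = [
    "Great article, thanks!",
    '<script>alert("xss")</script>',
    'nice" onmouseover="alert(1)',
]


def render_unsafe(comments):
    """Vulnerable pattern: stored text is concatenated directly into the page,
    so a comment that is really markup is rendered (and executed) as markup."""
    return "<ul>" + "".join(f'<li title="{c}">{c}</li>' for c in comments) + "</ul>"


def render_safe(comments):
    """Hardened pattern: encode at output time for the context the text lands in.
    html.escape(quote=True) covers both the element body and a quoted attribute
    value; JavaScript or URL contexts would need their own encoders."""
    return "<ul>" + "".join(
        f'<li title="{html.escape(c, quote=True)}">{html.escape(c, quote=True)}</li>'
        for c in comments
    ) + "</ul>"


def has_active_content(rendered):
    """Crude check used only to compare the two renderings: does the output
    contain a script element or an inline event-handler attribute?"""
    low = rendered.lower()
    return "<script" in low or ' onmouseover="' in low


if __name__ == "__main__":
    print("unsafe rendering executes comment markup:", has_active_content(render_unsafe(STORED_COMMENTS)))
    print("safe rendering executes comment markup:  ", has_active_content(render_safe(STORED_COMMENTS)))
```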

SQL injection

SQL (Structured Query Language) injection also results from a website not properly validating user input, and it generally targets the webserver and its backend infrastructure. In a SQL injection attack, SQL code is inserted into user-input fields of a website and is then processed as code by the database behind the webserver.

Consider a website that sells shirts. A user would typically use the website to search for blue shirts; when the search is submitted, the website builds a query containing the search term, blue shirts. The database server in turn runs the query and returns all records matching blue shirts.

If a cybercriminal were able to enter SQL code into the search box, and the webserver, instead of validating it, simply passed it to the database server, the code would be processed as-is and the database server would return whatever the code asked for. The perpetrator, for example, may ask for all of the usernames and passwords in the database or other sensitive information.

The first layer of protection for preventing SQL injection is to utilize good coding practices. Most languages and libraries contain functions for accessing databases that are designed to prevent SQL injection. Where database access is required, these functions should be used.

WAFs and open source components can be added to web servers, such as Apache and Nginx, to look for SQL code within requests and prevent them when found.
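The shirt-search scenario above, as an added example that is not part of the original post: the vulnerable search builds the SQL text from the user's term, while the hardened search uses the placeholder facility the database driver provides (the kind of function the text refers to), so the term is only ever treated as data. The product table is constructed sample data held in an in-memory SQLite database.

```python
import sqlite3


def build_db():
    """Constructed sample catalogue in an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, colour TEXT)")
    conn.executemany(
        "INSERT INTO products (name, colour) VALUES (?, ?)",
        [("Oxford shirt", "blue"), ("Polo shirt", "red"), ("Linen shirt", "white")],
    )
    conn.commit()
    return conn


def search_unsafe(conn, term):
    """Vulnerable pattern: the search term becomes part of the SQL statement itself,
    so quotes and operators inside it change what the query means."""
    sql = "SELECT name FROM products WHERE colour = '" + term + "' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn, term):
    """Hardened pattern: a parameterized query. The driver sends the statement and
    the value separately, so the term can never be parsed as SQL."""
    sql = "SELECT name FROM products WHERE colour = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (term,))]


if __name__ == "__main__":
    db = build_db()
    for term in ("blue", "' OR 1=1 --"):
        # The second term is a constructed malformed input: the unsafe search
        # returns the whole table, the safe search simply finds no such colour.
        print(repr(term), "unsafe:", search_unsafe(db, term), "safe:", search_safe(db, term))
```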

Client-side data exfiltration and web skimming

Data exfiltration through JavaScript injection, also known as web skimming, is a relatively new type of attack, but it is especially effective at data theft and has been used by groups such as Magecart to steal millions of credit card numbers from global ecommerce businesses.

Web skimming takes advantage of the fact that websites are made up of both first-party content, and third-party content, leveraging hundreds of JavaScript libraries which provide functionality for everything from animation to an AI assisted chat bot.

Hackers will inject disguised, malicious code into one of the libraries which then has full access to anything that the user enters into the website. The malicious code will wait until the user inputs a credit card number into a checkout form, and then send that number to a server owned by the criminals to later be sold.

Inspecting not only your own code but also the hundreds of thousands of lines of third-party code is a mammoth task and is often not possible, which is why many websites are vulnerable to web skimming.

Client-side protection is the only way to prevent this kind of data theft: a security technology that can effectively whitelist where website data is allowed to be sent.

Adware injection

Adware injection utilizes similar methods to JavaScript injection to display rogue ads on your website, by exploiting third-party libraries, or even malicious browser plugins. Adware and ad injection are especially common around times such as Black Friday when website usage is higher than normal, or around elections where attackers want to portray specific messages.

In fact, there has even been press which suggests that ISPs are actively injecting code into websites, in order to display their own ads on sites that their customers visit.

As with web skimming, the only real protection against adware and ad injection is website client-side security which can whitelist legitimate content sources, preventing rogue content from being injected and displayed.
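One browser-native way to express the allowlisting described in the web skimming and adware sections above is a Content-Security-Policy header, shown here as an added example that is not part of the original post or of any vendor product. `build_csp` assembles a policy that restricts where scripts load from (script-src), where page data may be sent (connect-src for fetch/XHR/beacons, form-action for form submissions) and which frames may be embedded, and `allowed` evaluates a URL against it with simplified host-source matching; `shop.example` and the other hostnames are placeholders.

```python
from urllib.parse import urlsplit

# Placeholder origin of the site being protected (assumption, not a real site).
SITE_ORIGIN = "https://shop.example"

# Fetch-style directives fall back to default-src when absent; form-action does not.
FALLS_BACK_TO_DEFAULT = {"script-src", "connect-src", "frame-src", "img-src", "style-src"}


def build_csp(script_sources, data_destinations):
    """Assemble a Content-Security-Policy value from two allowlists."""
    return "; ".join([
        "default-src 'self'",
        "script-src " + " ".join(script_sources),
        "connect-src " + " ".join(data_destinations),
        "form-action " + " ".join(data_destinations),
        "frame-src 'none'",  # blocks injected ad iframes outright
    ])


def parse_csp(header):
    """Split a policy string into {directive: [source, ...]}."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0]] = tokens[1:]
    return policy


def source_matches(url, source, site_origin=SITE_ORIGIN):
    """Simplified CSP host-source matching: 'self', an exact origin, or https://*.host."""
    parts = urlsplit(url)
    origin = f"{parts.scheme}://{parts.netloc}"
    if source == "'self'":
        return origin == site_origin
    if source.startswith("https://*."):
        return parts.scheme == "https" and parts.netloc.endswith(source[len("https://*"):])
    return source == origin


def allowed(header, directive, url):
    """Would a browser enforcing `header` permit `url` under `directive`?"""
    policy = parse_csp(header)
    sources = policy.get(directive)
    if sources is None and directive in FALLS_BACK_TO_DEFAULT:
        sources = policy.get("default-src", [])
    if not sources or sources == ["'none'"]:
        return False
    return any(source_matches(url, s) for s in sources)
```

A policy like this does not find the injected code; it denies the injected code anywhere to send the captured data or load its own resources, which is the property the article calls whitelisting.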

Ensighten can help

Ensighten provides a comprehensive website client-side security offering which allows you to protect your website against JavaScript injection, web skimming, malicious ad injection and other areas such as cross-site scripting.

Ensighten is the leader in preventing client-side data exfiltration and theft while at the same time providing technology which allows organizations to ensure that their website is CCPA and GDPR compliant. Learn more about how you can protect against common cybercrime methods – book a demo with one of our consultants.

Jon Wallace