Common website attacks – XSS and SQL injection
There are several common ways to attack a single website, but perhaps the most common ones are XSS and SQL injection. Custom-made websites are especially vulnerable to these two types of attack, as the designers often forget to implement defenses against them.

The XSS, or cross-site scripting, attack looks for vulnerabilities in the code of your website, most commonly found in forms or other areas that rely on user input. An XSS attack consists of malicious code that is executed when a customer visits a given URL. The code is aimed at stealing the user's saved cookie for the vulnerable website, which then gives the attacker login information and the possibility to steal sensitive information.

There are several ways to secure your site against cross-site scripting attacks. The simplest is to escape special characters in user-submitted forms. The characters you should look out for are `<` and `>`, `&` and `"`. They are used to introduce tags or entities, or to escape the input value, and should not be allowed in form fields. Another way to protect your site is to use HTML Purifier, an HTML filter library written in PHP, which will take care of the malicious code.

Another common attack is the SQL injection. Its targets are forms that are in turn connected to a database. The attacker enters an SQL statement in the form instead of the expected input, and if no precautions are taken, this statement is appended to the SQL query and then executed. This way the attacker can delete a whole table, or retrieve the information in a table, which can lead to him gaining access to sensitive data.

Again, the way to protect against SQL injection is to escape certain characters in the user input fields. All single quotes (`'`) must be replaced with two single quotes (`''`). Another way to avoid potential problems is to add another layer between the site's front end and the database, like PDO (http://bg.php.net/pdo) in PHP.
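The two defenses described above, as an added PHP example that is not part of the original post: entity-escaping user text before it is rendered, and a PDO prepared statement next to the string-concatenated query it replaces. The `users` table, its rows and the SQLite in-memory database are constructed here for the demonstration.

```php
<?php
// Added example (not from the original post): the defenses the post
// describes, side by side with the pattern they replace. Uses a constructed
// in-memory SQLite database with a `users` table so it runs offline.

declare(strict_types=1);

// Escaping for HTML output: < > & " ' become entities, so user-supplied text
// is rendered as text and never parsed as a tag, entity or attribute value.
function escapeHtml(string $userInput): string
{
    return htmlspecialchars($userInput, ENT_QUOTES, 'UTF-8');
}

// 'Before': the pattern the post warns about. The input is appended to the
// SQL text, so a single quote in $name changes the structure of the query.
function findUserVulnerable(PDO $db, string $name): array
{
    $sql = "SELECT id, name FROM users WHERE name = '$name'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// 'After': PDO prepared statement. The SQL text is fixed up front and the
// value is bound separately, so any quotes inside $name stay plain data.
function findUserSafe(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample database and rows.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO users (name) VALUES ('alice'), ('bob')");

// An ordinary name containing a single quote: the concatenated query ends up
// with an unbalanced quote and fails, while the prepared statement simply
// returns no matching row. Malicious input would exploit the same weakness.
$name = "o'hara";
echo escapeHtml('<b>' . $name . '</b>'), PHP_EOL;
echo count(findUserSafe($db, $name)), " row(s) via prepared statement", PHP_EOL;
try {
    findUserVulnerable($db, $name);
} catch (PDOException $e) {
    echo 'concatenated query failed: ', $e->getMessage(), PHP_EOL;
}
```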
Originally published Friday, December 18th, 2009 at 11:47 am, updated December 21, 2009. Filed under The Free Reseller Program.
Tags: SQL, online security, XSS, SQL injection