Web Hacking Threats

Hackers never stop experimenting new techniques to compromise  websites and hack into  deeper private records or identities. In this post we take a look at common hacking techniques employed by hackers  with the help of an pie chart  reported  by Web-Hacking-Incident-Database (WHID).This chart overlook the total % of  presence of various threats like Cross Site Scripting, SQL injection  & Denial of Service etc…

In the pie-chart below(click and Zoom to view better), created by the Web Hacking Incident Database for 2011 (WHID) clearly shows that whilst many different attack methods exist, SQL injection and XSS are the most popular. To add to this, many other attack methods, such as Information Disclosures, Content Spoofing and Stolen Credentials could all be side-effects of an XSS attack

Certainly this is not the final cheat sheet for hacking trends database rather new threats are flowing every day.Now have a rough look at Top threats like DoS, SqlInjection &  XSS scripting.

Cross Site Scripting

Generally, cross-site scripting refers to that hacking technique that exploits vulnerabilities in the code of a web application to allow an attacker to send malicious content from an end-user and collect some type of data from the victim.

Cross Site Scripting allows an attacker to embed malicious JavaScript, VBScript, ActiveX, HTML, or Flash into a vulnerable dynamic page to fool the user, executing the script on his machine in order to gather data. The use of XSS might compromise private information, manipulate or steal cookies, create requests that can be mistaken for those of a valid user, or execute malicious code on the end-user systems. The data is usually formatted as a hyperlink containing malicious content and which is distributed over any possible means on the internet.As a hacking tool, the attacker can formulate and distribute a custom-crafted CSS URL just by using a browser to test the dynamic website response. The attacker also needs to know some HTML, JavaScript and a dynamic language, to produce a URL which is not too suspicious-looking, in order to attack a XSS vulnerable website. Any web page which passes parameters to a database can be vulnerable to this hacking technique. Usually these are present in Login forms, Forgot Password forms, etc…In a typical XSS attack the hacker infects a legitimate web page with his malicious client-side script. When a user visits this web page the script is downloaded to his browser and executed.

SQL injection
SQL Injection is the hacking technique which attempts to pass SQL commands (statements) through a web application for execution by the backend database. If not sanitized properly, web applications may result in SQL Injection attacks that allow hackers to view information from the database and/or even wipe it out.Take a simple login page where a legitimate user would enter his username and password combination to enter a secure area to view his personal details or upload his comments in a forum.
When the legitimate user submits his details, an SQL query is generated from these details and submitted to the database for verification. If valid, the user is allowed access. In other words, the web application that controls the login page will communicate with the database through a series of planned commands so as to verify the username and password combination. On verification, the legitimate user is granted appropriate access.
Through SQL Injection, the hacker may input specifically crafted SQL commands with the intent of bypassing the login form barrier and seeing what lies behind it. This is only possible if the inputs are not properly sanitised (i.e., made invulnerable) and sent directly with the SQL query to the database. SQL Injection vulnerabilities provide the means for a hacker to communicate directly to the database.The technologies vulnerable to this attack are dynamic script languages including ASP, ASP.NET, PHP, JSP, and CGI. All an attacker needs to perform an SQL Injection hacking attack is a web browser, knowledge of SQL queries and creative guess work to important table and field names. The sheer simplicity of SQL Injection has fuelled its popularity.
A denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS attack) is an attempt to make a computer resource unavailable to its intended users. Although the means to carry out, motives for, and targets of a DoS attack may vary, it generally consists of the concerted efforts of a person or people to prevent an Internet site or service from functioning efficiently or at all, temporarily or indefinitely. Perpetrators of DoS attacks typically target sites or services hosted on high-profile web servers such as banks, credit card payment gateways, and even root nameservers. The term is generally used with regards to computer networks, but is not limited to this field; for example, it is also used in reference to CPU resource management.

Now the question arises , how to get rid of these attacks , many security sites shows various techniques  to get rid of these vulnerabilities. But the fact as shown in pie chart is these threats increase day by day.Since we are n’t an expert to go through prevention mechanism on these techniques we skip those sections.

Update: Finally we got a nice cheat sheet preventing various security threats like xss scripting,sql injection.. ,provided by one of our reader/commenter-thanks for comment.

For XSS scripting prevention cheat sheet visit XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet.

For SQL_Injection_Prevention_Cheat_Sheet

Note:Any thing to add more , feel free to comment


About Technology Timely

Aimed on updated tech news

Posted on April 22, 2011, in Security, Technews. Bookmark the permalink. 5 Comments.

  1. welcome chart , shows Redound information.Flash objects.sql db are vulnerable now ,hackers aims on these more.don’t see here on zero-day vulnerablity.

  2. nice Abstract article , Visit cyber security threats

  3. valuable information on how to prevent sql injection for programmers, Sql injection prevention cheat sheet.Visit
    for cross site forgery prevention visit

  4. Nice and useful article

  1. Pingback: Cyber Crimes 2010-2011 Round Up « TechNews Blog

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: