Web Hacking Threats
Attackers never stop experimenting with new techniques to compromise websites and reach the private records and identities behind them. In this post we look at the most common web hacking techniques with the help of a pie chart published by the Web Hacking Incident Database (WHID). The chart shows what share of the recorded incidents was attributed to each attack method, such as Cross Site Scripting, SQL injection and Denial of Service.
The pie chart below, compiled by the Web Hacking Incident Database (WHID) for 2011, shows that while many different attack methods exist, SQL injection and XSS are the most common. Several of the other categories, such as Information Disclosure, Content Spoofing and Stolen Credentials, can themselves be the outcome of an XSS attack.
Cross Site Scripting
Cross-site scripting (XSS) exploits a flaw in how a web application handles input: the attacker supplies content that contains script, the application echoes it into a page without encoding it for the place it lands in, and the victim's browser runs that script as if it came from the trusted site. The attacker can then read the victim's session cookies or page contents, or perform actions in the victim's name.
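As an added example (not code from the original post), here is the flaw and its fix side by side in Python: a page template that reflects a user-supplied name into both the HTML body and an attribute value, rendered once by pasting the input in and once after encoding it with html.escape. The payloads and the template are constructed for the demonstration; the checker uses the standard library HTML parser to report whether the rendered page contains a script tag or an on* event handler that the template never had.

```python
import html
from html.parser import HTMLParser

# Constructed payloads (assumption: illustrative only, not taken from any real incident).
TEXT_PAYLOAD = "<script>alert(document.cookie)</script>"          # lands in the HTML body
ATTR_PAYLOAD = '" autofocus onfocus="alert(document.cookie)'       # breaks out of value="..."

# Constructed template: the same input is reflected into two different contexts.
TEMPLATE = '<h1>Hello, {name}</h1>\n<input type="text" name="name" value="{name}">'


def render_vulnerable(name: str) -> str:
    """Reflects user input straight into the page: this is the XSS bug."""
    return TEMPLATE.format(name=name)


def render_safe(name: str) -> str:
    """Encodes the input for an HTML text node and for a double-quoted attribute.

    quote=True also turns " and ' into entities, so the attribute cannot be closed
    early. Note this encoding is only right for these two contexts; input placed
    inside a <script> block or a URL needs a different encoder.
    """
    return TEMPLATE.format(name=html.escape(name, quote=True))


class ScriptFinder(HTMLParser):
    """Records <script> tags and on* event-handler attributes seen in a page."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append("<script> tag")
        for attr_name, _ in attrs:
            if attr_name.startswith("on"):
                self.findings.append(f"{attr_name} handler on <{tag}>")


def find_script_sinks(page: str) -> list[str]:
    """Return the places where the browser would execute attacker script."""
    finder = ScriptFinder()
    finder.feed(page)
    finder.close()
    return finder.findings


if __name__ == "__main__":
    for payload in (TEXT_PAYLOAD, ATTR_PAYLOAD):
        print("payload:    ", payload)
        print("vulnerable: ", find_script_sinks(render_vulnerable(payload)))
        print("safe:       ", find_script_sinks(render_safe(payload)))
```

Run it and the vulnerable renderer yields a `<script>` tag for the first payload and an `onfocus` handler on the input for the second, while the encoded version yields nothing for either: the same bytes arrive, but as text the browser displays rather than code it runs.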
SQL Injection
SQL Injection is the technique of passing SQL commands (statements) through a web application so that the backend database executes them. If user input is not handled properly, the application exposes an SQL Injection vulnerability that lets an attacker read information from the database, or even wipe it out. Take a simple login page where a legitimate user enters a username and password combination to reach a secure area, view personal details or post comments in a forum.
When the user submits these details, the web application builds an SQL query from them and sends it to the database for verification; if the query finds a match, the user is granted access. In other words, the code behind the login page talks to the database through a series of pre-planned commands to check the username and password combination, and on success grants the appropriate access.
Through SQL Injection, the attacker submits specially crafted input so that the query the application builds means something different from what the developer intended, for example bypassing the login check and seeing what lies behind it. This is only possible when the input is pasted directly into the query text instead of being handed to the database as a bound parameter; filtering characters ("sanitising") is a weaker and error-prone substitute for that. An SQL Injection flaw therefore gives the attacker a direct channel to the database. Any server-side technology that assembles SQL from strings is affected, whether ASP, ASP.NET, PHP, JSP or CGI; the language is not the problem, the way the query is built is. All an attacker needs is a web browser, knowledge of SQL and some creative guesswork at table and field names. The sheer simplicity of SQL Injection has fuelled its popularity.
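To make the login example above concrete, here is an added example (not code from the original post) in Python against an in-memory SQLite database. The table, the two accounts and the attack strings are constructed for the demonstration, and passwords are stored in clear text only to keep it short. The vulnerable function builds the query by string formatting, exactly as described above; the hardened one sends the same query with bound parameters, which is the standard fix. Three payloads show a login bypass, a tautology that matches every row, and a UNION that pulls another user's password out through the login form.

```python
import sqlite3

# Constructed attack strings (assumption: illustrative only).
BYPASS = "admin' --"                       # comments out the password check
TAUTOLOGY = "' OR 1=1 --"                  # matches every row; first row logs in
EXFIL = "' UNION SELECT password FROM users WHERE username = 'admin' --"


def make_db() -> sqlite3.Connection:
    """In-memory database with constructed sample rows.

    Clear-text passwords are used only to keep the demo short; never do this.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (id, username, password) VALUES (?, ?, ?)",
        [(1, "admin", "s3cret"), (2, "alice", "hunter2")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """Builds the query by string concatenation: user input becomes SQL syntax.

    Returns the matched user id (or whatever the first column of the first
    row turns out to be once the attacker rewrites the query), or None.
    """
    query = (
        f"SELECT id FROM users WHERE username = '{username}' "
        f"AND password = '{password}'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn: sqlite3.Connection, username: str, password: str):
    """Same query, but the values travel as bound parameters.

    A quote or comment marker in the input is now just data the database
    compares against the username column; it can never alter the statement.
    """
    query = "SELECT id FROM users WHERE username = ? AND password = ?"
    row = conn.execute(query, (username, password)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    for label, user, pw in (
        ("legit", "admin", "s3cret"),
        ("bypass", BYPASS, "wrong"),
        ("tautology", TAUTOLOGY, "wrong"),
        ("exfil", EXFIL, "wrong"),
    ):
        print(f"{label:10} vulnerable={login_vulnerable(db, user, pw)!r:10} "
              f"safe={login_safe(db, user, pw)!r}")
```

With the vulnerable function, `admin' --` logs in as user 1 with any password, `' OR 1=1 --` logs in as the first row in the table, and the UNION payload returns the string `s3cret` in place of an id, which is the "view information from the database" case above. The parameterised version returns None for all three and still accepts the genuine credentials.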
Denial of Service
A denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS attack) is an attempt to make a computer resource unavailable to its intended users. Although the means, motives and targets of a DoS attack vary, it generally consists of the concerted efforts of a person or group to prevent an Internet site or service from functioning efficiently or at all, temporarily or indefinitely. Perpetrators of DoS attacks typically target sites or services hosted on high-profile web servers such as banks, credit card payment gateways, and even root nameservers. The term is generally used with regard to computer networks, but is not limited to that field; for example, it is also used in reference to CPU resource management.
This raises the question of how to defend against these attacks. Many security sites describe techniques for closing these vulnerabilities, yet the chart shows that these threats remain widespread. Since we aren't experts on the prevention side, we skip those sections here.
Update: a reader/commenter pointed us to a good cheat sheet for preventing threats such as XSS and SQL injection; thanks for the comment.
For XSS prevention, see the OWASP cheat sheet XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet.
Note: if you have anything to add, feel free to comment.