Web Hosting Rating

Four Ways to Minimize Exposure from SQL Injection

The average personal site owner has no idea of what it feels like to come under attack.  In fact, web criminals tend to stay away from hacking projects that serve little benefit to them.  That does not mean that the sites of those owners are safe because they are probably more vulnerable than most.  One of the most probable and dangerous threats your site may be susceptible to is an inference attack, more commonly referred to as the dreaded SQL injection.  With this particular attack, the hacker typically inserts SQL code into a web form to either change or access critical information residing on a back-end database. It has a become a significant problem for dynamic websites as successful execution could provide an attacker with access to an entire database or more.  This attack is very real and has directly aided in the exploitation of some of the most well known sites on the internet.

Viable SQL Injection Prevention Methods

To help keep you protected, we have listed four proven methods to enhance your website’s security against SQL injection.

1.) Make sure your forms and other web applications are designed with up to date, secure, compliant code.  Also keep in mind that the web forms on your site should not accept user input to SQL queries without being thoroughly tested and challenged for security purposes.  You can start by reducing the number and types of characters that can be accepted by a form.  Do not leave yourself open to exposure like so many other website owners who do not have anything in place to prevent malicious or unexpected input.  If a hacker enters SQL commands rather than the expected username and password, those commands could be executed and lead to a lot of trouble for your vulnerable system.

2.) To ensure better protection against SQL injection, you should avoid dynamic queries where ever possible.  These queries are placed over the internet in plaintext, which means they are likely exposing sensitive information such as login IDs, passwords and other confidential details.  Because of the potential security risk, some experts recommend not using dynamic queries at all.

3.) Take advantage of data encryption technology.  If your site involves the sharing of sensitive data such as credit card numbers, social security numbers or bank account details, this information should be protected with an encryption protocol like SSL or TSL.  If a hacker is able to breach security, the information they capture will be rendered useless since encryption ensures that they cannot read it.

4.) Keep your systems up to date.  Security is a full time job these days but fortunately, most software vendors patch the bugs and vulnerabilities in their products as soon as they become known.  You can ensure better protection against SQL injection by making sure your SQL database and operating systems are regularly patched an updated.  If you do not have your own server, these are tasks you need to make sure are being handled by your web hosting provider.

Protecting Your Site From Authentication Attacks

Authentication is a process that plays a major role in securing your website and applications.  When a user comes to your site and needs to access a particular area, they provide their username and password to authenticate themselves and prove their identity.  The application then provides the user with access and provides them with a set of pre-defined privileges based on the their identity and credentials entered.  While authentication is intended to give you an extra layer of security, a hacker can use the common HTTP protocol to manipulate this process and gain entrance into your website.

When a hacker uses authentication to break into a website, they are able to do so by proving to the application that they are a known and valid user.  This in turn, gives them access to whatever privileges you have assigned to the legitimate user.  So,  if an attacker is able to enter the system as a normal user, they may only have limited to specific information.  However, if they manage to gain access as an administrator with unlimited access across the system, they would likely have total control of the victimized application and all the data it contains.  This could be very damaging if you are storing customer data and other critical information on your website.

The Hacking Tool of Choice

In the average authentication attack, the hacker first attempts to gain access to the screen where the application requests login and password credentials from the user.  The next step is to enter the details the application recognizes as valid to grant access to the system.  Although it isn’t the most sophisticated attack, many hackers have found that guessing the password is one of the most powerful tools to defeat authentication.  This technique can be employed manually or through automation as many tools exist for this very crime.  Without a secure password, a brute force attack can bypass authentication in a matter of seconds.

Fighting Back Against Authentication Attacks

In order to learn whether or not their attack was successful, hackers use automated tools that access error codes and web page information from the web server.  A good way to deter this attack is to configure the server where any errors or unexpected requests generate an “HTTP 200 OK” response opposed to standard 400-type errors.  By doing this, you will make it harder for the attacker to differentiate between valid and invalid logon attempts.

One of the most effective ways to prevent automated authentication attacks like brute force is to add random content on the web page presented to the authenticating browser.  In order for this to work, the browser must have the ability to successfully submit random content as an inclusion of the authentication process, thus enabling one to proceed further in the application or website.  You can do this by presenting the random phrase in a graphic format such as GIF, JPG or PNG using random fonts or colors every time.  This will make it almost impossible for the hacker’s automated tool to succeed and crack authentication.

Website Hacking on the Rise

Think the information on your website is safe because its stored on a MySQL database?  Think again.  Hackers are on the prowl, seeking out sensitive data and ready to auction it off to the highest bidder.  If you still aren’t convinced that this has become a huge problem on the web, just take a look at the numbers.

TJX Companies Inc., owner of popular chains such as Marshalls, T.J. Maxx, A.J. Wright and other stores, was victimized by one of the most damaging hacking attacks in recent memory.  In January of 2007, the retail giant revealed that the credit and debit card information of 40 million customers had been stolen.  SEFCU, a federal credit union, suffered a similar fate, publishing a warning that a hacking attack resulted in the theft of personal information on 10,000 of its customers.  In addition, 60 other banks including Bank of America and Citizen Union Savings Bank have been breached by similar attacks.

The Attack on Universities

University websites are some of the biggest targets on the internet.  Because many of these systems are decentralized, it is much harder to ensure solid security.  This could be a situation where one department deploys hardened security mechanisms whereas others do not and make the entire system vulnerable.  Here are a few recent website hacks that were the result of vulnerable web applications:

December 2006: An intruder compromised a large database from the University of California Los Angeles.  The infiltration resulted in the loss of personal data including birth dates, contact information and Social Security numbers.  As details on 800,000 people were compromised, this incident makes up one of the most severe computer security breaches at a United States university.

December 2006: The website attack that occurred at the University of Colorado resulted in thousands of Social security numbers and other personal details being stolen.  It is reported that 17,500 records were compromised.

December 2006: Around the same time, the University of Texas in Dallas was compromised of 35,000 records.  The Privacy Clearing House reports that names and Social security of student and alumni facility were exposed.

Because far too many website owners do not monitor activity at the application level, intruders can take advantage of the smallest security hole in various scripting languages.  A crafty hacker can infiltrate a website with a simple browser and a little creativity.  The most unsettling fact about these attacks is that many of them are not discovered until weeks to months following the initial breach.  As hackers do not want to leave anything that can be traced back to them, they generally steal what they want and leave everything else intact.

Disturbing reports by the Privacy Clearing House report that well over 100 million records have been stolen since February of 2005.  Amazingly, this staggering number doesn’t include the TJX incident which involved 40 million records.  Out of an estimated 140 million, roughly 80 million of those records were the result of website hacking.   Knowing the facts as they are, one has to be extremely cautious of who they host their site with as well as the development tools that lead to these vulnerabilities.

Cross Site Scripting Attacks

Online intruders are experimenting with an extensive arsenal of hacking techniques.  Aside from breaking into personal computers, these internet criminals are also looking to penetrate high-powered web servers and compromise sensitive data such as Social Security numbers, bank account details and other personal information.  Cross site scripting is a method commonly used to perform the attack.

What is Cross Site Scripting?

Cross site scripting, often referred to as CSS or XSS, is a hacking technique that takes advantage of web-based applications, allowing an intruder to distribute malicious content and obtain critical data from the victim. A web page consists of HTML programming which is generated by a server and then translated by a browser.  A developer creating static pages has control over how they are interpreted by a browser.  This isn’t the case with a dynamic web page, essentially giving a malicious user the power to manipulate the scripting without the victim noticing in enough time to react.

Most websites today thrive on sophisticated applications that interact with users and cover specific needs.  At the same time, many of these dynamic sites suffer from numerous vulnerabilities and leave companies wide open to attacks.  Cross site scripting gives an attacker the power to insert malicious ActiveX, HTML, Flash, JavaScript of VBScript into a dynamic web page.  This is done to trick the user into executing the script and allows the intruder to access the data they are after.  This exploit is often performed to steal confidential information, steal or modify cookies, modify requests and even execute malicious code on the victim’s machine.  When the latter occurs, the data is typically in the form of a hyperlink that contains the malicious code.  Once clicked, the infection can be distributed over the internet.

Using this technique, a hacker can create and infect machines with a custom made URL all by utilizing a browser to test the response of a dynamic web page.  With the basic knowledge of JavaScript, HTML and a dynamic programming language such as PHP, the attacker can easily create a rogue URL and launch an XSS attack on a vulnerable website.

Is Your Site Vulnerable?

One of the most damaging aspects of cross site scripting is that you typically will have no knowledge of the attack until its too late.  To learn if your site is vulnerable, you could run a scanning utility which will comb your dynamic pages in search of potential security issues.  Such a tool will indicate the scripts and URLs susceptible to the attack.  From there you can make the needed corrections and secure your website.  A reliable scanner will seek out cross site scripting and other common vulnerabilities such as SQL injection.

The high number of compromised websites is indication cross site scripting is one of the internet’s biggest flaws.  This attack can occur on any web-based application that openly accepts input and generates output without the proper validation.  The good thing is that the attack can only cripple sites powered by dynamic scripting languages opposed to a static pages strictly built with HTML.  The bad thing is that simple static pages are mainly a thing of the past.