SQL Insertion Attacks

SQL injection is a type of attack in which harmful code is attached to strings that are passed to SQL Server to be run. Every procedure that builds SQL statements needs to be examined for possible ways of exploitation, because SQL Server will run any query it receives as long as the query is syntactically valid. Even parameterized data can be manipulated by a skilled and determined attacker.

The injection is done by ending a text string early and supplying a new command. Because other strings may be appended to the inserted command before it is run, the harmful code terminates the injected string and adds the comment mark "--". Once the command is run, any text that follows the comment mark is ignored (MSDN, 2010).
JavaScript Insertion Attacks

Whenever a web site accepts input from a user and redisplays it, it becomes exposed to JavaScript injection attacks. Attackers can do heavy damage by injecting JavaScript into a website. JavaScript injection can be used to launch a Cross-Site Scripting (XSS) attack, in which private information is stolen and sent to another website. Attackers can also use JavaScript insertion to steal values from browser cookies; if private information such as social security numbers, bank account numbers, or passwords is stored in the cookies, it can be stolen. JavaScript insertion attacks can also be used to steal the data a user types into form fields and send it to another web site (Microsoft, 2010).
Hidden Field Manipulation

Hidden fields are encoded into HTML forms to keep values that are to be
References:

Fortify (2010). Header Manipulation. Retrieved October 16, 2010, from https://www.fortify.com/vulncat/en/vulncat/php/header_manipulatio html

Imperva (2010). Cookie Poisoning. Retrieved October 16, 2010, from http://www.imperva.com/resources/glossary/cookie_poisoning.html

Knowledge Base (2010). About Viruses, Worms, and Trojan Horses. Retrieved October 16, 2010, from http://kb.iu.edu/data/aehm.html

Microsoft (2010). Preventing JavaScript Injection Attacks. Retrieved October 16, 2010, from http://www.asp.net/mvc/tutorials/preventing-javascript-injection-attacks-cs

MSDN (2010). SQL Injection. Retrieved October 16, 2010, from http://msdn.microsoft.com/en-us/library/ms161953.aspx

Sanctum (2002). Ethical Hacking Techniques to Audit and Secure Web-enabled Applications.