Web Server Application Attacks

Category: Science and Technology

Date Submitted: 08/27/2013 01:15 PM

Three common Web application vulnerabilities and attacks

SQL injection is a security vulnerability that occurs in the database layer of an application. The basic idea behind an SQL injection attack is abusing Web pages that let a user enter text into form fields whose values are then used in database queries. An attacker can enter a disguised SQL fragment that changes the nature of the intended query, so the resulting query can be used to access the connected database and read, change or delete its data. Although protection from this kind of attack is very simple (especially using Microsoft .NET technologies), a large number of Internet systems remain vulnerable to it. The base of this attack is an SQL query generated by concatenating the static part of the query with the values entered into form fields.

Adopt an input validation technique in which user input is checked against a set of defined rules for length, type, and syntax, and also against business rules. Ensure that the database user the application connects with has the least privileges it needs, and do not use system administrator accounts for Web applications. Always create a separate database user for each specific application so that this user cannot access other applications' data. Finally, remove all stored procedures that are not in use.
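The following is an added example, not part of the original essay, that puts the two preceding paragraphs side by side in code: the concatenated query the essay names as the base of the attack, the parameterized form that fixes it, an input validation rule for the username field, and a least-privilege stand-in. It uses Python's built-in sqlite3 module with a constructed in-memory database; the user records, the crafted input and the use of SQLite's `query_only` pragma to model a read-only database account are all assumptions made for the demonstration.

```python
import re
import sqlite3

# Constructed sample data, not from the original essay.
SAMPLE_USERS = [("alice", "s3cret"), ("bob", "hunter2")]

# Defined rule for the username form field: length, type and syntax.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def build_db():
    """In-memory SQLite database seeded with the constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_concatenated(conn, username, password):
    """Vulnerable: static query text concatenated with raw form values,
    the construction the essay describes as the base of the attack."""
    query = ("SELECT username FROM users WHERE username = '" + username
             + "' AND password = '" + password + "'")
    return [row[0] for row in conn.execute(query)]


def login_parameterized(conn, username, password):
    """Hardened: placeholders keep the query structure fixed; the driver
    passes the values separately, so quotes in the input stay literal data."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (username, password))]


def valid_username(username):
    """Input validation against the defined length/type/syntax rule."""
    return isinstance(username, str) and USERNAME_RE.fullmatch(username) is not None


def restrict_to_read_only(conn):
    """Least-privilege stand-in (assumption): the login path only needs
    SELECT, so its connection is made read-only. SQLite has no per-user
    grants, so query_only models a read-only database account here."""
    conn.execute("PRAGMA query_only = 1")
    return conn


def can_modify_schema(conn):
    """True if the connection is still allowed to create and drop a table."""
    try:
        conn.execute("CREATE TABLE probe (x INTEGER)")
        conn.execute("DROP TABLE probe")
        return True
    except sqlite3.OperationalError:
        return False


if __name__ == "__main__":
    db = build_db()
    crafted = "' OR '1'='1"  # classic textbook tautology input (constructed)
    print("concatenated :", login_concatenated(db, "anyone", crafted))
    print("parameterized:", login_parameterized(db, "anyone", crafted))
    print("validation   :", valid_username("anyone"), valid_username(crafted))
    restrict_to_read_only(db)
    print("can modify   :", can_modify_schema(db))
```

With the crafted input, the concatenated query returns every user because the quote in the input closes the password literal and the trailing `OR '1'='1'` becomes part of the query; the parameterized version returns nothing, because the same text is compared as a plain value. Validation rejects the input before it reaches either query, and once the connection is read-only even a successful injection cannot alter or delete data, which is the point of running the application under a least-privilege database account.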

Cross-site scripting (XSS) is generally considered one of the most common application-layer attack techniques. It allows an attacker to embed malicious JavaScript, VBScript, ActiveX, HTML, or Flash into a vulnerable dynamic page in order to fool the user, so that the script executes on his or her machine to gather data. XSS can compromise private information, manipulate or steal cookies, create requests that can be mistaken for those of a valid user, or execute malicious code on end-user systems. The malicious data is usually formatted as a hyperlink containing the malicious content, which is distributed over any...
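As an added example (not from the original essay), the snippet below shows the defensive counterpart to the paragraph above: the server-side rendering mistake that lets user-supplied text become part of a dynamic page, the output encoding that keeps it as text, and a check on user-supplied hyperlinks so that only http(s) targets are emitted. The comment text, the link URLs and the page fragment layout are constructed for the demonstration; only the Python standard library is used.

```python
import html
from urllib.parse import urlsplit

# Constructed sample input: a comment that carries a script tag.
SAMPLE_COMMENT = "<script>alert('xss')</script>"

# Only these URL schemes are allowed in user-supplied links.
ALLOWED_SCHEMES = {"http", "https"}


def render_comment_unsafe(comment):
    """Vulnerable: the user's text is pasted straight into the page, so any
    tags in it are parsed and executed by the browser as part of the page."""
    return '<li class="comment">' + comment + "</li>"


def render_comment(comment):
    """Hardened: HTML-encode the untrusted value for the element-body context,
    so <, >, &, and quotes are displayed as characters, never as markup."""
    return '<li class="comment">' + html.escape(comment, quote=True) + "</li>"


def safe_href(url):
    """Permit only http(s) URLs in a user-supplied hyperlink; anything else
    (for example a script: URL) is replaced by a harmless anchor. The kept
    URL is attribute-encoded before it is placed in href."""
    scheme = urlsplit(url.strip()).scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return "#"
    return html.escape(url, quote=True)


def render_link(url, label):
    """Build an anchor whose href and visible text are both encoded."""
    return '<a href="' + safe_href(url) + '">' + html.escape(label, quote=True) + "</a>"


def contains_script_tag(fragment):
    """Demonstration aid (not a real XSS detector): does the rendered
    fragment still contain a raw <script tag?"""
    return "<script" in fragment.lower()


if __name__ == "__main__":
    print(render_comment_unsafe(SAMPLE_COMMENT))
    print(render_comment(SAMPLE_COMMENT))
    print(render_link("https://example.com/?a=1&b=2", "docs"))
    print(render_link("javascript:alert(1)", "click me"))
```

The hardened output reaches the browser as `&lt;script&gt;...`, which is displayed but not executed. Encoding is context-specific: the element-body and attribute cases above use HTML entity encoding, while a value placed inside a script block or a URL would need the encoding for that context instead.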