There are countless ways a hacker could undermine your web security. Sadly, more methods are being invented every year. In order to keep your web-based applications safe, then, it’s essential that you learn to keep track of these methods and ensure you’re ready to defend against them.
One prime example of a tactic you should know about is called an injection flaw. It’s a favorite weapon of hackers who notice that a web application isn’t filtering out input it otherwise should be.
Web Application
Any good web application should have a bouncer of sorts that sits at the door and allows certain types of input in while disallowing others. Sometimes a web application does this only so well. SQL injection is a good example of how hackers take advantage of that. Say a webpage needs your date of birth before it can let you enter (a fairly standard signup form, for example).
A subpar "bouncer" merely expects numbers, because that's the only way the form wants the date written. You can't write "April 3rd, 1985", for example; it has to be 4/3/85. A high-quality bouncer enforces that expectation and lets only numbers through on this prompt.
Why is that such a big deal? Because while entering letters won't satisfy the prompt's demands, the input may still make it through to the database unchecked. Someone who knows what they're doing, then, could enter malicious SQL commands in that prompt, tricking the application into not only letting the content through but passing it on to the database as part of a query.
Access to Database
Once they have access to the database, a hacker can do just about anything, from reading information out of it to destroying it completely. Shell commands work the same way. If you don't have policies in place that scrub information passed from a web application's HTTP request to the command line, a hacker can inject special characters, command modifiers or malicious commands that are blindly ushered through to the external system, which then executes them.
While it can seem like a daunting task, these simple attacks can be prevented if you filter your input strategically, deciding which input can be trusted and which cannot. Keep in mind that this means all input, not just the obvious fields. If you leave an Achilles heel out in the open, some enterprising hacker is bound to find it.
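The date-of-birth "bouncer" described above, written out as an added example (this is not code from the original post or from ServerPronto): a subpar lookup that pastes the field straight into SQL text, next to a high-quality one that checks the field's shape and binds it as a parameter. The table, the user rows and the `lookup_*` function names are all constructed for the illustration.

```python
import re
import sqlite3

def make_db():
    """Constructed in-memory signup table standing in for the real database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, dob TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "4/3/85"), ("bob", "1/1/90")])
    db.commit()
    return db

def is_valid_dob(dob):
    """The only shape this prompt accepts: digits and slashes, e.g. 4/3/85."""
    return re.fullmatch(r"\d{1,2}/\d{1,2}/\d{2,4}", dob) is not None

def lookup_vulnerable(db, dob):
    """Subpar bouncer: the field is meant for a date, but whatever the browser
    sent becomes part of the SQL statement, so the database interprets it."""
    sql = "SELECT name FROM users WHERE dob = '" + dob + "'"
    return sorted(row[0] for row in db.execute(sql))

def lookup_safe(db, dob):
    """High-quality bouncer: reject anything that is not date-shaped, then
    hand the value to the driver as a bound parameter. Even if the check were
    bypassed, a bound parameter is data to the database, never SQL."""
    if not is_valid_dob(dob):
        raise ValueError("date of birth must look like 4/3/85")
    sql = "SELECT name FROM users WHERE dob = ?"
    return sorted(row[0] for row in db.execute(sql, (dob,)))

if __name__ == "__main__":
    db = make_db()
    # A non-date value that changes the meaning of the concatenated query:
    bad = "x' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(db, bad))  # every user comes back
    try:
        lookup_safe(db, bad)
    except ValueError as err:
        print("safe:", err)  # the bouncer turns it away at the door
```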
Need help fortifying your web security against this kind of attack? Let ServerPronto help. Our expertise in this area could make all the difference.
ServerPronto offers the best affordable and secure hosting service in all dedicated server packages.