With the emergence of advanced technologies, increased information sharing through social networking sites and the use of the web for doing business, websites are often attacked directly. The majority of website attacks happen because of flaws in the code and a failure to sanitize input to and output from the web application. Here are some of the software security issues that we face today.
1. SQL injection.
SQL injection is one of the mechanisms used by attackers to steal data from organizations. As the name suggests, it is the process of injecting a malicious SQL statement into the application so that the attacker gains access to the back-end database. It lets the attacker create, update, read, alter or delete the data stored in the back-end database. Once the attacker understands that the system is vulnerable to SQL injection, they can inject SQL commands through an input field, which lets them take control of the database and execute arbitrary queries.
SQL injection can be prevented by validating input fields so that user input is checked against a specific length, type and the business requirements.
Remove all stored procedures that are not in use.
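The following is an added example, not code from the original article, showing the two points above: the same lookup written with string concatenation (where the input becomes part of the SQL text) and with a parameterized query, plus a length-and-type validator for the username field. The in-memory SQLite table and its two rows are constructed for the example.

```python
"""Added example: SQL injection via string concatenation versus a
parameterized query, with input validation for the username field."""
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build a throwaway in-memory users table (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "alice@example.com"), (2, "bob", "bob@example.com")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Concatenation: whatever the user typed is parsed as SQL."""
    sql = "SELECT id, username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    """Parameterized query: the value is bound separately and never parsed as SQL."""
    return conn.execute(
        "SELECT id, username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


# Validation as the article recommends: fixed length range and character set.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,32}")


def validate_username(username: str) -> bool:
    """True only for 3-32 characters drawn from letters, digits and underscore."""
    return USERNAME_RE.fullmatch(username) is not None


if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"  # constructed input that closes the quote and adds a true clause
    print("concatenated:", lookup_vulnerable(db, probe))  # every row comes back
    print("parameterized:", lookup_safe(db, probe))       # no row matches that literal name
    print("validated:", validate_username(probe))         # False: rejected before any query
```

Validation and parameterization complement each other: the allowlist rejects input that could never be a real username, and the bound parameter guarantees that even input which passes validation cannot change the structure of the query.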
2. Cross Site Scripting (CSS or XSS)
Persistent: a persistent XSS attack happens when the attacker enters malicious data into the web application and the entered data is permanently stored in the database. In this case every person visiting the page becomes a victim of cross-site scripting, because the stored payload is served from the database to every user of the website.
Non-persistent: the malicious code injected by the attacker is executed in the user's browser but is not stored anywhere; it is reflected back and executed along with the response from the server.
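As an added example (not code from the original article), here is a tiny comment store that plays the role of the database in the persistent case. The vulnerable renderer interpolates stored text straight into HTML, so markup a visitor submitted reaches every later visitor as markup; the safe renderer encodes on output, in both the element-body and attribute contexts. The store and the sample comment are constructed for the example.

```python
"""Added example: stored (persistent) XSS and output encoding as the fix."""
import html
from typing import Callable, List

# Constructed in-memory stand-in for the database that keeps user comments.
comments: List[str] = []


def store_comment(text: str) -> None:
    """Persist a comment exactly as submitted (storage is not where encoding belongs)."""
    comments.append(text)


def render_vulnerable(text: str) -> str:
    """Raw interpolation: any tags inside the comment become live HTML."""
    return "<li>" + text + "</li>"


def render_safe(text: str) -> str:
    """Encode for the HTML body context so the browser shows the text as text."""
    return "<li>" + html.escape(text, quote=True) + "</li>"


def render_attr_safe(value: str) -> str:
    """Attribute context: keep the attribute quoted and encode quotes as well."""
    return '<a title="' + html.escape(value, quote=True) + '">link</a>'


def render_page(renderer: Callable[[str], str]) -> str:
    """Every visitor sees every stored comment, so encoding must happen here."""
    return "<ul>" + "".join(renderer(c) for c in comments) + "</ul>"


if __name__ == "__main__":
    store_comment("<script>alert('stored')</script>")  # constructed hostile comment
    print(render_page(render_vulnerable))  # script tag survives
    print(render_page(render_safe))        # &lt;script&gt;... shown as text
```

The same `render_safe` handles the non-persistent case: a reflected parameter is simply text that has not been stored, and it needs the same encoding before it is written into the response.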
3. Cross Site Request Forgery
A malicious website sends a request to a web application in which the user has already entered their credentials, using that other website as the source. In this way an attacker can reach all the functionality of the target web application via the victim's already authenticated browser.
In this case the malicious requests are sent from the attacker's website to another site the user has authenticated against.
The malicious requests are sent to the target site through the victim's browser, which is authenticated against the target site.
Cross-site request forgery can be prevented by inserting unpredictable challenge tokens into each request and associating them with the user's session. Each token created is unique to its session. By including these tokens the programmers can be sure that the request is valid and is not coming from another source.
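The token scheme described above, as an added example rather than code from the original article: a token is generated with a cryptographic random source, stored against the session on the server, and every state-changing request must carry the token that belongs to its session, compared in constant time. The session store and the `handle_transfer` handler are constructed for the example.

```python
"""Added example: per-session CSRF tokens issued, bound to the session and checked."""
import hmac
import secrets
from typing import Dict, Optional

# Constructed stand-in for server-side session storage: session id -> token.
_session_tokens: Dict[str, str] = {}


def issue_token(session_id: str) -> str:
    """Create one unpredictable token for this session; the form embeds it as a hidden field."""
    token = secrets.token_urlsafe(32)
    _session_tokens[session_id] = token
    return token


def validate_token(session_id: str, submitted: Optional[str]) -> bool:
    """Accept only the token tied to this very session, compared without timing leaks."""
    expected = _session_tokens.get(session_id)
    if expected is None or submitted is None:
        return False
    return hmac.compare_digest(expected, submitted)


def handle_transfer(session_id: str, form: Dict[str, str]) -> str:
    """Simulated POST handler: a request forged from another site lacks the token."""
    if not validate_token(session_id, form.get("csrf_token")):
        return "403 Forbidden: missing or invalid CSRF token"
    return "200 OK: transfer of %s performed" % form.get("amount", "0")


if __name__ == "__main__":
    tok = issue_token("session-A")
    print(handle_transfer("session-A", {"amount": "10", "csrf_token": tok}))
    print(handle_transfer("session-A", {"amount": "10"}))  # browser sent the cookie, but no token
```

The browser attaches the session cookie automatically to any request, which is why the cookie alone cannot prove intent; the token is something a page on another origin cannot read, so a request without it is rejected before any state changes.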
4. URL redirection
URL redirection happens when a user clicks on a link on the vulnerable website and is taken to an untrusted website. In this way an attacker can redirect web users to other websites which are used for phishing and similar attacks. Such redirections can also pass the application's access control checks and let the attacker use privileged functions they would normally not be able to access.
This kind of URL redirection can be prevented by the following measures:
- Do not use user input to build the redirect URL.
- If dynamic URLs are used, make a list of the valid URLs and never accept invalid URLs.
- Always make sure that the accepted URLs are located on the accepted domains.
- Make all redirects first go through a page notifying users that they are leaving your site, with a confirmation link to click.
5. OS command Injection
OS command injection is a technique used to inject OS commands through the web interface so that they execute on the server. Any web interface that is not properly coded can be subject to this attack. If the attacker succeeds in executing OS commands, they can upload malicious programs or even obtain passwords. These threats occur because the application fails to validate and sanitize the parameters it passes to shell functions such as system() or exec() to execute system commands.
Types of command injection:
- Direct command injection
- Indirect command injection
Direct command injection: the attacker learns that the application invokes a system command and passes user input to it as an argument, then supplies the malicious command as part of the expected arguments.
Indirect command injection: the additional commands are supplied to the vulnerable application indirectly, through a file or an environment variable. Once the attacker deduces that the application invokes a system command built from an external source, they modify the contents of that external source to add a malicious command.
The best way to prevent OS command injection is to sanitize URL and form data for invalid characters. A list of allowed characters should also be created to validate the user input; characters that can be misused to create threats are eliminated by this list.
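As an added example (not code from the original article), the block below puts the allowlist idea next to the other half of the fix: passing user input to a child process as a discrete argument instead of splicing it into a shell command line. A hostname allowlist is the constructed validation rule, and a small Python child process stands in for the real tool (such as `ping`) so the example runs anywhere without network access; `echo_argument` is deliberately unvalidated so the argv behaviour can be observed on its own.

```python
"""Added example: allowlist validation plus argv-style process invocation."""
import re
import subprocess
import sys

# Allowlist for the one parameter the command needs: hostname characters only.
HOSTNAME_RE = re.compile(r"[A-Za-z0-9.-]{1,253}")


def validate_hostname(value: str) -> bool:
    """True only for 1-253 characters drawn from letters, digits, '.' and '-'."""
    return HOSTNAME_RE.fullmatch(value) is not None


def build_command_vulnerable(host: str) -> str:
    """The anti-pattern: a shell string with the input spliced in (never executed here)."""
    return "ping -c 1 " + host


def echo_argument(value: str) -> str:
    """Run a child with the input as one argv element and return what it received.
    No shell is involved, so ';', '|', '$(...)' and similar stay literal text."""
    result = subprocess.run(
        [sys.executable, "-c", "import sys; print(sys.argv[1])", value],
        capture_output=True, text=True, check=True, env={},
    )
    return result.stdout.rstrip("\n")


def lookup_host(host: str) -> str:
    """The hardened path: reject by allowlist first, then invoke without a shell."""
    if not validate_hostname(host):
        raise ValueError("rejected by allowlist: %r" % host)
    return echo_argument(host)


if __name__ == "__main__":
    print(build_command_vulnerable("example.com; cat /etc/passwd"))  # shell would run both
    print(echo_argument("example.com; cat /etc/passwd"))            # child sees one literal string
    print(lookup_host("example.com"))
```

The empty `env={}` is the defence against the indirect variant described above: the child inherits no environment variables from the request-handling process, so nothing an attacker could plant there (a modified `PATH`, for instance) reaches the command. A real deployment would pass only the few variables the tool actually needs.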
Computer security is a vast topic that is becoming more important as the transactions taking place are all interconnected. If proper attention is given to coding standards and to the necessary validation of each field, we can keep the main security threats under control.