Friday, 2 August 2013

Security Threats of Internet Applications

Cross-Site Scripting (XSS)

An attacker injects client-side script into an application so that when users request certain pages, they also receive the attacker's content along with the genuine page. This is a significant security risk for application servers.

It can lead to stolen cookies and manipulated pages. A stolen session cookie means the attacker can log on to the target website as you!


  • The attacker sends an email to the user containing a link to the vulnerable site on which the user has an account.
  • Once the link is clicked, the malicious script is returned from the vulnerable site and executed in the user's browser.
  • The script sends the user's session cookie to the attacker.
  • The attacker can now access the user's account on the site and do whatever he/she desires!

How to prevent?

  • Set all cookies as HttpOnly
  • XSS

Open Redirection Attacks

1. An attacker sends a malicious email to website users (or simply puts a malicious link online) asking them to log on via the genuine Dashboard Logon Page below, but with a return address pointing at the forged page
3. The user logs in, but Dashboard then redirects them to the external forged site
4. Note that the malicious site has an extra “i” in its name, so users won’t notice, as it looks exactly like the genuine Dashboard site (that’s super easy to create; just “save page as”!)
5. This forged page shows an error message asking the user to log in again. The user might think they mistyped their password.
6. Our username/password are saved by the forged site
7. Then it redirects us back to the genuine Dashboard site as normal
8. So the end result is that the attacker has stolen the user's credentials silently, without the user even noticing
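The defence against the sequence above is for the logon page to validate its "return to" parameter before redirecting. The following is an added example, not code from the post; the genuine host name dashboard.example.com is a placeholder, and the look-alike host is constructed to mirror the extra-letter trick described above.

```python
from urllib.parse import urlsplit

# Placeholder for the genuine Dashboard host (assumption, not from the post).
DASHBOARD_HOST = "dashboard.example.com"


def safe_redirect_target(target: str, default: str = "/") -> str:
    """Return `target` only if it stays on the Dashboard site, else `default`.

    A logon page should apply this to its "return to" parameter so that it
    cannot be pointed at an external look-alike host after a successful login.
    """
    if not target:
        return default
    # Browsers treat backslashes as slashes, so normalise before parsing;
    # otherwise "/\\evil.example" would look like a site-relative path.
    candidate = target.replace("\\", "/")
    parts = urlsplit(candidate)
    # Reject any scheme other than http/https (e.g. "javascript:").
    if parts.scheme and parts.scheme not in ("http", "https"):
        return default
    # "http:/evil.example" has a scheme but no netloc; browsers may still
    # resolve it to an external host, so refuse that shape outright.
    if parts.scheme and not parts.netloc:
        return default
    if parts.netloc:
        # Covers absolute URLs, protocol-relative "//host" and "user@host"
        # tricks: .hostname drops userinfo and port and lower-cases the host.
        if (parts.hostname or "") != DASHBOARD_HOST:
            return default
        return candidate
    # No host at all: only a plain site-relative path is acceptable.
    if not parts.path.startswith("/"):
        return default
    return candidate


if __name__ == "__main__":
    for t in ["/home", "https://dashboardi.example.com/home", "//evil.example/"]:
        print(f"{t!r:45} -> {safe_redirect_target(t)!r}")
```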

Other Security Concerns:

  • XSS Attacks (Cross Site Scripting)
    • XSS Phishing
    • XSS Stored Attacks
    • XSS Reflected Attacks
  • CSRF Attacks (Cross Site Request Forgery)
  • XST Attacks (Cross Site Tracing)
  • Cross-Server Attacks
  • Concurrency
  • SQL Injection; perhaps not relevant to us
  • SSL
  • Unvalidated input controls

Security Firms:
