How the Attack Works

All the attacks in this blog could have been conducted with a technique called Structured Query Language (SQL) injection. Just as cross-site scripting injects HTML and JavaScript into an HTML page, SQL injection inserts SQL code into an application’s database code. SQL is the language used to interact with most databases, where most, if not all, Web-based email applications store their information.

Imagine that a Web-based application has a login screen where users are required to supply a login ID and password to access the system. Sitting behind this login screen is a database table containing all users of the system. The SQL code that looks up users might look something like this:

“SELECT * FROM UserTable WHERE Login = ‘” + strLogin + “‘ AND
Password = ‘” + strPassword + “‘”

In this case, the strLogin and strPassword variables contain the login ID and password the user enters. This SQL code is similar to what’s used in the vast majority of Web applications, with the biggest difference being the naming of the table, fields, and variables. The way this code is intended to work is that when a user supplies his login ID jeremy and his password mypassword, the values he enters are injected into the SQL command and passed to the database:

SELECT * FROM UserTable WHERE Login = ‘jeremy’ AND Password = ‘mypassword’

If there’s a user with the login ID jeremy and the password mypassword, the user is authenticated and allowed into the system. This is the intended usage of the system and how most users would interact with the application.

The problem arises when an attacker accesses the same application. Rather than play by the rules, the Web application attacker attempts to use the application against itself. If proper network security measures have been taken, the attacker has no access to the database containing the user information. However, to allow the user to authenticate and log in to the system, the application does have access. If the attacker can manipulate the application into doing the work for him, he might be able to access the database through the application, circumventing the network security measures.

SQL injection is a powerful technique that makes it possible for attackers to quickly and easily gain access to sensitive information. Without the proper safeguards in place, applications that are vulnerable to SQL injection essentially place their databases directly on the Internet, giving anyone who stumbles across the vulnerability access to the information stored within.

A denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS attack) is an attempt to make a computer resource unavailable to its intended users. DoS attacks are fast becoming the weapon of choice for hackers. However, you can take the following measures to counter these attacks.

1. Disable unused or unneeded network services.
2. Maintain regular backups.
3. Create, maintain, and monitor daily logs.
4. Create appropriate password policies.
5. Implement an Intrusion Detection System.
6. Implement route filters to filter fragmented ICMP packets.
7. Keep a strict vigil on the physical security of your network resources.
8. Configure filters for IP-spoofed packets.
9. Install patches and fixes for TCP SYN attacks.
10. Partition the file system to separate application-specific files from regular data.
11. Deploy tools such as Tripwire that detect changes in configuration information or other files.

Clickjacking is the term given last September to a new class of browser-based attacks that trick users into clicking on site buttons or Web forms. Such attacks essentially hide malicious actions under the cover of a legitimate site, and theoretically can be used to empty online bank accounts, secretly turn on Web cameras or even change a computer’s security settings to make it vulnerable to additional attack.

The way that this symmetric key is generated is important. In a basic sense, combining a random number with some mathematical computation might generate the secret key. The computation will remain the same and should produce a secret key that cannot be easily deduced. Because an attacker will most likely know what the computation is because it is part of the software and public knowledge, he will be more interested in finding out what the randomly generated number is. If he can figure out what the random number is, he can simply run it through the same computation to get the secret key.

As mentioned earlier, another attack is the man-in-the-middle attack. Although several different attacks are performed from this perspective, one of the simplest is for the attacker to impersonate both parties. The attacker tries to get into a position where he appears to you as the trusted party and appears to the trusted party as you. The attacker might then try to intercept communications during the early stages, when you are just starting to set up the SSL connection. He will present to you a fraudulent certificate for your trusted party that you might accept as valid. If he can get you to set up an SSL connection through him, he will have access to all of the information you are sending to the trusted party.

Hackers execute a denial-of-service attack by using one of two possible methods. The first method is to flood the target computer or hardware device with information so that it becomes overwhelmed. The alternative method is to send a well-crafted command or piece of erroneous data that crashes the target computer device.