“I'm not afraid of failing; that's the only way to reach success.” - Nuno Peralta

Internet Attacks on Websites

Introduction

Every day, Internet applications such as Facebook, YouTube and Google are getting more and more popular. Those applications have several databases, stored on their servers, that users can’t see or control. The applications read from the databases and display the data that the user should see through a user interface, usually written in HTML, CSS and JavaScript. Browsers, such as Google Chrome and Mozilla Firefox, interpret those languages and create the interface that lets the common user use the application. HTML defines the structure of the page, such as text boxes, images and login forms. CSS defines the style, such as colors, fonts, width and height. JavaScript controls the application, doing what is necessary for it to work, such as hiding and displaying elements, sending requests to the server, processing server responses, and everything else.

However, the Internet is not very secure, for both user and server. Say you are using your bank's site to make a payment. You have a session there from the moment you log in to the site until you close the browser. If the site has no proper security, there is a chance that you may be spied on while you use it, and the person spying on you may begin to use the site on your behalf. This is because network security is not sufficient, even if the network is encrypted. Once the hacker gets on the same network (with the key, if it is encrypted), he will be able to sniff all the packets on it. The browser is an important element of security, too. If it doesn’t filter some of the code provided by the server, it opens several security holes for you, mainly on social networks and intentionally untrusted sites. On the other hand, there is a chance that the processes that receive the requests on the server are not verifying and validating all the input parameters, making it possible to attack the server itself, for example by erasing database tables, causing data loss, or even getting private information that the public should not access.

We’ll be talking about some possible attacks on the Internet that are very popular. Some attack the user, and some attack the server. Although modern browsers are always working on fixing known security holes, and the administrators of most popular websites are aware of user and server security, there are still many people who use old browsers or don’t use them properly, and there are many administrators who don’t know about security holes on their websites or don’t know how to fix them.


Article written by Nuno Peralta, 2012