Don’t Let Injection Attacks Poison Your Website
May 15, 2014
Let’s start with a cautionary tale. One day a visitor to your e-commerce website—let’s call him Chris—views a classified ad for a used Ford Escort. He’s been looking for a car, and the price looks right. Daydreaming about his next road trip, Chris clicks on the link to contact the seller.
But the car doesn’t exist. A piece of code inserted in the ad has been automatically redirecting Chris’s browser to another website, posing as yours. And Chris is about to lose thousands of dollars to a con artist.
Shoppers on eBay’s UK website recently fell victim to this exact exploit—an especially devious form of injection attack, in which an attacker submits content that the site then displays to other visitors, whose browsers treat it as code rather than as the plain text it was supposed to be. In the absence of carefully crafted security measures, such attacks can be extremely damaging.
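The core defensive measure behind the story above is simple to state: text that a user supplies must be encoded before it is placed into a page, so a browser shows it instead of running it. The Python below is an added illustration, not code from the original post or from eBay’s systems; the ad description, the embedded tag and the URL in it are constructed for the example, and the script check at the end is a minimal stand-in for what an automated scanner or test suite would look for.

```python
import html
import re

# Constructed sample: a classified-ad description as it might arrive from an
# attacker-controlled form field. The embedded tag is a placeholder for the
# "piece of code inserted in the ad" described in the post; the URL is fake.
RAW_AD_DESCRIPTION = (
    "1998 Ford Escort, low mileage, one owner. "
    '<script>window.location="https://example.invalid/fake-listing"</script>'
)


def render_ad_unsafe(description: str) -> str:
    """The vulnerable pattern: user text dropped straight into the page markup.
    Whatever looks like HTML is interpreted by the visitor's browser."""
    return f"<div class='ad'>{description}</div>"


def render_ad_safe(description: str) -> str:
    """The hardened pattern: HTML-encode the text before it reaches the page.
    Angle brackets and quotes become entities, so the browser displays the
    characters literally instead of executing them."""
    return f"<div class='ad'>{html.escape(description, quote=True)}</div>"


# Minimal illustration of a check that automated testing could run over
# rendered pages: is there still a live <script> tag in the output?
SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def contains_active_script(markup: str) -> bool:
    return SCRIPT_TAG.search(markup) is not None


if __name__ == "__main__":
    for label, renderer in (("unsafe", render_ad_unsafe), ("safe", render_ad_safe)):
        page = renderer(RAW_AD_DESCRIPTION)
        print(f"[{label}] live script present: {contains_active_script(page)}")
        print(page)
```

Encoding at output time, as `render_ad_safe` does, is the measure that keeps a stored ad inert regardless of how it was entered; a check like `contains_active_script` is the kind of assertion a test suite can run against rendered pages so that a regression is caught before it reaches shoppers.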
The best defense is to work with a programming firm that is attuned to these threats and accounts for them in its testing procedures, which can include automated tools that probe for specific classes of vulnerability. Just as crucial, any development project needs to allocate enough resources—time, money and personnel—to address this kind of security concern.