Don't Let Injection Attacks Poison Your Website - WebINTENSIVE Software
16358
single,single-blog,postid-16358,ajax_fade,page_not_loaded,,,qode-child-theme-ver-1.0.0,qode-theme-ver-6.5,wpb-js-composer js-comp-ver-4.4.3,vc_responsive

Blog

May 15, 2014 Don’t Let Injection Attacks Poison Your Website

Let’s start with a cautionary tale. One day a visitor to your e-commerce website—let’s call him Chris—views a classified ad for a used Ford Escort. He’s been looking for a car, and the price looks right. Daydreaming about his next road trip, Chris clicks on the link to contact the seller.

But the car doesn’t exist. A piece of code inserted in the ad has been automatically redirecting Chris’s browser to another website, posing as yours. And Chris is about to lose thousands of dollars to a con artist.

Shoppers on eBay’s UK website recently fell victim to this exact exploit—an especially devious form of injection attack, in which a user inserts dangerous content into a website. In the absence of carefully crafted security measures, such attacks can be extremely damaging.

Here’s how the attack used on eBay (and “Chris”) works. A user submits bogus listings containing specially tailored JavaScript. Whenever someone views one of the ads, this program sends the item number to an outside server. The attacker’s website then takes the eBay Web page and mimics it, making just subtle tweaks to fool the viewer into contacting an outside email address—with the attacker on the other end, posing as a seller.

Other types of injection attack can also wreak serious havoc. Database statements can be used to destroy data or steal confidential information, or an attacker could insert malicious scripts into a Web application through “cross-site scripting”. To make things worse, a clever assailant can use many tricks to obscure a JavaScript or database injection attack.

So how can website operators protect themselves and their users? In the case of eBay, the website should have limited the syntax it allowed in ad postings—in particular, disallowing JavaScript. That would have made this specific exploit much harder to pull off.

More generally, the best defense is to employ a programming firm that is attuned to these threats and accounts for them in its testing procedures, which can include the use of automated tools to test for vulnerabilities to certain types of attack. Just as crucial, any development project needs to allocate enough resources—time, money and personnel—to address this kind of security concern.