With the growth of the web as a medium for conducting business and offering services, websites are constantly exposed to attack. Attackers aim to compromise the corporation's network or its end users.
In this post we review the most widespread techniques attackers use to achieve their goals, focusing on their causes and providing some guidelines to avoid them.
Most web application attacks occur through two widespread techniques: cross-site scripting (XSS) and SQL injection. The latter is usually caused by poor programming and a lack of protection at the application's input and output points. These attacks allow a cyberattacker to execute commands on a website to steal, modify, or delete data.
The threat landscape for application security is constantly changing, primarily due to the emergence of new web attack techniques, but also due to new functionalities that are expanding in both the software and the platforms that host them, opening up a new range of possibilities. These are the main changes in the last 10 years:

The most famous ones are:
- SQL Injection
SQL injection is the number one vulnerability on the OWASP list. For an SQL injection vulnerability to exist, two programmer errors are required:
– Failures in data filtering.
– Errors in the output of data when sending it to the database (output escaping).

Neither of these steps should be omitted, and both require special attention to minimize errors. Fortunately, SQL injection attacks are easily preventable as long as we filter input and escape output.
*Escaping a character means putting a backslash after it so that the strings are not opened or the code is not misinterpreted during compilation.
- Cross-Site Scripting Attacks
Cross-Site Scripting (XSS) is a type of computer security vulnerability typically found in web applications that allows malicious users to inject code into web pages. Attackers typically use HTML code and client-side scripts. For example:
<script>alert(document.cookie); </script>
These attacks have decreased in recent years largely thanks to the browsers themselves and new tools that prevent the injection of third-party code into the application.
- Exposure of sensitive data and loss of authentication
One of the main concerns when using a database is how its access credentials are stored.
Usernames and passwords are considered sensitive data and therefore require special attention. This information is commonly found in configuration files, often in plain text.

If for some reason it is possible to locate the file containing this information outside the root directory, it is necessary to configure the web server to reject requests for resources that should not be accessible.
Every programmer must keep in mind that when handling requests, whether to accept or reject them, the received data may not meet the expected or predefined characteristics. All system inputs must undergo data filtering. Furthermore, it should be clear and easy for the programmer to identify when a variable has already been cleaned. This way, we avoid relying on memory or having to trace what each previously executed line of code did.
Another important aspect to consider is the system's information output process. It's crucial to always consider the potential meaning of the sent information in its new context, and if the output could create interpretation problems, to "escape" it to preserve its integrity. As with the input process, it's important to maintain control over the data encoding before sending it to its new context.
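One way to make "already cleaned" visible in code and to escape at the point of output, as an added example that is not part of the original post. The field names, the validation rules and the sample request are assumptions made for the illustration; the comment text is the script string quoted earlier in the post.

```python
import html
import re

USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,20}")

# Constructed sample request; "role" is a field the application never asked for.
SAMPLE_REQUEST = {
    "username": "visitor_1",
    "comment": "<script>alert(document.cookie); </script>",
    "role": "admin",
}

def filter_input(raw):
    """Return a new dict holding only the fields that passed validation.

    Later code reads from this dict alone, so a value being present in it is
    the marker that it has been filtered; nothing has to be remembered.
    """
    clean = {}
    username = raw.get("username", "")
    if USERNAME_RE.fullmatch(username):
        clean["username"] = username
    comment = raw.get("comment", "")
    # Free text: bound the length and reject control characters. Markup is
    # not stripped here; it is neutralised when the text is output.
    has_control = any(ord(c) < 32 and c not in "\n\t" for c in comment)
    if 0 < len(comment) <= 500 and not has_control:
        clean["comment"] = comment
    return clean

def render_comment(clean):
    """Escape for the new context (HTML) at the moment the data leaves."""
    user = html.escape(clean["username"], quote=True)
    body = html.escape(clean["comment"], quote=True)
    return f'<p class="comment"><b>{user}</b>: {body}</p>'

if __name__ == "__main__":
    clean = filter_input(SAMPLE_REQUEST)
    print(sorted(clean))
    print(render_comment(clean))
```

The same filtered value would need a different escaping step for a different output context, such as a bound parameter when it is sent to the database.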
Web application security primarily involves the developer, although flaws that can be exploited by attackers are frequently found in the underlying technologies of web systems (Operating Systems, Web Servers, Database Servers, etc.). The main focus should be on the flaws in our own application development to ensure that we have taken all necessary precautions at this level. But this will not be enough; from the attacker to the web service itself, there is a whole range of elements that support the service and that we must monitor and maintain appropriately. In this case, we don't always have the solution in our hands, but rather depend on vendor updates. Therefore, a sound update and version review policy is crucial to guarantee that our environment meets the highest level of security. Based on vulnerabilities in systems, network devices, and software that is not properly updated, hackers can deploy highly sophisticated attacks (smurf, DDoS, ARP poisoning, etc.) that can compromise even the most reputable corporations through the simplest of errors, as we sometimes see in the news.
Moreover, a large number of attacks depend not only on technological expertise but also on other factors. It's often said in the underground world that hacking is 10% technological proficiency and 90% the art of deception (known as social engineering). The art of deception is another skill we must be prepared for, and the best solution is to implement additional policies regarding the provision of sensitive data to improperly authenticated sources and to properly train employees to be wary of any request for data that a service provider supposedly already possesses.
Among these deceptive techniques, we can cite phishing as an example. This typically involves making us believe that a service provider (our operator, or even our bank) is requesting information for a seemingly innocuous process, but which actually conceals the intention of obtaining information or credentials that we may later bitterly regret handing over. In these cases, the attacker plays on the user's fear, threatening them with the loss of their account, requiring them to update to specific software, or simply requesting confirmation of their login credentials to verify their identity. But common sense is paramount when facing these types of attacks: does our service provider really need data that they should already have in their databases? If in doubt, the best course of action is to make a reverse call and contact the provider through official channels to confirm that they are the genuine sender of the message, and if not, to alert them so that appropriate measures can be taken.
In short, the range of possibilities through which a hacker can find a way to exploit vulnerabilities is broad, constantly evolving, and threatening to the continuity of our services. The best general policy is constant vigilance, regular request tracing to identify previous attempts, proper training for operators, the best practice of keeping our systems and platforms up to date, and the use of qualified developers to ensure our web service is prepared to withstand the techniques mentioned here.





