Top security threats to your website

With the increased use of online and automated processes, more and more sensitive and critical data is being handled by web applications. As the value of the information stored by these portals rises, so does the sophistication of the attackers. Developers and hackers are racing against each other. Attacks may be driven by the intent to steal confidential information, to cause deliberate damage, to prove capability, or simply by the thrill of doing something most others cannot.


Here are some of the common security threats you should be aware of.


SQL injection attacks

SQL injection is an attack in which malicious code is inserted into strings, which are later passed to the database server for parsing and execution.

While the problem applies to any page that accepts user input to capture data, or that uses query parameters to dynamically render content, the following are common sources of SQL injection:

  • Query parameters in the URL
  • Cookies
  • Posted data
  • Pieces of URLs, e.g. PATH_INFO

Over the past few years the number of SQL injection attacks has increased exponentially. Attackers first identify websites that are vulnerable to SQL injection and then manipulate inputs to penetrate the database.


Consider a form that displays some content from the database based on user input. The underlying SQL statement may look like:


SELECT fields
FROM table
WHERE field = 'entered value';


Now if the user enters RandomValue' OR 'a'='a in the input field, the query becomes:


SELECT fields
FROM table
WHERE field = 'RandomValue' OR 'a'='a';


Because 'a'='a' is always true, this displays every record in the table, which is not the intended output. This is only a simple demonstration of SQL injection; there are many more complex and advanced methods of introducing it.
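The example above, reproduced in runnable form as an added illustration (not code from the original article): the same input is passed once through string concatenation, which reproduces the "all records" result, and once through a parameterized query, which treats it as plain data. It assumes a constructed in-memory SQLite table named t with a single column named field.

```python
import sqlite3

# Constructed sample data standing in for the article's "table" and "field".
SAMPLE_ROWS = [("alpha",), ("beta",), ("gamma",)]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE t (field TEXT)")
    conn.executemany("INSERT INTO t (field) VALUES (?)", SAMPLE_ROWS)
    return conn


def lookup_concatenated(conn, entered_value):
    # Vulnerable: the input is pasted into the SQL text, so quote characters
    # in the input become part of the query's syntax (the article's example).
    sql = "SELECT field FROM t WHERE field = '" + entered_value + "';"
    return sorted(row[0] for row in conn.execute(sql))


def lookup_parameterized(conn, entered_value):
    # Safe: the value is bound as a parameter and never parsed as SQL, so
    # the quote characters are compared literally against the column.
    sql = "SELECT field FROM t WHERE field = ?;"
    return sorted(row[0] for row in conn.execute(sql, (entered_value,)))


def demo():
    conn = make_db()
    payload = "RandomValue' OR 'a'='a"   # the input from the article
    return {
        "concat_normal": lookup_concatenated(conn, "beta"),
        "concat_payload": lookup_concatenated(conn, payload),
        "param_normal": lookup_parameterized(conn, "beta"),
        "param_payload": lookup_parameterized(conn, payload),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```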


DoS (Denial of Service) attacks

In a denial-of-service attack, an attacker blocks legitimate users' access to a website. Most of the time this is done by flooding the web server hosting the site with repeated, script-automated requests for web pages. The attack consumes the allocated web resources and prevents the site or service from functioning efficiently, or at all.


Cross-Site Scripting (XSS) attacks

Cross-site scripting (XSS) is a type of website security vulnerability that allows attackers to inject client-side script into web pages viewed by users of the website. Input controls such as rich text editors, which allow users to include HTML tags as part of their input, are the root cause of these attacks. Attackers can use them to store client-side scripts in the database, which then execute when the page displaying the affected data is rendered to users. Depending on the sensitivity of the data handled by the vulnerable site, the impact may range from a petty nuisance to a significant security breach.


Cross-site scripting accounted for roughly 80% of all security vulnerabilities, according to 2007 data documented by Symantec.


Brute force password guessing attacks

In this type of attack, the attacker simply keeps guessing and trying various combinations, most often using an automated script, to gain unauthorized access to a system. Although the number of possible combinations, and hence the time required, grows rapidly as the password length increases, this method still poses a threat to websites that place no limit on the number of failed login attempts, and to accounts with easy-to-guess passwords.
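An added example (not from the original article) of the missing control described above: a per-account failed-login limiter with a sliding window and a temporary lockout, run against a constructed automated guessing script. The account name, the stored password and the policy values (threshold, window, lockout duration) are all constructed for the demonstration.

```python
import hmac
from collections import deque

# Constructed credential store; a real system verifies a password hash.
ACCOUNTS = {"alice": "correct horse"}


class FailedLoginLimiter:
    """Counts failed logins per account inside a sliding window and locks
    the account for a fixed period once the threshold is reached."""

    def __init__(self, max_failures=5, window_seconds=300, lockout_seconds=900):
        self.max_failures = max_failures
        self.window = window_seconds
        self.lockout = lockout_seconds
        self._failures = {}      # account -> deque of failure timestamps
        self._locked_until = {}  # account -> time at which the lock expires

    def is_locked(self, account, now):
        return self._locked_until.get(account, 0.0) > now

    def record_failure(self, account, now):
        q = self._failures.setdefault(account, deque())
        q.append(now)
        while q and now - q[0] > self.window:   # forget old failures
            q.popleft()
        if len(q) >= self.max_failures:
            self._locked_until[account] = now + self.lockout
            q.clear()

    def attempt(self, account, password, now):
        """Returns 'locked', 'ok' or 'denied' for one login attempt."""
        if self.is_locked(account, now):
            return "locked"          # rejected before any password check
        stored = ACCOUNTS.get(account, "")
        if stored and hmac.compare_digest(stored, password):
            self._failures.pop(account, None)
            return "ok"
        self.record_failure(account, now)
        return "denied"


def simulate_script(limiter, account, guesses, start=0.0, interval=0.1):
    """Replay an automated guessing script; returns the outcome per guess."""
    return [limiter.attempt(account, g, start + i * interval)
            for i, g in enumerate(guesses)]
```

With a threshold of three failures, the fourth guess is rejected as "locked" even if it were correct, and the account reopens only after the lockout period elapses.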


Use of "xp_cmdshell"

xp_cmdshell is an extended stored procedure installed by default on Microsoft SQL Server. Attackers can use it to download their tools onto a compromised database server. Access to xp_cmdshell is usually limited to administrative accounts, but it can be granted to other users as well.


Use of Network Sniffers

A network sniffer can capture all network packets in real time from multiple network cards (including modems, ISDN, ADSL, etc.) and can also capture packets per application (Socket, TDI, etc.). With it, an attacker can observe the application's traffic. Such tools are easy to learn and simple to use, and have plug-ins for protocols such as Ethernet, IP, TCP, UDP, PPPoE, HTTP, FTP, WINS, PPP, SMTP, POP3 and so on. Network sniffers can be used to identify sensitive information such as credit card numbers and details about the systems involved in processing credit card transactions.


For preventive measures, please read "How to safeguard your website".