I am not a security expert nor a hacker, but I’ve had my share of attacks since 1996.

Surprisingly, this post is not about computer viruses or trojan horses. It is about internet & web application security, and it will help you understand the new and old tricks hackers use to gain control of, or access to, private personal information & how to secure yourself against them.

It’s worth noting that I won’t be getting technical; this post is meant for general internet users.

I’ll split this post into two parts:

Part One

  • XSS & CSRF ( aka the twin evils )

Part Two

  • WordPress Security & SQL Injection
  • Your router & the cafe’s

 

XSS (Cross-Site Scripting)

Cross-site scripting (XSS) attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user.

XSS Demonstrated

 

 

What does it look like?

www.examplesite.com/index.php?name=<script>window.onload = function() {var link=document.getElementsByTagName("a");link[0].href="http://not-real-examplesite.com/";}</script>

 

What harm does it do?
Depending on the payload & the exploitable site, with XSS an attacker can:

  • Steal your cookie & impersonate you
  • Friend an unknown friend
  • Like a page
  • Follow a stranger on Twitter
  • Show a fake login page
  • Basically, perform any action

Did you know that XSS is as old as the browser?

 

Real life story:
Samy is my Hero: in 2005, Samy Kamkar released the Samy worm. Execution of the payload resulted in a “friend request” automatically being made to the author of the virus and in messages containing the payload being left on the profiles of the victim’s friends.

 

Protection & Prevention:

  • Unfortunately, XSS is a website/code/server-side attack. Luckily, modern browsers have basic protection against XSS attacks.
  • Also have a look at NoScript
Firefox XSS warning

 

Read more about XSS http://www.veracode.com/security/xss

 

 

CSRF (Cross-Site Request Forgery)

CSRF is an attack which forces an end user to execute unwanted actions on a web application in which he/she is currently authenticated. With a little help from social engineering (like sending a link via email/chat), an attacker may force the users of a web application to execute actions of the attacker’s choosing.

An attack could be embedded as a hidden iframe, form or image source on popular sites.

Note: I’d describe it as a silent XSS. It’s a 100% genuine request coming from the victim’s browser, and no antivirus, web protection software or browser filter could detect this attack.

 

What does it look like?

<img src="https://bank.example.com/withdraw?account=myAccount&amount=1000000&for=EvilAccount">

Note: You won’t be able to spot the code above during an attack, as it sits in the page’s code (view HTML source).

What harm does it do?

  • Query A Bank Account Transfer
  • Add an email forwarder
  • Place an online order
  • Limitless activities

 

Real life story:

In 2007, Google suffered from a CSRF attack where the attacker could add a filter to forward emails to another email address (an email forwarder), for example forwarding all emails that have attachments.

When was the last time you checked your email forwarders?

Protection:
You are on your own in this! As explained earlier, CSRF attacks are way too legit for the web browser’s filters to spot & stop, so the site owner/developer should use a technique called tokens to stop this attack. There are of course several ways of doing so from the server side.
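The token technique mentioned above, sketched as an added example (not code from this post or from any real bank): the server ties a random token to the logged-in session and rejects the forged withdraw request shown earlier because it arrives without a valid one. The handler `handle_withdraw`, the field name `csrf_token` and the session ids are assumptions made for the demo.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # server-side secret; constructed for this demo

def _mac(session_id: str, nonce: str) -> str:
    msg = f"{session_id}:{nonce}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

def issue_token(session_id: str) -> str:
    """Token the site embeds in its own forms: random nonce + HMAC tied to the session."""
    nonce = secrets.token_hex(16)
    return f"{nonce}.{_mac(session_id, nonce)}"

def token_is_valid(session_id: str, token: str) -> bool:
    nonce, sep, mac = token.partition(".")
    if not (sep and nonce and mac):
        return False
    # Constant-time comparison so the check does not leak how many characters matched.
    return hmac.compare_digest(mac.encode(), _mac(session_id, nonce).encode())

def handle_withdraw(method: str, session_id: str, params: dict) -> int:
    """Hypothetical handler for /withdraw; returns an HTTP status code."""
    if method != "POST":
        return 405  # state changes never run on GET, so an <img src=...> cannot trigger one
    if not token_is_valid(session_id, params.get("csrf_token", "")):
        return 403  # the cookie came along, but the page that built the request had no token
    return 200

def demo() -> dict:
    victim, other = "victim-session", "other-session"  # constructed session ids
    transfer = {"account": "myAccount", "amount": "1000000", "for": "EvilAccount"}
    return {
        "img_tag_get": handle_withdraw("GET", victim, transfer),
        "hidden_form_no_token": handle_withdraw("POST", victim, transfer),
        "token_from_other_session": handle_withdraw(
            "POST", victim, {**transfer, "csrf_token": issue_token(other)}),
        "bank_own_form": handle_withdraw(
            "POST", victim, {**transfer, "csrf_token": issue_token(victim)}),
    }

if __name__ == "__main__":
    for case, status in demo().items():
        print(f"{case}: {status}")
```

Only the request built from the bank's own form, which carries the token issued for that session, goes through; the other three are refused even though the browser attaches the victim's cookie to each of them.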

If you are done with your logged-in bank account session, just log out. The same goes for other sites, & steer away from saving passwords.

Try using two different browsers (or a VM): one for sensitive web applications such as banks, email & social networks, & one for general browsing.

Also, try not to click on links from untrusted sources & untrusted websites.

Read more about CSRF http://www.veracode.com/security/csrf

It’s worth mentioning XHR (XMLHttpRequest) attacks, which give attackers a surface to inject various activities into servers, ranging from SQL injection to XSS. Many well-known websites such as the BBC, Yahoo, PollDaddy, MySpace & more have suffered, & are still suffering, from this silent (sorta) attack.

What I have discussed is a little bit scary. Silent attacks are not noticeable; it’s not like someone has changed your email password or hacked your Twitter account. The hackers get the feed of your entire life without you knowing it.

 

Bonus content:  ClickJacking

 

Stay tuned for Part 2!

Resources:

  • http://en.wikipedia.org/
  • https://www.owasp.org
  • http://www.veracode.com/