Cyber attacks are becoming something of an everyday occurrence lately. This has grown into a huge problem, since unsecured accounts are usually the subject of malicious attacks that result in the theft of assets. The higher the value of the assets, the more interest hackers have, and the more cybersecurity is required. This is increasingly true for brokerages, which deal with traders moving lots of money through their accounts. It has prompted many firms to review their cybersecurity standards and start working on improving the system as a whole, in the face of the growing prevalence of breaches and exploitation of security vulnerabilities. Not a week goes by without headlines lighting up with new and terrifying data leaks. As a rule of thumb in the cybersecurity industry, if a website has not been attacked yet, it is just a matter of time until it will be. Thus, it is important to make sure every aspect of cybersecurity is covered and fully taken care of.
The first step in this battle is website security, which has to be taken with the utmost seriousness, as the most common way of attack is exploitation of the website itself to gain access to sensitive data. This can be done in a multitude of ways, for example:
1. Injection
Injections, of which SQL injection is the most popular type, are becoming widespread in the field of malicious IT practices. This is when a hacker sends malformed requests with tainted payloads through any text input field on your website. This, in turn, allows the attacker to change the backend code of your website, read the databases, or log in as an admin without ever needing a password. This type of attack is most commonly used by hackers to steal secret information or money, change the data on the website itself, or even copy and then delete all of the activity logs so that nobody ever finds traces of the access. The most common targets of this type of attack are usually companies that have at least something to do with finances. Back in the day, when these attacks were mostly unopposed, there were several questions that customers were always looking for answers to. A common case study is the implementation of a protection system at one of the relatively popular brokers of the time, BDSwiss. The question “” kept popping up, not because the company didn’t have a protection system, but because it installed one that raised a lot of questions from the community. According to , companies dealing with traders from all over the world are recommended to make sure that the code on their websites is sanitized, so that all of these vulnerabilities are out of the question. Some other types of injection are XPath injection, command injection, LDAP injection, etc. Basically, an injection is any case where the application takes untrusted user input and passes it to an interpreter.
This is a highly illegal activity in most countries; however, it is still prevalent because a lot of hackers attack from outside the jurisdiction of the country where the company is based. These attacks can be easily avoided by validating all untrusted input using a white-list approach, by using a proper Object Relational Mapping (ORM) library such as Hibernate or Entity Framework, or simply by limiting the database privileges to minimize the damage done by a successful exploit.
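To make the two code-level defenses above concrete, here is an added example (not code from the article or from any broker mentioned in it) that puts a string-built query next to a parameterized one and adds white-list validation in front of it. It runs against a constructed in-memory SQLite table whose schema and rows are made up for the example; the database-privilege limiting the paragraph also recommends is a server-side configuration and is not shown here.

```python
import re
import sqlite3


# Constructed in-memory sample database standing in for a brokerage backend;
# the table and rows are made up for this example.
def build_sample_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE traders (username TEXT PRIMARY KEY, balance REAL)")
    conn.executemany(
        "INSERT INTO traders VALUES (?, ?)",
        [("alice", 1500.0), ("bob", 300.0), ("admin", 0.0)],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    # The input is pasted into the SQL text, so input containing quotes can change
    # the structure of the query instead of just the value being compared.
    query = f"SELECT username, balance FROM traders WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    # The driver binds the value separately from the statement: whatever the input
    # contains, it is compared as a string and can never become SQL.
    return conn.execute(
        "SELECT username, balance FROM traders WHERE username = ?", (username,)
    ).fetchall()


USERNAME_RE = re.compile(r"^[a-z0-9_]{3,32}$")


def is_valid_username(username: str) -> bool:
    # White-list validation: only the characters a legitimate username may contain.
    return USERNAME_RE.match(username) is not None


def lookup_validated(conn: sqlite3.Connection, username: str) -> list:
    # Validation in front of the parameterized query: two independent layers.
    if not is_valid_username(username):
        raise ValueError("username fails allow-list validation")
    return lookup_parameterized(conn, username)


if __name__ == "__main__":
    db = build_sample_db()
    tainted = "' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(db, tainted))        # every row comes back
    print("parameterized:", lookup_parameterized(db, tainted))  # no row matches
```

The same tainted string returns the whole table from the concatenated query and nothing from the parameterized one; the allow-list rejects it before any query is built at all. An ORM such as the ones named in the paragraph parameterizes by default, which is why it is listed as an equivalent defense.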
2. Authentication Exploits
Almost all applications require their users to log in before using them. This is often done via a username and password combination. Attacks that target this step include dictionary attacks, brute forcing, session hijacking, etc. Attackers who succeed can log into the system using another user’s credentials and perform any action, without administrators being able to tell whether it is a malicious actor or a normal person just doing their work.
Authentication exploits can be avoided using a multi-layer approach, which may seem like a complicated process but in reality is quite simple. It comes down to following common safety rules: changing all default passwords; forcing users to use strong passwords with random characters and no constraints; or even recommending a password manager, giving the customer the ability to use a practically unbreakable password of random letters, symbols, and numbers up to 25 characters long. Multi-factor authentication has also been used to counter such attacks; however, there are many exploits for stealing a person’s SIM card, so it is always recommended to use an application-based mobile authenticator rather than a text-message-based one. It goes without saying that the application itself needs to be secure as well.
3. XML External Entities (XXE)
Lots of applications accept XML files from users. Old and poorly configured XML parsers can allow those XML files to reference external content, meaning that whenever the file is evaluated it will embed the contents of other files into itself. This is usually abused to read confidential data, to access internal systems, or in worst-case scenarios to shut down the whole service through Denial of Service (DoS) attacks. It is easily prevented by instructing the parser to disable , or, even easier, by upgrading to a modern parser with more secure libraries.
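As an added example (not from the article), here is how an upload handler can apply both layers with Python's standard-library SAX parser: refuse any document that carries a DTD at all, and, for defense in depth, switch off resolution of external general entities so that an entity reference expands to nothing even if a DTD gets through. The two sample documents are constructed for the example, and the path in the entity declaration is a placeholder that is never read.

```python
import io
import re
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges

# Constructed sample uploads. The second declares an external entity pointing
# at a placeholder path; nothing is ever read from it in this example.
BENIGN_XML = b"<order><symbol>EURUSD</symbol><qty>100</qty></order>"
XXE_XML = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE order [<!ENTITY ext SYSTEM "file:///placeholder/path/on/server">]>'
    b"<order><symbol>&ext;</symbol><qty>100</qty></order>"
)

DOCTYPE_RE = re.compile(rb"<!DOCTYPE", re.IGNORECASE)


def contains_dtd(data: bytes) -> bool:
    # External entities can only be declared inside a DTD, and a user-supplied
    # order file has no legitimate reason to carry one: reject before parsing.
    return DOCTYPE_RE.search(data) is not None


class TextCollector(ContentHandler):
    """Collects the text of each element into a dict; enough for the demo."""

    def __init__(self):
        super().__init__()
        self.elements = {}
        self._current = None

    def startElement(self, name, attrs):
        self._current = name
        self.elements.setdefault(name, "")

    def characters(self, content):
        if self._current is not None:
            self.elements[self._current] += content

    def endElement(self, name):
        self._current = None


def parse_untrusted(data: bytes, reject_dtd: bool = True) -> dict:
    if reject_dtd and contains_dtd(data):
        raise ValueError("DTD not allowed in uploaded XML")
    parser = xml.sax.make_parser()
    # Second layer: even if a DTD slipped through, never resolve external general
    # entities, so &ext; expands to an empty string instead of a file's contents.
    parser.setFeature(feature_external_ges, False)
    handler = TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(data))
    return handler.elements
```

With `reject_dtd=True` (the default) the second document is refused outright; with it switched off, the parser still yields an empty `symbol` element rather than the referenced file, which is the behaviour to confirm when auditing whichever parser library is actually deployed.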
4. Flawed Access Control Systems (ACS)
Web applications should always limit what users can do and see. This is done to prevent fraudulent and malicious users from accessing data that is not meant for their eyes. Unfortunately, a lot of access control systems are deeply flawed in their implementation, resulting in the attacker’s ability to bypass these controls and access unauthorized functions or data on the website. This can be anything from accessing other users’ data, viewing sensitive files, and modifying other user accounts, to, in worst-case scenarios, performing administrative actions. Unfortunately, there is no easy way of fixing this; it comes down to the experience and ability of the developer to systematically approach the whole system. It requires an in-depth review of every application feature, requirement, user role, and other constraints. Several different models can be applied to secure the application, such as (RBAC), (DAC), or (MAC). This is by far not a comprehensive list, with honorable mentions for (ABAC), (PBAC), etc.
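The paragraph lists both failure modes, reaching another user's data and reaching administrative functions, so this added example (constructed for this article, not from any real system) shows a role-based check combined with an object-level ownership check, enforced in a single function that every request handler must go through. The roles, permissions and sample accounts are assumptions made for the example.

```python
from dataclasses import dataclass

# Assumed roles and permissions for a brokerage back office, constructed for
# this example; the names are not taken from any real system.
ROLE_PERMISSIONS = {
    "trader": {"account:read", "account:modify"},
    "support": {"account:read_any"},
    "admin": {"account:read_any", "account:modify_any", "user:delete"},
}

# Each action maps to the permission needed on one's own object and the
# permission needed to act on anybody's object.
ACTION_RULES = {
    "read": ("account:read", "account:read_any"),
    "modify": ("account:modify", "account:modify_any"),
}


@dataclass(frozen=True)
class User:
    user_id: str
    role: str


@dataclass(frozen=True)
class Account:
    account_id: str
    owner_id: str
    balance: float


class AccessDenied(Exception):
    pass


# Constructed sample data.
SAMPLE_USERS = {
    "alice": User("alice", "trader"),
    "sam": User("sam", "support"),
    "root": User("root", "admin"),
}
SAMPLE_ACCOUNTS = {
    "ACC-1": Account("ACC-1", "alice", 1500.0),
    "ACC-2": Account("ACC-2", "bob", 300.0),
}


def has_permission(user: User, permission: str) -> bool:
    # Unknown roles get an empty permission set: deny by default.
    return permission in ROLE_PERMISSIONS.get(user.role, set())


def is_authorized(user: User, action: str, account: Account) -> bool:
    # Role check and object-level ownership check together: a trader may read and
    # modify only accounts they own; support reads any, admin reads and modifies any.
    own_perm, any_perm = ACTION_RULES[action]
    if has_permission(user, any_perm):
        return True
    return has_permission(user, own_perm) and account.owner_id == user.user_id


def fetch_account(user: User, action: str, account_id: str, accounts: dict) -> Account:
    # The single chokepoint handlers must use. A missing account and a forbidden
    # one raise the same error, so responses do not reveal which ids exist.
    account = accounts.get(account_id)
    if account is None or not is_authorized(user, action, account):
        raise AccessDenied(f"{user.user_id} may not {action} account {account_id}")
    return account


def accessible_accounts(user: User, action: str, accounts: dict) -> list:
    # List views filter with the same rule, so nothing appears in a listing
    # that would be denied on direct access.
    return sorted(a.account_id for a in accounts.values() if is_authorized(user, action, a))
```

The point of routing every lookup through `fetch_account` and every listing through `accessible_accounts` is the review step the paragraph calls for: there is one rule to audit per action, rather than a check scattered (or forgotten) across each handler.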
5. Cross-Site Scripting (XSS)
XSS is one of the most common ways hackers attack, using JavaScript or HTML. It is largely why JavaScript running on a website is considered unsafe. XSS happens when an attacker has the ability to modify what users see once they access the website. This can be used to steal their personal information, passwords, and credit cards, hijack user sessions, create false redirect links to unsafe and untrusted websites, etc. The most prevalent way of protecting yourself from such attacks is . This prevents the HTML parser from treating part of the input as code; it sees it as normal plain text instead. This means that the malicious code cannot insert itself into the website, and thus no automatic parsing or redirecting will happen. The same goes for JavaScript, CSS, and so on. Most platforms these days provide automated ways of protection, so using a proper library will rid you of lots of headaches. Additionally, implementing a Content Security Policy (CSP) will prevent browsers from rendering XSS attacks. Configuring session cookies, either from application code or from the web server configuration, to include the HttpOnly attribute will prevent hackers from using a successful XSS exploit to hijack user sessions.
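An added example (not code from the article) that puts the paragraph's defenses together on the server side: escaping untrusted values at the point they are inserted into markup, a check for the false-redirect case the paragraph mentions, and the CSP and `HttpOnly`/`Secure` cookie headers, plus a small check you can run against the headers a web server actually emits. The comment markup, the host name `broker.example` and the sample input are constructed for the example.

```python
import html
from urllib.parse import urlparse

# Constructed sample of untrusted input, as a visitor might submit it in a
# comment form; one value targets an attribute, the other a text node.
SAMPLE_AUTHOR = 'mallory" onmouseover="alert(1)'
SAMPLE_BODY = "<script>alert(1)</script>"

ALLOWED_REDIRECT_HOSTS = ("broker.example",)  # placeholder site name


def escape_untrusted(value: str) -> str:
    # Escape <, >, &, " and ' so the HTML parser sees text, never markup.
    return html.escape(value, quote=True)


def render_comment(author: str, body: str) -> str:
    # Escape at the point of insertion, for the attribute and the text node alike;
    # a templating library with auto-escaping does exactly this for every value.
    return (
        f'<div class="comment" data-author="{escape_untrusted(author)}">'
        f"<p>{escape_untrusted(body)}</p></div>"
    )


def safe_redirect_target(target: str) -> str:
    # Accept only site-relative paths (not protocol-relative "//host") or https
    # URLs to an allow-listed host; anything else falls back to the home page.
    parsed = urlparse(target)
    if (not parsed.scheme and not parsed.netloc
            and target.startswith("/") and not target.startswith("//")):
        return target
    if parsed.scheme == "https" and parsed.hostname in ALLOWED_REDIRECT_HOSTS:
        return target
    return "/"


def security_headers(session_id: str) -> dict:
    # CSP stops inline and third-party script from running; HttpOnly keeps the
    # session cookie out of reach of any script that does, Secure keeps it off
    # plain HTTP.
    return {
        "Content-Security-Policy": (
            "default-src 'self'; script-src 'self'; object-src 'none'; "
            "base-uri 'self'; frame-ancestors 'none'"
        ),
        "Set-Cookie": f"session={session_id}; HttpOnly; Secure; SameSite=Lax; Path=/",
    }


def cookie_is_hardened(set_cookie: str) -> bool:
    # Check to run against the Set-Cookie header the server really sends.
    attrs = {part.strip().lower() for part in set_cookie.split(";")[1:]}
    return "httponly" in attrs and "secure" in attrs
```

Escaping handles the text and attribute contexts shown here; values placed inside a `<script>` block, a URL or a CSS rule need the encoding rules of that context, which is the reason the paragraph recommends a library rather than hand-written replacements.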
Conclusion
As a disclaimer, this is by far not a comprehensive list of website exploits; unfortunately, there are way too many to go through one by one. These approaches should always be taken into account by the developers creating the actual website and application. Missing even one of these vulnerabilities may result in a huge loss of data for the company as well as the loss of customers’ funds. As an end note, it is important to understand that website security is not the only aspect of cyber defense a company has to pay attention to. Application security is another huge topic to attend to, which needs to be combined with the already existing infrastructure to create a robust line of defense.