Web Server and its Types of Attacks

Web servers are where websites are stored. They are computers that run an operating system and are connected to a database to run multiple applications. A web server’s primary responsibility is to show website content by storing, processing, and distributing web pages to users.

Web Server Attack:

Any attempt by a malicious actor to undermine the security of a Web-based application is referred to as a Web Application Attack or Web Server Attack. Web application attacks can either target the application itself in order to get access to sensitive data, or they can use the application as a staging area for attacks against the program’s users.

There are 5 types of major Web Attacks:

• Denial-of-Service (DoS) / Distributed Denial-of-service (DDoS)
• Web Defacement Attack
• SSH Brute Force Attack
• Cross-site scripting (XSS)
• Directory Traversal
• DNS Server Hijacking
• MITM Attack
• HTTP Response Splitting Attack

1. DENIAL-OF-SERVICE (DOS) / DISTRIBUTED DENIAL-OF-SERVICE (DDOS): Denial of Service is when an internet hacker causes the web to provide a response to a large number of requests. This causes the server to slow down or crash and users authorized to use the server will be denied service or access. Government services, credit card companies under large corporations are common victims of this type of attack

2. WEB DEFACEMENT ATTACK: In a Web Defacement Attack, the hacker gains access to the site and defaces it for a variety of reasons, including humiliation and discrediting the victim. The attackers hack into a web server and replace a website hosted with one of their own.

3. SSH BRUTE FORCE ATTACK: By brute-forcing SSH login credentials, an SSH Brute Force Attack is performed to attain access. This exploit can be used to send malicious files without being noticed. Unlike a lot of other tactics used by hackers, brute force attacks aren’t reliant on existing vulnerabilities

4. CROSS SITE SCRIPTING (XSS): This type of attack is more likely to target websites with scripting flaws. The injection of malicious code into web applications is known as Cross-Site Scripting. The script will give the hacker access to web app data such as sessions, cookies, and so on.

5. DIRECTORY TRAVERSAL: Directory Traversal Attack is usually effective on older servers with vulnerabilities and misconfiguration. The root directory is where web pages are stored, however, in this attack, the hacker is after directories outside of the root directory.

6. DNS SERVER HIJACKING: DNS Hijacking refers to any attack that tricks the end-user into thinking he or she is communicating with a legitimate domain name when in reality they are communicating with a domain name or IP address that the attacker has set up. DNS Redirection is another name for this.

7. MITM ATTACK: Man-in-the-Middle (MITM) attack allows the attacker to access sensitive information by blocking and modifying the connection between the end-user and web servers. In MITM attacks or smells, the hacker captures or corrects modified messages between the user and the web server by listening or intervening in the connection. This allows the attacker to steal sensitive user information such as online banking details, usernames, passwords, etc., which are transmitted online to the webserver. The attacker entices the victim to attach to an Internet server by pretending to be an agent.

8. HTTP RESPONSE SPLITTING ATTACK: HTTP Response Splitting is a protocol manipulation attack, similar to Parameter Tampering. Only programs that use HTTP to exchange data are vulnerable to this attack. Because the entry point is in the user viewable data, it works just as well with HTTPS. The attack can be carried out in a variety of ways.

How to Prevent Different  Attacks in Web Security?

• Keep your system up to date: Not updating the software regularly makes it weaker and leaves the system more vulnerable to attacks. Hackers take advantage of these flaws, and cybercriminals take advantage of them to get access to your network.
• Prevent connecting to the public WiFi network: An unsecured Wi-Fi connection can be used by hackers to spread malware. If you allow file-sharing across a network, a hacker can simply infect your computer with tainted software. The ability of a hacker to put himself between you and the connection point poses the greatest threat to free Wi-Fi security.
• Install Anti-virus, and update it regularly: Antivirus software is designed to identify, block, and respond to dangerous software, such as viruses, on your computer. Because computers are continuously threatened by new viruses, it is critical to keep antivirus software up to date. Anti-virus updates include the most recent files required to combat new threats and safeguard your machine. These signature files are provided on a daily basis, if not more frequently.
• Use IDS and firewall with updated signatures: NIDS are security threat detection and prevention systems that identify and prevent security threats from infiltrating secure networks. The use of NIDS has a negligible effect on network performance. NIDS are typically passive devices that listen to a network without interfering with the network’s normal operation.
• Backup your data: The fundamental purpose of a data backup is to keep a safe archive of your vital information, whether it’s classified documents for your business or priceless family photos so that you can quickly and effortlessly recover your device in the event of data loss. Backup copies allow data to be restored from a previous point in time, which can aid in the recovery of a business after an unanticipated occurrence. Protecting against primary data loss or corruption requires storing a copy of the data on a secondary medium.
• Install a Firewall: Firewalls defend your computer or network from outside cyber attackers by filtering out dangerous or superfluous network traffic. Firewalls can also prevent harmful malware from gaining internet access to a machine or network.

Source: geeksforgeeks.org

Continue reading

Ethical Hacking: Understanding the Basics

Cybercrime continues to grow at an astounding and devastating rate; more than 93% of organizations in the healthcare field alone experienced a data breach in the past few years (Sobers, 2021).

While most people with any degree of tech acumen are familiar with criminal hackers, fewer are familiar with the field of ethical hacking. As cyberattack techniques evolve, an equally fast-growing (legal) hacking movement has sprung up to stop cybercriminals: ethical hacking.

What Is an Ethical Hacker?

In the more commonly known illegal counterpart to ethical hacking, cybercriminals (also known as malicious hackers) seek vulnerabilities to exploit in an organization’s network. Ethical hackers, on the other hand, are security experts retained by organizations to proactively identify vulnerabilities before someone with ill intent discovers them. Ethical hackers improve a company’s security by finding weaknesses and providing remediation advice.

Understanding Hacking Roles

The field of cybersecurity is broad and complex, so it’s not surprising that there are several subsets of the hacking community. Ethical hackers may work for a cybersecurity firm, work in house at an organization, or find contract roles by working as independent consultants.

Red Team

Red teamers are ethical hackers who focus on the offensive side of cybersecurity, explicitly attacking systems and breaking down defenses. After a series of simulated attacks, red teams will make recommendations to the organization regarding how to strengthen its network security.

Blue Team

Where red teams play the offensive in the cybersecurity game, the blue team focuses on defending networks against cyberattacks and threats. Cybersecurity employee training, network vulnerability scanning, risk management, and mitigation tactics all fall under the blue team umbrella.

Gray-Hat Hackers

We have ethical hackers, we have unethical hackers, and now we have gray-hat hackers. These hackers are like malicious hackers in that they don’t have explicit organizational permission to infiltrate systems, but they also don’t have bad intent. Instead, gray-hat hackers are usually interested in gaining hacking experience or recognition.

A gray-hat hacker will advise the breached organization of the vulnerabilities they uncover (and may request a small fee for doing so, although this isn’t their primary objective and they are not requesting such in a ransom capacity). However, gray-hat hacking is still illegal, given that the individual in question does not have permission to hack into the system.

How to Become an Ethical Hacker

For anyone interested in pursuing a career in ethical hacking, the following skills lend themselves well to the role:

◉ Knowledge of coding in relevant programming languages

◉ An understanding of computer networks, both wired and wireless

◉ Basic hardware knowledge

◉ Creative and analytical thinking abilities

◉ Database proficiency

◉ A solid foundation in information security principles

Most ethical hackers also have a degree in a technology-related field, such as computer science, information technology, or cybersecurity.

Beyond these basics, it’s important for ethical hackers to engage in ongoing education, as cybersecurity is continually evolving. Cybersecurity professionals often acquire certifications in relevant areas, including credentials specifically focused on ethical hacking like EC-Council’s Certified Ethical Hacker (C|EH). EC-Council also provides a wide range of other industry-recognized credentials, including the Certified Network Defender (C|ND), Licensed Penetration Tester (L|PT), and more.

Finally, it’s essential to gain firsthand hacking experience. There are several vulnerability testing tools that hackers in training can use, and the C|EH course provides a safe yet immersive practice environment through EC-Council’s iLabs. Cybersecurity professionals also acquire valuable practical experience in the workplace; typically, ethical hackers start out as members of a broader security or IT team and progress through the ranks as they gain experience and additional education.

The Ethical Hacking Process

Most ethical hackers follow this industry-standard six-step process.

1. Reconnaissance

Upon receiving explicit and contractual consent from the organization, the reconnaissance portion of the hacking process can begin. This involves collecting as much information as possible about the “target” using the various tools at the hacker’s disposal, including the company website, internet research, and even social engineering. These are all similar to the types of behaviors that a malicious hacker would engage in when attempting to breach an organization.

2. Environmental Scanning

During this second scanning phase, the hacker moves from passive to active information gathering by looking for ways to infiltrate the network and bypass any intrusion detection systems in place.

3. Gaining System Access

When the hacker is successful in step two, they shift to step three: attacking the network. During this phase, the hacker gains access to the target, determines where the various vulnerabilities lie, and assesses just how much damage could conceivably be dealt now that they have access.

4. Maintaining System Access

Given that it takes on average 228 days to identify a breach (Sobers, 2021), it is safe to assume that the average cybercriminal isn’t in and out. They stick around as long as possible once they have successfully breached a network. In this fourth stage, the hacker explores ways to maintain their access.

5. Clearing Evidence of the Breach

Just as a breaking-and-entering criminal might take the time to clear any evidence of their crime, cybercriminals are likely to do the same in a digital context. In this stage, the hacker will look for any traces of their activity and remove them.

6. Provision of a Final Report

For their final deliverable, the ethical hacker compiles all the lessons learned from their mission and reports them back to the organization, including recommendations for avoiding future security incidents.

The Advantages of Becoming an Ethical Hacker

There are several advantages to pursuing a career as an ethical hacker. The typical ethical hacker’s salary ranges from approximately USD 91,000 to 117,000 (Salary.com, 2022). Given the exponential and ongoing growth of cybercrime—ransomware attacks alone increased by 148% last year (Zaharia, 2022)—the demand for ethical hackers is expected to remain strong in the coming decades. Furthermore, ethical hackers can take pride in knowing that they contribute to keeping integral networks and systems as secure and high functioning as possible.

While the compensation and availability of ethical hacking jobs are expected to remain high for those considering entering the field, becoming a competitive candidate requires a considerable degree of ongoing education and continual upskilling. Fortunately, EC-Council’s C|EH program provides a solid and well-rounded education in ethical hacking, from learning about emerging attack vectors to malware analysis to real-world case studies.

EC-Council is the leading provider of cybersecurity and ethical hacking credentials, having graduated 220,000 certified cybersecurity professionals in 145 countries. With flexible, hands-on learning opportunities and career progression support, EC-Council certifications will give you a competitive advantage as you navigate the exciting field of ethical hacking.

Source: eccouncil.org

Continue reading

What Are Sniffing Attacks, and How Can They Be Prevented?

The technique of capturing all data packets traveling through a network using a software application or hardware device is known as network sniffing (Mitchell, 2021). Ethical hackers can use sniffing to gain tremendous insights into the workings of a network and the behavior of its users, which can be used to improve an organization’s cybersecurity.

However, when employed by malicious hackers, sniffing can be used to launch devastating attacks against unsuspecting targets. This article will look at what sniffing is, how it can be used for harm, and how sniffing attacks can be prevented.

What Is Sniffing?

In its simplest form, sniffing is the act of intercepting and monitoring traffic on a network. This can be done using software that captures all data packets passing through a given network interface or by using hardware devices explicitly designed for this purpose.

What Are Sniffing Attacks?

A sniffing attack occurs when an attacker uses a packet sniffer to intercept and read sensitive data passing through a network (Biasco, 2021). Common targets for these attacks include unencrypted email messages, login credentials, and financial information.

In some cases, attackers may also use sniffing attack tools and packet sniffers to inject malicious code into otherwise innocuous data packets in an attempt to hijack a target’s computer or other devices.

How Do Hackers Intercept Packets?

There are several ways an attacker can capture packets passing through a network. One popular method is to set up a packet sniffer on a computer connected to the network in question. This computer acts as a proxy between the targeted devices and the rest of the world, allowing the attacker to capture all traffic passing through.

Another common technique is ARP poisoning, in which the attacker tricks devices on the network into thinking they are communicating with another device when they are not (Grimmick, 2021). This allows the attacker to intercept and read all traffic passing between the two “devices.”

Types of Sniffing Attacks

There are two primary sniffing attack types: passive and active.

Passive Sniffing

In a passive sniffing attack, the hacker monitors traffic passing through a network without interfering in any way. This type of attack can be beneficial for gathering information about targets on a network and the types of data (e.g., login credentials, email messages) they are transmitting. Because it does not involve any interference with the target systems, it is also less likely to raise suspicion than other types of attacks.

Active Sniffing

Active sniffing is a type of attack that involves sending crafted packets to one or more targets on a network to extract sensitive data. By using specially crafted packets, attackers can often bypass security measures that would otherwise protect data from being intercepted. Active sniffing can also involve injecting malicious code into target systems that allows attackers to take control of them or steal sensitive information.

Consequences of a Sniffing Attack

A successful sniffing attack can have several severe consequences for the targets. These can include:

◉ Loss of sensitive data, such as login credentials, financial information, and email messages

◉ Injection of malicious code into target systems, allowing attackers to control devices or access sensitive information

◉ Interruption of network traffic, which can cause communication problems and slow down network performance

◉ Exposure of confidential information, such as trade secrets and proprietary data

◉ Damage to the reputation of the organization whose network has been compromised

How Can Sniffing Attacks Be Prevented?

There are many ways to protect your network against sniffing attacks. Some key measures include:

◉ Using encryption to protect sensitive data from being intercepted

◉ Never sending sensitive information over an unencrypted connection

◉ Ensuring that all computers on a network are adequately protected with antivirus and firewall software

◉ Making sure the wireless network is secured using WPA or WEP encryption

◉ Regularly updating all software and devices with the latest security patches

◉ Staying aware of what type of traffic passes through the network and taking steps to protect sensitive information

◉ Using a VPN when connecting to public Wi-Fi networks

◉ Continuously monitoring the network for unusual activity

Source: eccouncil.org

Continue reading

How Ethical Hackers Can Defend Against IoT and OT Hacking

The world is increasingly becoming a more connected place. With the rise of the Internet of Things (IoT), more and more devices can connect online. This trend has led to increased cybercrime, as criminals find new ways to exploit these devices for their own gain (Splunk, 2021a). IoT and OT are two of the most commonly exploited targets in industrial control systems and critical infrastructure attacks. In this article, we’ll explain what IoT and OT hacking are and how ethical hackers can assess and defend against the threats posed by these technologies.

What Is IoT Hacking?

The IoT is a term used to describe the growing number of devices connected to the internet. These devices include smart home appliances like thermostats and refrigerators, medical sensors, and security and alarm systems, among others. The growth of the IoT has led to a corresponding increase in cybercrime and hacking.

Read More: 312-50: Certified Ethical Hacker (CEH)

The main risks posed by IoT hacking include:

◉ Theft of data: Hackers can access sensitive data stored on IoT devices, including passwords, credit card numbers, and health information.

◉ Tampering with data: IoT devices can be used to alter data. This could include tampering with critical infrastructure systems.

◉ Distributed Denial of Service (DDoS) attacks: A DDoS attack occurs when many devices are used to flood a website or other online resource with traffic, causing it to crash or become unavailable.

◉ Spying: Cybercriminals can spy on targets using cameras and microphones on IoT devices.

What Is OT Hacking?

OT refers to the systems that control industrial processes and other critical infrastructure. These systems are often connected to the internet, making them a target for hackers.

The main risks posed by OT hacking include:

◉ Damage to equipment: Hackers can damage or destroy equipment by accessing it remotely. This can cause physical harm to people or disrupt vital services.

◉ Data theft: As with IoT devices, criminals can steal data from OT systems for financial gain or other nefarious purposes.

◉ Hijacking of devices: Control systems are vulnerable to hijacking by hackers, who can use them for their own purposes or to launch attacks on other systems.

◉ Sabotage: Hackers can also use OT systems for acts of sabotage, such as disabling critical infrastructure.

How Can Ethical Hackers Assess IoT and OT Threats?

The primary way that ethical hackers can assess the threats posed by IoT and OT devices is performing vulnerability assessments. A well-trained ethical hacker who’s gone through a course like EC-Council’s Certified Ethical Hacker (C|EH) program can use various tools and techniques to identify security vulnerabilities in IoT devices (Kranz et al., 2021). This involves scanning devices for known vulnerabilities and exploiting them to see what damage they can do.

When cybersecurity experts are performing ethical hacking, they need to be aware of the various ways that criminals can exploit IoT and OT devices.

These include:

◉ Brute-force attacks: In a brute-force attack, hackers attempt to guess passwords or other credentials needed to access devices.

◉ Malware: Malicious software can take control of IoT and OT devices, allowing cybercriminals to steal data or launch attacks on other systems.

◉ Ransomware: Ransomware is a type of malware that encrypts files on an infected device and demands payment for the decryption key (Splunk, 2021b).

◉ Social engineering: Social engineering exploits human vulnerabilities, such as trust, greed, or ignorance, to access devices or information.

◉ Phishing: Phishing is a form of social engineering in which attackers send fraudulent emails masquerading as legitimate ones to steal user credentials or install malware.

◉ Data theft: Criminals can use stolen data from IoT and OT devices for financial gain or other nefarious purposes.

◉ DoS attacks: Cybercriminals can launch DoS attacks on other systems by flooding them with traffic.

By understanding these threats, ethical hackers can develop strategies to protect organizations—for example, implementing security measures such as firewalls, antivirus software, and password policies and educating employees on the dangers of IoT and OT hacking.

The Future of Cybersecurity

The growth of IoT and OT hacking is a clear sign that the cyberthreat landscape is evolving. As more devices come online, the risks posed by cybercrime will continue to increase. Therefore, organizations need to have systems in place to protect themselves against these threats.

Ethical hackers play a pivotal role in helping organizations stay safe in this increasingly hostile environment. Cyberattacks are becoming more sophisticated, but advanced educational programs like EC-Council’s certification courses are ready to teach the next generation of ethical hackers how to fight back.

Source: eccouncil.org

Continue reading

What's the Difference Between Ethical Hacking and Penetration Testing?

Ethical hacker and penetration tester are both important roles in the cybersecurity domain, but some confusion exists regarding the difference between them. In this article, we’ll explain what ethical hacking and penetration testing involve, including what differentiates them from one another.

The two roles do share certain similarities: Ethical hackers and penetration testers both identify vulnerabilities in IT environments and work to prevent different types of cyberattacks. The two professions also have comparable high salaries and growth potential. The U.S. Bureau of Labor Statistics (2021) groups penetration testers and ethical hackers together under the umbrella of “information security analysts,” an employment category with projected growth of 33% between 2020 and 2030. According to PayScale (2021, 2022), the average annual salary for an ethical hacker is $80,000, while the average annual salary for a penetration tester is $87,750. However, despite these similarities, ethical hacking and penetration testing are separate career paths that involve different skill sets. Understanding the difference between the two roles is crucial, particularly for cybersecurity professionals seeking additional credentials, such as EC-Council’s Certified Ethical Hacker (C|EH) certification.

The Role of a Penetration Tester

A penetration test is a coordinated assessment carried out by an independent team contracted by an organization, with the client organization defining the scope of the test. The test scope describes what systems need to be tested and what methods the tester will use. The penetration tester then attempts the client’s system according to the scope outlined by the client. The tester exploits any weaknesses they encounter so that they can quantify the risk these vulnerabilities pose to the client.

After testing is complete, the penetration tester prepares a report that includes an executive summary of the test parameters along with vulnerability classification documents and suggestions for remediation. Testers generate a risk score by pairing the penetration test report with the business value of the targeted systems to calculate the level of risk that a cyberattack would pose to the client. The report’s end goal is to provide the client and their stakeholders with information about any security vulnerabilities in the system and outline the actions required to resolve those vulnerabilities.

Penetration testing has many applications in security maturity modeling and risk management. Businesses frequently use penetration testing to identify vulnerabilities in their security infrastructures that cybercriminals can exploit when launching cyberattacks (EC-Council, 2021c). Organizations also use penetration testing for audit compliance to ensure that their operations adhere to relevant laws, regulations, and company policies. For example, if a company is subject to SEC filing requirements, an independent security audit using penetration testing is needed to validate the integrity of the organization’s security infrastructure (EC-Council, 2021a).

The Role of an Ethical Hacker

While penetration testers focus solely on carrying out penetration tests as defined by the client, ethical hacking is a much broader role that uses a greater variety of techniques to prevent different types of cyberattacks (EC-Council, 2021b). Ethical hackers may be involved in:

◉ Web application hacking

◉ System hacking

◉ Web server hacking

◉ Wireless network hacking

◉ Social engineering tests

◉ Forming blue and red teams for network exploitation attacks

An ethical hacker’s responsibilities are not restricted to testing a client’s IT environment for vulnerabilities to malicious attacks. Ethical hackers also play a crucial role in testing an organization’s security policies, developing countermeasures, and deploying defensive resolutions to security issues. When employed by a company as in-house cybersecurity professionals, ethical hackers may help build the foundations of an organization’s cybersecurity system or augment app, tool, and protocol communication networks (EC-Council, 2021a).

While ethical hackers may use penetration testing in the process of identifying vulnerabilities in a system and quantifying the threat that cyberattacks pose to an organization, penetration testing is just one of the many tools that they use. In short, an ethical hacker’s methodologies and roles are more varied than those of a penetration tester.

The Core Differences Between Ethical Hacking and Penetration Testing

Below is a summary of the key differences between a penetration tester and an ethical hacker (EC-Council, 2021a).

◉ Penetration testers assess the security of a specific aspect of an information system according to an outlined scope. Ethical hackers carry out many types of cyberattacks on an entire system using multiple attack vectors without being restricted by a scope document.

◉ Penetration testers carry out a one-time, limited-duration engagement. Ethical hackers have a continuous engagement that generates more in-depth and comprehensive results.

◉ Penetration testers need a robust knowledge of the domain or area that their penetration tests will target. Ethical hackers need detailed knowledge of hacking tactics, techniques, and procedures so that they can imitate a cybercriminal’s steps.

◉ Penetration testers are not responsible for the client’s security configuration and incident handling. Ethical hackers are required to assist blue teams and incident handling teams in incident containment and validation for different types of cyberattacks.

◉ Penetration testers must be proficient in writing foolproof reports. Ethical hackers generally do not need to be well versed in report writing.

Ethical hackers can and do use penetration testing as one of their many tools for diagnosing security issues in a client’s security system. However, ethical hackers focus more heavily on building and improving a client’s information security system.

In contrast, penetration testers are devoted solely to carrying out tests that identify and exploit weaknesses in a client’s IT environment and providing detailed reports on all identified vulnerabilities, the risk those vulnerabilities pose to the organization, and suggestions for remedial action. A penetration tester is not involved in fixing identified vulnerabilities; likewise, ethical hackers do not produce penetration test reports for clients.

Earn Globally Recognized Cybersecurity Credentials

A career in either penetration testing or ethical hacking offers engaging and rewarding opportunities in an industry that promises employment stability and growth. At EC-Council, we offer globally recognized penetration testing and ethical hacking certification programs, including the C|EH, C|EH Master, Certified Penetration Testing Professional (C|PENT), and Licensed Penetration Tester (L|PT) Master.

Source: eccouncil.org

Continue reading

Cross-Site Request Forgery (CSRF) Attacks: Common Vulnerabilities and Prevention Methods

Cross-site request forgery (CSRF), also known as session riding, is a type of cyberattack in which authenticated users of a web application are forced to submit malicious, state-changing requests created by an attacker. CSRF attacks can:

◉ Alter the target’s records in an application

◉ Submit a transaction

◉ Purchase products using the target’s details

◉ Change passwords

◉ Change registered email addresses in a web application

◉ Send messages under the target’s name

◉ Transfer funds

In some instances, a CSRF attack can give hackers full access to a target’s accounts in the web application. If the targeted individual holds a privileged or controlling position within the web application, the attacker can exploit the vulnerability further to take control of the application and its data—meaning that CSRF defense is a key component of a business’s cybersecurity.

For businesses, CSRF defense represents an area of cybersecurity that deserves attention and investment due to the risk of attackers gaining access to company accounts and funds by submitting malicious requests that alter user accounts. For example, at the beginning of 2021, WordPress discovered that one of its plugins contained an embedded CSRF vulnerability that affected over 50,000 sites (Chamberland, 2021). This vulnerability allowed attackers to inject malicious JavaScript code into websites through the plugin, which attackers then used to force site users to open malicious links or attachments embedded in the affected sites.

How Do Cross-Site Request Forgery Attacks Work?

CSRF attacks often rely on social engineering methods to convince their targets to click on a malicious URL. Once a user clicks on the link, which contains an unauthorized request for a specific web application for which the user has authentication, the user’s browser sends that request to the target application (Synopsys, 2021).

Because the request also includes any relevant credentials, such as user session cookies, the application treats the new request as an authorized request sent by the user. Therefore, a CSRF attack allows cybercriminals to bypass a web application’s authentication process by attacking sites that fail to differentiate between valid and forged requests. Effective CSRF mitigation techniques focus on preventing attackers from bypassing authentication measures with this method.

For a CSRF attack to succeed, three essential conditions must be met (PortSwigger, 2021):

◉ There is a desirable action that the attacker wishes to perform, such as changing a password or transferring funds.

◉ Cookie-based session handling is in place to identify the user.

◉ There are no unpredictable request parameters that the attacker is incapable of determining or guessing, such as needing to know an existing password to create a new one.

If these three conditions are satisfied, an attacker can successfully construct a malicious request in a forged URL or link and convince a user to open the link while in an active session with the target web application. CSRF mitigation normally involves altering the second or third conditions on this list to prevent attackers from using cookie session data to bypass authentication processes or introduce unpredictable request parameters that attackers cannot guess.

Cross-Site Request Forgery Prevention, Mitigation, and Defense

There are three fundamental approaches that you can apply to your application’s CSRF mitigation strategy to prevent CSRF attacks and eliminate vulnerabilities (Demir, 2020):

◉ Using CSRF tokens in HTML forms for critical operation requests in applications

◉ Avoiding using the HTTP GET method for critical operations, such as create, update, and delete actions

◉ Using the “SameSite” attribute of the HTTP “Set-Cookie” response header

Cross-Site Request Forgery Tokens

CSRF tokens, or challenge tokens, are the most common method of CSRF mitigation. These tokens provide applications with a means of distinguishing between a request that was legitimately generated from a user’s interface and one that was not, as in the case of a CSRF attack.

CSRF tokens consist of large, random values unique to each user session and are inserted into HTML forms on both the user and server sides. Any requests generated by the user’s browser must contain the CSRF token. This allows the application server to verify a request as genuine, since a CSRF attack cannot access the token’s information in HTML (Synopsys, 2021).

SameSite Cookie Attribute

The SameSite attribute of the HTML Set-Cookie response header aims to prevent CSRF attacks by helping browsers decide when to send cookies with cross-site requests, as cookie data can allow CSRF attackers to bypass authentication processes (OWASP, 2021). Users can choose between “Lax” and “Strict” attribute values, which respectively allow or block session cookies when they arrive from external websites or when browsers encounter typical CSRF-prone request methods.

Source: eccouncil.org

Continue reading

Defending Against Common Types of Web Application Attacks

Key Points

◉ Web applications can be vulnerable to attacks, which can allow cyber criminals to gain access to data and other sensitive information.

◉ Common web application attacks include cross-site scripting, SQL injections, path traversal, local file inclusion and DDoS.

◉ Automated vulnerability scanning, web application firewalls and proper testing can help protect against web application attacks.

Web application attacks are on the rise and studies show they are one of be the biggest causes of data breaches. Nearly half (43%) of 3,950 data breaches were traced to attacks against web applications, in one report, a number that doubled from 2019 to 2020. Because these attacks are becoming more common, it’s important for organizations to know what they’re up against, how to mitigate risks and how to secure websites against them.

What Is a Web Application?

A web application is software that runs on a web server and can be accessed by a user through a web browser with an active internet connection. This differs from local software apps, which run directly on a user’s device. Web applications are usually easy to install on the user’s end, and can often be customized to meet a business’s specifications. Web application examples include hosted email and messaging, content management systems and e-commerce services.

When a user accesses a web application, it triggers a request to the web server over the internet. The web application queries a content database, then generates content according to the client’s (user’s machine’s) request. The web application server sends the results back to the web server, which interprets and runs the scripts and displays the requested content on the user’s display.

Why Are Web Applications Vulnerable to Attacks?

Web applications can be exposed to attacks for a variety of reasons, including system flaws that stem from improper coding, misconfigured web servers, application design flaws or failure to validate forms. These weaknesses and vulnerabilities allow attackers to gain access to databases that can contain sensitive information. Because web applications must be available to customers at all times, they’re an easy target for attackers to exploit.

Cloud containers, which package application software with the elements needed to run it, have recently been identified as particularly vulnerable when they are not properly secured or they include insecure elements. The use of open source code and reliance on application programming interfaces (APIs) have also been exacerbating security issues.

Common Types of Web Application Attacks

Web applications can be attacked through a variety of vectors. Common types of web attacks include cross-site scripting, SQL injection, path traversal, local file inclusion and distributed denial of service (DDoS) attacks.

◉ Cross-site scripting (XSS): In an XSS attack, an attacker injects a piece of malicious code onto a trusted website or web-based app. Because the user’s browser thinks the script came from a trusted source, it will execute the script. XSS attacks can be used to steal data or perform other malicious acts on the visitor’s computer. While this method is considered unsophisticated, it’s common and can do significant harm.

◉ SQL injection (SQLI): SQLIs occur when an attacker meddles with the queries that a web application makes to its database. An SQLI can allow intruders to get sensitive data from the database. An attacker might modify or delete this data, or inject code that can change the web application's content or behavior.

◉ Path traversal: This attack, also known as directory traversal, allows the bad actor to manipulate paths to folders outside the web root folder, which can then be used to access web application files, directories and commands.

◉ Local file inclusion: This technique tricks the web application into exposing or running its files on the web server. These attacks occur when the web app treats a malicious attack as “trusted input.” An attacker may use path or directory traversal to learn about the files on the server, and then prompt the web app to run the local file. Local file inclusions can lead to information disclosure, XSS and remote code execution.

◉ DDoS attacks: These attacks happen when an attacker bombards a server with web requests. Attackers may use a network of compromised computers or bots to mount this attack, which can paralyze a server and prevent legitimate visitors from gaining access to your services.

◉ Cross-site request forgery (CSRF): CSRFs occur when an attacker tricks or forces an end user to execute unwanted actions on an application in which they are already authenticated. This might be executed through a link via email or chat and, if successful, can result in a transfer of funds or change in email address, for example.

◉ XML external entity (XXE): This attack relies on an improperly configured XML parser within an application’s code. This attack can lead to the disclosure of confidential data like passwords, denial of service, server-side request forgery and other system impacts.

Tips to Protect Against Website Attacks

Even though there are a variety of web application attacks, there are also processes, technologies and methods to protect against them. Different approaches to web application security address different vulnerabilities.

◉ Automated vulnerability scanning and security testing help organizations find, analyze and mitigate vulnerabilities and misconfigurations — hopefully before the actual attack occurs. This testing helps organizations identify security weaknesses that need to be resolved.

◉ Web application firewalls are hardware and software solutions that protect against application security threats by filtering, monitoring and blocking malicious traffic from traveling to the web application. These tools are continuously updated with new rules designed to catch the latest attack and exploitation techniques.

◉ Secure development testing is a practice in which security teams consider the threats and attacks that might have an impact on an application or product to help make it as secure as possible. Secure development testing can uncover the latest security risks and attack vectors early in the product lifecycle. It also helps in developing effective approaches to preventing website attacks and minimizing the consequences of breaches.

The Bottom Line

Web application attacks can be devastating events for organizations, which is why it is crucial to understand the types of attacks that can occur as well as how to best secure web applications. With proper development, testing and security processes and programs in place, businesses can mitigate risks and protect their web applications against it.

Source: mimecast.com

Continue reading

Difference between Cyber Security and Information Security

The terms Cyber Security and Information Security are often used interchangeably. As they both are responsible for the security and protecting the computer system from threats and information breaches and often Cybersecurity and information security are so closely linked that they may seem synonymous and unfortunately, they are used synonymously. If we talk about data security it’s all about securing the data from malicious users and threats. Now another question is what is the difference between Data and Information? So one important point is that “not every data can be information” data can be informed if it is interpreted in a context and given meaning. for example “100798” is data and if we know that it’s the date of birth of a person then it is information because it has some meaning. so information means data that has some meaning.

Examples and Inclusion of Cyber Security are as follows:

◉ Network Security

◉ Application Security

◉ Cloud Security

◉ Critical Infrastructure

Examples and inclusion of Information Security are as follows:

◉ Procedural Controls

◉ Access Controls

◉ Technical Controls

◉ Compliance Controls

Parameters	CYBER SECURITY	INFORMATION SECURITY
Basic Definition	It is the practice of protecting the data from outside the resource on the internet.	It is all about protecting information from unauthorized users, access, and data modification or removal in order to provide confidentiality, integrity, and availability.
Protect	It is about the ability to protect the use of cyberspace from cyber attacks.	It deals with the protection of data from any form of threat.
Scope	Cybersecurity to protect anything in the cyber realm.	Information security is for information irrespective of the realm.
Threat	Cybersecurity deals with the danger in cyberspace.	Information security deals with the protection of data from any form of threat.
Attacks	Cybersecurity strikes against Cyber crimes, cyber frauds, and law enforcement.	Information security strikes against unauthorized access, disclosure modification, and disruption.
Professionals	Cyber security professionals deal with the prevention of active threats or Advanced Persistent threats (APT).	Information security professionals are the foundation of data security and security professionals associated with it are responsible for policies, processes, and organizational roles and responsibilities that assure confidentiality, integrity, and availability.
Deals with	It deals with threats that may or may not exist in the cyber realm such as protecting your social media account, personal information, etc.	It deals with information Assets and integrity, confidentiality, and availability.
Defense	Acts as first line of defense.	Comes into play when security is breached.

Diagrams are given below to represent the difference between Information Security and Cybersecurity. 

In the above diagram, ICT refers to Information and communications technology (ICT) which is an extensional term for information technology (IT) that defines the role of unified communications and the integration of telecommunications (basically digital communication security).

Source: geeksforgeeks.org

Continue reading

Elements of Cybersecurity

Cyber security is the shielding of web associated systems, for example, hardware, software, and information from cyber dangers. The training is utilized by people and ventures to defend against unapproved access to the servers and other electronic systems.

Various elements of cyber security are given below:

◉ Application Security

◉ Information Security

◉ Network Security

◉ Disaster Recovery Planning

◉ Operational Security

◉ End-user Security

Let’s see an explanation of the elements in detail:

1. Application Security: Application security is the principal key component of cyber security which adds security highlights inside applications during the improvement time frame to defend against cyberattacks. It shields sites and online applications from various sorts of cyber security dangers which exploit weaknesses in source code. Application security is tied in with keeping software applications away from dangers. The general focus of application security is on cloud service-based organizations. 

Due to misconfiguration of settings the data of the cloud gets insecure. The fundamental reason for cloud application misconfiguration are:   

◉ Absence of attention to cloud security approaches

◉ Absence of sufficient controls and oversight

◉ Utilization of such a large number of connection points to oversee.

Vulnerabilities of Application: Denial-of-service (DoS) and Distributed denial-of-service(DDoS) attacks are used by some isolated attackers to flood a designated server or the framework that upholds it with different sorts of traffic. This traffic in the end keeps real users from getting to the server, making it shut down. A strategy called SQL injection (SQLi) is used by hackers to take advantage of database flaws. These hackers, specifically, can uncover user personalities and passwords and can also create, modify and delete data without taking permission of the user.

Types of Application Security: The types of Application Security are Authentication, Authorization, Encryption, Logging, and Application security testing.

Tools of Application Security: The various tools of application security are firewall, antivirus, encryption techniques, web application firewalls that protect applications from threats.

2. Information Security: Information Security is the component of cyber security that denotes the methods for defending unapproved access, use, revelation, interruption, modification, or deletion of information. The protection of the companies data, code, and information that is collected by the company from their clients and users is protected by Information security. The primary standards and principles of Information security are Confidentiality, Integrity, and Availability. Together it is called as CIA.

◉ Confidentiality: The protection of information of authorized clients which allows them to access sensitive information is known as Confidentiality. For example, assuming we say X has a password for my Facebook account yet somebody saw while X was doing a login into the Facebook account. All things considered, my password has been compromised and Confidentiality has been penetrated.

Integrity: The maintaining of consistency, accuracy, and completeness of the information is known as 

◉ Integrity. Information cannot be modified in an unapproved way. For example, in an information break that compromises the integrity, a programmer might hold onto information and adjust it prior to sending it on to the planned beneficiary. Some security controls intended to keep up with the integrity of information include Encryption, Controls of Client access, Records Control, Reinforcement, recovery methodology, and Detecting the error.

◉ Availability: The information which can be accessed any time whenever authorized users want. There are primarily two dangers to the accessibility of the system which are as per the following:

- Denial of Service

- Loss of Data Processing Capabilities

3. Network Security: Network security is the security given to a network from unapproved access and dangers. It is the obligation of network heads to embrace preventive measures to safeguard their networks from potential security dangers. Network security is one more element of IT security which is a method of defending and preventing unapproved access into computer networks.

◉ Network Security Strategies: There are numerous strategies to further develop network security and the most well-known network security parts are as per following: Firewalls, Antivirus, Email Security, Web Security, Wireless Security.

◉ Network Security Software: There are different types of tools that can shield a computer network like Network firewall, Cloud application firewall, Web application firewall, etc.

4. Disaster Recovery Planning/Business Continuity Planning: The planning that describes the continuity of work in a fast and efficient way after a disaster is known as Disaster Recovery Planning or Business Continuity Planning. A disaster recovery technique should begin at the business level and figure out which applications are generally vital to run the activities of the association. Business continuity planning (BCP) is tied in with being ready for cyber danger by distinguishing dangers to the association on schedule and examining how activities might be impacted and how to conquer that.

The primary objectives of disaster recovery planning include:

1. Protect the organization during a disaster

2. Giving a conviction of security

3. Limiting the risk of postponements

4. Ensuring the dependability of backup systems

5. Giving a standard to testing the plan.

6. Limiting decision-production during a disaster

• Disaster Recovery Planning Categories: The categories of Disaster Recover Planning are
• Data Center disaster recovery
• Cloud applications disaster recovery
• Service-based disaster recovery
• Virtual disaster recovery
• Steps of Disaster Recovery Planning: The steps are:
• Acquire Top Management Commitment
• Planning panel establishment
• Performing risk management
• Establish priorities for handling and tasks
• Decide Recovery Strategies
• Data Collection
• Record a composed plan
• Build testing rules and methods
• Plan testing
• Support the plan

5. Operational Security: The process that encourages the managers to see the activities according to the viewpoint of a hacker to protect sensitive data from various threats is known as Operational Security (OPSEC)n or Procedural security. Operations security (OPSEC) is utilized to defend the functions of an association. It tracks basic data and resources to distinguish weaknesses that exist in the useful technique.

• Steps of Operational Security: There are five stages to deal with the operational security program, which are as per the following:
• Characterize the association’s delicate data
• Distinguish the types of dangers
• Investigate security openings and weaknesses
• Evaluation of Risks
• Execution of accurate countermeasures
• Practices of Operational Security: The best practices of Operational Securities are:
• Implement exact change management processes
• Limit access to network devices
• Minimum access to the employees
• Carry out double control
• Task automation
• Reaction and disaster recovery planning

6. End User Education: End-user training is most the significant element of computer security. End users are turning into the biggest security threat in any association since it can happen whenever. One of the primary errors that lead to information breaks is human mistakes. An association should prepare its workers about cybersecurity. Each representative should know about phishing attacks through messages and interfaces and can possibly manage cyber dangers.

Threats of End-User: There are many reasons, that danger can be made. The end-user dangers can be made in the following ways:

◉ Utilizing of Social Media

◉ Text Messaging

◉ Utilization of Email

◉ Applications Download

◉ Creation and irregular uses of passwords

Source: geeksforgeeks.org

Continue reading

Cloudflare Reports It Prevented Largest HTTPS DDoS Attack on Record

The attack was launched by a 5,000-device botnet and peaked at 26 million requests per second.

Last week, content delivery network Cloudflare reported that its systems had detected and prevented the largest HTTPS Distributed Denial of Service (DDoS) attack in history. The attack was launched by a “small but powerful” botnet and hit 26 million requests per second at its peak.

According to a blog post by Cloudflare product manager Omer Yoachimik, the attack “targeted a customer website using Cloudflare’s free plan.” Despite comprising just 5,067 devices, the botnet that launched the attack produced over 200 million HTTPS requests from over 1,500 networks in 121 countries—in under 30 seconds.

Cloudflare highlighted the botnet’s reliance on cloud service providers rather than residential internet service providers. This implies “the use of hijacked virtual machines and powerful servers to generate the attack” rather than “much weaker Internet of Things (IoT) devices,” according to Yoachimik.

This computing power made the botnet much more powerful than its relatively small size would suggest. “To contrast the size of this botnet, we’ve been tracking another much larger but less powerful botnet of over 730,000 devices,” Yoachimik said. “Putting it plainly, this botnet was, on average, 4,000 times stronger due to its use of virtual machines and servers.”

Yoachimik also emphasized that last week’s attack took place over HTTPS. Since HTTPS DDoS attacks require establishing an encrypted TLS connection, they consume more computational resources than DDoS attacks carried out over HTTP, making the enormous scope of this attack even more striking.

“We’ve seen very large attacks in the past over (unencrypted) HTTP,” Yoachimik said, “but this attack stands out because of the resources it required at its scale.”

Just two months ago, in April 2022, Cloudflare saw another massive DDoS attack, which it reports was also automatically detected and mitigated by Cloudflare’s systems. That attack targeted a crypto launchpad, a type of platform supporting cryptocurrency and blockchain projects.

Like last week’s attack, the April attack relied heavily on cloud computing power and was also carried out over HTTPS. At 15 million requests per second, most of which were generated by datacenters, it was previously the largest HTTPS DDoS attack to date, according to Cloudflare.

Last August, Cloudflare disclosed it had stopped another record-breaking DDoS attempt, which clocked in at over 17 million requests per second. At the time, that attack was nearly three times bigger than any other to date.

— Lev Craig is an editor at EC-Council.

Source: eccouncil.org

Continue reading