Common attacks on the web
An antivirus and a correctly configured firewall help against malware and keep attackers from infiltrating your computer. However, as the main window to the internet, the web browser is often left unprotected out of convenience. Today everything is on the web, but a web browser only creates outgoing connections and uses a few standard ports, so filtering only a part of the web traffic is difficult.
Cross-site request forgery
Another common attack is cross-site request forgery (CSRF, Estonian: päringuvõltsing). If XSS abuses the user's trust in the web site, CSRF works the other way around: it abuses the web site's trust in the (authenticated) user. In cross-site request forgery a request is sent to the web site on behalf of the user, usually without the user being aware of it. The web site executes the request because it appears to come from a trusted (authenticated) user.
<img src="http://bank.com/transaction.php?sender=Victim&receiver=Attacker&sum=100" />
Most probably this web address does not point to an image, but the request is made to the bank's web site nevertheless, and the browser attaches the victim's cookies to it. If the victim is authenticated (logged in) to the bank, this request might actually work.
SQL-injection
SQL-injection allows an attacker to gain access to the database of the web service. Like XSS, the vulnerability comes from insufficient validation of user input. User input values may be inserted directly into database queries without any validation, and hence the attacker can change the behaviour of those queries.
Structured Query Language (SQL) is the language used to request and modify data in a database. SQL-injection is one of the most common web-based attacks today. More information about this attack vector can be found in the article 14 Years of SQL Injection and still the most dangerous vulnerability and on the web site of W3C.
A blind SQL-injection is a type of SQL-injection where the attacker does not directly see the results of the query. For example, an error message may be shown for an incorrect query while nothing is shown if the query was successful. In this case the attacker can guess the database schema (table and column names) and perform the attack by trial and error. More information can be found on the OWASP page for blind SQL-injection.
Task: Try the SQL-injection demo on the following web page: https://free.codebashing.com/free-content/python/sql_injection. It asks for registration but does not actually verify the email address or phone number.
You may have to read a brief introduction about the SQL syntax and the information about SQL "SELECT" and "WHERE" commands.
How to avoid these attacks
Logging out of web services helps against cross-site request forgery, as you are no longer "trusted" by the web service. Web browsers also try to detect XSS and CSRF attacks, but this does not work every time.
XSS, SQL-injection and CSRF attacks can be mitigated by the web services themselves. Strict validation of user input helps to protect against XSS and SQL-injection attacks. If HTML (or similar) code in forum posts is not absolutely necessary, it should be disabled. If code input is still necessary, it must be validated against a strict whitelist.
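As an added example (not from the course page), here is what "validated against a strict whitelist" can look like for HTML in forum posts. It is built on Python's html.parser: only a fixed set of tags survives, only the href attribute of a link is kept and only with an http or https scheme, every other tag and attribute is dropped, all text is escaped, and tags left open are closed at the end so the output cannot leak into the surrounding page. The tag and scheme lists are the example's own choices; a real site would pick them to match its needs.

```python
from html import escape
from html.parser import HTMLParser

# Whitelist chosen for this example: everything not listed here is dropped.
ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "br", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
ALLOWED_SCHEMES = ("http://", "https://")


class WhitelistSanitizer(HTMLParser):
    """Rebuilds the input from scratch, keeping only whitelisted pieces."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # unknown tag: dropped, its text content still passes as text
        kept = []
        for name, value in attrs:
            allowed = name in ALLOWED_ATTRS.get(tag, set())
            # Only absolute http(s) URLs: rejects javascript: and data: links.
            if allowed and value and value.lower().startswith(ALLOWED_SCHEMES):
                kept.append(' %s="%s"' % (name, escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))
        if tag != "br":
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in self.open_tags:
            # Close everything opened after it too, keeping the output well-formed.
            while self.open_tags:
                closed = self.open_tags.pop()
                self.out.append("</%s>" % closed)
                if closed == tag:
                    break

    def handle_data(self, data):
        # Text is always escaped, including anything that was inside a dropped
        # <script> tag: it becomes harmless visible text.
        self.out.append(escape(data, quote=False))

    def result(self):
        while self.open_tags:
            self.out.append("</%s>" % self.open_tags.pop())
        return "".join(self.out)


def sanitize(html):
    """Return a version of `html` containing only whitelisted markup."""
    parser = WhitelistSanitizer()
    parser.feed(html)
    parser.close()
    return parser.result()


if __name__ == "__main__":
    for sample in ['<b>hello</b>', '<a href="https://example.com/">site</a>',
                   '<a href="javascript:x()">link</a>', '<script>x()</script>',
                   '<img src="x" onerror="x()">', '<b>unclosed']:
        print(repr(sample), "->", repr(sanitize(sample)))
```

The design choice is to rebuild the output rather than to search for bad patterns: a blacklist has to anticipate every encoding trick, while a whitelist only has to describe the small set of things that are explicitly allowed.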
Cross-site request forgery attacks can be mitigated by asking the user to authenticate again for security-critical requests, like making a bank transaction. However, this is inconvenient for the user. Alternatively, the web site can attach a unique, randomly generated token (CSRF token) to each web form it provides to the user. When the form is submitted, the token provided by the user is validated against the token stored on the server. This guarantees that the request comes from a valid page. Such a token must be tied to a specific user and be usable only once. Unfortunately, if the page contains an XSS vulnerability, this validation can be bypassed.
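The following added example (not code from the course page) ties the CSRF token mitigation described here back to the forged bank transaction shown earlier. A small server-side store issues an unpredictable token per user, and a simulated handler for the bank's transaction endpoint accepts a transfer only when the submitted token matches an outstanding token of the logged-in user, after which the token is discarded so it cannot be replayed. The handler and endpoint name are assumptions for the example; the forged request is the same as the page's img tag: the victim's cookie is sent, but no token is.

```python
import hmac
import secrets


class CsrfTokenStore:
    """Server-side record of per-user, single-use CSRF tokens.

    Constructed example: a real site keeps this in its session storage."""

    def __init__(self):
        self._tokens = {}  # user_id -> set of tokens not yet used

    def issue(self, user_id):
        # Fresh unpredictable token, to be embedded as a hidden form field.
        token = secrets.token_urlsafe(32)
        self._tokens.setdefault(user_id, set()).add(token)
        return token

    def validate(self, user_id, submitted):
        """True once, and only once, for a token issued to this user."""
        if not isinstance(submitted, str):
            return False
        outstanding = self._tokens.get(user_id, set())
        for token in list(outstanding):
            # Constant-time comparison so timing does not leak the token.
            if hmac.compare_digest(token.encode(), submitted.encode()):
                outstanding.discard(token)  # one-time use
                return True
        return False


def handle_transaction(store, session_user, form):
    """Simulated handler for the bank's transaction endpoint (assumed name).

    `session_user` is whoever the browser's cookie authenticates, `form` the
    submitted parameters. Returns a status string starting with ok or rejected."""
    token = form.get("csrf_token")
    if token is None or not store.validate(session_user, token):
        return "rejected: missing or invalid CSRF token"
    if form.get("sender") != session_user:
        return "rejected: sender does not match the logged-in user"
    return "ok: %s sent %s to %s" % (form["sender"], form["sum"], form["receiver"])


if __name__ == "__main__":
    store = CsrfTokenStore()
    token = store.issue("Victim")
    # The real form the bank served includes the token.
    legit = {"sender": "Victim", "receiver": "Shop", "sum": "100", "csrf_token": token}
    print(handle_transaction(store, "Victim", legit))
    print(handle_transaction(store, "Victim", legit))  # replay of the same token
    # The forged request from the img tag: cookie present, token absent.
    forged = {"sender": "Victim", "receiver": "Attacker", "sum": "100"}
    print(handle_transaction(store, "Victim", forged))
```

A token issued to a different user is rejected as well, which is what "tied to a specific user" buys: an attacker cannot obtain a token from their own session and reuse it in the victim's. The final caveat on the page still holds: a script injected through XSS runs inside the victim's page, can read the hidden field, and can submit the form with a valid token.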