Web Security Exploits

For many web application owners, keeping a page stable and secure against the many web security vulnerabilities that exist should be one of the main priorities. The impact on online e-commerce pages is much greater simply because of the wide exposure they have.

A vulnerable website can lead to extensive and irreversible problems that cause heavy expenses for owners, unhappy customers and a decrease in sales. Most often this happens because many web developers do not have enough knowledge of web page security, which leads to holes in your system. In many cases, it is too late by the time you realize that your website can be, or already is, exploited by attackers. Although cybersecurity advances rapidly, hackers’ methods advance alongside it. There are multiple reasons why attackers are willing to do harm, and it’s not always the money. A few of the reasons are to steal or leak information, to disrupt services (just take something down), or to make a point, driven by political, idealistic or other motives, but mostly it’s for personal gain: money and valuable data.

Small businesses mostly do not face powerful hacking attempts; instead they face attackers who use comparatively simple exploits to manipulate a website. Some of these are well-known methods such as SQL injection, cross-site scripting (XSS), remote code execution, username enumeration, incorrect security configuration, and many others. It is recommended to start thinking about web security early, before attacks happen.

SQL Injection

SQL injection is one of the most attractive methods for exploiting websites. It results from a failure to filter user input, which passes unfiltered data to the website’s server. For example, when user input is placed straight into an SQL query, which is bad coding practice, it can lead to significant complications. Execution of harmful code can give access to a database that holds sensitive data, or allow SQL commands to be executed that add, delete or update database records. This can lead to loss of important data and hijacking of clients’ browsers. The good news is that SQL injection can be prevented by using correct methods to process input data and by properly filtering all website inputs.
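The difference between pasting input into the query and passing it as a bound parameter, shown as an added example that is not code from the original post. The table, the function names and the sample inputs are constructed for illustration, and SQLite stands in for the shop's real database.

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    """In-memory shop database holding constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, phone TEXT)")
    db.executemany(
        "INSERT INTO customers (email, phone) VALUES (?, ?)",
        [("alice@example.com", "555-0100"), ("bob@example.com", "555-0101")],
    )
    return db

def find_customer_vulnerable(db, email):
    # BAD: the input becomes part of the SQL text, so a quote character in
    # `email` closes the string literal and the remainder is parsed as SQL.
    query = "SELECT id, email FROM customers WHERE email = '" + email + "'"
    return db.execute(query).fetchall()

def find_customer_safe(db, email):
    # GOOD: the ? placeholder keeps the value out of the SQL text entirely;
    # the driver binds it as data, whatever characters it contains.
    return db.execute(
        "SELECT id, email FROM customers WHERE email = ?", (email,)
    ).fetchall()

# Constructed inputs: a legitimate address containing a quote, and a value
# whose quote changes the meaning of the concatenated query.
QUOTED_NAME = "o'brien@example.com"
CRAFTED = "nobody@example.com' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("concatenated:", find_customer_vulnerable(db, CRAFTED))  # every row
    print("parameterized:", find_customer_safe(db, CRAFTED))       # no rows
```

The concatenated version also raises a syntax error on QUOTED_NAME, so the same defect that enables injection breaks legitimate input; errors of that kind in application logs are worth investigating.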

Cross-site Scripting (XSS)

Cross-site scripting (XSS) is another widely used website exploit which, like SQL injection, is a failure of user input sanitization or validation. The hole is that an attacker can execute JavaScript code by inserting script tags like “<script>” into an input. In other words, HTML tags are allowed within the input fields. Websites that do not have proper validation or encoding are vulnerable to scripts being executed in the browser. This method is used to hack customers in an indirect way: once a user accesses the infected page, the script is executed. The JavaScript code can then access cookie objects and post the customer’s cookie to the attacker’s server. From there the attacker has access to session tokens, which provide access to users’ accounts. There are special functions that encode user input to avoid these attacks, but website developers might not know about them, or might forget the validation that must take place on user input.
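Two defences for the scenario above, as an added example that is not part of the original post: encoding user input when it is written into the page, and marking the session cookie so that page scripts cannot read it. The function names and the sample comment are constructed for illustration.

```python
import html
from http.cookies import SimpleCookie

def render_comment_vulnerable(author: str, text: str) -> str:
    # BAD: input is copied into the page as-is, so any HTML tag it
    # contains becomes part of the document the browser parses.
    return f"<li><b>{author}</b>: {text}</li>"

def render_comment_safe(author: str, text: str) -> str:
    # GOOD: html.escape() turns < > & " ' into entities, so the browser
    # displays the input as text. This encoding is correct for HTML body
    # text and quoted attribute values; input placed inside a script
    # block or a URL needs the encoding for that context instead.
    return f"<li><b>{html.escape(author)}</b>: {html.escape(text)}</li>"

def session_cookie_header(token: str) -> str:
    """Build the value of a Set-Cookie header for the session token."""
    cookie = SimpleCookie()
    cookie["session"] = token
    cookie["session"]["path"] = "/"
    cookie["session"]["httponly"] = True   # not readable from page JavaScript
    cookie["session"]["secure"] = True     # sent over HTTPS only
    cookie["session"]["samesite"] = "Lax"  # withheld on most cross-site requests
    return cookie["session"].OutputString()

# Constructed sample input containing the tag the text mentions.
SAMPLE_COMMENT = "<script>alert(1)</script>"

if __name__ == "__main__":
    print(render_comment_vulnerable("guest", SAMPLE_COMMENT))
    print(render_comment_safe("guest", SAMPLE_COMMENT))
    print("Set-Cookie:", session_cookie_header("abc123"))
```

HttpOnly limits what a script that does get through can take; it does not replace output encoding.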

Username enumeration

Username enumeration can also be a small flaw in eCommerce security. This method exploits trivial usernames and passwords like admin/admin or username/password, which allow attackers to run username and password guessing programs and get access to accounts with simple credentials. This is why many web applications add extra password validation at registration, to keep users from choosing passwords that are too simple. Username enumeration also includes overly specific error messages on failed login attempts. Consider having the website display the message “Incorrect Username/Password combination” instead of “Username does not exist” and “Wrong password”. This ensures attackers never learn whether a given username exists, reducing the chances of a successful hack. In a so-called brute force attack, the number of guesses needed to find the correct password drops significantly once the attacker knows for sure that the chosen username exists.
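A login check that gives the same answer for an unknown username and a wrong password, plus a registration check for trivial passwords, as an added example that is not from the original post. The account data, the 12-character minimum, the weak-password list and the iteration count are assumptions chosen for the illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumption for this example; tune for production
GENERIC_ERROR = "Incorrect Username/Password combination"
TRIVIAL = {"admin", "password", "username", "123456"}  # illustrative list

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def make_record(password: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt)}

# Constructed account store with a single user.
USERS = {"anna": make_record("correct horse battery staple")}
# Stand-in record that is hashed against when the username is unknown.
_DUMMY = make_record("placeholder")

def login(username: str, password: str) -> str:
    record = USERS.get(username)
    target = record if record is not None else _DUMMY
    # The hash is computed for unknown usernames too, so neither the
    # message nor the response time shows whether the account exists.
    candidate = hash_password(password, target["salt"])
    matches = hmac.compare_digest(candidate, target["hash"])
    if matches and record is not None:
        return "OK"
    return GENERIC_ERROR

def acceptable_password(username: str, password: str) -> bool:
    """Registration check that rejects pairs such as admin/admin."""
    lowered = password.lower()
    return (
        len(password) >= 12
        and lowered not in TRIVIAL
        and lowered != username.lower()
    )

if __name__ == "__main__":
    print(login("anna", "wrong guess"))    # generic message
    print(login("nobody", "wrong guess"))  # same generic message
```

The password-reset and registration forms need the same treatment, since a message such as "this username is already taken" reveals the same fact.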

Wait, there’s more

There are many other vulnerabilities, for example remote code execution, which can be exploited in a similar way when user input is injected into a file or string and evaluated by the programming language’s parser. Another common mistake is insecure direct object references. For example, take a link such as download.php?file=something.txt, a script that would normally serve downloadable files to customers: either by mistake or out of laziness, developers might have written the code so that it is authorized to download any system file. Specifically for eCommerce websites, there is a vulnerability that allows the total price of an order to be manipulated. Price manipulation is most common on dynamically generated websites where the total payable price is held in a hidden HTML field. With a web application proxy such as “Achilles”, the price can be manipulated while the data is being sent from the browser to the web server. Security configuration is another source of security flaws. Secure configurations must be developed from different standpoints (application, framework, application server, web server, database server, and platform) to avoid any attack.
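For the download.php?file= case above, the server-side check has two parts: the requested file must belong to the logged-in customer, and the resolved path must stay inside the download directory. This is an added example, not code from the original post; the directory, the purchase records and the function names are hypothetical.

```python
from pathlib import Path

# Hypothetical storage directory for downloadable files.
DOWNLOAD_ROOT = Path("/srv/shop/downloads")

# Constructed sample data: which customer is entitled to which file.
PURCHASES = {
    "alice": {"manual.pdf", "invoice-1001.txt"},
    "bob": {"invoice-1002.txt"},
}

class DownloadDenied(Exception):
    """Raised when a download request must not be served."""

def resolve_download(customer: str, requested: str,
                     root: Path = DOWNLOAD_ROOT) -> Path:
    # 1. Authorization: the file name in the URL is only a reference.
    #    It is honoured only if this customer is entitled to that object.
    if requested not in PURCHASES.get(customer, set()):
        raise DownloadDenied("customer is not entitled to this file")
    # 2. Containment: resolve "..", symlinks and absolute paths, then
    #    require the result to sit below the download directory, so a
    #    bad entitlement record cannot expose other files on the system.
    root = root.resolve()
    candidate = (root / requested).resolve()
    if root not in candidate.parents:
        raise DownloadDenied("path leaves the download directory")
    return candidate

def is_allowed(customer: str, requested: str) -> bool:
    try:
        resolve_download(customer, requested)
        return True
    except DownloadDenied:
        return False

if __name__ == "__main__":
    print(resolve_download("alice", "manual.pdf"))
    print(is_allowed("bob", "manual.pdf"))       # False: not bob's file
    print(is_allowed("alice", "../outside.txt"))  # False: not entitled
```

Denied requests are worth logging with the customer and the requested name, since repeated denials for one session are a useful detection signal.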

Security and Magento

One of the most commonly used eCommerce platforms, Magento, has also had some security flaws. Of the Magento 1 and Magento 2 versions, Magento 1, which is still supported and in use by many online shops, has some vulnerabilities. Many online shop owners tend to use common usernames and admin links like “admin”, which makes credentials less secure. This increases the chances of attackers finding your password as well, but the main issue is that with admin panel credentials alone you can access, delete or change basically anything within the database. The Magento 1 extension manager is the key to exploiting a website with this method. A custom extension can be uploaded using the extension manager, and the attacker’s infected code can then be executed to manipulate the database.

Website security is a crucial and attention-demanding part of web development, and those with wrong intentions will always find holes in the system. Stephane Nappo said: “It takes 20 years to build a reputation and few minutes of cyber-incident to ruin it.”

Cybersecurity will always be evolving and improving, but so will hackers with harmful motives. Therefore, websites should be developed with different types of vulnerabilities in mind and maintained with tight security control. Regular maintenance and updates, installing firewalls and security applications, deploying SSL and keeping regular database backups are a few ways to practice web security. Don’t get caught with your pants down and always be ready to protect yourself and your company’s future.

Ansis Kengis
Magento Developer & Team Lead
Feb 04