Website vulnerabilities and threats.
What is a website vulnerability?
In web security, the term website vulnerability refers to a bug in the site code or server software that can be used to disrupt the integrity of the system and cause it to malfunction.
A vulnerability can be the result of programming errors, flaws in the site's design, unreliable passwords, the possibility of script and SQL injection, and attacks on the site.
Usually a vulnerability allows an attacker to “deceive” a web application: to force it to perform an action that it should not be authorized to perform.
This is done by introducing data or code into the program in such a way that the program treats it as its own.
In most cases, vulnerabilities appear because of insufficient verification of the data entered by the user, which allows arbitrary commands to be inserted into the interpreted code.
Many vulnerabilities appear due to more complex problems, such as writing data to a buffer without checking its boundaries (buffer overflow).
Some vulnerabilities are known only theoretically, but most are already being actively used and have known exploits.
What kinds of vulnerabilities do sites have?
Let’s start with the most common vulnerabilities, which are found in most websites.
Cross Site Scripting / XSS vulnerability
Cross-site scripting is an error in validating user data that allows JavaScript code to be passed for execution in the user’s browser. Attacks of this kind are often also called HTML injections, because the injection mechanism is very similar to that of SQL injection, but unlike the latter, the injected code is executed in the user’s browser.
SQL injection
All data, as a rule, is stored in databases, which are accessed through queries, most often written in SQL (Structured Query Language).
Applications use SQL queries to receive, add, modify or delete data, for example when editing a user’s personal data or filling out a form on the site. If data from the user is insufficiently verified, an attacker can enter into a form in the application’s web interface specially crafted input containing a piece of an SQL query.
This type of attack is called injection; the most common case is SQL injection. It is a dangerous vulnerability that allows an attacker to gain access to the database and to read, modify or delete information that is not intended for them.