SQL injection
These attacks take advantage of input validation vulnerabilities in custom Web application code to send unauthorised SQL commands to a back-end database. For example, using SQL injection, an attacker may gain access to the entire contents of a back-end database, including identity information. SQL injection is usually carried out by an external attacker from outside the perimeter firewall.
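The input validation failure described above, and the fix a developer would apply, as an added example that is not part of the article: a login query that concatenates user input into the SQL text sits beside the same query written with bound parameters. The in-memory SQLite table, its rows and the probe string are constructed for the example; the column holding identity data is a stand-in for the kind of information the article says an attacker can reach.

```python
import sqlite3


def make_db():
    # Constructed sample data for an in-memory database (not from the article).
    # Toy schema: real systems store password hashes, never plaintext passwords.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, ssn TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret", "111-11-1111"), ("bob", "hunter2", "222-22-2222")],
    )
    return conn


def login_vulnerable(conn, username, password):
    # Defective pattern: untrusted input is spliced into the SQL text, so the
    # database parses whatever the user typed as part of the statement.
    sql = (
        "SELECT username, ssn FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    return conn.execute(sql).fetchall()


def login_parameterised(conn, username, password):
    # Parameterised query: the driver binds the values separately from the
    # statement, so input can only ever be compared as data, never run as SQL.
    sql = "SELECT username, ssn FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    # Constructed probe input: a tautology that turns the WHERE clause into
    # "... OR '1'='1", matching every row in the vulnerable version.
    probe = "' OR '1'='1"
    print(login_vulnerable(conn, probe, probe))      # every row, identity data included
    print(login_parameterised(conn, probe, probe))   # [] -> the probe is just a string
    print(login_parameterised(conn, "alice", "s3cret"))
```

The parameterised form is the whole fix: no allow-listing of quote characters is needed, because the value never reaches the SQL parser.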
Cross-site scripting
Such attacks take advantage of script injection vulnerabilities in custom Web application code to redirect a customer's login credentials to an attacker. Often used as part of a larger phishing scheme, cross-site scripting is usually carried out by an external attacker from outside the perimeter firewall.
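The script injection flaw above, with the output-encoding fix, as an added example that is not part of the article: a login error page that echoes the submitted username unescaped is shown next to the same page rendered through `html.escape`, for both an HTML text context and a quoted attribute context. The page fragments, the helper names and the probe string are constructed for the example.

```python
import html


def render_login_error_vulnerable(username):
    # Defective pattern: untrusted input is written straight into the HTML
    # response, so any markup the user submits becomes part of the page.
    return "<p>Login failed for user: %s</p>" % username


def render_login_error_safe(username):
    # Output encoding for an HTML text context: <, >, &, " and ' are replaced
    # by entities, so the browser displays the string instead of parsing it.
    return "<p>Login failed for user: %s</p>" % html.escape(username, quote=True)


def render_prefill_safe(username):
    # Attribute context: the same escaping, and the attribute is always quoted
    # so the value cannot terminate the attribute and start a new one.
    return '<input name="user" value="%s">' % html.escape(username, quote=True)


def contains_script_tag(markup):
    # Crude check used only to show the difference between the two renderings;
    # it is not a substitute for escaping.
    return "<script" in markup.lower()


if __name__ == "__main__":
    # Constructed probe input, not a payload from the article.
    probe = "<script>alert(1)</script>"
    print(render_login_error_vulnerable(probe))   # the tag survives intact
    print(render_login_error_safe(probe))         # &lt;script&gt;alert(1)&lt;/script&gt;
    print(render_prefill_safe('" autofocus onfocus="x'))
```

Escaping has to match the context the value lands in; the two safe renderers above cover text and attribute contexts, while JavaScript or URL contexts need their own encoders.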
Cross-site request forgery
This exploits a server's trust in a client that presents a valid session token. The attacker abuses this trust by invoking an action on behalf of the victim through malicious code in a hyperlink, image source tag, script, iframe or other content.
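The missing check that makes the session cookie alone sufficient, as an added example that is not part of the article: a request handler for a state-changing action that, besides the session cookie, requires a CSRF token bound to that session by an HMAC and rejects a cross-site `Origin` header. The request dictionary shape, the `handle_transfer` handler and the site origin are assumptions for the example, not any particular framework's API.

```python
import hashlib
import hmac
import secrets

# Per-deployment secret used to bind tokens to sessions (constructed at import).
SERVER_SECRET = secrets.token_bytes(32)
SITE_ORIGIN = "https://bank.example"   # assumed origin of the application


def csrf_token_for(session_id):
    # Token derived from the session id: a token captured or minted for one
    # session is useless for another, and nothing has to be stored server-side.
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def csrf_token_valid(session_id, token):
    if not token:
        return False
    # Constant-time comparison avoids leaking the token through timing.
    return hmac.compare_digest(csrf_token_for(session_id), token)


def handle_transfer(request):
    # request is an assumed dict: {"cookies": {...}, "headers": {...}, "form": {...}}
    session_id = request["cookies"].get("session")
    if session_id is None:
        return 401, "not logged in"

    # Check 1: a browser-sent Origin that is not ours means the form was
    # submitted from another site, whatever cookies came along with it.
    origin = request["headers"].get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return 403, "cross-site request rejected"

    # Check 2: the token must be present and match this session. An attacker's
    # page cannot read it, so a forged request lacks it even with a valid cookie.
    if not csrf_token_valid(session_id, request["form"].get("csrf_token")):
        return 403, "missing or invalid CSRF token"

    form = request["form"]
    return 200, "transfer of %s to %s accepted" % (form["amount"], form["to"])


if __name__ == "__main__":
    sid = "sess-123"   # constructed session id
    good = {"cookies": {"session": sid},
            "headers": {"Origin": SITE_ORIGIN},
            "form": {"amount": "100", "to": "bob", "csrf_token": csrf_token_for(sid)}}
    forged = {"cookies": {"session": sid},
              "headers": {"Origin": "https://other.example"},
              "form": {"amount": "100", "to": "bob"}}
    print(handle_transfer(good))     # (200, ...)
    print(handle_transfer(forged))   # (403, 'cross-site request rejected')
```

Both checks are kept because they fail independently: the token covers clients that omit `Origin`, and the origin check costs nothing and catches forged submissions before any token handling runs.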
Platform vulnerabilities
These take advantage of vulnerabilities in underlying operating systems and commercial software platforms. Code Red, Nimda, and MSBlaster represent just a few widely known worms targeting Web application platform software. In the case of identity theft, platform software vulnerabilities may be exploited by worms (or individual attackers) to install Trojan horse programs that enable back-door access to identity information.
Stree Naidu is vice president, Asia Pacific and Japan for Imperva, a data security specialist.