

Banking & Finance - the problem

Achilles heel web application: Is your online business immune to web attacks?

The PROBLEM

A classical firewall is ineffective in this situation, because it fulfils exactly the purpose for which it was designed: inspecting the so-called transport layer of a request. Does its outward appearance meet certain criteria? Does it present a certain “ID card”? If so, it is waved through by the firewall and its like without any further questions. But nobody looks into the “pockets” of the request.

However, it is exactly here that the dangers lurk. For example, at first sight an injection attack looks like a harmless request. But if a hacker enters a SQL command into the “Name” field instead of a last name and this command is accepted, he can illegally retrieve sensitive information from the database. Malicious requests in large quantities can actually bring complete web applications to a standstill, for example when they trigger database queries that require complex calculations.
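The “Name” field scenario above, shown as an added example that is not part of the original page: a lookup that pastes the field content into the SQL text, beside the parameterised form that binds it as data, plus the kind of field-content check that a web application firewall (unlike a transport-layer firewall) can apply. The table, the customer rows and the helper names are constructed for this illustration.

```python
import re
import sqlite3

# Constructed sample data for the demo; not taken from any real system.
SAMPLE_CUSTOMERS = [
    ("Mueller", "DE00 0000 0000 0000 0000 01"),
    ("Schmidt", "DE00 0000 0000 0000 0000 02"),
    ("Weber", "DE00 0000 0000 0000 0000 03"),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory customer table (hypothetical schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, last_name TEXT, iban TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (last_name, iban) VALUES (?, ?)", SAMPLE_CUSTOMERS
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, last_name: str) -> list:
    """Deliberately weak: the field content becomes part of the SQL statement,
    so anything the user typed is parsed by the database as SQL."""
    sql = "SELECT last_name, iban FROM customers WHERE last_name = '" + last_name + "'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn: sqlite3.Connection, last_name: str) -> list:
    """Parameterised query: the field content is bound as a value and can never
    change the structure of the statement."""
    return conn.execute(
        "SELECT last_name, iban FROM customers WHERE last_name = ?", (last_name,)
    ).fetchall()


# Allowlist for a last-name field: letters (incl. Latin-1 accents), spaces,
# hyphens, apostrophes; 1 to 64 characters. This is the "look into the pockets"
# check a web application firewall or the application itself can perform.
NAME_PATTERN = re.compile(r"[A-Za-zÀ-ÿ][A-Za-zÀ-ÿ' -]{0,63}")


def looks_like_a_name(value: str) -> bool:
    """Return True only if the field content has the shape of a last name."""
    return NAME_PATTERN.fullmatch(value) is not None


def demo() -> dict:
    """Run both lookups with an ordinary name and with a constructed
    injection string, and report how many rows each returns."""
    conn = make_db()
    normal = "Schmidt"
    injected = "x' OR '1'='1"  # constructed input: closes the quote, adds an always-true clause
    return {
        "vulnerable_normal": len(lookup_vulnerable(conn, normal)),
        "vulnerable_injected": len(lookup_vulnerable(conn, injected)),
        "hardened_normal": len(lookup_hardened(conn, normal)),
        "hardened_injected": len(lookup_hardened(conn, injected)),
        "allowlist_normal": looks_like_a_name(normal),
        "allowlist_injected": looks_like_a_name(injected),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The concatenating lookup hands back every customer row for the injected input, whereas the parameterised lookup returns none, because the bound value is compared literally. The allowlist check catches this particular input at the “pockets” level, but a shape check alone is not a complete defence (a pattern that permits apostrophes still permits some SQL fragments); the parameterised query is the control that actually removes the problem, and the field check is defence in depth on top of it.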

With “man-in-the-middle” attacks the data thief steps between the two communication partners – bank and customer, for example. Since he makes each party believe that he is the other conversation partner, he is able to redirect data streams to his own address. Whether it is session riding – illegally taking over an HTTP session – or cross-site scripting, where the user’s browser is attacked: data thieves manage to obtain false identities. This way they can conduct all kinds of business transactions under the victim’s name, from fake money transfers to drawing on overdraft facilities. The result is serious financial loss and, even more importantly, a loss of face and trust that is hard to repair.