- Improper coding, or programming, practices can lead to a Web vulnerability known as remote code execution. Remote code execution allows a hacker to execute program code, with full system-administrator permissions, on a vulnerable computer and so extract any information contained on it. Remote code execution is a highly critical Web vulnerability that can lead to total system compromise. According to Symantec, systems that were vulnerable to remote code execution in the past included the free Web publishing software package, Drupal, and the PayPal shopping cart, which allows users to purchase items from websites.
- Many database-driven websites are vulnerable to an attack known as SQL injection. Essentially, a hacker inserts, or injects, malicious SQL commands into the data he enters into a computer program. The program builds a dynamic command string, including the malicious code. When executed, the code can extract sensitive data from the database, insert, update or delete data or take the database offline completely. SQL injection is an old, well-known Web vulnerability, but it is still popular with hackers because it is typically easy to detect and easy to exploit.
- A Web vulnerability known as cross-site scripting relies on enticing, or tricking, the victim into visiting a malicious Web page that appears legitimate at first glance. If the victim visits such a page, a hacker can execute malicious code, such as JavaScript, in the victim's Web browser. Hackers can also use this method to create a botnet -- a network of hundreds or thousands of computers infected with malicious code -- that can be used to distribute spam or viruses, or both, and to mount denial-of-service attacks on other computers on the Web.
- Commercial off-the-shelf software products tend to be more popular with hackers than customized, or proprietary, software products. Once a Web vulnerability is identified in a single off-the-shelf software product, it can be exploited over and over again on computers with the same software installed, whereas a vulnerability in a proprietary product can probably be exploited just once, on a single computer.
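
The dynamic command string described in the SQL injection item above, shown beside a parameterized query, as an added example that is not part of the original article. It uses Python's sqlite3 module with a constructed in-memory table; the table, column and function names are assumptions made for illustration.

```python
import sqlite3

def make_db():
    """Build an in-memory database holding constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, email TEXT)")
    db.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.test"),
         ("bob", "bob@example.test"),
         ("o'brien", "obrien@example.test")],
    )
    return db

def lookup_vulnerable(db, name):
    # Dynamic command string: the input is pasted into the SQL text, so any
    # quote character in it is parsed as SQL syntax instead of as data.
    query = "SELECT email FROM users WHERE name = '" + name + "'"
    return [row[0] for row in db.execute(query)]

def lookup_parameterized(db, name):
    # Placeholder: the statement text is fixed and the input is bound
    # separately as one value, so it cannot change the statement's shape.
    query = "SELECT email FROM users WHERE name = ?"
    return [row[0] for row in db.execute(query, (name,))]

def compare(db, name):
    """Run both lookups on one input and report what each returned."""
    try:
        weak = lookup_vulnerable(db, name)
    except sqlite3.OperationalError as exc:
        # Even a legitimate name containing an apostrophe breaks the string.
        weak = "error: " + str(exc)
    return {"vulnerable": weak, "parameterized": lookup_parameterized(db, name)}

if __name__ == "__main__":
    db = make_db()
    # Constructed inputs: a normal name, a name with an apostrophe, and the
    # textbook always-true condition used to illustrate the flaw.
    for value in ["alice", "o'brien", "x' OR '1'='1"]:
        print(repr(value), compare(db, value))
```

The string-built lookup returns every row for the always-true input and fails outright on `o'brien`, while the parameterized lookup treats both as plain names.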