An attacker may fill such a form with cleverly crafted SQL commands rather than the data he was prompted to enter. If the software behind the website is not well designed, the commands entered by the attacker might end up being executed. As a result, the invader may trick the website into displaying page data such as the shipping address or the credit card data of all the customers in the unprotected database.

A less-subtle attack involves compromising the entire store at once, by breaking the website itself (for example, by DoS: flooding the software with too many requests and bypassing protections when the program collapses) or just gaining access to the machine hosting the DB with any of the methods described so far. As strange as it may seem, customer data can sometimes make its way from those databases to the laptops of the website's personnel. Such laptops can then be promptly stolen or forgotten in taxis, on subways, and in waiting rooms, with the obvious consequences for the data they contain.

As with the man-in-the-middle attack class, in this case there are countermeasures that can be set up for coping with these threats. Well-engineered queries, encrypted stores, secure sessions, and a minimal attack surface on servers are all efficient methods of mitigating risks.
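The following added example (not from the original text) shows what "well-engineered queries" means in practice for the form-based attack described above. It puts a query built by string concatenation next to a parameterized one, against a constructed in-memory SQLite table standing in for the store's customer database; the table contents, the column names and the helper names are assumptions for the illustration. With the concatenated query a single form field containing quoted SQL fragments changes the meaning of the statement and returns every customer; with the bound parameter the same input is treated purely as a username to compare against and matches nothing.

```python
import sqlite3

# Constructed sample data: a tiny stand-in for the store's customer database.
SAMPLE_CUSTOMERS = [
    (1, "alice", "1 Main St"),
    (2, "bob", "2 Oak Ave"),
    (3, "carol", "3 Elm Rd"),
]

# Constructed form input of the kind the text describes: SQL fragments where a username was expected.
CRAFTED_INPUT = "x' OR '1'='1"


def make_db():
    """Create an in-memory database holding the constructed customer rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, username TEXT, shipping_address TEXT)"
    )
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_CUSTOMERS)
    return conn


def lookup_vulnerable(conn, username):
    """Badly designed query: the form input is pasted into the SQL text, so
    quote characters in the input alter the statement itself."""
    sql = (
        "SELECT id, username, shipping_address FROM customers WHERE username = '"
        + username
        + "'"
    )
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Well-engineered query: the input is bound as a parameter, so the database
    engine only ever compares it as a value and never parses it as SQL."""
    sql = "SELECT id, username, shipping_address FROM customers WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def compare(conn, username):
    """Return the number of rows each variant leaks for the same form input."""
    return {
        "vulnerable_rows": len(lookup_vulnerable(conn, username)),
        "safe_rows": len(lookup_safe(conn, username)),
    }


if __name__ == "__main__":
    db = make_db()
    print("legitimate input 'bob':", compare(db, "bob"))
    print("crafted input:", compare(db, CRAFTED_INPUT))
```

Running the script shows both variants returning one row for a genuine username, while for the crafted input the concatenated query hands back all three customers and the parameterized query returns none. The same binding discipline applies whatever the database driver; the placeholder syntax differs between engines, but the principle that user data travels separately from the SQL text does not.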