2.4 Explain common social engineering attacks, threats, and vulnerabilities.

//2.4 Explain common social engineering attacks, threats, and vulnerabilities.
2.4 Explain common social engineering attacks, threats, and vulnerabilities.2022-09-05T21:58:49+00:00

2.4 Explain common social engineering attacks, threats, and vulnerabilities.

  • Social engineering
    • Phishing
    • Vishing
    • Shoulder Surfing
    • Whaling
    • Tailgating
    • Impersonation
    • Dumpster Diving
    • Evil Twin
  • Threats
    • Distributed Denial of Service (DDoS)
    • Denial of Service (DoS)
    • Zero-Day Attack
    • Spoofing
    • On-Path Attack
    • Brute Force Attack
    • Dictionary Attack
    • Insider Threat
    • Structured Query Language (SQL) Injection
    • Cross-Site Scripting (XSS)
  • Vulnerabilities
    • Non-Compliant Systems
    • Unpatched Systems
    • Unprotected Systems (Missing Antivirus / Missing Firewall)
    • EOL OSs
    • Bring Your Own Device (BYOD)

Social Engineering

There are several types of social engineering attacks.  Social engineering takes advantage of a human’s feelings to get them to do things that they wouldn’t normally do.

PhishingPhishing is a malicious attempt to obtain your login credentials or other sensitive information.   A hacker will set up a website that appears to look legitimate (it could be for an online service such as e-mail or a bank).   

The hacker will send a link to the website, via e-mail, to thousands or millions of people.  The e-mail might contain a threat (for example that the account will be locked out if the user doesn’t respond). Some people are dumb enough to open the e-mail and visit the fake website.  And a few of those people will try to log in with their real credentials.  

The hacker will capture the credentials and later use them to break into the users’ online accounts  

A phishing website is usually easy to detect if you’re an expert, but many regular people get tricked.  It will have

-The wrong domain name
-Lack of an extended validation certificate
-Possible spelling mistakes  

Once somebody reports the phishing attempt, authorities will shut down the website.  But it can be difficult to identify and warn all the people who accessed the site.    

Vishing is just like phishing, except that it uses the telephone to trick people.  
Spear PhishingSpear Phishing is the same as phishing, except that it targets a specific company or person.  It usually targets somebody who is rich or powerful.  The hacker will research the company, its users, and its policies, to devise an e-mail or scenario that tricks a specific person into handing over their credentials.   Spear Phishing can use

-A person pretending to be from the IT, HR, or accounting department

-A website disguised as a legitimate company website  

Spear Phishing can be detected by instituting strong controls and educating users. Users should know not to give their usernames/passwords to others, regardless of who they are.  

We might also call this Whaling.  
Shoulder SurfingA hacker will look over your shoulder when you are accessing sensitive data, and observe you typing in your username/password  

A hacker doesn’t have to be physically present (it’s possible to shoulder surf by viewing surveillance camera footage, and due to security vulnerabilities, many security cameras are accessible over the internet)  

Difficult to detect shoulder surfing  

Prevent shoulder surfing
-Install a privacy screen over your laptop
-Don’t access sensitive resources in public places  
TailgatingIf a door is protected by an access card reader or a lock, each person who enters must swipe their card or unlock the door.  

A hacker who does not have a key or a key card will attempt to enter by following somebody else in.  This is known as tailgating.  

Tailgating can be prevented by requiring every person who enters to swipe their card and/or by installing man trap doors.  Institute a policy to ensure that each person swipes their card when they enter.  
Dumpster DivingA hacker will dig through a garbage can to find sensitive documents and files.  A hacker can find sensitive data on USB drives, DVDs, and hard drives that are not properly disposed of.  

Dumpster Diving can be prevented by shredding sensitive documents and media.  
Evil TwinA wireless client will connect to the access point that has the highest signal (typically the one that is nearest to the client).  In an Evil Twin attack, the hacker deploys a wireless access point with the same SSIDs as the legitimate access points, but with a higher signal strength. 

Clients that are preconfigured to connect to the SSIDs will connect to the evil twin.   

The evil twin will pass data between the client devices and the legitimate access point.  This ensures that nobody ever detects the presence of the evil twin.  The hacker can connect to the evil twin and capture all of the data transmitted through it.  
ImpersonationImpersonation is acting like another person.  The thief will pretend to be a person known to the victim (or employed in a position known to the victim) and steal information from the victim through trickery.  

Impersonation can occur via e-mail, telephone, or in person.  

The type of impersonation  

-IT help desk person.  The thief acts like a member of the IT help desk and calls the victim asking for access to the computer or access to some information that the victim possesses.  

-Manager/CEO.  The thief acts like a member of senior management and uses their position of authority to obtain information.  The user is too intimidated to say no.  

-Co-Worker.  The thief acts like a co-worker and uses their friendship to obtain information.  

-Government Official/Law Enforcement.  The thief acts like a member of law enforcement and uses threats or intimidation to obtain information.  

-Contractor/Janitor.  The thief acts like a contractor and obtains unauthorized access to the building and then steals information.  

The thief will normally have obtained information that the victim will know (information about a project, co-worker, manager, etc.).  By name-dropping and information-dropping, the thief will appear legitimate to the victim.


Even if the social engineering doesn’t work, hackers can still get you.  Let’s look at some of the ways they can do this.

DoS – Denial of Service

Remember that there are millions of web servers operating on the internet.  Some of them host websites.  If a hacker wants to bring down a web server, he could flood that server with massive amounts of traffic.  The web server would then be unable to respond to legitimate traffic, and ordinary users would be unable to visit the website.  This is known as denial of service.  Many services connect to the internet, including credit card processing systems, government databases, etc., and, and all are vulnerable to DoS.

There are many types of DoS attacks

  • SYN flooding.  When a client connects to a web server, a three-way handshake (SYN, SYN/ACK, ACK) process occurs between the two computers. 

    • The user sends a SYN message to the server; the server responds with a SYN/ACK message to the user, and the user responds with an ACK message to the server.  Each time a server replies with its SYN/ACK message, it opens a connection and waits for the ACK response.  Once the ACK response is received, the server completes the connection.

    • In SYN flooding, the hacker imitates a legitimate user and sends more SYN requests than the web server can handle.  The web server responds with the SYN/ACK response, but the hacker does not complete the third part by sending the SYN.

    • The server keeps a connection open waiting for an ACK message that never arrives.  The server can only keep a limited number of connections open.  If all of them are waiting for ACK messages that will never arrive, then the server won’t be able to establish connections with legitimate users.

  • Fragmenting.  Remember that data travelling over the internet is broken up into pieces known as packets.  The packets may take different routes to reach their destination, and the receiving computer puts the packets back together.  The data in each packet should not overlap.

    • In a fragmenting attack, the hacker send data to the server, but puts overlapping data into each packet

    • The server attempts to put the data back together but can’t.  If the operating system isn’t equipped to recognize this attack and discard the bad packets, then it will crash.

Most DoS attacks are preventable.

  • A hacker will not have enough bandwidth to bring down a large web service.  Major websites such as Google, Facebook, eBay, etc. use distributed server farms consisting of millions of servers, with redundant pathways to the internet.  A hacker will not have enough capacity to overload their systems.

  • Most enterprise systems contain firewalls that can easily detect and block DoS attacks.  If a substantial amount of illegitimate traffic appears to be originating from a single source, it can simply be turned off.

  • For a small monthly fee, services such as CloudFlare offer large-scale cloud-based firewalls to protect smaller websites from DoS attacks.  CloudFlare is effectively giving each website the same capacity as a website like Google.  Since it is not likely that multiple DoS attacks will take place at the same time, all of the websites behind CloudFlare’s firewall can stay operational.

Distributed Denial of Service was invented after DoS became less effective.

With DDoS, a hacker infects thousands (or hundreds of thousands) of computers (or other IP devices such as cameras) and uses all of them to send traffic to a web server that he wants to crash.  We call an infected device a bot, and multiple devices make up a botnet

Traffic from a botnet is difficult to filter because it appears legitimate and is in fact originating from hundreds of thousands of different sources, in different geographic locations, different internet service providers, and different computer types.

The botnet operator will continue to acquire additional bots, to grow his botnet.  The operator may lease his network of bots to a person or organization that wants to bring down a website (for revenge, competition, or other reasons).

How to prevent

  • Services such as CloudFlare use large scale cloud-based firewalls to mitigate DDoS attacks.  Part of their technology includes CAPTCHAs to filter traffic from bots.

  • Users should use antivirus and firewall programs to prevent their computers from becoming infected and turned into bots.

  • Manufacturers of IP cameras and wireless routers should put in the effort to make their devices more secure (so that they do not become infected and used in DDoS attacks).

Zero-day Attack

A Zero Day Attack is one that uses a Zero Day Exploit.  A Zero Day Exploit is a vulnerability in a software program or system that has just been discovered; therefore, there is no patch.  Day Zero is the day that the exploit is first revealed by the public.

A hacker might discover a zero-day vulnerability and use it to exploit systems for days, weeks, or even years before it is detected.  Hackers sell zero-day exploits to other hackers and to government agencies, sometimes for millions of dollars.  Some intelligence agencies purchase and store zero-day exploits until they need to use one to attack a high-value target.  Once the exploit is known to the public, the software manufacturers and antivirus companies will work to patch it, usually in a matter of days.

The Zero Day vulnerability is not a form of malware.  It is simply a backdoor that a hacker can use to insert some form of malware, which could include a Man-in-the-Browser or DDoS.


Spoofing is when a hacker can impersonate another device or user.  Three things can be spoofed: an IP address, a MAC address, or an e-mail address.

Recall that each network device is assigned a unique IP address.  Two network devices can communicate over a WAN or public network if they know each other’s IP addresses.  A hacker can intercept their communication by changing his machine’s IP address to match that of one of the devices.  This method takes special skill and control/modification of network routers, because

  • Most network devices/computers will detect the IP address conflict and alert the user.

  • The device whose IP address is spoofed will not receive any traffic because it is being intercepted by the hacker’s computer.  The hacker’s computer would have to pretend to be the legitimate computer and carry on the communication.

  • To remain undetected, the hacker will have to intercept the IP traffic through the router and then forward it to the legitimate recipient.

A broadcast IP address is a special type of IP address that exists in every network.  The broadcast address allows a device to send a single message to all the IP addresses on that network segment.  One type of broadcast message is known as an “echo”.  Devices receiving the “echo” message reply to the sending device.

In a Smurf Attack, the hacker forges the “from” portion of the echo message so that it appears to have come from another system.  The device whose address appears in the “from” portion will receive all the replies.  Depending on the size of the network, and the number of echo messages sent, the hacker’s device could receive hundreds or thousands of replies.

In any TCP/IP communication, data is broken into fragments known as packets.  The sender numbers each packet in order (1, 2, 3, etc.), but the increment is not necessarily one.  It could be any random integer (for example, 1, 5, 9, etc.).  The hacker must be able to guess the correct sequence number and increment when creating spoofed packets.  A hacker can do so by intercepting enough packets and analyzing their sequence numbers.

How to prevent

  • Encrypt all traffic.  An IP spoofing attempt will not allow a hacker to read encrypted traffic.

  • Set firewalls to drop traffic that originates from outside the network but appears to come from inside the network (could indicate that the address has been spoofed).

Recall that each network device is manufactured with a unique, unmodifiable (in theory) MAC address.  On a LAN, one security measure to prevent rogue devices is to only allow traffic between trusted MAC addresses.  If an intruder attempts to connect a new device to the network, it will not be permitted to communicate.

If a hacker learns the MAC address of a legitimate network device, he can change his device’s MAC address and gain access to the network (and to the traffic originally directed to the legitimate device).

How to prevent

  • Require additional user authentication before allowing a device to access the network

  • Use port security on switches.  A switch can remember which MAC address sent traffic on which port.  If the switch detects the same MAC address on a different port, it can either shut down the port or alert an administrator of the discrepancy.

A hacker can also spoof an e-mail address.  Think of an e-mail like a letter.  It has a “to” address and a “from” address.  I could send a letter and use somebody else’s “from” address because nobody at the post office will check that I own the address.  An e-mail is the same.  A spammer could spoof the “from” address and make it look like the e-mail came from a legitimate source.  How can we stop this from happening?

Remember that the sender must use an e-mail server to send the e-mail.  This server has a unique IP address.  If the legitimate sender has control over his domain name and server, he can create a Text entry (in the DNS records) called the SPF and put the IP address of his e-mail server in there.

When a recipient receives an e-mail, it checks the IP address in the SPF belonging to the legitimate sender.  If it matches the actual source of the e-mail, then he knows that the e-mail is legitimate.

DKIM or DomainKeys Identified Mail is another way to identify an e-mail’s legitimate sender.  A user of DKIM creates a unique signature via public key cryptography.  It’s essentially a signature that can’t be forged – it has two parts, a private key that only the sender knows, and a public key that recipients can use to verify his identity.  The legitimate sender places a copy of the public key in DKIM (in the DNS records).  He uses the private key to digitally sign every e-mail he sends.  When a recipient receives an e-mail, he verifies that the signature matches the public key in the record.

On Path Attack

In a Man-in-the-Middle (also known as an On Path) attack, a hacker inserts himself between the sender and recipient of an electronic communication.  Keep in mind that more than 60% of internet traffic is machine generated (one computer talking to another with no human interaction).

Consider that Alice and Bob are two hypothetical internet users having an encrypted conversation.  They could be two humans, or it could be that Alice is an online banking user and Bob is the bank.  The purpose of the communication is irrelevant.  Eve, the hacker, wants to spy on them.

Alice and Bob’s messages pass through a central server.  Depending on Alice and Bob’s geographical locations, the messages may pass through many servers, routers, switches, fiber optic cables, and copper lines.  The internet is fragmented, and different parts are owned by different companies.  If Alice is in New York and Bob is in Los Angeles, the traffic must pass through many states, and many internet service providers.

  • If the traffic between Alice and Bob is unencrypted, and Eve can obtain access to one of the servers, routers, switches, or physical connections, then Eve can spy on the conversation.

  • If the traffic is unencrypted, but Alice does not have access to one of the servers in the connection, Eve could trick Alice into sending messages addressed to Bob to her instead (by corrupting/modifying Alice’s address book).  Eve would do the same to Bob.  In Alice’s address book, Eve replaces Bob’s address with her own.  In Bob’s address book, Alice replaces Alice’s address with her own. 

    Alice sends messages to Eve thinking that she is sending them to Bob, and Bob sends messages to Eve thinking that he is sending them to Alice.  Now Eve can read Alice’s messages and forward them to Bob.  Eve can also read Bob’s messages and forward them to Alice.  Neither Alice nor Bob is aware that Eve is reading their communications.

  • If the communication is encrypted and uses public key cryptography (such as Apple iMessage), a man-in-the-middle attack is more difficult.  Users encrypt messages with public keys (which they obtain from a central directory).  If Alice wants to send a message to Bob, she obtains Bob’s public key from Apple, encrypts the message, and sends it to Bob.  Bob uses his private key (which only he knows) to decrypt the message.  If Eve can intercept the message, she could perform a man-in-the-middle attack.

  • Consider how public key cryptography functions

    • Each generates a private key.  A private key can only decrypt messages, not encrypt them.  A user keeps his private key secret.

    • The user generates a public key from his private key.  He gives the public key to each person who wants to send him a message.  The public key can only encrypt a message.

    • When a sender wants to pass a message to a recipient, he looks up that recipient’s public key.  He uses the public key to encrypt the message.  The recipient receives the message and uses his private key to decrypt it.

    • With Eve in the picture, what happens?

      • Alice and Bob want to communicate

      • Eve generates her own public and private keys.

      • She hacks into the central directory and changes Bob’s public key to her own.

      • Alice decides to send a message to Bob.  She checks the directory for Bob’s public key, and receives what she thinks is Bob’s public key (but is in fact Eve’s public key)

      • Alice sends the message to Eve (thinking she is sending it to Bob)

      • Eve decrypts the message, reads it, and then encrypts it with Bob’s public key.  Eve sends the message to Bob

      • Bob receives the message, thinking it came from Alice and decrypts it with his own private key

      • Eve does the same thing with Alice’s public key so that she can intercept messages that Bob is sending to Alice

How to prevent

  • The best way to prevent a man-in-the-middle attack is to encrypt all communications with a reliable encryption algorithm (one that uses a long enough key length and is generated through open-source methods)

  • Second, ensure the integrity of the public key.  Do not trust apps with centralized “key directories” such as Apple iMessage or WhatsApp for obtaining public keys, especially for sensitive communications. 

    Apple controls all the public keys in iMessage, and Facebook controls all the public keys in WhatsApp.  There is nothing to prevent either company (or a rogue employee at either company) from acting like “Eve” without you knowing about it, and Facebook has a significant history of violating the privacy rights of its users.

    iMessage and WhatsApp are only considered secure because Apple and Facebook say so, but their applications are closed source, and you have no way to verify that this is true. 

    The best way to ensure the integrity of the public key is to personally distribute it to the person that you want to communicate with.

Dictionary Attack

A Dictionary attack uses a list of predetermined passwords and brute force to guess a user’s password.  The dictionary could consist of common words in the English language, especially common passwords such as “password”, “12345678”, and “abcd”.

A hacker could create a custom dictionary based on the user account that he is trying to hack into.  For example, the dictionary could be customized to include the names of the user’s children, pets, vehicles, etc..

Many organizations force users to choose complex passwords.  Password complexity could include

  • Not reusing the same password
  • Including upper case letters, lower case letters, numbers, and special characters
  • Ensuring that the password meets a minimum length
  • Not using a person’s name, address, or username in the password

Yet, it is still possible to create a custom dictionary based on the password complexity requirements.  For example, if the user’s password was ‘donkey’, then a complicated password might be ‘D0nkey!’.  Users tend to substitute @ for a, 0 for o, 1 for l, and so forth in a predictable manner.

A dictionary attack can be prevented by limiting the amount of password attempts a user has before his account is locked out.  Of course, the dictionary attack could occur offline, or the hacker may have a way to bypass the incorrect password attempt count.

Brute Force

A brute force attack is like a dictionary attack, except that the system attempts every password combination possible (based on the character set), starting from the letter ‘a’ and working its way up until the password is guessed.  For example, the system will guess the password ‘sdfsfgdgsdfsdfd’, and then the next password would be ‘sdfsfgdgsdfsdfe

The length of time for a brute force attack to be successful depends on the computing power available (how many passwords can be attempted every second) and the length of the password (how many passwords need to be attempted).

An online brute force attack is when the brute force occurs against a live computer.  For example, consider Active Directory, a Microsoft system that stores user accounts on a central server.  When a user attempts to log in to an Active Directory-based computer, the computer validates the login credentials with the server.  On a successful login, the computer caches the correct credentials on the local computer.  If the computer is later offline (or off the local network), the user can still log in (the computer validates the login with the cached credentials).

  • In an online attack, the hacker would brute force the computer’s login while it is connected to the Active Directory server.  This attack would likely be unsuccessful because the server would disable the account after three incorrect logins.

    • In an offline attack, the hacker would brute force the computer’s login while it is not connected to the Active Directory server.  This attack may or may not be successful depending on the length and complexity of the password.

How to prevent

  • Offline attacks can’t be prevented.  Where possible, secure equipment so that it is not stolen.  Stolen equipment is more susceptible to offline attacks. 

    When the password is stored by a TPM, an offline attack is impossible.  The password is stored by the TPM and the TPM can keep track of how many failed attempts were made.

    • Enforce stronger password requirements (including special characters, numbers, upper/lower case letters).

    • Enforce a timer that delays the entry of passwords.  This can be accomplished at the software or hardware level, by hashing the password multiple times.

    • Offline data can be encrypted with a strong algorithm that takes several seconds to validate the password.  This would be a minor inconvenience to a user entering an incorrect password but would substantially slow down a brute force attack.

Insider Threat

An insider is a person who is inside the organization.  This person may be a contractor or an employee.  We usually trust the insider but sometimes we shouldn’t. 

The insider may be motivated by

  • Financial purposes.  For example, stealing data to provide to a business competitor.

  • Political purposes.  For example, stealing government secrets to provide to a foreign country (in exchange for a financial or political reward).

  • Personal reasons.  The employee may be upset with the way that the company treats him or the way that the company conducts itself in the community.

An insider may cooperate with an attacker on the outside.  The insider may weaken security protocols at his organization and/or ignore an attack placed by an outsider.

It is difficult to detect and/or prevent attacks placed by insiders because most of their behavior may appear legitimate and because they already have access to and knowledge of the organization.

How to prevent

  • The type of security protocols required depend on the sensitivity of the information that the employee has access to

  • It is important to conduct background checks on current and future employees and on contractors

  • More serious security methods include

    • Implement security protocols including document controls that monitor when files are accessed/printed/modified

    • Search all employees when they leave the building

    • Prohibit personal electronic devices

    • Require multiple people to review security violations

    • Enforce vacations and job rotations

  • It is important to note that most of the information leaves the building through the brains of the employees, and there is currently no way to prevent people with good memories from taking information out of the organization.

Structured Query Language (SQL) Injection

Injection takes the form of SQL injection, DLL injection, XML injection, or LDAP injection.

Many websites and systems are “database driven”.  That is, the front end of the website (the code, the photos, and the videos) are static/dynamic web pages and files, but data (usernames, passwords, comments, video views, etc.) are stored in databases.  The most common database format is SQL (available in MS SQL and MySQL).

A database is like a giant Microsoft Excel spreadsheet. 

  • It consists of one or more tables.

  • Each table has a unique name

  • Each table has one or more columns

  • Each column must have a unique name and must specify the type of data that can be stored inside it (for example, text, numbers, integers, etc.)

  • Each row in a table is known as a record

  • We can speak to the database through a database language.  Each database has its own unique language.  For example, we can speak to a MySQL database through the MySQL language.  We can tell the database to create a new table, delete a table, add columns to a table, add data to a table, retrieve data from a table, search for data, etc.  There are entire books written about MySQL.

Let’s say that we have a registration form on our website.  We previously created a database table to hold all our user data.  We called this table “username_table”.  Consider a user named Bob Jones, who registers on our website by filling out a form with three fields: First Name, Last Name, and Username. 

Bob filled out the following information

•           First Name: Bob

•           Last Name: Jones

•           Username: bjones

Bob’s data goes to a script (some computer code), which generates an SQL statement as follows (this would insert the data ‘Bob’, ‘Jones’, ‘bjones’ as a new line in the table).  The semi-colon indicates the end of the line.

INSERT INTO username_table VALUES (‘Bob’, ‘Jones’, ‘bjones’);

If Bob was sneaky, he could enter ‘bjones’); DROP TABLE username_table;’  as his username.  Drop Table is a command that tells the SQL database to delete the table.

Bob wouldn’t know the exact name of the table or the format of the script (because he wouldn’t know what kind of database we are using or have access to the script), but he could make a few guesses (or he could discover the name of the table through an error message on the site).  On a side note, a database (or database server) should never talk directly to a user or be exposed to the internet – it should only communicate with the scripts on the web server.

This results in the following SQL statement (actually two statements now due to the semi colon)

INSERT INTO username_table VALUES (‘Bob’, ‘Jones’, ‘‘bjones’); DROP TABLE username_table;

The first half of the statement inserts the data into the table as normal.  But the second half (DROP TABLE username_table;) deletes the entire username table!  SQL injection attacks are easily preventable with the right code.

How to prevent

  • Use prepared statements when working with SQL.  A prepared statement is a special type of script that is designed to ignore any input except for what the database expects.

  • Sanitize the data (do not allow users to enter special characters unless necessary).  This should be enforced both on the client side and on the server side (malicious users can defeat client-side error handling).  That means that the webpage checks the data on the user’s computer, and the server checks the data again.

Why bother with client-side error handling if the server can prevent everything?  Client-side error handling enhances the user experience, for legitimate users.  Client-side error handling also reduces the load on the server.

  • Turn off verbose mode/error outputs in your code.  If there is a bug in the code, or if the application encounters an error, many web languages (such as PHP or ASP) will print the error directly in the web browser.  These errors can contain exact file directories and SQL database information, which would be exposed to all website visitors.  If an attacker sees the error, he will figure out how your website is structured.

Cross-Site Scripting

In cross-site scripting (XSS), a user includes script as part of their input in a web form or link.  There are three types

  • Non-persistent XSS attack, where the script is executed by the web server immediately and sent back to the browser.

    For example, a hacker sends a user a link to a legitimate online banking website, but the link includes some code that executes (through the website) in the user’s browser.  The script copies the user’s login credentials and sends them to the hacker.

    In another example, let’s say I have a website with a contact form.  Instead of typing in legitimate data, the hacker pastes a script into the form and submits it.  The script might convince the server to return sensitive data back to the hacker.  If the server doesn’t have good security, it executes the script and returns sensitive data to the hacker’s browser.

  • Persistent XSS attack, where the script is stored by the web server and executed against other users.

For example, a hacker posts a YouTube comment and includes some HTML and scripts (which includes links and photographs to an ecommerce site).  The HTML executes in each visitor’s web browser, and all visitors see the comment (including the links and photographs).  The script might be designed to copy data from each user that sees it and send the results to the hacker’s server.

  • DOM-based XSS attack, where the script is executed by the browser.  DOM stands for Document Object Model. 

Many websites are now being written to execute code inside the user’s browser instead of on the server.  This system helps render web pages so that they fit properly in each web browser, regardless of the screen size.  This system may require the browser to download additional data in the background after the page has loaded.

If we modify the browser environment in a certain way, we can cause the website to behave unexpectedly.

  • The hacker can send the victim a URL to a legitimate DOM page but include a script inside the URL. 

    • The script tells the browser to download content from the hacker’s server.

    • The web page loads like normal and then begins to download the malicious content from the hacker’s server in the background.

How to prevent

  • Use proper input validation in web forms both on the web browser side and on the server side

  • Remove or filter all script characters from web forms, including “<”, “;”, and “|”

  • Use anti-XSS libraries such as ANTIXSS

  • Use Content Security Policy in the website

  • Use an HTML escape string when using JavaScript to execute HTML.  This will prevent the JavaScript from recognizing any code that is later inserted into the HTML space.


A vulnerability is a problem that an attacker can exploit.  We can’t identify every vulnerability, but we can focus on the most common ones.

  • Non-Compliant Systems.  A non-compliant system is one that does not comply with our security standards.  We can use a tool to identify non-compliant systems and disable their network access until they become compliant.  Non-compliant systems that cannot be made compliant but that are critical to the organization, should be placed behind a firewall or air gapped.

  • Unpatched Systems.  An unpatched system is one that is missing security updates.  We can use a tool to detect missing patches and apply them automatically.

  • Unprotected Systems (Missing Antivirus / Missing Firewall).  A system that is missing a firewall or antivirus program poses a serious security risk.  We can use a tool to detect missing antivirus programs and reinstall them automatically.

  • EOL OSs.  An End-of-Life Operating system is one that is no longer supported by the manufacturer.  Security updates are no longer available.  We should upgrade any device with an EOL Operating System.

  • Bring Your Own Device (BYOD).  BYOD allows users to bring their own devices to work and use them on the corporate network.  If an organization allows BYOD, it must ensure that all user devices comply with its security standards.  This includes

    • Encrypting all corporate data

    • Separating personal data from corporate data

    • Enforcing minimum password complexity and two-factor authentication

    • Ability to remotely wipe the device