Did you know your website was attacked?

Did you know your web application was attacked?

Tim Collingwood
July 26, 2018

If you have a web application it’s highly likely that at some point somebody will have tried to hack it. Whether a hacker has simply attempted to login with a made-up username and password or tried an advanced Cross Site Scripting (XSS) attack, an attack on your site occurred. The question is, did you even know about it?

Many web applications are built to handle these types of attacks or malicious behaviour (it would be crazy not to). Some organisations will learn from attacks and use it to strengthen their defences, but many applications will simply handle the attack silently giving the owner a false sense that nobody has attempted to attack their site.

If an attack remains undetected, over time attackers will be able to learn more and more about your application, finding out the thresholds of the defences you do have in place. All the while they are doing this they are profiling your site to work out the best way to gain access. If you are not proactive then you may one day be faced with the immediate reality that your application has been compromised.

The problem is that if you don’t know an attempted attack took place, how can you learn from it and make your defences stronger for the future. By building a defensive layer into an application you can detect (and alert) yourself to attacks. This will then provide information on the types of attacks taking place and help to mitigate these in the future.


Detection

The first step of continually improving your application’s security is detection. You need something in place to monitor specific activity on your application then alert you if something untoward is detected.

There are a number of ways you could do this, but it may be as simple as logging the IP address of failed login attempts. If the application detects a number of failed login attempts from the same IP over a set period of time then an alert could be triggered.
Honeytraps can also be set in your application. A honeytrap works by luring an attacker into making a change that has no effect on the application itself and is only likely to occur if a user is behaving maliciously.

A simple example of a honeytrap is to use a hidden field with a pre-set value. Being a hidden field, it wouldn’t display to a user unless they look at the source of the web page. If for any reason the value of the field was changed (which it wouldn’t unless being done so by an attacker), this will trigger an alert to indicate that somebody is poking around with your application.

A simple example of a hidden field is:

<input type="hidden" name="isAdmin" value="false" />

The server would expect this field to return a value of ‘false’, but if it detected anything other than this an alert would be triggered.


Protection

Because you are detecting and alerting yourself to an attacker’s behaviour you can take immediate action to stop them. This might simply be by blocking an IP address, or if they are logged into your website, you could block their account.

You can also use this information to build stronger defences into your application. For example, you could build in mechanisms to automatically block specific visitors/IP addresses based on this kind of behaviour thus making it even harder for an attacker to feel their way around your application in the future.

Over time you will start to see patterns of behaviour and the kind of attacks that people will undertake. This information can be used to build more secure systems in the future, or to identify areas of your application where investment might be needed e.g. implementation of two-factor authentication.

 

It’s easy to think of this approach in the physical world. For example, a burglar is more likely to break into a house where the window has been left open. If you were aware that somebody had been measuring your open window to see if they could get in, you would probably close the window and lock it. If you did that the burglar will most likely go elsewhere.

With attacks becoming more and more sophisticated it’s important that you don’t make it easy for somebody who wants to hack your application. If you can learn from attacks and bolster your defences then the majority of attackers will simply move on to another site where it’s much easier.