What is a Website Vulnerability and How Can it be Exploited?

Websites experience 22 attacks per day on average, over 8,000 attacks per year, according to SiteLock data. A website vulnerability is a weakness or misconfiguration in a website's or web application's code that allows an attacker to gain some level of control of the site, and possibly the hosting server. Most vulnerabilities are exploited through automated means, such as vulnerability scanners and botnets. Cybercriminals write specialized tools that scour the internet for certain platforms, like WordPress or Joomla, looking for common and publicized vulnerabilities. Once found, these vulnerabilities are exploited to steal data, distribute malicious content, or inject defacement and spam content into the vulnerable site.

Types Of Vulnerabilities

There are five common types of website vulnerabilities that are frequently exploited by attackers. While this isn’t an exhaustive list of all the possible vulnerabilities a determined attacker may find in an application, it does include some of the most common vulnerabilities websites contain today.

SQL Injection Vulnerabilities (SQLi) – SQL injection vulnerabilities refer to places in website code where user input is passed directly into a database query. Attackers use these input points to inject malicious SQL, sometimes called payloads, into the queries the website runs against its database. This allows the cybercriminal to access the website in a variety of ways, including:

  • Injecting malicious/spam posts into a site
  • Stealing customer information
  • Bypassing authentication to gain full control of the website

Due to its versatility, SQL injection is one of the most commonly exploited vulnerabilities. It is frequently used to gain access to open source content management system (CMS) applications, such as Joomla!, WordPress and Drupal. SQL injection attacks, for example, have even been linked to a breach of the U.S. Election Assistance Commission and a popular video game forum for Grand Theft Auto, resulting in exposed user credentials.

Cross-Site Scripting (XSS) – Cross-site scripting occurs when attackers inject scripts through unsanitized user input or other fields on a website so that the script runs as part of the site's pages. Cross-site scripting is used to target visitors to a website, rather than the website or server itself. This usually means attackers are injecting JavaScript into the website, and the script is then executed in the visitor's browser. Browsers are unable to discern whether or not the script is intended to be part of the website, resulting in malicious actions, including:

  • Session hijacking
  • Spam content being distributed to unsuspecting visitors
  • Stealing session data

Some of the largest-scale attacks against WordPress have come from cross-site scripting vulnerabilities. However, XSS is not limited to open source applications. Recently, a cross-site scripting vulnerability was found in gaming giant Steam's system that potentially exposed login credentials to attackers.

Command Injection – Command injection vulnerabilities allow attackers to execute commands on the website's hosting server remotely. This happens when user input passed to the server, such as header information, is not properly validated, allowing attackers to smuggle shell commands in with the user data. Command injection attacks are particularly critical because they can allow bad actors to:

  • Hijack an entire site
  • Hijack an entire hosting server
  • Utilize the hijacked server in botnet attacks

One of the most dangerous and widespread command injection vulnerabilities was the Shellshock vulnerability that impacted most Linux distributions.

File Inclusion (LFI/RFI) – Remote file inclusion (RFI) attacks use the include functions in server-side web application languages like PHP to execute code from a remotely hosted file. Attackers host malicious files and then take advantage of improperly sanitized user input to inject or modify an include call in the victim site's PHP code. This inclusion can then be used to:

  • Deliver malicious payloads that load attack and phishing pages in visitors' browsers
  • Include malicious shell files on publicly available websites
  • Take control of a website admin panel or host server

Local File Inclusion (LFI), like remote file inclusion, can occur when user input is able to modify the full or absolute path to included files. Attackers can then use this vector to gain read or write access to sensitive local files, for example configuration files containing database credentials. The attacker could also perform a directory traversal attack, altering an included file path to read back-end and host server files and expose sensitive data. A local file inclusion attack has the potential to become a remote file inclusion attack if, for example, the attacker is able to include log files that they previously seeded with malicious code through ordinary public interaction with the site.

These types of vulnerabilities are frequently used to launch other attacks, such as DDoS and cross-site scripting attacks. They have also been used to expose and steal sensitive financial information, such as when Starbucks fell victim to an inclusion attack leading to a compromise of customer credit card data.
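How a page-include parameter can be kept from walking out of its directory, as an added Python example (not code from the SiteLock article or any CMS): the user supplies only a key into a server-side allowlist, and the resolved path is still checked for containment. The template directory, page files and traversal input are constructed for the demonstration.

```python
import os
import tempfile

# Pages the application actually offers. The request may name one of these
# keys and nothing else, so the user never supplies a path at all.
ALLOWED_PAGES = {"home": "home.html", "about": "about.html"}


def resolve_include(template_dir, requested):
    """Map a user-supplied page name to a file inside template_dir, or refuse."""
    filename = ALLOWED_PAGES.get(requested)
    if filename is None:
        raise ValueError("page not in allowlist: %r" % requested)
    base = os.path.realpath(template_dir)
    target = os.path.realpath(os.path.join(base, filename))
    # Defense in depth: even an allowlisted entry must resolve inside the
    # template directory (catches symlinks or a careless allowlist edit).
    if os.path.commonpath([base, target]) != base:
        raise ValueError("resolved path escapes template directory")
    return target


def naive_include_path(template_dir, requested):
    """What the vulnerable pattern computes: the raw parameter joined onto the
    directory, so '../' segments or an absolute path walk out of it."""
    return os.path.realpath(os.path.join(template_dir, requested))


def demo():
    # Constructed template directory holding one real page.
    template_dir = tempfile.mkdtemp()
    with open(os.path.join(template_dir, "home.html"), "w") as f:
        f.write("<h1>home</h1>")
    traversal = "../../config.php"  # constructed traversal input
    base = os.path.realpath(template_dir)
    naive_target = naive_include_path(template_dir, traversal)
    results = {
        "safe_ok": resolve_include(template_dir, "home").endswith("home.html"),
        "naive_escapes": os.path.commonpath([base, naive_target]) != base,
    }
    try:
        resolve_include(template_dir, traversal)
        results["safe_rejects"] = False
    except ValueError:
        results["safe_rejects"] = True
    return results
```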

Cross-Site Request Forgery (CSRF) – Cross-site request forgery attacks are less common, but can be quite damaging. CSRF attacks trick site users or administrators into unknowingly performing malicious actions on the attacker's behalf. As a result, attackers may be able to take the following actions using requests that look like valid user input:

  • Change order values and product prices
  • Transfer funds from one account to another
  • Change user passwords to hijack accounts

These types of attacks are particularly vexing for ecommerce and banking sites where attackers can gain access to sensitive financial information. A CSRF attack was recently used to seize control of a Brazilian bank's DNS settings for over five hours.
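The standard defense against the forged-request scenario above is a per-session anti-CSRF token that a cross-site page cannot read. This added Python example (not code from the SiteLock article) shows the check in a funds-transfer handler; the `Session` class, the form dictionaries and the handler are constructed stand-ins for a web framework's session and request objects.

```python
import hmac
import secrets


class Session:
    """Constructed stand-in for a server-side session store (example only)."""

    def __init__(self):
        self.data = {}


def issue_csrf_token(session):
    """Create one unpredictable token per session and remember it server-side.
    The application embeds it in every state-changing form as a hidden field."""
    token = secrets.token_urlsafe(32)
    session.data["csrf_token"] = token
    return token


def verify_csrf(session, submitted):
    expected = session.data.get("csrf_token")
    if expected is None or submitted is None:
        return False
    # Constant-time comparison so response timing does not leak the token.
    return hmac.compare_digest(expected, submitted)


def handle_transfer(session, form):
    """State-changing handler. The browser attaches the victim's cookie to a
    cross-site post automatically, but only a page served by this site can
    read the token, so a forged request arrives without a valid one."""
    if not verify_csrf(session, form.get("csrf_token")):
        return {"status": 403, "reason": "missing or invalid CSRF token"}
    return {"status": 200, "to": form["to"], "amount": form["amount"]}


def demo():
    session = Session()
    token = issue_csrf_token(session)
    legit = handle_transfer(session, {"to": "savings", "amount": "100",
                                      "csrf_token": token})
    # Constructed cross-site submission: same session, no token at all.
    forged = handle_transfer(session, {"to": "elsewhere", "amount": "100"})
    # Constructed cross-site submission carrying a guessed token value.
    guessed = handle_transfer(session, {"to": "elsewhere", "amount": "100",
                                        "csrf_token": "x" * 43})
    return legit["status"], forged["status"], guessed["status"]
```

In production the token check is complemented by the `SameSite` cookie attribute and a check of the request's `Origin` header.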

Mitigating and Preventing Vulnerabilities

There are easy steps you can take to mitigate and prevent vulnerabilities from allowing hackers to gain unauthorized access to your website.

Update your applications – The first critical step in securing your website is to ensure all applications and their associated plugins are up to date. Vendors frequently release critical security patches for their applications, and it is important to apply these updates in a timely manner. Malicious actors stay in the loop on open source application news and are known to use update notices as a blueprint for finding vulnerable websites. Subscribing to automatic application updates and email notifications on critical patches will help you stay one step ahead of attackers. For more information, check out our article, How to Secure Your Open Source Application.

Use a Web Application Firewall (WAF) – Web application firewalls are the first line of defense against those probing your website for vulnerabilities. A web application firewall filters out bad traffic before it ever reaches your website. This includes blocking bots, known spam or attack IP addresses, automated scanners, and user input that matches known attack patterns. For more information, check out our article Web Application Firewalls and Content Delivery Network – A Double Whammy For Hackers.

Use a malware scanner – Your last line of defense is a reputable automated malware scanner. It is recommended you find one that can automatically identify vulnerabilities and remove known malware. To learn more about how automated scanners work, check out our video, How SiteLock SMART Works.

More advanced programmers may opt to manually review their code and implement PHP filters to sanitize user input. This includes methodologies such as limiting image upload forms to only .jpg or .gif files, and whitelisting form submissions so that only expected input is accepted.
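The two whitelisting methodologies just described, as an added Python example (not code from the SiteLock article; the article's own suggestion is PHP filters, and Python is used here only for illustration). It goes one step beyond the text by checking the file's leading bytes as well as its extension, since the extension is chosen by the uploader. The signatures, field rules and sample submissions are constructed.

```python
import re

# File signatures for the two image types the text allows. The extension is
# attacker-controlled; the leading bytes are far harder to fake while still
# producing a working image of that type.
IMAGE_SIGNATURES = {
    "jpg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}


def validate_image_upload(filename, content):
    """Accept only .jpg/.gif names whose content starts with the matching signature."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext == "jpeg":
        ext = "jpg"
    if ext not in IMAGE_SIGNATURES:
        return False, "extension not allowed"
    if not content.startswith(IMAGE_SIGNATURES[ext]):
        return False, "content does not match declared image type"
    return True, "ok"


# Allowlist for ordinary form fields: each expected field gets a pattern or a
# fixed set of values; any field not listed here is rejected outright.
FORM_RULES = {
    "quantity": re.compile(r"^[1-9][0-9]{0,2}$"),  # 1..999
    "shipping": {"standard", "express"},
    "postcode": re.compile(r"^[A-Za-z0-9 -]{3,10}$"),
}


def validate_form(fields):
    errors = []
    for name, value in fields.items():
        rule = FORM_RULES.get(name)
        if rule is None:
            errors.append("unexpected field: %s" % name)
        elif isinstance(rule, set):
            if value not in rule:
                errors.append("bad value for %s" % name)
        elif not rule.match(value):
            errors.append("bad value for %s" % name)
    return errors


def demo():
    return {
        "gif_ok": validate_image_upload("logo.gif", b"GIF89a" + b"\x00" * 16)[0],
        "double_ext": validate_image_upload("upload.php.jpg", b"<?php echo 1; ?>")[0],
        "png_name": validate_image_upload("photo.png", b"\x89PNG\r\n\x1a\n")[0],
        "form_ok": validate_form({"quantity": "2", "shipping": "express"}),
        "form_bad": validate_form({"quantity": "-5", "shipping": "free", "debug": "1"}),
    }
```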

Understanding the types of vulnerabilities that hackers may attempt to use to exploit your web applications is an important first step to securing your website. Vulnerabilities can have dire consequences for not only your website and server, but for your customers’ data as well.

Check back on the SiteLock blog each week for more website security tips and information.
