There are many ways in which a website can attack your computer. Two of the most dangerous and widespread examples are:
The ‘Drive-by-Download’ Attack: A ‘drive-by-download’ attack occurs when a visitor navigates to a site that injects malware onto the victim’s PC. Crucially, these attacks are usually downloaded and run in the background in a manner that is invisible to the user – and without the user taking any ‘action steps’ to initiate the attack (for example, mistakenly downloading a file that later turns out to be malware). Just the act of viewing a web page that harbors this malicious code is enough for the attack to run. The downloaded malware often initiates a buffer-overflow attack.
A buffer-overflow attack occurs when the downloaded malicious program or script deliberately sends more data to a target application’s memory buffer than the buffer can hold – an overflow that can be exploited to create a back door to the system through which a hacker can gain access. The goal of most attacks is to install malware on the compromised PC so that the hacker can reformat the hard drive, steal sensitive user information, or even install programs that turn the machine into a ‘zombie’ PC.
There are many types of buffer-overflow attack, including stack-based attacks, heap-based attacks and return-to-libc (ret2libc) attacks. In each case, the goal is to destabilize or crash a computer system by deliberately causing a buffer overflow – creating the opportunity for the hacker to run malicious code and even gain control of the entire operating system. As would be expected, the applications most vulnerable to buffer-overflow attacks are those whose primary function involves Internet connectivity – such as web browsers, e-mail clients and instant-messaging applications.
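The stack-based case described above, shown as an added C example (not code from the original article): a fixed-size buffer filled with an unbounded `strcpy` beside a hardened copy routine that measures the input against the destination size and refuses anything that would not fit. The function names `greet_unsafe`, `copy_bounded` and `name_fits`, the 16-byte buffer and the sample inputs are all constructed for this illustration.

```c
#include <stdio.h>
#include <string.h>

#define NAME_BUF 16   /* fixed-size stack buffer: 15 characters plus the NUL */

/* Vulnerable pattern (illustration only): strcpy copies until it finds a NUL,
   so any input of 16 bytes or more runs past `name` into whatever the
   compiler placed after it on the stack (saved registers, return address).
   Never call this with attacker-controlled input. */
void greet_unsafe(const char *input) {
    char name[NAME_BUF];
    strcpy(name, input);                 /* no bounds check */
    printf("Hello, %s\n", name);
}

/* Hardened form: measure the input without scanning past the destination
   size, refuse anything that would not fit (fail closed rather than silently
   truncate), then copy with an explicit bound and NUL-terminate.
   Returns 0 on success, -1 when the input is too long or out_len is 0. */
int copy_bounded(const char *input, char *out, size_t out_len) {
    size_t n = 0;
    if (out_len == 0) return -1;
    while (n < out_len && input[n] != '\0') n++;   /* bounded length scan */
    if (n >= out_len) return -1;         /* needs n+1 bytes, only out_len available */
    memcpy(out, input, n);
    out[n] = '\0';
    return 0;
}

/* Convenience wrapper around a NAME_BUF-sized buffer: returns 0 if `input`
   fits, -1 if the hardened copy rejected it. */
int name_fits(const char *input) {
    char name[NAME_BUF];
    return copy_bounded(input, name, sizeof name);
}

int main(void) {
    char name[NAME_BUF];
    /* constructed inputs: one that fits, one oversized (32 bytes) */
    const char *short_input = "alice";
    const char *long_input  = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";

    greet_unsafe(short_input);           /* fine only because the input is short */

    if (copy_bounded(short_input, name, sizeof name) == 0)
        printf("Hello, %s\n", name);
    if (copy_bounded(long_input, name, sizeof name) != 0)
        printf("rejected: input longer than %d bytes\n", NAME_BUF - 1);
    return 0;
}
```

The design point is that the safe version rejects oversized input outright instead of truncating it: silent truncation can itself become a logic bug (a path or name that no longer means what the caller thinks), so an explicit error is the safer default for untrusted data. Compiling with stack protectors and running under a sanitizer (for example `-fsanitize=address`) is how the unsafe function's overflow is caught during testing.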
Cross-Site Scripting Attack: A Cross-Site Scripting (XSS) attack is initiated by malicious attackers injecting client-side script into web pages accessed by unsuspecting users. The injected scripts enable the attacker to steal sensitive page content, session cookies, and a variety of other information maintained by the browser on the user’s computer. There are two types of XSS attack:
Non-Persistent: The malicious script, passed by the attacker e.g. through HTML forms, can place hidden frames or deceptive links to unrelated sites in the web content served by the legitimate server. This can cause victims’ browsers to navigate to a malicious site automatically – often completely in the background. In such a case, the attacker can intrude into the security context of the legitimate site and steal the session cookies and other browser-held data from the victim’s browser.
Persistent: The malicious script, passed by the attacker e.g. through HTML forms, is saved on the server and displayed permanently in the normal pages rendered to visitors. This enables the attackers to hijack transactions through the legitimate server and steal sensitive information such as authentication passwords, credit card numbers, billing information, etc.
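The persistent case above, as an added C example (not code from the original article): a comment page that stores user-supplied text and later interpolates it verbatim into HTML, beside the fix of output-encoding the text at the point where it is rendered. The same encoding neutralises the non-persistent (reflected) case, since both end with untrusted text being written into a page. `html_escape`, `render_comment`, `contains_raw_script` and the sample comment are all constructed for this illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Output-encode untrusted text for an HTML text node or quoted attribute.
   The five characters below are the ones that let input break out of its
   context. Returns a newly allocated string (caller frees) or NULL. */
char *html_escape(const char *in) {
    size_t need = 0;
    for (const char *p = in; *p; p++) {
        switch (*p) {
            case '&':  need += 5; break;    /* &amp;  */
            case '<':
            case '>':  need += 4; break;    /* &lt; &gt; */
            case '"':  need += 6; break;    /* &quot; */
            case '\'': need += 5; break;    /* &#39;  */
            default:   need += 1; break;
        }
    }
    char *out = malloc(need + 1);
    if (!out) return NULL;
    char *q = out;
    for (const char *p = in; *p; p++) {
        const char *rep = NULL;
        switch (*p) {
            case '&':  rep = "&amp;";  break;
            case '<':  rep = "&lt;";   break;
            case '>':  rep = "&gt;";   break;
            case '"':  rep = "&quot;"; break;
            case '\'': rep = "&#39;";  break;
            default:   break;
        }
        if (rep) {
            size_t n = strlen(rep);
            memcpy(q, rep, n);
            q += n;
        } else {
            *q++ = *p;
        }
    }
    *q = '\0';
    return out;
}

/* Build the fragment a comment page emits for one stored comment.
   escape == 0 reproduces the persistent-XSS bug (verbatim interpolation);
   escape != 0 is the fix: encode at the point of output. Caller frees. */
char *render_comment(const char *comment, int escape) {
    static const char *tmpl = "<li class=\"comment\">%s</li>";
    char *body;
    if (escape) {
        body = html_escape(comment);
    } else {
        body = malloc(strlen(comment) + 1);
        if (body) strcpy(body, comment);
    }
    if (!body) return NULL;
    size_t n = strlen(tmpl) + strlen(body) + 1;
    char *html = malloc(n);
    if (html) snprintf(html, n, tmpl, body);
    free(body);
    return html;
}

/* Defender's check: 1 if the rendered HTML still contains a raw '<script'
   tag (the stored payload would execute in every visitor's browser),
   0 if it has been neutralised into visible text. */
int contains_raw_script(const char *html) {
    return html && strstr(html, "<script") != NULL;
}

int main(void) {
    /* constructed stored comment carrying the classic harmless test payload */
    const char *comment = "Nice post! <script>alert(1)</script>";
    char *bad  = render_comment(comment, 0);
    char *good = render_comment(comment, 1);
    printf("unescaped: %s\n  -> executes: %s\n", bad,  contains_raw_script(bad)  ? "yes" : "no");
    printf("escaped:   %s\n  -> executes: %s\n", good, contains_raw_script(good) ? "yes" : "no");
    free(bad);
    free(good);
    return 0;
}
```

Encoding belongs at output time, not at input time: the server cannot know at storage time whether the text will later land in an HTML body, an attribute, a URL or a script block, and each context needs its own encoding. A Content-Security-Policy header that disallows inline script is the usual second layer, so that an encoding mistake somewhere in the application does not turn straight into executing script.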