
EI-ISAC Cybersecurity Spotlight – Web Attacks

What it is

A web attack targets vulnerabilities in websites to gain unauthorized access, obtain confidential information, introduce malicious content, or alter the website’s content. Websites give attackers multiple potential attack surfaces through components such as web applications, content management systems, web servers, and the website’s underlying code. A web application is software that a user interacts with through a web browser, such as filling out fields on a voter registration website. A content management system (CMS) is a software application used to manage, create, and modify website content, such as the pictures, text, or layout. A web server is the backend hardware and software that stores the information associated with a website and serves website data to users. Three common web attacks are Structured Query Language injection (SQLi), cross-site scripting (XSS), and file upload attacks.

  • SQLi attacks attempt to input custom Structured Query Language (SQL) commands into website fields, such as username and password fields, to gain unauthorized access to the information stored in the backend database.
  • XSS attacks attempt to insert and execute unauthorized code into a web application. These attacks are used to display unauthorized images or text, hijack session details to impersonate other users, or provide the attacker unauthorized access to confidential information.
  • File upload attacks exploit the ability to post information to a website to upload malicious files. This attack could result in website defacements or the compromise of a website to conduct additional malicious activity.

Why does it matter

A successful web attack can affect the confidentiality, integrity, and availability of election data and web services. Even if the attack is identified, blocked, and remediated, or inconsequential, the event could impact voters’ perception of election security. Ultimately, any successful compromise or perceived compromise of election data, web services, or web servers would raise public concerns about the election.

SQLi attacks against an improperly secured voter registration database could provide a cyber threat actor with unauthorized access to voter information, which could then be released in a database dump. Additionally, a SQLi attack against a voter registration database that alters or deletes the stored information could cause confusion when a voter attempts to vote at their polling place and is not in the pollbook or is misidentified.

XSS attacks against a remotely accessible statewide election system may allow an attacker to impersonate a local election official. The cyber threat actor would potentially have access to any of the capabilities available to the compromised user. Any changes made as a result of access gained by the cyber threat actor in this way could appear legitimate and not be identified by the security mitigations an election office has in place.

File upload attacks that install backdoor software may allow a cyber threat actor to utilize your web server for additional malicious purposes. Compromised systems are often used as bots to conduct attacks against other targets, such as denial of service attacks and phishing. They may also attempt to utilize the compromised systems for resource-intensive activity, like cryptocurrency mining. Lastly, depending on the segmentation in your network, a cyber threat actor could exploit the foothold they’ve established to identify other vulnerable systems on your network and move laterally to access more sensitive systems.

Each of these attacks may also result in website defacements, which change a website’s visual appearance by altering or adding text, pictures, music, or other content: the digital equivalent of drawing graffiti on a wall. A website defacement promoting a specific candidate might be perceived by the public as unfair, despite an election office’s neutrality. Cyber threat actors could also change the unofficial election results posted on election night, creating uncertainty for voters.

What you can do

Election offices should seek to proactively secure any Internet-facing websites, their corresponding web servers, and any underlying databases to lower the chance of a successful web attack. They should also identify any internal web servers and ensure they are properly segmented and inaccessible from the Internet. Consider running web application vulnerability scans focused on identifying and remediating common web attack vulnerabilities, and patch any out-of-date software, especially the CMS. If a website is hosted by a third party, establish a relationship with your hosting provider and have their contact information readily accessible (offline) in case of a compromise. Election offices should ensure that their hosting providers also conduct regular vulnerability scans and update their hosted website to address vulnerabilities.

Ideally, election offices should ensure that any form fields do not allow users to input SQL commands and any file upload capabilities limit the types of files a user can post. For instance, if an image is expected, the website should only accept image files, while if a text document is expected, the website should only accept text files. Additionally, web applications should respond to failed SQLi attacks with generic error messages, as cyber threat actors can gain valuable information from detailed messages to refine their attempted attacks.
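The three mitigations described above (keeping form-field input from being run as SQL, accepting only the file type a form expects, and answering failed attempts with a generic message) and the SQLi and file upload attacks described under "What it is" can be shown side by side in code. The following Python is an added example written for this spotlight; it is not code from CIS, the EI-ISAC, or any election system. The voter table, the two sample accounts, the `login_*` and `accept_upload` function names, and the image signatures checked are all constructed for the illustration.

```python
import sqlite3

# --- SQL injection: vulnerable query beside its parameterized form ------------

def make_db():
    """Constructed in-memory stand-in for a voter registration database (sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE voters (username TEXT, password TEXT, precinct TEXT)")
    # Sample only: a real system stores password hashes, never the passwords themselves.
    conn.executemany("INSERT INTO voters VALUES (?, ?, ?)",
                     [("alice", "correct horse", "P-01"), ("bob", "battery staple", "P-02")])
    return conn

def login_vulnerable(conn, username, password):
    """Concatenates the field contents into the SQL text, so whatever the user typed is run as SQL."""
    query = (f"SELECT username, precinct FROM voters "
             f"WHERE username = '{username}' AND password = '{password}'")
    return conn.execute(query).fetchall()

def login_hardened(conn, username, password):
    """Parameterized query: the field contents are bound as data and are never parsed as SQL."""
    query = "SELECT username, precinct FROM voters WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchall()

def login_with_generic_errors(conn, username, password):
    """Wraps the hardened lookup and keeps database error details out of the response."""
    try:
        rows = login_hardened(conn, username, password)
    except sqlite3.Error:
        # Driver messages (table names, syntax position) belong in server-side logs,
        # not in the page returned to the user.
        return {"ok": False, "message": "Login failed."}
    if not rows:
        return {"ok": False, "message": "Login failed."}
    return {"ok": True, "precinct": rows[0][1]}

# --- File upload: accept only the file type the form expects ------------------

IMAGE_SIGNATURES = {          # leading bytes of common image formats
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}
ALLOWED_EXTENSIONS = {
    "image": {"png", "jpg", "jpeg", "gif"},
    "text": {"txt"},
}

def sniff_type(data):
    """Classify the upload by its content, not by the name the user supplied."""
    for magic, kind in IMAGE_SIGNATURES.items():
        if data.startswith(magic):
            return kind
    # Treat as text only if it decodes as UTF-8 and contains no NUL bytes.
    try:
        data.decode("utf-8")
    except UnicodeDecodeError:
        return None
    return None if b"\x00" in data else "txt"

def accept_upload(filename, data, expected):
    """Accept the upload only if both the extension and the content match what the form expects."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_EXTENSIONS[expected]:
        return False
    kind = sniff_type(data)
    if kind is None:
        return False
    if expected == "image":
        return kind in {"png", "jpg", "gif"}
    return kind == "txt"

if __name__ == "__main__":
    db = make_db()
    # The classic tautology the SQLi bullet describes: it matches every row in the
    # concatenated query and no row in the parameterized one.
    print(login_vulnerable(db, "alice", "' OR '1'='1"))
    print(login_hardened(db, "alice", "' OR '1'='1"))
    print(login_with_generic_errors(db, "alice", "wrong"))
    print(accept_upload("photo.png", b"plain text pretending to be an image", "image"))
```

The upload check deliberately requires both the extension and the leading bytes to agree, because a user controls the file name entirely; a stored file should also live outside the web server's document root so it is served as data rather than executed.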

The EI-ISAC and its partners provide several services for state and local election offices to improve their website’s security and performance. EI-ISAC’s Vulnerability Management Program will analyze your web server, web programming language, and CMS to determine if they are appropriately patched. The EI-ISAC also sends out threat notifications to its members about specific cyber threats, such as website defacements, SQLi, and XSS vulnerabilities identified by trusted third parties. A list of all available resources can be found on the EI-ISAC services webpage.