
Drive By Web Exploits

June 30, 2011 - 4 Comments

One of the key tools in the cybercrime toolbox is the drive by web exploit. Simply put, a drive by exploit occurs when a website is compromised in some way so that it later causes software, often hosted on a different server and typically malicious, to be downloaded without the knowledge of the end user. That software may later be used for a variety of purposes: it may be a key logger, recording keystrokes to capture things like passwords and credit card data, or it could be a botnet client, turning the victim PC into a zombie used for spam, DDoS or even Bitcoin mining. Regardless, the fundamentals remain the same: do something bad to a website, and that website then causes a silent install of malware on visitor machines.

One of the more common ways to do this is a SQL Injection attack, which, despite being one of the older and better understood forms of attack, is also one of the more prevalent and dangerous. Generally speaking, many websites and web applications have an architecture with a web server front end and a database back end. Many web developers work under time and resource constraints and may have limited security exposure or knowledge, so certain security practices, such as strict input validation, may not be done properly. This opens the door to an attacker sending SQL commands in the form of HTTP requests to the web server, which then passes those arguments on to the database server. If you provide input of the sort the developer expects, the site behaves normally. However, with some practice and knowledge of how these systems work, an attacker may be able to inject SQL commands into HTTP requests, which are then passed on to the database server.
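The mechanism described above, shown as an added example that is not from the original post: a page lookup that splices the request parameter into the SQL text, beside a hardened version that applies an allowlist and a bound parameter. The table, slugs and page bodies are constructed sample data.

```python
import re
import sqlite3

# Constructed sample data standing in for a CMS back end (not from the post).
PAGES = [("home", "Welcome"), ("about", "About us"), ("admin-notes", "internal only")]

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (slug TEXT, body TEXT)")
    conn.executemany("INSERT INTO pages VALUES (?, ?)", PAGES)
    return conn

def lookup_vulnerable(conn, slug):
    # The request parameter is spliced into the SQL text, so the database
    # cannot tell the developer's query apart from whatever the visitor sent.
    sql = f"SELECT body FROM pages WHERE slug = '{slug}'"
    return [row[0] for row in conn.execute(sql)]

# Allowlist for what a page slug is permitted to look like (assumed policy).
SLUG_RE = re.compile(r"^[a-z0-9-]{1,64}$")

def lookup_hardened(conn, slug):
    # Two layers: the allowlist rejects anything that is not a plausible slug,
    # and the bound parameter guarantees the value is treated as data, not SQL.
    if not SLUG_RE.match(slug):
        raise ValueError("invalid page slug")
    rows = conn.execute("SELECT body FROM pages WHERE slug = ?", (slug,))
    return [row[0] for row in rows]

def compare(slug):
    """Run both lookups on the same request value and report what each returns."""
    conn = make_db()
    try:
        hardened = lookup_hardened(conn, slug)
    except ValueError:
        hardened = "rejected"
    return {"vulnerable": lookup_vulnerable(conn, slug), "hardened": hardened}

if __name__ == "__main__":
    # Expected input: both paths return the single matching page.
    print(compare("about"))
    # Malformed input: the vulnerable path returns every row because the
    # quote character changed the meaning of the query; the hardened path
    # rejects it before any SQL runs.
    print(compare("about' OR '1'='1"))
```

Each returned page body is content the site will render, which is why write access through the same flaw lets an attacker change what visitors see.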

Web pages are often composed of parts that are stored in the database. If you can touch the database, you may be able to impact what is displayed. The simplest manifestation would be to vandalize the server in an obvious way, like an inner city graffiti artist tagging a wall. A more subtle attack would be to leave the site visibly intact but include some code that would cause the user machine to silently download and install malware. There are a variety of ways that this can be done, exploiting zero-day and other flaws in operating systems, browsers and browser plugins, or helper applications like Flash or PDF Reader.

Our video, the second in the SecureX Files series from Cisco Security Intelligence Operations (SIO), is about Drive By exploits.



  1. How can your everyday user protect himself or herself from such attacks?

    • Sean, some of the best ways include keeping both OS and browser plugins/helper apps such as Adobe Acrobat Reader and Flash Player fully updated and patched,

  2. Thanks for this information and the clarity of addressing this. We manage many medical websites for doctors. Many come to us in a panic because their website had been taken offline by Google’s index. This is good for the visiting machines but shuts down a significant source of new business for our clients.

    The cause and remedy almost always has to do with either poor ftp passwords or the use of poorly configured open source website cms systems like Joomla, etc.

    Thanks again!

  3. Thank you for this blog, and for the video. As an owner of several websites, I am encouraged to know that companies like yours wish to get this information out to the public in a fashion that gives us the tools to protect ourselves.