Introduction to Preventing Data Exfiltration via Web Attacks

By PLURA

🧑‍💻 The Ultimate Goal of Hacking: Data Exfiltration

Customer records, personal information, or a company’s critical assets are typically the prime targets of cyberattacks. Attackers pursue data exfiltration because it can be monetized. On the victim’s side, the consequences are significant: financial loss, tarnished corporate image, fines, class-action lawsuits, and possibly criminal charges, depending on the circumstances.



🛡️ How Can We Detect Data Exfiltration?

Data Loss Prevention (DLP) refers to the set of measures that prevent the unauthorized disclosure of internal information.

  1. DLP software typically records and controls data that may leak through various channels such as instant messengers, webmail, cloud storage, printers, or USB drives.
  2. Beyond proactive measures, DLP logs can be used after an incident to identify the leaker, trace the exfiltration path, and so on.
  3. While external hacking is often blamed for data breaches, insiders account for 81.4% of data leaks (Source: Gartner, 2020).
  4. DLP aims to block, monitor, and record both insider-related leaks and unprivileged external access to PCs or servers that results in data theft.
  5. Technologies that prevent data leakage at the endpoint (PCs, servers) are called Endpoint DLP.
  6. Solutions that regulate exfiltration at the network boundary are called Network DLP (NDLP).
  7. Global research firm Gartner describes “Enterprise DLP” as solutions controlling both endpoint and network channels.

DLP products are generally expected to address not only insider threats but also external attackers attempting data exfiltration.


🌐 How Do Hackers Exfiltrate Data via the Web?

The web is a powerful yet distinctive system:

  1. It collects customer information for storage.
  2. It allows users to update existing data at any time.
  3. Highly sensitive personal data—like resident registration numbers, driver’s license numbers, and credit card details—are frequently processed online.
  4. Call center staff and internal administrators handle large volumes of customer data through web interfaces.

Even if data is strongly encrypted in transit (using TLS 1.3) or stored with robust encryption schemes in databases, the end user sees it in plain text—which is by design and typically not considered a problem.

However, this characteristic of web applications presents a real challenge for DLP solutions: which product can effectively detect data exfiltration when sensitive data is legitimately returned in plain text on every request? Unfortunately, this is notoriously difficult.


💡 A Practical Alternative: Analyzing the Response Body

An effective alternative is to monitor the web response body (Resp-Body) and detect possible exfiltration in real time.

Stepping back to the core principle: data leaves the server in the response to a browser’s request. Therefore, by analyzing exactly what data is being returned, one can in principle identify leaks accurately, regardless of how the request was constructed.
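The following is an added example, not PLURA’s code or product logic, of what a response-body monitor can do once it has the decoded body of an HTTP response: it counts distinct sensitive records (card numbers validated with the Luhn checksum, resident registration numbers by format only, e-mail addresses) and raises an alert when a single response carries more records than a normal customer-service screen should. The sample response bodies, the patterns and the threshold of 5 are constructed assumptions for illustration and would be tuned per application.

```python
"""Response-body (Resp-Body) scanner: flag responses that return an unusual
number of sensitive records.  Added example; patterns and threshold are
illustrative assumptions, not a product's rules."""
import re
from typing import Dict, List

# Payment-card candidates: a 13-19 digit run, or four groups of four digits
# separated by spaces/dashes.  Look-arounds stop us matching inside longer runs.
CARD_RE = re.compile(r"(?<!\d)(?:\d{13,19}|(?:\d{4}[ -]){3}\d{4})(?!\d)")
# Korean resident registration number layout YYMMDD-GNNNNNN (format check only;
# this example does not validate the check digit).
RRN_RE = re.compile(r"(?<!\d)\d{6}-[1-4]\d{6}(?!\d)")
# Simple e-mail address form.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def luhn_ok(number: str) -> bool:
    """True if a digit string passes the Luhn checksum used by payment cards."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_cards(body: str) -> List[str]:
    """Distinct Luhn-valid card numbers (digits only) found in the body."""
    found: List[str] = []
    for m in CARD_RE.finditer(body):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits) and digits not in found:
            found.append(digits)
    return found


def scan_response(body: str, record_threshold: int = 5) -> Dict[str, object]:
    """Count sensitive records in one response body and decide whether it
    looks like bulk extraction (more distinct records than one page of a
    normal screen returns).  record_threshold is an assumed tuning value."""
    cards = find_cards(body)
    rrns = sorted(set(RRN_RE.findall(body)))
    emails = sorted(set(EMAIL_RE.findall(body)))
    total = len(cards) + len(rrns) + len(emails)
    return {
        "cards": len(cards),
        "rrns": len(rrns),
        "emails": len(emails),
        "records": total,
        "alert": total >= record_threshold,
    }


# Constructed sample bodies: one normal single-customer lookup and one dump of
# six customers in the same response.  4111 1111 1111 1111 is a well-known
# Luhn-valid test number; the RRNs and addresses are made up.
SINGLE_LOOKUP = (
    '{"name":"user0","rrn":"900100-1234567",'
    '"card":"4111 1111 1111 1111","email":"user0@example.com"}'
)
BULK_DUMP = "\n".join(
    f'{{"name":"user{i}","rrn":"90010{i}-1234567",'
    f'"card":"4111 1111 1111 1111","email":"user{i}@example.com"}}'
    for i in range(6)
)

if __name__ == "__main__":
    for label, body in (("single lookup", SINGLE_LOOKUP), ("bulk dump", BULK_DUMP)):
        print(label, scan_response(body))
```

In a deployment the `body` would come from a reverse proxy or gateway that has already decompressed the response; the point of the design is that the verdict depends only on what is being returned, not on how the request was crafted, so it applies equally to an insider's legitimate session and to an injected query.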

The following video demonstrates a SQL injection attack using sqlmap to exfiltrate sensitive information, focusing on:

  1. Database names
  2. Table names

Without an insider’s assistance, this is the starting point for many SQL injection attackers.