The modern information age has moved almost every physical business onto an online platform, and one of the most popular ways to do so is to run a web application for your business. The primary reason for this popularity is that the internet is an inexpensive, easy, and fast medium for communicating and sharing information. But this convenience brings a number of serious cyber threats with it. As per Akamai’s State of the Internet Q4 2017 report, total web application attacks increased by 10 percent compared with its Q4 2016 report. Verizon’s DBIR data backs up Akamai’s claim: its 2016 and 2017 reports state that web application attacks were the most common pattern behind actual security breaches. For the past several years, web application attacks have been noisy, with an attack-to-breach ratio of 100k to 1, because malicious hackers have shifted to automation to find the weak spots in your web applications.
What is a Web Application?
To understand web application attacks, it helps to take a closer look at the basic workflow. Web applications can be dynamic or static in nature, which determines whether the application requires server-side processing. Generally, a web application needs a web server to handle client requests, an application server to process the tasks requested by the user, and a database to store user data. The flow of a web application looks like –
Most Common Web App Attacks and Defending Solutions
The Security Report for In-Production Web Applications Q2 2018 lists five common web application attacks, which are –
1. Cross-Site Scripting (XSS)
XSS vulnerabilities can be avoided in three significant ways –
- Escaping User Inputs
- Input Validation
Input validation ensures that your web application processes only trusted data and keeps untrusted or malicious data from harming your database, web application, or end users’ personal data. Whitelisting is usually associated with SQL injection, but allowing only known-good characters can prevent XSS attacks too. You must have seen trusted websites preventing you from entering special characters in text fields; this is one way input validation protects a web application from XSS attacks.
- Sanitizing User Input
Data sanitization is the modification of input data to make sure that it is valid. It can be done by enclosing the received data in double quotes. This method is useful for web applications that use HTML markup. By changing invalid data into a valid form, you ensure that the received data won’t harm your web application or database.
None of these three methods is enough when applied on its own. But when implemented together, they provide a strong defense against XSS attacks.
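The two defenses the list above describes, escaping at the output point and whitelist validation of the input, as an added example that is not part of the original post. The name whitelist, the comment-rendering functions and the sample inputs are assumptions constructed for the illustration.

```python
import html
import re

# Assumed whitelist for a display name: letters, digits, spaces and a few
# punctuation marks. Anything outside it is rejected (input validation).
NAME_PATTERN = re.compile(r"^[A-Za-z0-9 .'_-]{1,40}$")


def validate_name(name: str) -> str:
    """Reject any display name containing characters outside the whitelist."""
    if not NAME_PATTERN.fullmatch(name):
        raise ValueError("display name contains disallowed characters")
    return name


def escape_for_html(value: str) -> str:
    """Escape text so the browser renders it as data, not as markup."""
    return html.escape(value, quote=True)


def render_comment_unsafe(name: str, comment: str) -> str:
    """Vulnerable: user-controlled text is concatenated straight into HTML."""
    return f"<p><b>{name}</b>: {comment}</p>"


def render_comment_safe(name: str, comment: str) -> str:
    """Hardened: validate the name, then escape everything at the output point."""
    safe_name = escape_for_html(validate_name(name))
    return f"<p><b>{safe_name}</b>: {escape_for_html(comment)}</p>"
```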
2. SQL Injection (SQLi)
In this web application attack, hackers inject malicious SQL commands into entry fields so that they are executed by the backend database. It is found particularly in data-driven applications. SQL injections can easily slip into a web application if there are loopholes in how the software executes queries. With this kind of attack, perpetrators can alter or delete existing data and assume false identities, for example by impersonating the database administrator.
The basic solution to this web application attack is that every input field of a web application (text fields, comment boxes, and so on) should be double-checked. And, to filter out non-validated SQL statements from genuine network traffic, you can integrate a web application firewall into your security system.
3. Automated Threats
An automated threat is a computer security threat in the form of software engineered to perform a large volume of repetitive tasks. This is done with automation tools such as internet bots.
It is easy to differentiate between user-entered data and automated data. Real-time bot detection technology can help you eliminate automated threats to a great extent. Account aggregation, carding, scraping, and Denial-of-Service (DoS) are a few examples of automated threats.
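A minimal rate-based bot detector run over constructed access-log lines, as an added example that is not part of the original post. The simplified log format, the window and threshold values, and the tool-like user-agent markers are all assumptions; a production detector would combine many more signals.

```python
import re
from collections import defaultdict, deque

# Constructed sample lines in an assumed simplified format:
# <unix_time> <client_ip> <method> <path> "<user-agent>"
SAMPLE_LOG = """\
1000 203.0.113.5 GET /login "Mozilla/5.0"
1000 203.0.113.5 POST /login "Mozilla/5.0"
1001 203.0.113.5 POST /login "Mozilla/5.0"
1001 203.0.113.5 POST /login "Mozilla/5.0"
1002 203.0.113.5 POST /login "Mozilla/5.0"
1002 203.0.113.5 POST /login "Mozilla/5.0"
1003 198.51.100.7 GET /products/1 "Mozilla/5.0"
1009 198.51.100.7 GET /products/2 "Mozilla/5.0"
1010 192.0.2.9 GET /products/3 "python-requests/2.25"
"""

LINE_RE = re.compile(r'^(\d+) (\S+) (\S+) (\S+) "([^"]*)"$')


def parse_line(line: str):
    """Parse one log line into a dict, or return None for lines that do not fit."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, ip, method, path, ua = m.groups()
    return {"ts": int(ts), "ip": ip, "method": method, "path": path, "ua": ua}


def detect_bots(log_text: str, window: int = 5, max_requests: int = 5,
                suspicious_ua=("python-requests", "curl")) -> dict:
    """Flag an IP when it sends more than max_requests within any window-second
    span (rate signal) or identifies as a scripting tool (weak user-agent signal).
    Returns {ip: set_of_reasons}."""
    flagged = {}
    recent = defaultdict(deque)           # per-IP timestamps inside the window
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        while q and q[0] < ev["ts"] - window:   # drop events older than the window
            q.popleft()
        if len(q) > max_requests:
            flagged.setdefault(ev["ip"], set()).add("rate")
        if any(tag in ev["ua"] for tag in suspicious_ua):
            flagged.setdefault(ev["ip"], set()).add("user-agent")
    return flagged
```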
4. File Path Traversal
File path traversal is also known as directory traversal or backtracking. The primary objective of this web application attack is to access files and directories that are not located under the ‘root directory’. Hackers reach arbitrary files and directories by manipulating file path variables (for example with dot-dot-slash sequences, ../).
This web application attack can be avoided by input validation. Implementing the required filters in your web application eliminates the chance of hackers getting hold of arbitrary files and folders. In addition, keeping the web server software upgraded and patched helps protect your web application from file path traversal attacks.
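One way to implement the filter the paragraph above calls for, as an added example not taken from the original post: the requested path is resolved against the web root and rejected unless the resolved result still lies inside it. The root directory used below is a constructed value and need not exist for the check to run.

```python
import os


def resolve_under_root(root: str, requested: str) -> str:
    """Return the absolute path for `requested` only if it stays inside `root`.

    The comparison is made on the fully resolved path (.. components and
    symlinks collapsed), not on the raw string, so the check does not depend
    on spotting every spelling of dot-dot-slash in the input.
    """
    root_real = os.path.realpath(root)
    # Strip leading separators so os.path.join cannot be redirected to "/".
    candidate = os.path.realpath(os.path.join(root_real, requested.lstrip("/\\")))
    if os.path.commonpath([root_real, candidate]) != root_real:
        raise PermissionError(f"path escapes the web root: {requested!r}")
    return candidate


def is_safe_request(root: str, requested: str) -> bool:
    """Boolean wrapper for use in request handling."""
    try:
        resolve_under_root(root, requested)
        return True
    except PermissionError:
        return False
```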
5. Command Injection (CMDi)
Command injection is more likely to occur in a web application that already has vulnerabilities. In this attack, attackers inject operating system commands, using the web application as a pseudo system shell, and the application then executes them. With this attack, a hacker can use that pseudo system shell as an authorized user to gain access to critical data. It usually results from a lack of proper input validation.
Whitelist validation will help you avoid command injection. The most effective measure is to avoid calling out (“exec”) to the operating system at all when it is not required.
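Whitelist validation combined with invoking a program without a shell, as an added example that is not part of the original post. The hostname whitelist, the lookup program name and the sample inputs are assumptions; the point is that an argv list hands the value to the program as a single argument, so shell metacharacters in it never become extra commands.

```python
import re
import subprocess

# Assumed whitelist: a hostname is letters, digits, dots and hyphens only.
HOST_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")


def validate_host(host: str) -> str:
    """Reject anything that is not a plain hostname."""
    if not HOST_RE.fullmatch(host):
        raise ValueError(f"rejected host value: {host!r}")
    return host


def build_lookup_unsafe(host: str) -> str:
    """Vulnerable pattern: one shell string. If this string is handed to a
    shell, metacharacters inside `host` are interpreted as shell syntax."""
    return "host " + host


def build_lookup_argv(host: str) -> list:
    """Hardened: validate first, then build an argv list. Without a shell the
    value can only ever be one argument to the program."""
    return ["host", validate_host(host)]


def run_argv(argv: list) -> str:
    """Run an argv list with no shell involved and return its stdout."""
    return subprocess.run(argv, capture_output=True, text=True, check=False).stdout
```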
Learn Application Security with Us
This is just a glimpse of web application security. If you have a keen interest and passion for acquiring real-time concepts and skills of an application security engineer, then join our Certified Application Security Engineer (C|ASE) program. You’ll have the option to develop your technical skills to learn web application defense, application design and architecture, input validation, cryptography, and a lot more either in .NET or in Java.
Sources:
- https://www.akamai.com/us/en/multimedia/documents/state-of-the-internet/q4-2017-state-of-the-internet-security-report.pdf
- https://info.tcell.io/hubfs/DemandGen_Content/Research%20Papers/tCell_wp-stateofsecurity-2018-web.pdf
- https://www.extropia.com/tutorials/devenv/intro_to_app_dev.html