Attackers have persistently utilised different attack vectors and methods to target websites and web applications throughout the past years. Web applications vulnerability can negatively affect businesses which could burden their time, money and reputation.
Common web application attacks
In reference to Trustwave Global Security Report, there are five basic web application attack techniques that are used consistently by attackers.
- Cross-Site Scripting
- SQL Injection
- Path Traversal
- Local File Inclusion
- Distributed Denial of service
Cross-Site Scripting (XSS)
As one of the most overlooked web application attacks, XSS attacks occur when attackers input a malicious script into a web application or a user's browser. XSS payload contains payload scripts that could capture, alter, fingerprint or browse for data.
For example, an attacker can use XSS attacks to redirect web page of a website application to a scam site. There have been many websites vulnerable to XSS including the Telegraph, McDonalds and Network Computing.
To mitigate against XSS attacks, it is recommended to validate inputs and sanitize user input.
SQL Injection (SQLi)
SQL injection attack is when an attacker inputs a malicious SQL query into a web application database query. SQLmap is an open source pen testing tool that can automate the process of exploiting vulnerable web apps. A successful SQL injection could allow an attacker to gain unauthorized access to the compromised database that contains sensitive data and to bypass application security mechanisms.
For example, an attacker can add, modify, and delete records in the compromised database. There have been many companies vulnerable to SQLi which has had severe effects on companies, including the top three open source content management systems: WorldPress, Drupal and Joomla.
To mitigate against SQL injection attacks, it is recommended to make database errors invisible to users in web pages and web applications.
Path Traversal
Path Traversal attack attempts to gain unauthorized access to files or directories which are placed outside of the root folder. This is achieved by inputting patterns such as “../” in the URL path.
A successful path-traversal could allow an attacker to improperly access site or user credentials, configuration files, databases or other sites co-located on the same physical machine. There have been numerous websites in which root folders have been manipulated to gain top access to local files, upload arbitrary files and perform XSS attacks.
Path traversal attack can be avoided by input validation.
Local File Inclusion (LFI)
LFI attack is when an attacker uses directory traversal to trigger a web application to execute a file residing on the server. Similar to SQLmap, Fimap is a python script that automates the process of exploiting local and remote file inclusion in web application.
The impact of exploiting a LFI vulnerability vary from full disclosure of information to a complete compromise of a system. Even in cases where the included code is not executed, it can still give an attacker valuable information, such as system version, to be able to compromise a system. There have been several cases of websites vulnerable to LFI including Eyes on Main, Winners Pizza and Oregon Airsoft.
It is recommended to whitelist input validation and use prepared statements with parameterized queries.
Distributed Denial of Service (DDoS)
A DDoS attack uses multiple compromised systems, through command and control botnets, to target a server with a huge amount of traffic to the point their services and infrastructure are unable to handle it. The purpose of a DDoS attack is to render availability.
In 2016, Mirai malware that turns networked devices running Linux into remotely controlled "bots", caused a DDoS attack on the Krebs on Security website which reached 620 Gbit/s. The result of this DDoS attack caused the security blog website to be offline for four days.
It is recommended to use a Web Application Firewall (WAF) to monitor network and block potential attacks.
Conclusion
There are various defensive methods that exist for each specific attack. The best practices that can be used to protect your applications and users include: code reviews to help spot vulnerable code early in the development phase and bug bounty programs to enable professional pen testers to find bugs in the website. Even with these best practices in place, you may still find yourself at risk.
QA specialises in an array of cyber offensive-defensive training courses that covers these web application attack in a ‘learn-by-doing’ approach. Our Cyber Defender and Capture The Flag Event allows delegates to see what it’s like to man a Security Operation Center (SOC), how to defend and attack, in a safe and controlled environment.
James Aguilan
More articles by James
The Air-Gap Dilemma
QA Cyber Security Specialist, James Aguilan, looks at the methods through which air-gapped systems can be compromised.
26 March 2019Safeguarding your Digital Footprint
QA Cyber Security Trainer, James Aguilan, shares 6 tips that can help you safeguard your digital footprint.
05 March 2018Phishing Campaigns: Defending organisations against phishing
QA Cyber Security Trainer, James Aguilan, argues that understanding how to defend against phishing is of paramount importance for the confidentiality and integrity o…
15 February 2018Most common ways for thieves to steal your cryptocurrency
QA Cyber Security Trainer, James Aguilan, looks at how cybercriminals can steal your coins.
19 July 2018Is Mr Robot a good representation of real-life hacking and hacking culture?
QA Cybersecurity trainer James Aguilan looks at several scenarios featured in the hit US TV series Mr Robot – and how they may represent real-life hacking.
19 February 2018How to build an effective cyber defence against polymorphic malware
QA Cyber Security Trainer, James Aguilan, lists three key areas where security efforts should be focussed to counter polymorphic malware.
11 October 2018How do organisations demonstrate accountability for GDPR compliance?
QA Cyber Security Trainer, James Aguilan, outlines steps towards demonstrating compliance with the GDPR.
20 March 2018Cyber criminals can exploit flaws in online security and all new appliances
QA Cyber Security Trainer, James Aguilan, looks at how internet-enabled devices such as fridges, doorbells and TVs are leaving consumers exposed to hackers.
22 May 2018Cryptocurrency Mining: Does the reward outweigh the cost?
QA Cyber Security Trainer, James Aguilan, looks at the practice of mining cryptocurrency.
27 March 2018Cryptocurrency in traditional crimes
QA Cyber Security Trainer, James Aguilan, looks at how cryptocurrency is used in crimes such as drug trafficking, money laundering and fraud.
25 July 2018