by James Aguilan

Attackers have persistently used a variety of attack vectors and methods to target websites and web applications over the past years. Web application vulnerabilities can negatively affect businesses, costing them time, money and reputation.

Common web application attacks

According to the Trustwave Global Security Report, there are five basic web application attack techniques that are used consistently by attackers.

  1. Cross-Site Scripting
  2. SQL Injection
  3. Path Traversal
  4. Local File Inclusion
  5. Distributed Denial of Service

Cross-Site Scripting (XSS)

One of the most overlooked web application attacks, XSS occurs when an attacker injects a malicious script into a web application so that it runs in a user's browser. The XSS payload is a script that can capture, alter, fingerprint or browse for data.

For example, an attacker can use XSS to redirect a page of a web application to a scam site. Many websites have been vulnerable to XSS, including the Telegraph, McDonalds and Network Computing.

To mitigate XSS attacks, it is recommended to validate and sanitize all user input.

SQL Injection (SQLi)

A SQL injection attack occurs when an attacker injects malicious SQL into a web application's database query. SQLmap is an open source pen testing tool that automates the process of exploiting vulnerable web apps. A successful SQL injection could allow an attacker to gain unauthorized access to the compromised database containing sensitive data and to bypass application security mechanisms.


For example, an attacker can add, modify and delete records in the compromised database. Many companies have been vulnerable to SQLi, with severe consequences; examples include the top three open source content management systems: WordPress, Drupal and Joomla.


To mitigate SQL injection attacks, it is recommended to keep database error messages out of the web pages and web application responses shown to users.

Path Traversal

A path traversal attack attempts to gain unauthorized access to files or directories located outside the web root folder. This is achieved by supplying patterns such as “../” in the URL path.

A successful path traversal could allow an attacker to improperly access site or user credentials, configuration files, databases or other sites co-located on the same physical machine. On numerous websites, root folders have been manipulated to gain access to local files, upload arbitrary files and perform XSS attacks.

Path traversal attacks can be prevented by input validation.

Local File Inclusion (LFI)

An LFI attack occurs when an attacker uses directory traversal to make a web application include and execute a file residing on the server. Like SQLmap, Fimap is a Python script that automates the exploitation of local and remote file inclusion in web applications.

The impact of exploiting an LFI vulnerability varies from full disclosure of information to a complete compromise of a system. Even in cases where the included code is not executed, it can still give an attacker valuable information, such as the system version, that helps in compromising the system. There have been several cases of websites vulnerable to LFI, including Eyes on Main, Winners Pizza and Oregon Airsoft.

It is recommended to use whitelist-based input validation and prepared statements with parameterized queries.
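One way to implement the input validation recommended in the Path Traversal and LFI sections above, as an added example that is not from the original post: the check resolves the requested path under the web root and rejects anything that ends up outside it, including percent-encoded “../” and symlinks that point out of the root. The web root, file names and request strings are constructed for the demo.

```python
import os
import tempfile
from urllib.parse import unquote


class PathTraversalError(ValueError):
    """Raised when a requested path would land outside the web root."""


def resolve_under_root(web_root: str, requested: str) -> str:
    """Map a URL path onto a file under web_root, or raise PathTraversalError.

    Percent-decoding first means "%2e%2e/" is checked as "../"; realpath then
    collapses every "../" and follows symlinks, so the only question left is
    whether the final location is still inside the root.
    """
    root = os.path.realpath(web_root)
    decoded = unquote(requested)
    # An absolute path would make os.path.join discard the root entirely.
    if os.path.isabs(decoded) or "\x00" in decoded:
        raise PathTraversalError(requested)
    candidate = os.path.realpath(os.path.join(root, decoded))
    # Component-wise containment: "/srv/www2" is not under "/srv/www".
    if os.path.commonpath([root, candidate]) != root:
        raise PathTraversalError(requested)
    return candidate


def demo_results() -> dict:
    """Create a constructed web root and classify a set of sample requests."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.realpath(os.path.join(tmp, "www"))
        os.makedirs(os.path.join(root, "images"))
        open(os.path.join(root, "images", "logo.png"), "w").close()
        open(os.path.join(tmp, "secret.txt"), "w").close()
        # Symlink inside the root pointing outside it: a purely lexical
        # check on the string "link" would pass, but realpath catches it.
        os.symlink(os.path.join(tmp, "secret.txt"), os.path.join(root, "link"))
        samples = ["images/logo.png", "images/../images/logo.png",
                   "../secret.txt", "%2e%2e/secret.txt", "/etc/passwd", "link"]
        results = {}
        for req in samples:
            try:
                results[req] = os.path.relpath(resolve_under_root(root, req), root)
            except PathTraversalError:
                results[req] = "REJECTED"
        return results


if __name__ == "__main__":
    for req, outcome in demo_results().items():
        print(f"{req!r:30} -> {outcome}")
```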

Distributed Denial of Service (DDoS)

A DDoS attack uses multiple compromised systems, controlled through command-and-control botnets, to flood a target server with so much traffic that its services and infrastructure are unable to handle it. The purpose of a DDoS attack is to take away availability.

In 2016, the Mirai malware, which turns networked devices running Linux into remotely controlled "bots", was used in a DDoS attack on the Krebs on Security website that reached 620 Gbit/s. The attack took the security blog offline for four days.

It is recommended to use a Web Application Firewall (WAF) to monitor traffic and block potential attacks.

Conclusion

There are various defensive methods for each specific attack. Best practices that help protect your applications and users include code reviews, which help spot vulnerable code early in the development phase, and bug bounty programs, which enable professional pen testers to find bugs in the website. Even with these best practices in place, you may still find yourself at risk.

QA specialises in an array of cyber offensive-defensive training courses that cover these web application attacks in a ‘learn-by-doing’ approach. Our Cyber Defender and Capture The Flag Event allows delegates to see what it’s like to man a Security Operations Center (SOC), and how to defend and attack, in a safe and controlled environment.