What are Web Application Vulnerabilities?
Figure 1. Web Application Vulnerabilities
- XSS – Cross-site scripting. It allows a malicious actor to embed a malicious script on a website, usually in a comment section or some other place where a user can add data. When someone visits that page, the script runs in their browser and redirects them in the background.
- Information Leakage – A typical case is forgetting to turn debug mode off when the web application moves from development into production. When an error occurs, the full error message is disclosed to the user and may contain sensitive information, which makes the web application vulnerable to hijacking.
- Weak Authentication – Weakly chosen usernames and passwords make the application easily vulnerable to hacking.
- CSRF – Cross-site request forgery is almost the same as XSS but on the server side.
- Predictability of Secure Interfaces – Security interfaces should be made less predictable to be safer.
- SQL Injection – A common web hacking technique for placing malicious code in SQL statements.
- Insecure Session Handling – One should make sure that the session state between the user and the server is secured and encrypted.
- Poor Development Practices – Security issues should be handled properly during web application development.
- Not Validating Untrusted Data – Wherever a user can input information, that data must always be treated as untrusted and validated.
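The SQL Injection and Not Validating Untrusted Data items above are easiest to see side by side. The following is an added example, not code from the tutorial: an in-memory SQLite table stands in for the application's user store, `lookup_vulnerable` builds the statement by string concatenation, and `lookup_parameterized` binds the same input as a placeholder value so it can only ever be compared as a literal. The username pattern in `lookup_validated` is an assumed allow-list, not anything the page specifies.

```python
import re
import sqlite3


def make_db():
    # Constructed in-memory user table standing in for the real database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def lookup_vulnerable(conn, name):
    # Untrusted input is concatenated straight into the SQL text, so the input
    # can change the structure of the statement rather than just a value in it.
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    # Placeholder binding: the driver passes the value separately from the
    # statement, so whatever the user typed is compared as a plain string.
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


# Assumed allow-list for usernames (lowercase letters, digits, underscore).
USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")


def lookup_validated(conn, name):
    # Validation on top of parameterization: reject anything that does not look
    # like a username before it ever reaches the database.
    if not USERNAME_RE.fullmatch(name):
        raise ValueError("invalid username")
    return lookup_parameterized(conn, name)


if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(db, crafted))      # returns every row
    print("parameterized:", lookup_parameterized(db, crafted))  # returns []
```

Running the block shows the concatenated query returning every user for the crafted input while the parameterized query returns nothing, which is the whole point of treating input as data rather than as part of the statement.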
What are Web Application Attack Techniques?
Figure 2. Techniques
- Denial of Service – It is the interruption in an authorized user’s access to a computer network, typically one caused with malicious intent.
- SQL Injection – Making use of unvalidated data that then runs a SQL script which presents data back to the user in the browser.
- Brute Force Login – Basically guessing usernames and passwords.
- XSS – Malicious scripting is used to redirect users to another malicious site.
- CSRF – The same as XSS except that it is a server-side attack.
- Form Tampering – When people put untrusted data into forms and manipulate them.
- Buffer Overflow – Making use of poor memory handling in the application to make it act erratically.
- Poor Error Handling – For example, leaving the debug mode on during development and allowing the attacker to get information.
- Session Hijacking – It is the exploitation of a valid computer session to gain unauthorized access to information or services in a computer system.
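The XSS and CSRF items above are both handled at the point where the server accepts and renders a form submission, so one added example covers both (this is illustrative code, not part of the tutorial). `render_comment` escapes user text before it is placed in HTML, so an embedded script is shown as text instead of running in the visitor's browser; `CsrfGuard` implements a per-session synchronizer token that every state-changing request must carry. The in-memory token store and the `handle_post_comment` handler are assumptions standing in for a real framework.

```python
import hmac
import html
import secrets


def render_comment(comment_text):
    # Output encoding: anything that came from a user is escaped before it is
    # placed in HTML, so a <script> tag in a comment becomes inert text.
    return '<p class="comment">' + html.escape(comment_text, quote=True) + "</p>"


class CsrfGuard:
    """Synchronizer-token pattern: one random token per session, which the server
    compares against the token carried in each state-changing request."""

    def __init__(self):
        self._tokens = {}  # session id -> token (constructed in-memory store)

    def issue(self, session_id):
        # Called when the form page is rendered; the token is embedded in the form.
        token = secrets.token_urlsafe(32)
        self._tokens[session_id] = token
        return token

    def verify(self, session_id, submitted):
        expected = self._tokens.get(session_id)
        if expected is None or submitted is None:
            return False
        # Constant-time comparison so the check itself does not leak the token.
        return hmac.compare_digest(expected, submitted)


def handle_post_comment(guard, session_id, form):
    """Server side of a comment form (assumed handler shape): reject the request
    unless it carries the session's CSRF token, and escape the comment on output."""
    if not guard.verify(session_id, form.get("csrf_token")):
        return 403, "forbidden: missing or invalid CSRF token"
    return 200, render_comment(form.get("comment", ""))


if __name__ == "__main__":
    guard = CsrfGuard()
    token = guard.issue("session-1")
    print(handle_post_comment(guard, "session-1", {"comment": "<script>alert(1)</script>"}))
    print(handle_post_comment(guard, "session-1",
                              {"csrf_token": token, "comment": "<script>alert(1)</script>"}))
```

The first call is refused because no token accompanies it; the second is accepted, and the comment comes back with its angle brackets encoded.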
What is the Impact of Web Application Attacks?
Figure 3. Attacks
- Reputational Harm
- Defacement
- Data Theft
- Malware Servicing
- Web Server Compromise
What are the countermeasures?
Figure 4. Countermeasures
- Software Patches – One must patch the software regularly.
- Software Hardening – Both the server and the software must perform only the tasks they are meant to do.
- Vulnerability Scanning – Look for vulnerabilities on the web server.
- Web Application Firewalls – There should be a firewall to protect the web application from unwanted attacks.
- Restrict Remote Admin – One must try to obfuscate and hide the admin URL.
- Change Default Settings – If the application has a default admin username and password, it should be changed in time.
- Penetration Testing – It should be done to look for vulnerabilities across all applications.
- Constant Vigilance – Web applications must be monitored regularly to ensure that they are completely secured.
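Several of the countermeasures above (turning debug off, changing default credentials, restricting the remote admin interface, securing the session) are deployment settings that can be checked mechanically. The block below is an added example rather than the tutorial's own material: `audit_settings` runs constructed checks over a settings dictionary whose keys (`debug`, `admin_user`, `admin_allowed_ips`, ...) are assumed names, not any framework's real configuration schema, and `error_response` contrasts the information-leaking debug behaviour with the fix, where the user sees only a reference id and the detail goes to the server log.

```python
import logging
import secrets
import traceback

# Constructed list of factory-default credential pairs the audit should flag.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password"), ("root", "root")}


def audit_settings(settings):
    """Return a list of findings for weak deployment settings.
    The keys are assumed names for this example, not a real config schema."""
    findings = []
    if settings.get("debug"):
        findings.append("debug mode is on: full error messages will reach users")
    creds = (settings.get("admin_user"), settings.get("admin_password"))
    if creds in DEFAULT_CREDENTIALS:
        findings.append("admin account still uses default credentials")
    cookie = settings.get("session_cookie", {})
    for flag in ("secure", "httponly"):
        if not cookie.get(flag):
            findings.append(f"session cookie missing the {flag} flag")
    if not settings.get("admin_allowed_ips"):
        findings.append("remote admin interface is reachable from any address")
    return findings


def error_response(exc, debug, log=logging.getLogger("app")):
    """Poor error handling versus the fix.
    debug=True: the full traceback is returned to the user (information leakage).
    debug=False: the user gets a generic message plus a reference id, and the
    detail is written only to the server log, where an operator can look it up."""
    ref = secrets.token_hex(4)
    detail = "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))
    if debug:
        return 500, detail
    log.error("ref=%s %s", ref, detail)
    return 500, f"Something went wrong. Reference: {ref}"


if __name__ == "__main__":
    weak = {
        "debug": True,
        "admin_user": "admin",
        "admin_password": "admin",
        "session_cookie": {"secure": False, "httponly": False},
        "admin_allowed_ips": [],
    }
    for finding in audit_settings(weak):
        print("FINDING:", finding)
    # Constructed exception carrying a secret-looking string to show the difference.
    err = RuntimeError("connection failed: password=hunter2")
    print(error_response(err, debug=True)[1])
    print(error_response(err, debug=False)[1])
```

The weak settings produce one finding per countermeasure that is missing; a hardened configuration (debug off, non-default admin account, Secure and HttpOnly cookie flags, an admin allow-list) produces none, and the non-debug error path never echoes the exception text to the user.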
Ethical Hacking Tutorial – Hacking Web Application Theory Video: