Introduction to Web Application Security

Web application security is, or should be, high on the agenda for any web-based business. The very nature of the Internet exposes web sites to attack from any location on the planet potentially leading to a data breach.

A data breach is a general term referring to unauthorised access of sensitive or confidential information and can occur through malicious actions or human error. The scope of what is considered a data breach can be fairly wide and may relate to few highly valuable records all the way up to millions of exposed user accounts.

Typical attacks against web applications range from large-scale network disruption to targeted database manipulation. Attacks work by exploiting vulnerabilities in web application code as well the supporting infrastructure and associated web services such as APIs. Following are some of the more common security vulnerabilities used to attack web applications?

SQL injection

SQL Injection is a method which attackers use to exploit vulnerabilities in the way an SQL database executes search queries. Attackers can use SQL Injection to gain unauthorised access and to modify or destroy information as well as change user permissions to enable deeper penetration into the network.

Cross site scripting (XSS)

A cross site scripting vulnerability can allow an attacker to inject scripts into a webpage and impersonate the user or trick the user into revealing important information.

Denial of service (DoS) attacks

Denial of Service can act through a variety of attack vectors.  An attacker can overload a web server or its surrounding technical infrastructure with large volumes of network traffic. When the server is no longer able to effectively process incoming requests, it begins respond more slowly and eventually deny service to incoming requests from legitimate users.

Memory corruption

Memory corruption happens when a location in memory is unintentionally modified. This can lead to unexpected behavior in the software running on the server. Attackers can attempt to sniff out and exploit memory corruption through exploits such as code injections and buffer overflow attacks.

Buffer overflow

Buffer overflow occurs when software writing data to a defined memory space known as a buffer. Overflowing the buffer results in adjacent memory locations being overwritten with data. This phenomenon can be exploited to inject malicious code into memory, potentially creating a vulnerability in the targeted server.

Cross-site request forgery (CSRF)

A Cross site request forgery attack involves tricking a target user into making a request that utilises their authentication or authorisation. By adopting the account privileges of the target user, the attacker is able to send a request masquerading as the user. Once a user’s account has been compromised, the attacker can exfiltrate, destroy or modify important information. Highly privileged accounts such as administrators or executives are commonly targeted.

How can I mitigate vulnerabilities web application?

Protecting web apps from exploitation can include applying updates to patch discovered vulnerabilities and proper authentication and using up-to-date encryption as well as having good software development hygiene. The reality is that clever attackers may be able to find vulnerabilities even in a fairly robust security environment, and a holistic security strategy is recommended.

Using a WAF to protect against Application Layer attacks

A web application firewall or WAF helps protect a web application against malicious HTTP traffic. By acting as a filter between the targeted server and the attacker, the WAF is able to identify and protect against attacks like cross site forgery, cross site scripting and SQL injection.

DDoS mitigation

A Commonly used method for disrupting a web application is the use of distributed denial-of-service or DDoS attacks. A DDoS mitigation service can work through a variety of strategies including dropping attack traffic at the network edge and allowing legitimate requests without a loss of service. Learn how

DNS Security

The domain name system or DNS can be thought of as the phonebook of the Internet. It is the way that web browsers or other web services look the IP address of the web server based on its web address or URL. Attackers may attempt to hijack this DNS request process through DNS cache poisoning, man-in-the-middle attacks and other methods of interfering with the DNS lookup process. If DNS is the phonebook of the Internet, then DNSSEC is unspoofable caller ID as it encrypts the DNS lookup process.