4 Common Web Application Security Attacks and What You can Do to Prevent Them
For a long time, less malware was written for Mac operating systems than for Windows. This led to a debate about whether that was due to the strength of the Mac or simply because there were more Windows users, making Windows more worth a hacker's time. As the Mac OS has grown in popularity, there has been an increase in Trojans and other malware that can infect Macs.
Operating systems and browsers are not the only things that need protecting against attacks; the web application itself needs protecting too.
What Motivates Hackers?
If you store sensitive user information in your database, users expect you to keep that information confidential. However, chances are that hackers are poking around your website right now, looking for a vulnerability to exploit. What are some of the motivations attackers might have?
- Proving they are a great hacker to the community
- Destroying your database and causing great loss to your company
- Stealing user data on the fly using a man-in-the-middle attack
- Downloading sensitive user information and selling it on the black market
In the latter case, you might not even notice there was an attack, and the attacks might continue silently for a long period of time.
What Makes an Application a Target?
Different web applications have different functions and purposes, but all applications can be a target for hackers. What makes an application a target?
- Popularity – A popular website receives a great number of visits every second and probably has many competitors, so damage to your brand, performance or availability can benefit a competitor. Attacks on popular websites are also more newsworthy, which matters to a hacker looking for "bragging rights."
- Protest/Politics – Groups like Anonymous orchestrate attacks on government, religious and corporate websites for fun or to make a statement.
- Disgruntled employees – Not all attacks come from the outside; attacks are often orchestrated or assisted by somebody on the inside.
What Are the 4 Most Common Attacks?
Hackers have a lot of choices for attack vectors, but here are the 4 most common things they try first:
- Carry out SQL injection attacks to gain access to the database, spoof a user's identity, and destroy or alter data. SQL injection occurs when untrusted input (from form fields, URL parameters, cookies or headers) is concatenated into a SQL statement, so that the input is interpreted as SQL rather than as data. This lets the hacker read, modify or destroy information in the database: with SQL injection, a hacker can change the price of a product, bypass a login, or read customer information such as credit card numbers, passwords and contact information.
- Use Cross-Site Scripting (XSS) attacks to have browsers execute their malicious payloads, for example to deface your website to promote their brand or their hacktivist ideals. XSS occurs when attacker-supplied script is injected into a page your application serves and then runs in other users' browsers, with the same access to cookies and page content that your own scripts have.
- Make the site temporarily unavailable with a Distributed Denial of Service (DDoS) attack. DDoS attacks generate requests from thousands of IP addresses to flood a site with traffic so that the server can no longer respond to legitimate requests. DDoS attacks, and even aggressive bots, can slow a site down or make it temporarily unavailable.
- Hijack trusted user sessions to make unwanted purchases on behalf of users with Cross-Site Request Forgery (CSRF) attacks. CSRF occurs when a logged-in user is tricked into clicking a link or loading a page or image that sends a request to your application; because the browser automatically attaches the user's session cookie, the application treats the forged request as a legitimate action by that authenticated user.
How Should You Protect Your Assets and Users?
There are different methods and tools that modern web application developers use to protect their applications. Some solutions target specific attacks; other best practices can be applied on an ongoing basis to protect your applications and users. Code reviews, bug bounty programs and code scanners should be used throughout the application lifecycle. Code reviews help spot vulnerable code early in development, static and dynamic scanners (SAST and DAST) check automatically for known classes of vulnerabilities, and bug bounty programs reward outside security researchers for finding and reporting bugs in the live application.
Even with these best practices in place, you may still find yourself under attack.
Attack-specific solutions include:
- Using parameterized queries (prepared statements), or stored procedures that are called with parameters and do not build dynamic SQL internally, so that user input is always treated as data and never as part of the SQL statement.
- Implementing CAPTCHA or challenge questions on forms, to ensure that a request is being submitted by a human and not a bot.
- Using a Web Application Firewall (WAF) to inspect HTTP traffic and block requests that match known attack patterns.
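The list above names a specific measure for SQL injection and for bots but none for the XSS and CSRF attacks described earlier. As an added example (not code from the original article), here is a minimal Python request handler showing the two standard defences for those: user-supplied text is HTML-escaped before it is placed in a page, and every state-changing POST must carry a CSRF token that only your own pages can obtain. The route, field names, session id and server secret are invented for the demonstration; in a real deployment the secret comes from configuration, not source code.

```python
import hashlib
import hmac
import html
import secrets

# Hypothetical server-side secret, generated once per process for this demo.
SERVER_SECRET = secrets.token_bytes(32)


def csrf_token(session_id):
    """Token bound to the session: HMAC(secret, session_id).

    An attacker's page cannot read it (same-origin policy stops it reading
    your form) and cannot compute it (it does not have the secret).
    """
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def csrf_valid(session_id, submitted_token):
    """Constant-time comparison of the submitted token with the expected one."""
    expected = csrf_token(session_id).encode()
    submitted = (submitted_token or "").encode()
    return hmac.compare_digest(expected, submitted)


def render_comment_form(session_id, previous_comment):
    """Render a form that embeds the CSRF token and echoes prior user input.

    Output encoding: html.escape() turns <, >, &, ' and " into entities, so a
    comment such as <script>alert(1)</script> is displayed literally instead
    of executed in the browser of whoever views the page.
    """
    return (
        '<form method="POST" action="/comment">'
        f'<input type="hidden" name="csrf" value="{csrf_token(session_id)}">'
        f"<p>Your last comment: {html.escape(previous_comment)}</p>"
        '<input name="comment"><button>Post</button></form>'
    )


def handle_post(session_id, form):
    """Process a POST; `form` is the dict of submitted fields a framework provides.

    The token check happens before any state change, so a forged request from
    another site (which carries the session cookie but no valid token) is
    rejected with 403. Returns (status, body).
    """
    if not csrf_valid(session_id, form.get("csrf")):
        return 403, "forbidden: missing or invalid CSRF token"
    comment = form.get("comment", "")
    return 200, "comment posted: " + html.escape(comment)


if __name__ == "__main__":
    sid = "session-123"  # invented session id
    print(render_comment_form(sid, "<script>alert(1)</script>"))
    print(handle_post(sid, {"comment": "forged"}))                        # 403
    print(handle_post(sid, {"csrf": csrf_token(sid), "comment": "<b>hi</b>"}))  # 200
```

Escaping must match the context the data is placed in: html.escape() is correct for text and attribute values in HTML, but data inserted into a script block, a URL or a CSS property needs that context's own encoding. Setting the session cookie's SameSite attribute is a useful complement to the token check, since it stops the browser attaching the cookie to most cross-site requests in the first place.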
None of these methods can replace another; each brings its own value and protects against certain attack scenarios. Code reviews and bug bounty programs cannot find every vulnerability, nor can a web application firewall alone; no tool is 100% complete. A combination of all of them must be used to protect your application and users.