4 Common Web Application Security Attacks and What You Can Do to Prevent Them - PowerPoint PPT Presentation

Description: Not only do browsers need to be protected against attacks, but the web application also needs to be protected.

Transcript and Presenter's Notes

1
4 COMMON WEB APPLICATION SECURITY ATTACKS AND WHAT
YOU CAN DO TO PREVENT THEM
2
  • For a long period of time less malware was
    written targeting Mac operating systems than
    Windows. This led to a debate about whether this
    is because of the strength of Mac, or simply
    because there were more Windows users, making
    Windows more worth a hacker's time. As the Mac OS
    has grown in popularity, there has been an
    increase in Trojans and other malware that can
    potentially infect Macs.
  • Not only do browsers need to be protected against
    attacks, but the web application also needs to be
    protected.
  • What Motivates Hackers?
  • If you store sensitive user information in your
    database, users expect you to keep their
    information confidential. However, chances are
    right at this moment hackers are poking around
    your website to find a vulnerability to exploit.
    What are some of the motivations attackers might
    have?
  • Proving they are a great hacker to the community
  • Destroying your database and causing great loss
    to your company
  • Stealing user data on the fly using a
    man-in-the-middle attack
  • Downloading sensitive user information and
    selling it on the black market
  • In the latter case, you might not even notice
    there was an attack, and the attacks might
    continue silently for a long period of time.
  • What Makes an Application a Target?
  • Different web applications have different
    functions and purposes, but all applications can
    be a target for hackers. What makes an
    application a target?
  • Popularity: If you have a popular website, you
    get a great number of visits every second. You
    probably have many competitors too, and damage to
    your brand can help a competitor. Your website's
    performance and availability is one of the main
    advantages you have over all the others. Attacks
    on popular websites also tend to be more
    newsworthy if the hacker is looking for
    bragging rights.
  • Protest/Politics: groups like Anonymous
    orchestrate attacks on government, religious and
    corporate websites for fun or to make a
    statement.
  • Disgruntled employees: not all attacks are from
    the outside; oftentimes attacks are orchestrated
    or assisted with the help of somebody on the
    inside.

3
  • What Are the 4 Most Common Attacks?
  • Hackers have a lot of choices for attack vectors,
    but here are the 4 most common things they try
    first:
  • Carry out SQL injection attacks to gain access to
    the database, spoof a user's identity, and
    destroy or alter data in the database. SQL
    injection occurs when malicious SQL statements
    are inserted into form fields to try and gather
    information from the database. This information
    enables the hacker to access, modify or destroy
    information in the database. With SQL injection,
    a hacker can change the price of a product, and
    gain customer information such as credit card
    numbers, passwords and contact information.
  • Use Cross-Site Scripting (XSS) attacks to have
    browsers execute their malicious payloads to
    deface your website to promote their brand or
    their hacktivist ideals. XSS occurs when
    malicious code is injected into an application
    and executes on the client side.
  • Make the site temporarily unavailable with
    Distributed Denial of Service (DDoS) attacks.
    DDoS attacks generate requests from thousands of
    IP addresses in an attempt to flood a site with
    traffic, making it impossible for the server to
    respond to requests. DDoS attacks or bots can
    slow a site down or make it temporarily
    unavailable.
  • Hijack trusted user sessions to make unwanted
    purchases on behalf of users with Cross Site
    Request Forgery (CSRF) attacks. CSRF attacks
    occur when a user is tricked into clicking a link
    or downloading an image that executes unwanted or
    unknown actions on an authenticated user session.
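The XSS and CSRF bullets above describe what the attacker does; the following is an added example (not code from the deck or from Instart Logic) of the two server-side defences that break them: escaping user-supplied text before it is rendered, and requiring a session-bound token on every state-changing request so a link or hidden image on another site cannot act on an authenticated session. The server secret, session id, form dictionaries and the comment text are all constructed for illustration.

```python
"""Added example: output escaping against XSS and a per-session CSRF token.
Everything here (secret, session id, forms) is constructed for the demo."""
import hashlib
import hmac
import html
import secrets
from typing import Optional

# Assumption: a per-deployment server secret; in a real app it is loaded
# from configuration, not generated at import time.
SERVER_SECRET = secrets.token_bytes(32)


def render_comment(untrusted_text: str) -> str:
    """Wrap a user comment in markup with every HTML metacharacter escaped,
    so the browser treats the text as data rather than as script or tags."""
    return '<p class="comment">' + html.escape(untrusted_text, quote=True) + "</p>"


def issue_csrf_token(session_id: str) -> str:
    """Derive a token bound to the session: HMAC-SHA256(secret, session id).
    The server embeds it in its own forms; a third-party page cannot compute it."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def csrf_token_is_valid(session_id: str, submitted: Optional[str]) -> bool:
    """Constant-time comparison of the submitted token with the expected one."""
    if not submitted:
        return False
    return hmac.compare_digest(issue_csrf_token(session_id), submitted)


def handle_purchase(session_id: str, form: dict) -> tuple:
    """State-changing endpoint: a request forged from another site carries the
    victim's session cookie but not the token, so it is rejected with 403."""
    if not csrf_token_is_valid(session_id, form.get("csrf_token")):
        return 403, "CSRF token missing or invalid"
    item = form.get("item", "")
    return 200, "purchase recorded for item " + html.escape(item)


if __name__ == "__main__":
    session = "sess-constructed-1234"          # constructed session id
    token = issue_csrf_token(session)
    print(render_comment("<script>alert('xss')</script>"))
    print(handle_purchase(session, {"item": "book", "csrf_token": token}))
    print(handle_purchase(session, {"item": "book"}))  # forged: no token
```

The token is derived from the session rather than stored, so validation needs no database round trip; the comparison uses `hmac.compare_digest` so an attacker cannot learn the token byte by byte from response timing.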

4
  • How Should You Protect Your Assets and Users?
  • There are different methods and tools that modern
    web application developers use to protect their
    website. There are solutions that exist for
    specific attacks, and best practices that can be
    used on an ongoing basis to protect your
    applications and users. Code reviews, bug bounty
    programs and code scanners should be implemented
    throughout the application lifecycle. Code
    reviews can help spot vulnerable code early in
    the development phase, dynamic and static code
    scanners can do automatic checks for
    vulnerabilities, and bug bounty programs enable
    professional pen testers to find bugs in the
    website.
  • Even with these best practices in place, you may
    still find yourself under attack.
  • Attack-specific solutions include:
  • Using stored procedures or prepared statements
    with parameters that are automatically
    parameterized, so user input is bound as a value
    and cannot alter the SQL statement.
  • Implementing CAPTCHA or prompting users to answer
    questions. This ensures that a form or request is
    being submitted by a human and not a bot.
  • Using a Web Application Firewall (WAF) to monitor
    your network and block potential attacks.
  • None of these methods can replace the other one;
    each brings its own value to the table and adds
    protection against certain attack scenarios. You
    cannot find all vulnerabilities by code reviews
    or bug bounty programs, nor by a web application
    firewall alone; no tool is 100% complete. A
    combination of all of these must be used to
    protect your application and users.

5
Instart Logic makes application delivery fast,
secure, and easy.
Instart Logic provides the first cloud
application delivery service in the world to
extend beyond the limited backend-only cloud
architectures of the past with an innovative,
intelligent end-to-end platform delivered as a
service. Our end-to-end platform combines
machine learning for performance and security
with a CDN for delivery. Designed for DevOps and
mobile-first applications.
Interested in learning more? Try it on your
site by creating an account for our free Starter
Edition service. Preview our image optimization
capabilities in the Playground.
Contact Sales