Title: 4 Common Web Application Security Attacks and What You Can Do to Prevent Them
For a long period of time, less malware was written targeting Mac operating systems than Windows. This led to a debate about whether this is because of the strength of the Mac, or simply because there were more Windows users, making Windows more worth a hacker's time. As the Mac OS has grown in popularity, there has been an increase in Trojans and other malware that can potentially infect Macs.

Not only do browsers need to be protected against attacks, but the web application also needs to be protected.

What Motivates Hackers?

If you store sensitive user information in your database, users expect you to keep their information confidential. However, chances are that right at this moment hackers are poking around your website to find a vulnerability to exploit. What are some of the motivations attackers might have?

- Proving they are a great hacker to the community
- Destroying your database and causing great loss to your company
- Stealing user data on the fly using a man-in-the-middle attack
- Downloading sensitive user information and selling it on the black market

In the latter case, you might not even notice there was an attack, and the attacks might continue silently for a long period of time.

What Makes an Application a Target?

Different web applications have different functions and purposes, but all applications can be a target for hackers. What makes an application a target?

- Popularity: If you have a popular website, you get a great number of visits every second. You probably have many competitors too, and damage to your brand can help a competitor. Your website's performance and availability is one of the main advantages you have over all the others. Attacks on popular websites also tend to be more newsworthy if the hacker is looking for bragging rights.
- Protest/Politics: Groups like Anonymous orchestrate attacks on government, religious and corporate websites for fun or to make a statement.
- Disgruntled employees: Not all attacks come from the outside; often attacks are orchestrated or assisted with the help of somebody on the inside.
What Are the 4 Most Common Attacks?

Hackers have a lot of choices for attack vectors, but here are the 4 most common things they try first:

- Carry out SQL injection attacks to gain access to the database, spoof a user's identity, and destroy or alter data in the database. SQL injection occurs when malicious SQL statements are inserted into form fields to try and gather information from the database. This information enables the hacker to access, modify or destroy information in the database. With SQL injection, a hacker can change the price of a product, and gain customer information such as credit card numbers, passwords and contact information.
- Use Cross-Site Scripting (XSS) attacks to have browsers execute their malicious payloads, defacing your website to promote their brand or their hacktivist ideals. XSS occurs when malicious code is injected into an application and executes on the client side.
- Make the site temporarily unavailable with a Distributed Denial of Service (DDoS) attack. DDoS attacks generate requests from thousands of IP addresses in an attempt to flood a site with traffic, making it impossible for the server to respond to requests. DDoS attacks or bots can slow a site down or make it temporarily unavailable.
- Hijack trusted user sessions to make unwanted purchases on behalf of users with Cross-Site Request Forgery (CSRF) attacks. CSRF attacks occur when a user is tricked into clicking a link or downloading an image that executes unwanted or unknown actions on an authenticated user session.
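As an added example (not from the original whitepaper) of defending against the last two attacks listed above, the following Python handler for a hypothetical purchase form rejects forged cross-site requests with a session-bound CSRF token and HTML-escapes user input before reflecting it, so an injected script is rendered as text instead of executing in the browser. The function names, the session ids and the server secret are assumptions constructed for illustration.

```python
import hashlib
import hmac
import html
import secrets
from typing import Dict, Optional, Tuple

# Constructed server-side secret for this example; a real deployment loads it from config.
SECRET_KEY = secrets.token_bytes(32)


def csrf_token_for(session_id: str) -> str:
    """Synchronizer token bound to one session: HMAC(secret, session_id).
    The server embeds it in its own forms; a page on another origin cannot read it."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def csrf_token_valid(session_id: str, submitted: Optional[str]) -> bool:
    """Constant-time comparison so the check leaks nothing through timing."""
    if not submitted:
        return False
    return hmac.compare_digest(csrf_token_for(session_id), submitted)


def handle_purchase(session_id: str, form: Dict[str, str]) -> Tuple[int, str]:
    """Simulated POST /purchase handler for an authenticated session.
    Returns (HTTP status, HTML body)."""
    # CSRF defence: a forged cross-site request rides on the session cookie
    # but cannot supply the session-bound token, so it is rejected here.
    if not csrf_token_valid(session_id, form.get("csrf_token")):
        return 403, "<p>Rejected: missing or invalid CSRF token.</p>"
    qty = form.get("qty", "1")
    if not qty.isdigit() or int(qty) < 1:
        return 400, "<p>Rejected: quantity must be a positive integer.</p>"
    item = form.get("item", "")
    # XSS defence: user-controlled text is HTML-escaped before it is reflected
    # into the confirmation page, so a script payload is shown as plain text.
    return 200, f"<p>Ordered {qty} x {html.escape(item)}</p>"
```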
How Should You Protect Your Assets and Users?

There are different methods and tools that modern web application developers use to protect their website. There are solutions that exist for specific attacks, and best practices that can be used on an ongoing basis to protect your applications and users. Code reviews, bug bounty programs and code scanners should be implemented throughout the application lifecycle. Code reviews can help spot vulnerable code early in the development phase, dynamic and static code scanners can do automatic checks for vulnerabilities, and bug bounty programs enable professional pen testers to find bugs in the website.

Even with these best practices in place, you may still find yourself under attack.

Attack-specific solutions include:

- Using stored procedures with parameters that are automatically parameterized.
- Implementing CAPTCHA or prompting users to answer questions. This ensures that a form or request is being submitted by a human and not a bot.
- Using a Web Application Firewall (WAF) to monitor your network and block potential attacks.

None of these methods can replace the others; each brings its own value to the table and adds protection against certain attack scenarios. You cannot find all vulnerabilities by code reviews or bug bounty programs, nor by a web application firewall alone; no tool is 100% complete. A combination of all of these must be used to protect your application and users.
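The following Python example (added here; it is not Instart Logic's code) ties the SQL injection description in the previous section to the parameterized-query mitigation listed in this one: the same form-field value is run through a vulnerable string-built query and through a parameterized one against a constructed in-memory SQLite table. The table, its customer rows, the injected input and the function names are constructed for illustration.

```python
import sqlite3
from typing import List, Tuple


def make_db() -> sqlite3.Connection:
    """Constructed in-memory customer table standing in for the real database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (name TEXT, email TEXT, card_last4 TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?, ?)",
        [
            ("alice", "alice@example.com", "1111"),
            ("bob", "bob@example.com", "2222"),
            ("carol", "carol@example.com", "3333"),
        ],
    )
    return conn


def find_customer_unsafe(conn: sqlite3.Connection, name: str) -> List[Tuple]:
    """Vulnerable: the form field is spliced into the SQL text, so a quote in
    the input becomes part of the statement and can rewrite its WHERE clause."""
    sql = "SELECT name, email, card_last4 FROM customers WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_customer_safe(conn: sqlite3.Connection, name: str) -> List[Tuple]:
    """Fixed: the value is bound as a parameter. The driver passes it as data,
    never as SQL, which is the same guarantee a parameterized stored
    procedure gives."""
    sql = "SELECT name, email, card_last4 FROM customers WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# Constructed form-field value of the kind the text describes: the quote closes
# the intended literal and the tautology that follows makes every row match.
INJECTED_INPUT = "nobody' OR '1'='1"


def compare(name: str) -> Tuple[int, int]:
    """Row counts returned by the vulnerable and the fixed lookup for one input."""
    conn = make_db()
    return len(find_customer_unsafe(conn, name)), len(find_customer_safe(conn, name))
```

With the injected input the vulnerable lookup returns every customer row (the data leak the text describes), while the parameterized lookup returns none because the whole string is treated as a literal name.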
Instart Logic makes application delivery fast, secure, and easy.

Instart Logic provides the first cloud application delivery service in the world to extend beyond the limited backend-only cloud architectures of the past with an innovative, intelligent end-to-end platform delivered as a service. Our end-to-end platform combines machine learning for performance and security with a CDN for delivery. It is designed for DevOps and mobile-first applications.