Popular Web Application Attacks and Recommendations


Web-based attacks against organisations' infrastructure are becoming more and more prolific, so this article looks at popular web application attacks and recommendations to ensure that you can identify, isolate and prevent attacks against your web infrastructure, including web applications and websites. Web application attacks are becoming more popular as many organisations now aim to bring services online.

For example, in a paper entitled “Digital by Default”, the author lays out a plan to make all Government services online by default, rather than offline by default, in future years. This ranges from filling out tax returns to applying for a new driving licence and even signing on for jobseeker's allowance online. This new approach will bring thousands of services online over the coming years and, more worryingly, millions of customers' sensitive and private data. With this in mind, it is imperative to secure these systems as well as traditional web applications such as banking and finance. This article will look into popular web application attacks and recommendations.

[Figure: A typical web application architecture]

What is a web based attack?

So, firstly we need to understand what constitutes a web-based attack. Traditional network attacks focus on exploiting a network or host in order to gain a foothold in the network. A web-based attack focuses primarily on layer 7 of the OSI model, the application layer, to mount an attack. It is estimated that over 70% of attacks against web applications occur at the application layer.

Application layer attacks aim to exploit a weak configuration of an application in order to gain access to data within the web application. Depending on what the service is, that data can range from publicly accessible information through to private customer data such as personal information and credit card details. An example is exploiting a poorly validated input field to inject commands that extract user data from the database. We will explore this further in the next section.

Types of Web Application Attacks

Web application attacks can be broadly split into several different types that each define a different approach to compromising the service. The following section looks at these popular web application attack approaches in more detail:

1. Spoofing

Spoofing, a popular term in all kinds of traditional network attacks, involves pretending to be another legitimate user or process in order to gain access. For example, an attacker may craft an HTTP request to steal another user's session and therefore their account information. This is a popular method of stealing a user's session, pretending to be them and therefore accessing all kinds of their information, or in the case of a banking application, withdrawing or moving money.

2. Denial of Service (DoS)

Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks focus on preventing legitimate access to a web application. This type of web application attack involves sending high levels of traffic to the web application or website, overwhelming the website's ability to process traffic and crashing the server. DDoS attacks are highly publicised and have been prolific over the past few years, with attacks often targeting organisations and Government departments both for financial gain and to disrupt organisations the attackers may not agree with.

There are multiple other approaches taken by attackers to compromise web applications and gain access to customer data. Further attacks may include:

3. Exploiting vulnerabilities in weak code

Another popular attack vector is to exploit vulnerabilities in weakly written code. Bespoke web applications will often be coded by organisations with usability, and profitability, in mind. Organisations simply wanting an effective web application for their users may forget to ensure that the application is written well and has been tested appropriately for signs of vulnerabilities.

4. Legacy versions of software

As well as identifying vulnerabilities in bespoke software, attackers can also leverage vulnerabilities present in commercial software, especially if these applications rely on out-of-date versions with publicly disclosed vulnerabilities. This is more achievable from the attacker's perspective if version numbers are displayed on the web application itself. For example, a typical attack will initially consist of reconnaissance to check for any vulnerabilities to exploit; this may involve banner grabbing techniques. If the attacker sees that an out-of-date version of software is in use, for example a weak SSL version, then the attacker can attack this service, compromise it and use it to gain a foothold within the web application.

5. SQL Injection

A classic network attack, SQL injection relies on vulnerabilities present in the design of the web application. SQL injection is one of the most popular web application attacks, as many organisations will be vulnerable to it by default through poor design. For example, a designer who fails to bound input fields with appropriate lengths and input validation checks may fall victim to SQL injection attacks.

SQL injection attacks involve entering SQL commands into input fields present on web pages and web applications. This popular web application attack works by appending SQL commands to the end of a field value so that they are executed against the database sitting behind the web application, extracting data directly from it. Organisations wishing to mitigate this risk need to ensure that input fields are appropriately configured to accept only a certain type and length of data, to prevent the input of malicious commands.

[Figure: A typical SQL injection attack, where SQL commands are allowed to be executed in the input field]

Web Application Attack Recommendations

All is not lost, however, as organisations can implement controls to detect, isolate and prevent attacks against their online web applications if configured appropriately. Intrusion Detection and Prevention Systems (IDS and IPS) can be configured to sit within the DMZ of an organisation's network and detect attacks against the web infrastructure. IDS and IPS work at the network layer to detect network-based attacks against services, data manipulation attacks on web applications and even multiple failed login attempts to privileged accounts.

Reverse web proxies can be utilised to prevent attacks against application servers. The reverse web proxy acts as an intermediary between the user and the web application and applies filters to prevent malicious commands or inappropriate content from reaching the application. By standing between the user and the application, the reverse web proxy acts as a barrier, and any attacks can be passed through the filters on the reverse web proxy. Advanced firewalls can be configured to be application-aware, inspecting traffic for malicious commands or malformed packets. This should also be a consideration for organisations when deciding to put web applications online.

In conclusion, we have looked at popular web application attacks and recommendations to prevent organisations from being compromised. These, and a multitude of other popular web application attacks, are what organisations need to be wary of; however, with an appropriate tiered web architecture and monitoring controls the risks to these services can be minimised. IDS and IPS are a starting point, alongside an appropriately configured web proxy; however, organisations should continue to remain proactive, conducting penetration testing style attacks against their own web applications externally and monitoring the risks to their service.

About Lee Hazell

Lee Hazell is a cyber security consultant with a keen interest in anything tech or security related.
