Web application security is a central component of any web-based business. The global nature of the Internet exposes web properties to attack from different locations and various levels of scale and complexity. Web application security deals specifically with the security surrounding websites, web applications and web services such as APIs.
XSS is a vulnerability that allows an attacker to inject client-side scripts into a web page in order to access important information directly, impersonate the user, or trick the user into revealing important information.
Sqi is a method by which an attacker exploits vulnerabilities in the way a database executes search queries. Attackers use Sqi to gain access to unauthorized information, modify or create new user permissions, or otherwise manipulate or destroy sensitive data.
Buffer overflow is an anomaly that occurs when software writing data to a defined space in memory known as a buffer. Overflowing the buffer’s capacity results in adjacent memory locations being overwritten with data. This behavior can be exploited to inject malicious code into memory, potentially creating a vulnerability in the targeted machine.
Cross site request forgery involves tricking a victim into making a request that utilizes their authentication or authorization. By leveraging the account privileges of a user, an attacker is able to send a request masquerading as the user. Once a user’s account has been compromised, the attacker can exfiltrate, destroy or modify important information. Highly privileged accounts such as administrators or executives are commonly targeted.
Distributed denial-of-service attacks target websites and online services. The aim is to overwhelm them with more traffic than the server or network can accommodate. The goal is to render the website or service inoperable.
The traffic can consist of incoming messages, requests for connections, or fake packets. In some cases, the targeted victims are threatened with a DDoS attack or attacked at a low level. This may be combined with an extortion threat of a more devastating attack unless the company pays a cryptocurrency ransom. In 2015 and 2016, a criminal group called the Armada Collective repeatedly extorted banks, web host providers, and others in this way.
Different than specific attack vectors, a data breach is a general term referring to the release of sensitive or confidential information, and can occur through malicious actions or by mistake. The scope of what is considered a data breach is fairly wide, and may consist of a few highly valuable records all the way up to millions of exposed user accounts.
Most web applications limit what users can see or do, whether it is accessing another user’s personal data or a restricted area.
However, the access control mechanisms that enforce these limits are usually bespoke implementations and often deeply flawed. Attackers can bypass these controls or abuse them to access unauthorized functionality or data, such as access other users’ accounts, view sensitive files, modify other users’ data, perform administrative actions, and more.
While we try to make our systems immune to all possible attacks, realistically we need to accept that some attacks will get through our defenses. However, a resilient defense should include several layers. This includes the possibility of detecting those attacks that succeeded despite all our efforts, preferably as soon as possible.