Basic Overview of Web Application Security Issues


Web application security is too wide a field to be treated comprehensively in this article. It therefore concentrates on describing the well-known attack vectors against web applications.

Attacks against a web application can be blocked by eliminating vulnerabilities during implementation or by deploying an upstream web application firewall.

SQL Injection

In a SQL injection, the attacker sends requests to the server whose parameters carry SQL control characters.

If the web application passes these control characters on unchecked as part of an SQL query to the database, they become part of the query itself, and the attacker can read data that is not reachable through the application's normal paths.
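The following is an added example, not code from the article, that shows the two cases described above side by side: a lookup that pastes the request parameter into the query text, and the same lookup as a parameterised query. The table, rows and the sample input are constructed for the example; sqlite3 from the standard library stands in for the application's database.

```python
import sqlite3


def make_db():
    # Constructed in-memory table standing in for the application's user store.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [
            ("alice", "alice@example.test", "user"),
            ("bob", "bob@example.test", "user"),
            ("admin", "admin@example.test", "admin"),
        ],
    )
    return conn


def lookup_vulnerable(conn, name):
    # The request parameter is pasted straight into the query text, so SQL
    # control characters (quotes, OR, comment markers) inside `name` become
    # part of the query's structure instead of being treated as a value.
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    # Parameterised query: the driver transmits `name` as a bound value, so the
    # same control characters are compared literally and cannot alter the query.
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo():
    # Compare both lookups on an honest value and on one carrying SQL control
    # characters (constructed sample input).
    conn = make_db()
    honest = "alice"
    hostile = "x' OR '1'='1"
    return {
        "vuln_honest": lookup_vulnerable(conn, honest),
        "vuln_hostile": lookup_vulnerable(conn, hostile),
        "safe_hostile": lookup_safe(conn, hostile),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

With the concatenated query the hostile value returns every row of the table, including the admin account; with the bound parameter the same value matches nothing, because the database compares it as a literal string. The fix is the parameter binding, not filtering of quote characters, which is why the safe version does not inspect its input at all.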

Cross-site scripting

Behind the name cross-site scripting (XSS) hide two (by some accounts three) fundamentally different attacks.

In client-side cross-site scripting, the attacker smuggles HTML control characters and code in a client-side scripting language such as JavaScript into a web page, so that the code runs in the victim's web browser.

This attack exploits vulnerabilities in the local execution of scripts or initiates a cross-site request forgery.

Server-side XSS refers to smuggling manipulated data into a script running on the web server, so that, for example, a dynamically built include() statement executes a file chosen by the attacker (possibly even one fetched from another server).
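As an added example (not part of the article), the block below covers both variants just described. For the client-side case it renders an untrusted comment into HTML once verbatim and once with the HTML control characters escaped; for the server-side case it resolves a request value against a fixed allow-list so that the value never reaches an include() as a path or URL. The page map and the sample comment are constructed.

```python
import html

# Constructed allow-list standing in for the templates an include() may load.
ALLOWED_PAGES = {
    "home": "templates/home.html",
    "about": "templates/about.html",
}


def render_comment_vulnerable(comment):
    # Untrusted text is spliced into the page verbatim, so '<', '>' and quotes
    # inside it are parsed as markup by the victim's browser.
    return '<p class="comment">' + comment + "</p>"


def render_comment_safe(comment):
    # html.escape converts the HTML control characters into entities, so the
    # browser displays them as text instead of interpreting them as tags.
    return '<p class="comment">' + html.escape(comment, quote=True) + "</p>"


def include_is_allowed(page):
    # The request value may only name an entry of the fixed map; anything else
    # (a file path, a URL to another server) is rejected before include().
    return page in ALLOWED_PAGES


def resolve_include(page):
    # Server-side counterpart of the escaping above: map the request value to a
    # template the application chose, never use the value itself as a location.
    if not include_is_allowed(page):
        raise ValueError(f"unknown page {page!r}")
    return ALLOWED_PAGES[page]


if __name__ == "__main__":
    sample = "<script>/* constructed sample */</script>"
    print(render_comment_vulnerable(sample))
    print(render_comment_safe(sample))
    print(resolve_include("home"))
```

Escaping must happen at the point where text is placed into HTML, since the same string may be safe in one context (a database column) and dangerous in another (a page). The allow-list for includes follows the same idea: decide on the server which files may be loaded, and let the request only pick among them.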

Session Hijacking

Since HTTP is a stateless protocol, a web application identifies a user by a session ID that is supplied with each request through Basic/Digest authentication, cookies, URL rewriting, or HTTP form parameters (GET or POST).

In session hijacking, the attacker tries to learn the user's session ID and then assumes the victim's identity, together with the victim's access rights to the web application.

Cross-Site Request Forgery

Cross-site request forgery presupposes an existing session between the user and the web application. The attacker uses various techniques (possibly XSS), or induces the user by way of a client-side script, to make the user's browser call a malicious URL within that session.

Unlike session hijacking, the attacker gains no knowledge of the session ID, since the attack takes place entirely within the user's browser.
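The following added example (not code from the article) serves the two preceding sections together. It issues session IDs from the OS random generator so they cannot be guessed, sets the cookie attributes that limit where the ID travels, and protects a state-changing request with a per-session token that a page on another site cannot obtain. The in-memory session store and the handler's status codes are constructed for the example.

```python
import hmac
import secrets

# Constructed in-memory session store: session ID -> session data.
SESSIONS = {}


def create_session(user):
    # 32 random bytes (256 bits) from the OS CSPRNG: the ID can be neither
    # guessed nor derived, so hijacking has to capture it in transit or in
    # the browser, which the cookie attributes below make harder.
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def session_cookie_header(sid):
    # Secure: sent only over TLS; HttpOnly: invisible to page scripts (XSS);
    # SameSite=Lax: not attached to cross-site POST requests (CSRF).
    return f"Set-Cookie: session={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"


def csrf_token_for(sid):
    # The per-session token is embedded in the application's own forms; a page
    # on another site cannot read it and therefore cannot submit it.
    return SESSIONS[sid]["csrf"]


def handle_transfer(cookie_sid, form_csrf):
    # State-changing request: accept only with a known session AND a token that
    # matches the one issued to that session. Returns an HTTP status code.
    sess = SESSIONS.get(cookie_sid)
    if sess is None:
        return 401  # no or unknown session ID
    if form_csrf is None or not hmac.compare_digest(
        sess["csrf"].encode(), form_csrf.encode()
    ):
        return 403  # cookie present but token missing or wrong: forged request
    return 200


if __name__ == "__main__":
    sid = create_session("alice")
    print(session_cookie_header(sid))
    print("own form:", handle_transfer(sid, csrf_token_for(sid)))
    print("cross-site form:", handle_transfer(sid, None))
    print("guessed session:", handle_transfer("not-a-real-id", "x"))
```

A forged cross-site request arrives with the victim's cookie, exactly as the section above describes, but without the token, and is therefore refused with 403; a request with a guessed session ID is refused earlier with 401. The constant-time comparison avoids leaking the token byte by byte through timing.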

E-mail injection

In an e-mail injection, the attacker submits manipulated data through a contact form so that, instead of the message going to the recipient intended by the provider of the web application, e-mails are sent to arbitrary recipients. This is usually abused for sending spam.
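As an added example (not from the article), the block below builds the raw message for a contact form and refuses any form field that contains a line break, since a CR or LF inside a header value is what lets further headers, and so further recipients, be appended. The recipient address is fixed in the application and never taken from the form. The form dictionaries and addresses are constructed.

```python
import re

LINE_BREAK = re.compile(r"[\r\n]")
# Deliberately simple address check; a full RFC 5322 parser is out of scope.
ADDRESS = re.compile(r"^[^@\s<>]+@[^@\s<>]+\.[^@\s<>]+$")

# Recipient fixed by the application, never taken from the form (constructed).
CONTACT_ADDRESS = "contact@example.test"


def has_header_injection(value):
    # A CR or LF inside a header value terminates that header line, so the
    # remainder of the value would be parsed as additional headers.
    return bool(LINE_BREAK.search(value))


def build_contact_mail(form):
    # Build the raw message text for a contact form submission.
    # `form` is a dict with the keys name, reply_to, subject and body.
    for field in ("name", "reply_to", "subject"):
        if has_header_injection(form.get(field, "")):
            raise ValueError(f"line break in header field {field!r}")
    if not ADDRESS.match(form["reply_to"]):
        raise ValueError("invalid reply address")
    headers = [
        f"To: {CONTACT_ADDRESS}",
        f"Reply-To: {form['reply_to']}",
        f"Subject: [contact form] {form['subject']}",
    ]
    return "\r\n".join(headers) + "\r\n\r\n" + form["body"]


def form_is_accepted(form):
    try:
        build_contact_mail(form)
        return True
    except ValueError:
        return False


def recipient_headers(raw_message):
    # List the To/Cc/Bcc headers of a raw message; a clean one has exactly one.
    head = raw_message.split("\r\n\r\n", 1)[0]
    return [
        line for line in head.split("\r\n")
        if line.split(":", 1)[0] in ("To", "Cc", "Bcc")
    ]


# Constructed sample submissions: one honest, one with a line break in the subject.
GOOD_FORM = {
    "name": "Alice",
    "reply_to": "alice@example.test",
    "subject": "Question",
    "body": "Hello",
}
HOSTILE_FORM = dict(GOOD_FORM, subject="Question\r\nBcc: someone@example.test")


if __name__ == "__main__":
    print(recipient_headers(build_contact_mail(GOOD_FORM)))
    print("hostile form accepted:", form_is_accepted(HOSTILE_FORM))
```

Rejecting the submission outright is preferable to stripping the line breaks, because a stripped value still signals that the form is being probed and the event is worth logging. Where a mail library is used instead of hand-built text, the same check belongs in front of every header it is handed.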

The following attacks are not aimed at the web application itself, but are commonly encountered in its environment:

Man-in-the-middle attack

In a man-in-the-middle attack (MitM), the attacker interposes himself in the connection without the victim noticing.

This puts the attacker in a position to manipulate requests to the web application at will. Encrypting the data transfer with SSL becomes necessary to counter this.

This protection is also ineffective, however, if the attacker can obtain an SSL certificate for the website concerned from an issuer whose root certificate is installed in the victim's browser.
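As an added example (not from the article), the block below shows the client-side settings that decide whether an interposed party is detected: the hardened TLS context that verifies the certificate chain and host name, the weak variant that encrypts but accepts any certificate, and a certificate fingerprint check ("pinning") that addresses the caveat above, since it accepts only the expected certificate regardless of which trusted issuer signed it. The DER bytes used to demonstrate the pin are constructed, not a real certificate.

```python
import hashlib
import ssl


def make_client_context(verify=True):
    # Client-side TLS settings. The default context loads the platform's
    # trusted root CAs and checks both the certificate chain and the host name.
    ctx = ssl.create_default_context()
    if verify:
        ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    else:
        # Weak setting: traffic is still encrypted, but any certificate from
        # anyone is accepted, so an interposed party goes unnoticed.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_is_hardened(ctx):
    # The three properties a deployment check should confirm on every client.
    return bool(
        ctx.check_hostname
        and ctx.verify_mode == ssl.CERT_REQUIRED
        and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
    )


def cert_fingerprint(der_cert):
    # SHA-256 over the DER encoding, the value usually recorded as a "pin".
    return hashlib.sha256(der_cert).hexdigest()


def cert_matches_pin(der_cert, expected_fingerprint):
    # Pinning: accept the server only if its certificate matches the fingerprint
    # recorded out of band. A certificate the attacker obtained from a trusted
    # issuer passes chain validation but fails this check.
    return cert_fingerprint(der_cert) == expected_fingerprint


if __name__ == "__main__":
    print("hardened:", context_is_hardened(make_client_context()))
    print("weak:", context_is_hardened(make_client_context(verify=False)))
    constructed_der = b"not a real certificate, constructed for the example"
    pin = cert_fingerprint(constructed_der)
    print("pin ok:", cert_matches_pin(constructed_der, pin))
```

In a real client the DER bytes come from the established socket (getpeercert(binary_form=True)) and the pin from configuration; the comparison is then made before any request is sent. Pins must be rotated together with the certificate, so deployments usually record the fingerprints of both the current and the next certificate.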

Denial of Service

In a denial of service (DoS) attack, the attacker tries to overwhelm the web server with a large number of connection requests.

When the attack is mounted simultaneously from several (possibly several thousand) computers, it is called a distributed denial-of-service (DDoS) attack. DoS is not limited to web applications, but can be directed against any kind of server.
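The following is an added example (not from the article) of the per-client rate limiting a web server or upstream firewall applies against a flood of connection requests: a sliding window that admits at most a fixed number of requests per client within the window and rejects the rest. The request log it runs over is constructed.

```python
from collections import deque


class RateLimiter:
    """Allow at most `limit` requests per `window` seconds for each client key."""

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        self.hits = {}  # client key -> deque of request timestamps

    def allow(self, key, now):
        q = self.hits.setdefault(key, deque())
        # Drop timestamps that have left the window, then compare the rest.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def rejected_counts(limit, window, log):
    # Replay (timestamp, client) records in order and count rejections per client.
    limiter = RateLimiter(limit, window)
    rejected = {}
    for ts, client in log:
        if not limiter.allow(client, ts):
            rejected[client] = rejected.get(client, 0) + 1
    return rejected


# Constructed request log: one client sends 50 requests within half a second,
# another sends two normal requests in the same period.
SAMPLE_LOG = [(i * 0.01, "10.0.0.9") for i in range(50)] + [
    (0.5, "192.0.2.7"),
    (0.9, "192.0.2.7"),
]


if __name__ == "__main__":
    print(rejected_counts(20, 1.0, SAMPLE_LOG))
```

With a limit of 20 requests per second, the flooding client has 30 of its 50 requests rejected while the normal client is untouched. Note the limit of this measure against the distributed form described above: when thousands of sources each stay under the threshold, per-client limiting admits all of them, and capacity or upstream filtering has to take over.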

