Defending Against Common Types of Web Application Attacks

Web application attacks are on the rise and studies show they are one of be the biggest causes of data breaches. Nearly half (43%) of 3,950 data breaches were traced to attacks against web applications, in one report, a number that doubled from 2019 to 2020.[i] Because these attacks are becoming more common, it’s important for organizations to know what they’re up against, how to mitigate risks and how to secure websites against them.

What Is a Web Application?

A web application is software that runs on a web server and can be accessed by a user through a web browser with an active internet connection. This differs from local software apps, which run directly on a user’s device. Web applications are usually easy to install on the user’s end, and can often be customized to meet a business’s specifications. Web application examples include hosted email and messaging, content management systems and e-commerce services.

When a user accesses a web application, it triggers a request to the web server over the internet. The web application queries a content database, then generates content according to the client’s (user’s machine’s) request. The web application server sends the results back to the web server, which interprets and runs the scripts and displays the requested content on the user’s display.

Why Are Web Applications Vulnerable to Attacks?

Web applications can be exposed to attacks for a variety of reasons, including system flaws that stem from improper coding, misconfigured web servers, application design flaws or failure to validate forms. These weaknesses and vulnerabilities allow attackers to gain access to databases that can contain sensitive information. Because web applications must be available to customers at all times, they’re an easy target for attackers to exploit.

Cloud containers, which package application software with the elements needed to run it, have recently been identified as particularly vulnerable when they are not properly secured or they include insecure elements.[ii] The use of open source code and reliance on application programming interfaces (APIs) have also been exacerbating security issues.[iii]

Common Types of Web Application Attacks

Web applications can be attacked through a variety of vectors. Common types of web attacks include cross-site scripting, SQL injection, path traversal, local file inclusion and distributed denial of service (DDoS) attacks.

• Cross-site scripting (XSS): In an XSS attack, an attacker injects a piece of malicious code onto a trusted website or web-based app. Because the user’s browser thinks the script came from a trusted source, it will execute the script. XSS attacks can be used to steal data or perform other malicious acts on the visitor’s computer. While this method is considered unsophisticated, it’s common and can do significant harm.
• SQL injection (SQLI): SQLIs occur when an attacker meddles with the queries that a web application makes to its database. An SQLI can allow intruders to get sensitive data from the database. An attacker might modify or delete this data, or inject code that can change the web application's content or behavior.
• Path traversal: This attack, also known as directory traversal, allows the bad actor to manipulate paths to folders outside the web root folder, which can then be used to access web application files, directories and commands.
• Local file inclusion: This technique tricks the web application into exposing or running its files on the web server. These attacks occur when the web app treats a malicious attack as “trusted input.” An attacker may use path or directory traversal to learn about the files on the server, and then prompt the web app to run the local file. Local file inclusions can lead to information disclosure, XSS and remote code execution.
• DDoS attacks: These attacks happen when an attacker bombards a server with web requests. Attackers may use a network of compromised computers or bots to mount this attack, which can paralyze a server and prevent legitimate visitors from gaining access to your services.
• Cross-site request forgery (CSRF): CSRFs occur when an attacker tricks or forces an end user to execute unwanted actions on an application in which they are already authenticated. This might be executed through a link via email or chat and, if successful, can result in a transfer of funds or change in email address, for example.
• XML external entity (XXE): This attack relies on an improperly configured XML parser within an application’s code. This attack can lead to the disclosure of confidential data like passwords, denial of service, server-side request forgery and other system impacts.

Tips to Protect Against Website Attacks

Even though there are a variety of web application attacks, there are also processes, technologies and methods to protect against them. Different approaches to web application security address different vulnerabilities.

• Automated vulnerability scanning and security testing help organizations find, analyze and mitigate vulnerabilities and misconfigurations — hopefully before the actual attack occurs. This testing helps organizations identify security weaknesses that need to be resolved.
• Web application firewalls are hardware and software solutions that protect against application security threats by filtering, monitoring and blocking malicious traffic from traveling to the web application. These tools are continuously updated with new rules designed to catch the latest attack and exploitation techniques.
• Secure development testing is a practice in which security teams consider the threats and attacks that might have an impact on an application or product to help make it as secure as possible. Secure development testing can uncover the latest security risks and attack vectors early in the product lifecycle. It also helps in developing effective approaches to preventing website attacks and minimizing the consequences of breaches.

The Bottom Line

Web application attacks can be devastating events for organizations, which is why it is crucial to understand the types of attacks that can occur as well as how to best secure web applications. With proper development, testing and security processes and programs in place, businesses can mitigate risks and protect their web applications against it.

[i] “2020 Data Breach Investigation Report,” Verizon

[ii] “96% of third-party container applications deployed in cloud infrastructure contain known vulnerabilities,” ZDNet

[iii] “The State of Application Security, 2021,” Forrester