Friday, October 4, 2024
HomeWeb ApplicationsWeb Application Attacks - Types, Impact & Mitigation - Part-1

Web Application Attacks – Types, Impact & Mitigation – Part-1

Published on

With this article, we list some of the common web application attacks, impacts, and possible mitigation. In part -1 we are covering the following attacks.

  • Local File Inclusion
  • Malicious File Upload
  • Clear Text Traffic
  • Http parameter pollution attack
  • Link Injection
  • Session ID without session attribute
  • Auto-Complete Attribute Not Set to Off

Local File Inclusion

Local File Inclusion is the process of including files on a server through the web browser. This vulnerability occurs when a page include is not properly sanitized and allows directory traversal characters to be injected.

Impact

An attacker can gain access to the server and launch further attacks to compromise the service.

- Advertisement - EHA

Mitigation

It is recommended to filter metacharacters from user input. Ensure that the latest version of the webserver is installed and all patches have been applied.

Malicious File Upload

 when the application has options to upload files. The application allows executable files also to be uploaded. This would allow an adversary to upload a malicious file to the web server and attempt to execute it.

Impact

An attacker may be able to upload malicious files like Trojans or files with a malicious server-side script, potentially leading to server compromise

Mitigation

It is recommended implementing server side validation routine which performs filtering based on:

a) File extensions, b) Content-Types, c) Magic Numbers, d) File Size

The application should validate the type of the file that is uploaded by the user prior to accepting and parsing the file. more, all files uploaded should be scanned by anti-virus software updated with the latest signatures and to remove execute permissions on your file upload directory

Clear Text Traffic

when entire traffic is served over HTTP. A man in the middle can obtain a lot of sensitive information by sniffing this cleartext traffic.

Impact

An attacker who is able to sniff network traffic may obtain sensitive information.

Mitigation

It is recommended to implement TLS1.1, TLS 1.2 encryption

Http Parameter Pollution Attack

HTTP Parameter Pollution pollutes the HTTP parameters of a web application in order to perform or achieve a specific malicious task/attack different from the intended behavior of the web application.

This attack can be realized is because the input is not sanitized. HPP injects encoded query string delimiters in existing or other HTTP parameters (i.e. GET/POST/Cookie), which make it feasible to supersede parameter values that already exist to inject a new parameter or exploit variables from direct access.

Impact

  •  Supersede existing hardcoded HTTP parameters.
  • Alter or modify the intended/normal application behavior.
  • Access and potentially exploit variables that are not been controlled properly.
  • Bypass WAF’s rules or input validation mechanisms.

Mitigation

proper input validation should be performed

Link Injection

when Application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect.

Impact

The user may be redirected to an un-trusted page that contains malware which may then compromise the user’s machine or for phishing attacks. URL redirection also facilitates CSRF(Cross-Site Request Forgery)

Mitigation

It’s recommended to disable redirection to external sites based on parameter values and implement input validation for critical parameters.

Session ID without session attribute

session attributes such as “HTTPOnly”, “Secure” & “Domain” name are not set with Session IDs.

Impact

The “HTTPOnly” attribute make sure that the cookies can be accessed via HTTP methods only. Without this attribute, other entities (mainly java code) can be used to access the cookies.

This increases the threat posed by XSS attacks as the cookies can be stolen using them. However, if this attribute is applied, java scripts cannot access the session cookies.

Without “Secure” attribute the application can transfer the session cookie over unencrypted channel

Without “Domain” attribute the cookie can be used by other domains and facilitate cross-site request forgery.

Mitigation

It’s recommended to set the session attributes such as HTTPOnly, Secure and Domain Name with Session ID.

Auto-Complete Attribute Not Set to Off

The value of the “AutoComplete” attribute is not set to “off”. This allows browsers to store information entered by the user in the cache memory.

Impact

An attacker may use this flaw to recover the entered “username” and “password” from the browser cache.

Mitigation

  1. The attribute “autocomplete” should be added to the source code for all the input fields accepting sensitive information
  2. And the value of this attribute should be set to “off”

You can read the Part 2 here.

Related Read

Top 8 Best Web Security and Hacking Software for Security Professionals in 2020

Most Important Web Server Penetration Testing Checklist

Latest articles

Prince Ransomware Hits UK and US via Royal Mail Phishing Scam

A new ransomware campaign targeting individuals and organizations in the UK and the US...

Microsoft, DOJ Dismantle Domains Used by Russian FSB-Linked Hacking Group

Microsoft and the U.S. Department of Justice (DOJ) have successfully dismantled a network of...

Cloud Penetration Testing Checklist – 2024

Cloud Penetration Testing is a method of actively checking and examining the Cloud system...

Linux Malware perfctl Attacking Millions of Linux Servers

Researchers have uncovered a sophisticated Linux malware, dubbed "perfctl," actively targeting millions of Linux...

Free Webinar

Decoding Compliance | What CISOs Need to Know

Non-compliance can result in substantial financial penalties, with average fines reaching up to $4.5 million for GDPR breaches alone.

Join us for an insightful panel discussion with Chandan Pani, CISO - LTIMindtree and Ashish Tandon, Founder & CEO – Indusface, as we explore the multifaceted role of compliance in securing modern enterprises.

Discussion points

The Role of Compliance
The Alphabet Soup of Compliance
Compliance
SaaS and Compliance
Indusface's Approach to Compliance

More like this

Gesture Jacking – New Attack That Deceives Website Visitors

The Web Platform is incredibly powerful, but regrettably, malicious websites will do all in...

Web Server Penetration Testing Checklist – 2024

Web server pentesting is performed under three significant categories: identity, analysis, and reporting vulnerabilities such as...

Most Popular Websites Still Allow Users To Have Weak Passwords

The latest analysis shows that tens of millions of people are creating weak passwords...