Common Web Security Threats

Web Security is about ensuring the data safety while transmission of data between the client and the server as well as stored data in the database , we can achieve the security in many ways ensuring the confidentiality , integrity and availability of the data

Confidentiality : Is all about ensuring that only an authorized application or user should able to access the data.

Integrity : during exchange of the data between the client and the server the data should not be altered and also when the data is stored in the database.

Availability : Where the data should be available to the users 24/7 with out any issues.

Some Common Web Security Threats are :

a. Injection Attacks :

When we talk about injection attacks we think about SQL Injection that is the first thing that strikes in our mind when we get the word "injection attack" , but there are also several injection attacks are there that includes command injection, html injection, LDAP injection , XPath injection and many more , these are quite and mostly occurred attacks out of which SQL injection is the main part that to be resolved.

For eg : A web application login form takes a username and password to login in to the account ,

SELECT * FROM users WHERE username = 'user1' AND password = 'password123';        

but when an malcious person enters the following inplace of the login details, Username: user1

Password: ' OR '1'='1

The Resulting Query was gonna changes to as following

SELECT * FROM users WHERE username = 'user1' AND password = '' OR '1'='1';        

where 1 = 1 is always true , hence user gets logged in, where to over come form the SQL injection the developer must write clean code for validating the input values before rendering in to the SQL command in order to over come this such type of attacks.

there is nothing much to talk about command injection , just stooping the users to ping the server can overcome from this attack , as these attacks are not commonly occurred.

b. cross-site scripting (xss) :

where some JavaScript files are injected in to the users viewing page and these script file run over there and extract all the useful and sensitive data , these xss vulnerabilities occurs due to improper validation of the user's input data. When web applications fail to validate, sanitize, or escape input, attackers can inject malicious scripts into:

• URLs
• Form fields (e.g., comments, search bars)
• Cookies
• HTTP headers

a. Input Validation and Sanitization

• Validate and sanitize all user inputs to ensure they don’t contain malicious code.
• Example: Strip out special characters like <, >, and &.

b. Use Secure Libraries and Frameworks

• Use frameworks like React, Angular, or Vue.js, which automatically escape user input by default.

There are so many ways in order to over come from the xss attacks.

XSS is a widespread and dangerous vulnerability that can have severe consequences, including data theft, session hijacking, and malware distribution. Preventing XSS requires a multi-layered approach, including proper input validation, output encoding, secure development practices, and regular security testing.

c. Cross-Site Request Forgery (CSRF) :

When an user logins in to an legitimate application , the website stores an authentication cookie in their browser . This cookie keeps the user logged in.The attacker sends the victim a malicious link or embeds a hidden request on a webpage that the victim visits (e.g., in an email, social media post, or another website). The victim unknowingly interacts with the malicious content, like clicking a link or loading a hidden form.When the victim’s browser sends the malicious request, it automatically includes the victim's authentication cookie (since they are still logged in). The trusted web application thinks this request is coming from the legitimate user. The web application processes the request (e.g., transferring money, changing account settings) without realizing it was initiated by an attacker.

To stop CSRF attacks, developers need to do the following things:

• Use CSRF tokens in forms.
• Set cookies with the SameSite attribute.
• Validate the Referer or Origin headers.

This ensures that only legitimate requests are processed.

d. Broken Authentication and Session Management :

This can be happen due to various reasons that occur when the mechanisms for user authentication and session handling in a web application are improperly implemented , this helps attackers to steal or find out the credentials easily. this may occur due weak password policies implemented by the applications or due to Session Fixation or due to Exposed Session Tokens or due to Insecure Logout Mechanism or due to Lack of Secure Transport (HTTPS) and many more reasons.

To Prevent Broken Authentication and Session Management Attacks the application needs to follow the following rules :

For Authentication:

1. Enforce Strong Password Policies
2. Implement Multi-Factor Authentication (MFA)
3. Rate Limiting and Account Lockout
4. Secure Credential Storage

For Session Management:

1. Use Secure Session Tokens
2. Implement Proper Session Expiration
3. Invalidate Sessions on Logout
4. Avoid Exposing Session Tokens
5. Force HTTPS for All Traffic

Additional Measures:

• Implement CAPTCHA: Protect against brute force attacks.
• Regular Security Testing: Perform penetration testing and vulnerability assessments.
• Audit and Monitor Logs: Detect suspicious login or session activity.

e.Man-in-the-Middle (MITM) Attack:

where an attacker sits in the middle of the client and the server and intercepts and manipulates the communication between them. for example there is a user interacting with the website and with out knowing that an attacker sits behind and stealing the data.

1.Use HTTPS (Secure Websites)

• Always ensure the website you visit starts with https://. This encrypts the data between your browser and the server.
• Look for the padlock icon in the browser address bar.

2. Avoid Public Wi-Fi for Sensitive Activities

• Do not log in to banking, email, or other sensitive accounts on public or free Wi-Fi networks.
• If necessary, use a Virtual Private Network (VPN) to secure your connection.

3. Enable Two-Factor Authentication (2FA)

• Even if an attacker gets your password, they won’t be able to access your account without the second factor, like an OTP sent to your mobile.

4. Verify Website URLs

• Be cautious of fake websites with slightly altered URLs (e.g., www.bank1.com instead of www.bank.com).

5. Keep Software Updated

• Regularly update your operating system, browser, and antivirus software to protect against known vulnerabilities.

6. Use Strong Encryption for Wi-Fi

• Always use a secure Wi-Fi connection at home with strong encryption (e.g., WPA3 or at least WPA2) and a complex password.

7. Watch for Warnings

If your browser shows a warning like "Your connection is not private", do not proceed to the website.

Enabling 2 factor authentication and using https protocol for the application the developer can overcome from this MITM attacks for the application users .

f.Distributed Denial of Service (DDoS) Attack:

Is a malicious attempt to make a website, application, or network unavailable to its users by overwhelming it with a massive amount of fake traffic. The goal is to disrupt the normal functioning of the targeted system, causing it to crash or become too slow to use.

how does this happens?

For example you're running an e-commerce website where during the festival season there will lost of customers visiting to the application at the same time the attacker tries to create a thousand or millions of fake visiting to crash the application using BOT's , such that real customers can’t access your store, leading to lost sales and frustration.

How to Prevent and Mitigate DDoS Attacks

Here’s how you can protect yourself from DDoS attacks:

1. Use a Content Delivery Network (CDN)

• A CDN distributes your website’s content across multiple servers worldwide. If one server is attacked, others can handle the traffic, reducing the impact.

2. Install a Web Application Firewall (WAF)

• A WAF monitors and filters incoming traffic, blocking malicious requests before they reach your server.

3. Implement Rate Limiting

• Limit the number of requests a user or IP address can make in a given time. This prevents bots from flooding your system with requests.

4. Use DDoS Protection Services

• Many companies, such as Cloudflare, Akamai, and AWS Shield, offer specialized DDoS protection services that can detect and block attacks.

5. Monitor Traffic Regularly

• Keep an eye on your network traffic. Sudden spikes in traffic could indicate an ongoing DDoS attack.

6. Strong Network Configuration

• Configure your network devices like routers and firewalls to detect and filter out abnormal traffic patterns.

7. Plan for High Traffic

• Design your system to handle higher-than-expected traffic by using scalable cloud-based servers.

g.File Inclusion Vulnerabilities:

Is a type of security flaw in a web application that allows attackers to include unauthorized files (from the server or external sources) in the application. This vulnerability occurs when the web application takes user input and uses it to load files without properly validating or sanitizing the input.

Imagine a student portal that allows users to view different resources (e.g., syllabus, previous question papers) using a URL like:

https://studentportal.com/resource.php?file=syllabus.pdf        

If the portal doesn’t validate the file parameter, an attacker could use:

https://studentportal.com/resource.php?file=../../../../etc/passwd        

This would display sensitive system files, leading to a security breach.

How to Prevent File Inclusion Vulnerabilities

1. Validate User Input
2. Disable Dynamic File Inclusion
3. Use Full File Paths
4. Restrict File Permissions

These are the most web security attacks that occurs if we don't take care while developing the application.