# Attacks Against Web Applications

Web applications are frequent targets for attackers due to their exposure and potential vulnerabilities. Below is an in-depth guide on common web application attacks, detection methods, examples of exploitation, and protection strategies.

***

## **1. SQL Injection (SQLi)**

**Description**:\
An attacker manipulates SQL queries by injecting malicious input, potentially gaining unauthorized access to sensitive data or modifying database content.

**Example Attack**:

* A web app requests data using:

  ```
  /user?id=2
  ```
* The attacker modifies the URL to:

  ```
  /user?id=2' OR '1'='1' UNION SELECT null, username, password FROM users --
  ```

**Outcome**:

* Exposes usernames and hashed passwords.

**Log Analysis**: Detect SQL Injection patterns:

```bash
# -i is needed: the payload above uses upper-case UNION/SELECT, which a case-sensitive
# grep for "union|select" would miss. Expect noise from "from" and "select" in benign URLs.
grep -iE "%27|--|union|select|insert|delete|drop|from|exec" access.log
```

**Protection**:

* Use **prepared statements** and **parameterized queries**.
* Sanitize user inputs.
* Limit database user privileges to restrict access to sensitive data.
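The vulnerable string-built query from the example beside its parameterized replacement, as an added example that is not code from the original page. It uses Python's standard `sqlite3` module against a constructed in-memory `users` table (sample rows and hash placeholders are made up); the base query selects three columns so that the page's three-column `UNION` lines up with it.

```python
import sqlite3

# Constructed sample data (not from the page): password column holds placeholder hashes.
SAMPLE_USERS = [
    (1, "alice", "alice@example.test", "$2b$12$placeholder_hash_alice"),
    (2, "bob", "bob@example.test", "$2b$12$placeholder_hash_bob"),
    (3, "carol", "carol@example.test", "$2b$12$placeholder_hash_carol"),
]

# The id parameter from the page's /user?id=... example.
PAYLOAD = "2' OR '1'='1' UNION SELECT null, username, password FROM users --"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT, password TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_user_vulnerable(conn, user_id):
    # Defective on purpose: the parameter is spliced into the SQL text, so the quote,
    # the OR and the UNION inside it are parsed as SQL rather than compared as data.
    query = f"SELECT id, username, email FROM users WHERE id = '{user_id}'"
    return conn.execute(query).fetchall()


def parse_user_id(raw):
    # Input validation layer: an id is a string of digits, anything else is rejected.
    return int(raw) if raw.isdigit() else None


def lookup_user_safe(conn, user_id):
    # Parameterized query: the driver binds the value, it is never interpreted as SQL,
    # so the payload is compared (and fails to match) as one literal string.
    return conn.execute(
        "SELECT id, username, email FROM users WHERE id = ?", (user_id,)
    ).fetchall()


def leaked_hashes(rows):
    # Rows whose third column is a hash came from the injected UNION, not from the base query.
    return [r for r in rows if isinstance(r[2], str) and r[2].startswith("$2b$")]


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", lookup_user_vulnerable(db, PAYLOAD))
    print("safe:      ", lookup_user_safe(db, PAYLOAD))
```

Running it shows the vulnerable lookup returning six rows (three legitimate plus three `(None, username, hash)` rows from the `UNION`) while the parameterized lookup returns none; `parse_user_id` rejects the payload before it ever reaches the database, which is the "validate inputs" layer on top of the binding.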

***

## **2. Broken Authentication and Session Management**

**Description**:\
Weak authentication or session management allows attackers to impersonate legitimate users by exploiting session tokens or credentials.

**Example Attack**:

* Attacker obtains a session cookie `session=abc123`.
* Modifies it to `session=admin`.
* Gains unauthorized admin access.

**Log Analysis**: Check for anomalous session activity from a given client. Note that `Set-Cookie` is a response header, and the default Apache and Nginx access log formats do not record it, so this match only works if the log format was extended to include response headers:

```bash
grep "192.168.68.1" /var/log/access.log | grep "Set-Cookie"
```

**Protection**:

* Implement **secure session management**:
  * Use **HttpOnly** and **Secure** cookie flags.
  * Implement **Multi-Factor Authentication (MFA)**.
* Rotate session IDs upon login/logout.
* Prevent XSS to protect session cookies.

***

## **3. Cross-Site Scripting (XSS)**

**Description**:\
An attacker injects malicious scripts into a web page, which are executed in the context of another user's browser.

**Example Attack**:

* Payload injected into a comment field:

  ```html
  <script>alert('XSS');</script>
  ```

**Outcome**:

* The script runs whenever the page is loaded, stealing cookies or performing unwanted actions.

**Log Analysis**: Look for suspicious script tags or encoded payloads:

```bash
# -i: tags and attribute names are case-insensitive in HTML, so <SCRIPT> must match too
grep -iE "<script|%3Cscript|alert|document.cookie|onerror" access.log
```
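The two `grep` checks (the SQL Injection one in section 1 and the XSS one above) share a weakness: they look at the raw, still URL-encoded request line, so a payload encoded as `%55NION` or double-encoded as `%253Cscript` slips past, while `%27` in a harmless `rock'n'roll` search is flagged. The scanner below, added here as an example and not code from the original page, parses Apache combined-format lines, URL-decodes the path until it stops changing, and only then applies narrower patterns for both attack classes. The log lines, IPs and timestamps are constructed for the example.

```python
import re
from urllib.parse import unquote_plus

# Constructed Apache combined-format lines (not real traffic): an SQLi probe, an XSS probe,
# two benign requests that a raw keyword grep would flag, and a double-encoded XSS probe.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2024:13:55:36 +0000] "GET /user?id=2%27%20OR%20%271%27%3D%271%27%20UNION%20SELECT%20null,username,password%20FROM%20users-- HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2024:13:56:01 +0000] "GET /comment?text=%3Cscript%3Ealert(%27XSS%27)%3C/script%3E HTTP/1.1" 200 87 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2024:13:56:40 +0000] "GET /search?q=select+from+menu HTTP/1.1" 200 412 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2024:13:57:02 +0000] "GET /search?q=rock%27n%27roll HTTP/1.1" 200 398 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2024:13:58:15 +0000] "GET /comment?text=%253Cscript%253Ealert(1)%253C/script%253E HTTP/1.1" 200 87 "-" "Mozilla/5.0"
"""

# Apache "combined" format: client, ident, user, [timestamp], "METHOD path HTTP/x", status, ...
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Applied to the decoded path only; word boundaries and multi-token phrases keep
# ordinary words like "select" or "from" in a search query from matching.
PATTERNS = {
    "sqli": re.compile(
        r"(?i)(\bunion\s+(all\s+)?select\b|'\s*(or|and)\b|--\s*$|--\s|\bsleep\s*\(|\bdrop\s+table\b)"
    ),
    "xss": re.compile(
        r"(?i)(<\s*script\b|javascript\s*:|\bon[a-z]+\s*=|document\.cookie|<\s*(img|svg|iframe)\b)"
    ),
}


def fully_decode(value, max_rounds=3):
    """URL-decode repeatedly so double-encoded payloads are seen in plain form."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify(decoded_path):
    """Return the attack classes whose pattern matches the decoded request path."""
    return [name for name, rx in PATTERNS.items() if rx.search(decoded_path)]


def scan_log(text):
    """Return one record per suspicious request line, with the decoded path and classes."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request line in the expected format
        decoded = fully_decode(m.group("path"))
        categories = classify(decoded)
        if categories:
            hits.append({
                "ip": m.group("ip"),
                "status": int(m.group("status")),
                "path": m.group("path"),
                "decoded": decoded,
                "categories": categories,
            })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["ip"], hit["status"], hit["categories"], hit["decoded"])
```

On the sample, lines 1, 2 and 5 are reported and the two benign searches are not; the status code is carried along because a probe answered with `200` and a large body (line 1) deserves more attention than one that was rejected.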

**Protection**:

* **Sanitize and validate inputs**:
  * Use whitelisting for allowed inputs.
* Implement **Content Security Policy (CSP)** to restrict script execution.
* Use output encoding (e.g., HTML entity encoding).

***

## **4. Security Misconfiguration**

**Description**:\
Applications are left vulnerable due to misconfigured security settings, default accounts, or outdated software.

**Example Attack**:

* Default credentials (e.g., `admin:admin`) allow unauthorized access to the admin panel.

**Log Analysis**: Monitor login attempts:

```bash
# Match the status field (" 401 ") rather than any 401 substring, which would also hit byte counts
grep "POST /admin/login" /var/log/apache2/access.log | grep " 401 "
```

**Protection**:

* Change default credentials.
* Disable unused services and ports.
* Regularly update and patch applications.

***

## **5. Cross-Site Request Forgery (CSRF)**

**Description**:\
CSRF exploits authenticated users by tricking them into executing unauthorized actions on a web app.

**Example Attack**: A malicious form on an external site submits a request to change the victim’s password:

```html
<form method="POST" action="http://victim-site.com/change_password">
  <input type="hidden" name="password" value="new_password">
  <button type="submit">Click me!</button>
</form>
```

**Outcome**:

* The victim's password is changed without their knowledge.

**Log Analysis**: Search for unusual form submissions:

```bash
grep "POST /change_password" /var/log/access.log
```

**Protection**:

* Use **anti-CSRF tokens**.
* Enforce **same-site cookies**.
* Validate **Referer** headers for critical operations.
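The three protections above, applied to the `/change_password` handler from the example, as an added example that is not code from the original page. Tokens are an HMAC over the session ID and a nonce, so a token issued for one session cannot be replayed for another; `Origin` (falling back to `Referer`) is checked against the site origin; and a small model of the browser's `SameSite` rule shows why the forged cross-site `POST` would not even carry the session cookie under `Lax`. The secret, the attacker origin and the request layout are constructed for the example; `SITE_ORIGIN` takes its host from the page's form.

```python
import hashlib
import hmac
import secrets

# Assumed application origin; the host is the one used in the page's form example.
SITE_ORIGIN = "http://victim-site.com"


def make_csrf_token(secret: bytes, session_id: str) -> str:
    """Token = nonce.HMAC(secret, session_id:nonce), bound to the session it was issued for."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(secret, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(secret: bytes, session_id: str, token) -> bool:
    """Recompute the MAC for this session and compare in constant time."""
    if not isinstance(token, str) or "." not in token:
        return False
    nonce, mac = token.split(".", 1)
    expected = hmac.new(secret, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac)


def cookie_sent_cross_site(samesite, method):
    """Model of the browser rule: is a cookie with this SameSite value attached to a
    request initiated from another site?  Strict: never.  Lax: only on top-level
    GET/HEAD navigations.  None (or no attribute on legacy browsers): always."""
    samesite = (samesite or "None").lower()
    if samesite == "strict":
        return False
    if samesite == "lax":
        return method.upper() in ("GET", "HEAD")
    return True


def same_origin(origin_header):
    return origin_header == SITE_ORIGIN or origin_header.startswith(SITE_ORIGIN + "/")


def handle_change_password(request, secret: bytes):
    """Simulated POST /change_password handler; returns an HTTP status code.
    request = {"cookies": {...}, "headers": {...}, "form": {...}} (constructed shape)."""
    session_id = request["cookies"].get("session")
    if not session_id:
        return 401  # no session: the browser did not send the cookie (e.g. SameSite blocked it)
    origin = request["headers"].get("Origin") or request["headers"].get("Referer", "")
    if not same_origin(origin):
        return 403  # request was initiated from another site
    if not verify_csrf_token(secret, session_id, request["form"].get("csrf_token")):
        return 403  # missing or foreign token: the page's hidden form cannot produce one
    return 200


if __name__ == "__main__":
    secret = b"constructed-server-secret"
    token = make_csrf_token(secret, "abc123")
    legit = {"cookies": {"session": "abc123"}, "headers": {"Origin": SITE_ORIGIN},
             "form": {"password": "new_password", "csrf_token": token}}
    forged = {"cookies": {"session": "abc123"}, "headers": {"Origin": "http://attacker.example"},
              "form": {"password": "new_password"}}
    print("legitimate:", handle_change_password(legit, secret))
    print("cross-site form:", handle_change_password(forged, secret))
    print("Lax cookie on cross-site POST:", cookie_sent_cross_site("Lax", "POST"))
```

The order of the checks matters for logging: an `Origin` mismatch on a state-changing request is worth recording on its own, since it reaches the server even when the token check would also have rejected it.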

***

## **General Protection Strategies**

### **1. Secure Coding Practices**

* Follow **OWASP** guidelines for secure application development.
* Conduct regular **code reviews** and **security testing**.

### **2. Logging and Monitoring**

* Enable detailed logging for access and error events.
* Use centralized logging platforms like **ELK Stack** or **Splunk** for real-time correlation and analysis.

### **3. Regular Updates and Patching**

* Ensure software, libraries, and frameworks are up-to-date.
* Monitor and patch known vulnerabilities using resources like **CVE** databases.

### **4. Web Application Firewall (WAF)**

* Deploy WAFs to detect and block common web attacks like SQLi, XSS, and CSRF.

### **5. Implement Least Privilege**

* Restrict user and service permissions to the minimum required level.
* Use **Role-Based Access Control (RBAC)** to limit exposure.

***

## Key Points

Web applications are critical but often vulnerable components of modern infrastructure. Understanding the nature of common attacks like **SQL Injection**, **XSS**, **CSRF**, and others is vital for proactive defense. By combining strong development practices, real-time monitoring, and robust security tools, organizations can significantly reduce their attack surface and protect sensitive data.
