Attacks Against Web Applications

Web applications are frequent targets for attackers due to their exposure and potential vulnerabilities. Below is an in-depth guide on common web application attacks, detection methods, examples of exploitation, and protection strategies.


1. SQL Injection (SQLi)

Description: An attacker manipulates SQL queries by injecting malicious input, potentially gaining unauthorized access to sensitive data or modifying database content.

Example Attack:

  • A web app requests data using:

    /user?id=2
  • The attacker modifies the URL to:

    /user?id=2' OR '1'='1' UNION SELECT null, username, password FROM users --

Outcome:

  • Exposes usernames and hashed passwords.

Log Analysis: Detect SQL injection patterns in the request log. Match case-insensitively, since the keywords in the example above are upper-case and attackers also mix case and URL-encode them (%27 is an encoded single quote):

grep -iE "%27|--|union|select|insert|delete|drop|from|exec" access.log

Protection:

  • Use prepared statements and parameterized queries.

  • Sanitize user inputs.

  • Limit database user privileges to restrict access to sensitive data.


2. Broken Authentication and Session Management

Description: Weak authentication or session management allows attackers to impersonate legitimate users by exploiting session tokens or credentials.

Example Attack:

  • Attacker obtains a session cookie session=abc123.

  • Modifies it to session=admin.

  • Gains unauthorized admin access.

Log Analysis: Check the session activity of a specific client address for anomalies (replace the IP with the client under review):

grep "192.168.68.1" /var/log/access.log | grep "Set-Cookie"

Protection:

  • Implement secure session management:

    • Use the HttpOnly and Secure cookie flags.

    • Implement Multi-Factor Authentication (MFA).

  • Rotate session IDs upon login/logout.

  • Prevent XSS to protect session cookies.


3. Cross-Site Scripting (XSS)

Description: An attacker injects malicious scripts into a web page, which are executed in the context of another user's browser.

Example Attack:

  • Payload injected into a comment field:

    <script>alert('XSS');</script>

Outcome:

  • The script runs whenever the page is loaded, stealing cookies or performing unwanted actions.

Log Analysis: Look for script tags, event handlers, or their URL-encoded forms (%3C is an encoded "<"), matching case-insensitively:

grep -iE "<script|%3Cscript|alert|document.cookie|onerror" access.log
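The grep one-liners above for SQL injection and XSS work on the raw request line, so they miss payloads that are URL-encoded or mixed-case and they flag ordinary words such as "from". As an added example that is not part of the original guide, the Python script below parses Apache combined-format log lines, URL-decodes the request path (twice, to catch double encoding), and applies keyword combinations instead of single words; the log lines are constructed samples, not real traffic.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample of Apache combined-format log lines (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jan/2024:12:00:01 +0000] "GET /user?id=2 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Jan/2024:12:00:02 +0000] "GET /user?id=2%27%20OR%20%271%27%3D%271%27%20UNION%20SELECT%20null,username,password%20FROM%20users%20-- HTTP/1.1" 200 2048 "-" "curl/8.0"
10.0.0.9 - - [10/Jan/2024:12:00:03 +0000] "GET /comment?text=%3Cscript%3Ealert(%27XSS%27)%3C/script%3E HTTP/1.1" 200 128 "-" "curl/8.0"
10.0.0.7 - - [10/Jan/2024:12:00:04 +0000] "GET /search?q=select+a+book+from+the+shelf HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

# Fields of the combined log format that the scanner needs: client IP, request path, status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Keyword combinations rather than single words: a lone "select" or "from" is
# common in legitimate search queries, but "' OR '1" or "UNION SELECT" is not.
RULES = {
    "sqli": re.compile(
        r"('|%27)\s*(or|and)\s*('|%27)?\d"          # ' OR '1'='1
        r"|union\s+(all\s+)?select"                 # UNION SELECT
        r"|\bselect\b.+\bfrom\b.+(--|#|;)"          # SELECT ... FROM ... --
        r"|\b(drop|delete|insert)\s+(table|from|into)\b",
        re.I,
    ),
    "xss": re.compile(
        r"<\s*script|on(error|load|mouseover)\s*=|javascript:|document\.cookie", re.I
    ),
}


def decode_request(path):
    # Decode twice: double-encoded payloads survive a single-pass decoder.
    return unquote_plus(unquote_plus(path))


def scan_log(text):
    """Return (client_ip, rule_name, decoded_path) for every line a rule matches."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        decoded = decode_request(m.group("path"))
        for name, rule in RULES.items():
            if rule.search(decoded):
                hits.append((m.group("ip"), name, decoded))
    return hits


if __name__ == "__main__":
    for ip, kind, path in scan_log(SAMPLE_LOG):
        print(f"{kind.upper():5} from {ip}: {path}")
```

Run against a real log with `scan_log(open("/var/log/access.log").read())`; the benign "select a book from the shelf" search is not reported, while the encoded UNION SELECT and script-tag requests are.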

Protection:

  • Sanitize and validate inputs:

    • Use whitelisting for allowed inputs.

  • Implement Content Security Policy (CSP) to restrict script execution.

  • Use output encoding (e.g., HTML entity encoding).


4. Security Misconfiguration

Description: Applications are left vulnerable due to misconfigured security settings, default accounts, or outdated software.

Example Attack:

  • Default credentials (e.g., admin:admin) allow unauthorized access to the admin panel.

Log Analysis: Monitor failed login attempts against the admin panel (HTTP 401 responses):

grep "POST /admin/login" /var/log/apache2/access.log | grep 401

Protection:

  • Change default credentials.

  • Disable unused services and ports.

  • Regularly update and patch applications.


5. Cross-Site Request Forgery (CSRF)

Description: CSRF exploits authenticated users by tricking them into executing unauthorized actions on a web app.

Example Attack: A malicious form on an external site submits a request to change the victim’s password:

<form method="POST" action="http://victim-site.com/change_password">
  <input type="hidden" name="password" value="new_password">
  <button type="submit">Click me!</button>
</form>

Outcome:

  • The victim's password is changed without their knowledge.

Log Analysis: Search for unusual form submissions:

grep "POST /change_password" /var/log/access.log

Protection:

  • Use anti-CSRF tokens.

  • Enforce same-site cookies.

  • Validate Referer headers for critical operations.


General Protection Strategies

1. Secure Coding Practices

  • Follow OWASP guidelines for secure application development.

  • Conduct regular code reviews and security testing.

2. Logging and Monitoring

  • Enable detailed logging for access and error events.

  • Use centralized logging platforms like ELK Stack or Splunk for real-time correlation and analysis.

3. Regular Updates and Patching

  • Ensure software, libraries, and frameworks are up-to-date.

  • Monitor and patch known vulnerabilities using resources like CVE databases.

4. Web Application Firewall (WAF)

  • Deploy WAFs to detect and block common web attacks like SQLi, XSS, and CSRF.

5. Implement Least Privilege

  • Restrict user and service permissions to the minimum required level.

  • Use Role-Based Access Control (RBAC) to limit exposure.


Key Points

Web applications are critical but often vulnerable components of modern infrastructure. Understanding the nature of common attacks like SQL Injection, XSS, CSRF, and others is vital for proactive defense. By combining strong development practices, real-time monitoring, and robust security tools, organizations can significantly reduce their attack surface and protect sensitive data.
