Web Application Attacks – Types, Impact & Mitigation – Part-2


An assailant can trick a legitimate user to follow a link that has a session ID set into it. If the user follows the link then the session ID set by the assaulter will be sent out to the application in the cookie.

Insufficient Account Lockout and session timeout Policies.

While this is not, in and of itself, a bug, it is advised that these directories ought to be manually checked to guarantee that they remain in compliance with business security requirements and are not exposing any critical info.

Accept just server created session IDs.
Get previous Session Identifier from HTTP request.
If previous session ID is null, empty, or no session with Session ID= previous session ID exists, produce a new session.
Generate brand-new session identifier brand-new Session ID with a secure random number generator.
Identify the session with new session ID and no longer by previous session ID.
Send brand-new Session ID to customer.


An Attacker can draw out company-related internal info (Team member, area of information or backup) from application & & can carry out social engineering attack.

Directory Enumeration through Error Response.


After a certain number of stopped working login attempts, the users accounts must be handicapped for a certain duration of time or till it is opened by an administrator. If the user does not ask for a page or revitalize within the specific time period, application must end the session. It is advised to appoint timeout property (for e.g. 10 minutes) to the session things.

Likewise Read.

Inappropriate Error Handling– Information Disclosure.

When affected resources permit directory sites on web server to be noted.

when an application is not appropriately protecting application internal details & & exception error.

Any meta-characters must be filtered for, in all input accepting fields, both at client side along with sever side. Server side validation is mandatory. The recognition should not attempt to recognize active content and remove, filter, or sterilize it.

The severity of this vulnerability depends upon the details revealed in the directory sites. Some vital info concerning web services being used was revealed through directories being listed.

Guarantee that the whole software application advancement team shares a common approach to exception handling.
Disable or limit comprehensive error handling. In specific, do not display debug information to end users, stack traces, or path info.
Make sure that protected courses that have numerous results return similar or similar mistake messages in approximately the very same time. Think about enforcing a random wait time for all transactions to hide this information from the assailant if this is not possible.
Various layers may return remarkable or fatal outcomes, such as the database layer, the underlying web server (IIS, Apache, etc). It is crucial that mistakes from all these layers are properly checked and configured to prevent error messages from being exploited by burglars.
Be mindful that typical structures return different HTTP mistake codes depending on if the error is within your custom code or within the structures code. It is rewarding developing a default mistake handler which returns a properly sanitized mistake message for a lot of users in production for all mistake courses.
Overriding– Although security through obscurity, picking to override the default error handler so that it always returns “200” (OK) mistake screens reduces the ability of automated scanning tools from figuring out if a severe mistake occurred. While this is “security through obscurity,” it can offer an extra layer of defense.
Some larger organizations have chosen to include random/ distinct mistake codes among all their applications. This can assist the aid desk with finding the right solution for a specific mistake, however it might also enable enemies to figure out precisely which path an application stopped working.

Frame Injection.



Its advised to sensitive info should constantly be sent in POST demand instead of GET.

An incautious user may browse it and not understand that he is leaving the initial website and surfing to a malicious website. The opponent may then draw the user to visit once again, therefore obtaining his login qualifications.

when Application sends query specifications in GET request which is ruled out as a great practice.

You can part 3 Here.


) # # % %;; + +—-. Directory Listing Enabled.

When default error reactions are set on the remote web server.

Strength attack can be performed on the password based authentication system.

The application will then set this as the session ID of a genuine user. After this attacker can pirate the session and jeopardize the account of the genuine user with the assistance of the fixed session.

There are a lot of kinds of active material and too lots of methods of encoding it to get around filters for such content. Encoding user supplied output can likewise beat XSS vulnerabilities by avoiding inserted scripts from being transferred to users in an executable kind.

After a particular number of failed login attempts, the users accounts must be handicapped for a particular time period or until it is opened by an administrator. Likewise If the user does not revitalize or ask for a page within the particular period, application ought to end the session. It is recommended to assign timeout residential or commercial property (for e.g. 10 minutes) to the session object.

Account lockout is a security function often present in applications as a countermeasure to the brute force attack on the password-based authentication system of the application.



The application needs to be set up to filter meta-characters and unanticipated characters such Character Encoding< &< & lt; > &or > & &< > & gt; or > & & amp; or &” & quot; or” & apos; or (()

Query Parameter Sent In Get Request.

An assaulter can intercept the demand and control these specifications which can result in further attacks.

Such details can supply hackers important ideas on potential defects in the website and such messages are also disrupting to typical users. Even when error messages do not provide a great deal of information, inconsistencies in such messages can still expose crucial ideas on how a website works.


Incorrect handling of errors can introduce a variety of security issues for a web site. The most common problem is when detailed internal mistake messages such as stack traces, database dumps, and mistake codes are shown to the user.


It is recommended that web server need to be set up with a personalized and common error reaction in place of 404 and 403 mistake reactions. This personalized mistake response need to not reveal any information related to the web server, underlying OS or the webserver files/directories.

Session Fixation.

Web Application Attacks– Types, Impact & & Mitigation– Part-1.

when an aggressor inject a frame or an IFrame tag with harmful content which looks like the attacked website.

The application must perform recognition of all headers, cookies, query strings, form fields, and concealed fields (i.e., all parameters) against a strenuous spec of what should be allowed.




Session Fixation
Frame Injection
Directory Site Listing Enabled
Inquiry Parameter Sent In Get Request
Insufficient Account Lockout and session timeout Policies
Improper Error Handling– Information Disclosure
Directory Enumeration by means of Error Response.


The session fixation attack is a class of Session Hijacking, which takes the established session between the web and the client Server after the user logs in. Rather, the Session Fixation attack repairs an established session on the victims internet browser, so the attack begins before the user logs in.

Improper handling of errors can introduce a variety of security issues for a website. The most typical issue is when detailed internal error messages such as stack traces, database disposes, and mistake codes are displayed to the user. These messages reveal execution information that ought to never ever be revealed.

when application doesnt have account lockout protection limit mechanism set up. When session time-out is not set in application.

The Web server responds with the default error reaction for mistakes like “file/directory not found “, “forbidden gain access to” and so on. With this configuration, an opponent can identify the existing files/ directories as the default 403 errors verify that the files really exist.

Access to such directories/ information needs to always be protected by putting authentication; permission and gain access to control or if not essential then remove them from web directory site.


With this short article, we list a few of the common web application attacks, impacts, and possible mitigation. In part -2 we are covering the following attacks.