Web Application Attacks – Types, Impact & Mitigation – Part-4


With this short article, we list a few of the typical web application attacks, their impact and possible mitigation. In Part-4 we are covering the following attacks:

Clickjacking
Strict Transport Security not implemented
Failure to restrict URL access
Parameter Manipulation
URL Redirection

Also Read

Web Application Attacks – Types, Impact & Mitigation – Part-1
Web Application Attacks – Types, Impact & Mitigation – Part-2
Web Application Attacks – Types, Impact & Mitigation – Part-3

Web Application Attacks

Clickjacking

Clickjacking is an attack that tricks a user into clicking a web page element that is invisible or disguised as another element. The attacker tricks the user into clicking what appears to be one link while the click is actually delivered to a different page, typically loaded in a transparent frame placed over the visible one.

A common form of clickjacking involves a disguised login and password form on a site, so that credentials the user types go to the attacker. An attacker may also choose to redirect the clicks to download malware or to gain access to critical systems.

Mitigation: The X-Frame-Options response header gives the site owner control over the use of iframes or objects, so that inclusion of a web page within a frame can be forbidden with the deny directive:

X-Frame-Options: deny

Alternatively, framing can be restricted to the same origin as the site using the sameorigin directive:

X-Frame-Options: sameorigin

Content Security Policy (CSP) is a detection and prevention mechanism that also mitigates clickjacking; its frame-ancestors directive takes precedence over X-Frame-Options in browsers that support it, so both should be sent.

Strict Transport Security not implemented

This vulnerability occurs when the application fails to prevent users from connecting to it over unencrypted connections. HTTP Strict Transport Security (HSTS) is a security policy implemented by web servers which instructs browsers to interact with them using only secure (HTTPS) connections.

Impact: To exploit this vulnerability, an attacker must be suitably positioned to intercept and modify the victim's network traffic. The attacker can manipulate pages in the unsecured area of the application or change redirection targets so that the switch to the secured page is not performed, or is performed in such a way that the attacker remains between client and server.

Mitigation: Enable HSTS by adding a response header with the name Strict-Transport-Security and the value max-age=expireTime, where expireTime is the time in seconds that browsers should remember that the site must only be accessed using HTTPS:

Strict-Transport-Security: max-age=31536000; includeSubDomains

Browsers only honour this header when it arrives over HTTPS, so the application must still redirect plain HTTP requests to HTTPS, and the very first visit, before the policy is cached, remains exposed.

Failure to restrict URL access

This vulnerability occurs when internal pages of the application can be accessed without authentication by forceful browsing, i.e. all the internal pages can be reached directly by requesting their URLs.

Impact: An attacker can access and steal sensitive information without any authentication.

Mitigation: It is recommended not to serve internal pages without appropriate authentication and authorization checks. It is also recommended to configure strong session management. See http://cwe.mitre.org/data/definitions/285.html.

Parameter Manipulation

The parameters within the application can be altered to fetch information that is not permitted or that the user is not authorized to see.

Impact: An attacker can impersonate other users and access or perform unauthorized activities.

Mitigation: It is advised to carry out server-side mapping of each user to the resources and privilege level they are allowed to access. Features applicable to a given privilege level should be available strictly to users of that level; no other user should be granted access to them. It is also recommended to implement strong session management, and the user should be logged out when parameter manipulation is detected.

URL Redirection

This vulnerability occurs when an application stores a URL in a parameter while allowing the user to navigate between pages.

Impact: This may allow an attacker to craft a malicious URL by changing the URL stored in the parameter to that of a malicious website. The application is then susceptible to a phishing attack: an attacker can trick users into surrendering private information that will be used for identity theft.

Mitigation: The application should allow redirection only to a whitelist of URLs.
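The Clickjacking and Strict Transport Security sections above name the two response headers but do not show how to check that a server actually sends them correctly. The following Python audit is an added example written for this page, not code from the original article: it parses the Strict-Transport-Security value, flags a policy delivered over plain HTTP (which browsers ignore), flags X-Frame-Options values that browsers do not support, and accepts a CSP frame-ancestors directive in place of X-Frame-Options. The two sample responses and the one-year max-age threshold (the article's own value) are assumptions made for the example.

```python
"""Audit HTTP response headers for the clickjacking and HSTS weaknesses
discussed above. Standard library only; the sample responses are constructed."""
import re

ONE_YEAR = 31536000  # seconds; the max-age value used in the article (assumed threshold)


def parse_hsts(value):
    """Return (max_age, include_subdomains) from a Strict-Transport-Security
    value, or None when the header has no usable max-age directive."""
    max_age = None
    include_sub = False
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        if name == "max-age":
            arg = arg.strip().strip('"')
            if not arg.isdigit():
                return None
            max_age = int(arg)
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        return None
    return max_age, include_sub


def audit_headers(headers, scheme="https"):
    """Return a list of findings for one response. `headers` is a dict of
    header name -> value (names compared case-insensitively); `scheme` is the
    scheme the response was fetched over."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    # HSTS: present, delivered over HTTPS, long enough, covering subdomains.
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS: Strict-Transport-Security header missing")
    else:
        if scheme != "https":
            # Browsers discard HSTS received over plain HTTP, so the policy is not deployed.
            findings.append("HSTS: header sent over HTTP is ignored by browsers")
        parsed = parse_hsts(hsts)
        if parsed is None:
            findings.append("HSTS: malformed header (no max-age)")
        else:
            max_age, include_sub = parsed
            if max_age == 0:
                findings.append("HSTS: max-age=0 disables the policy")
            elif max_age < ONE_YEAR:
                findings.append(f"HSTS: max-age {max_age} is below one year")
            if not include_sub:
                findings.append("HSTS: includeSubDomains not set (subdomains remain downgradable)")

    # Framing: either X-Frame-Options or CSP frame-ancestors must restrict framing.
    xfo = h.get("x-frame-options")
    csp = h.get("content-security-policy", "")
    has_frame_ancestors = re.search(r"(^|;)\s*frame-ancestors\s", csp + " ") is not None
    if xfo is None and not has_frame_ancestors:
        findings.append("Clickjacking: neither X-Frame-Options nor CSP frame-ancestors set")
    if xfo is not None and xfo.strip().upper() not in ("DENY", "SAMEORIGIN"):
        # ALLOW-FROM is obsolete and ALLOWALL was never valid; browsers ignore both.
        findings.append(f"Clickjacking: unsupported X-Frame-Options value {xfo!r}")
    return findings


# Constructed sample responses (not captured from any real site).
WEAK_RESPONSE = {
    "Strict-Transport-Security": "max-age=300",
    "X-Frame-Options": "ALLOW-FROM https://partner.example",
}
HARDENED_RESPONSE = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "frame-ancestors 'none'",
}

if __name__ == "__main__":
    for name, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(name, audit_headers(resp) or ["no findings"])
```

Run it against headers captured with `curl -sI https://your-site/` to see which of the two sections above still applies; the HTTPS-only rule is why the audit takes the fetch scheme as an argument.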
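The Failure to restrict URL access and Parameter Manipulation sections both come down to the same server-side rule: decide what a request may do from the authenticated session and a server-held mapping, never from anything the client sends. The following Python sketch is an added example for this page, not the article's code or any framework's API. The route table, role ranks, account ownership table and the decision to end the session on a tampered account id are assumptions chosen to illustrate the mitigations described above.

```python
"""Server-side authorization for forceful browsing and parameter manipulation.
Constructed data; no web framework is involved."""

# Which privilege level each internal URL needs. Any path not listed is denied,
# so a forcefully browsed internal page is never served by accident.
ROUTE_ROLES = {
    "/home": "user",
    "/account": "user",        # self-service view of the caller's own account
    "/admin/users": "admin",   # the only route that may inspect other accounts
}
ROLE_RANK = {"anonymous": 0, "user": 1, "admin": 2}

# Server-side ownership mapping: account id -> owning user. This, not the
# request, decides whose data an "id" parameter may refer to.
ACCOUNTS = {1001: "alice", 1002: "bob"}


class Session:
    """Minimal authenticated session; `active` is cleared on forced logout."""

    def __init__(self, user, role):
        self.user = user
        self.role = role
        self.active = True


def authorize(session, path, params):
    """Return (allowed, reason) for a request. Every decision is taken from
    server-side state (session, ROUTE_ROLES, ACCOUNTS); client-supplied
    parameters are treated as untrusted references to be checked, not facts."""
    # Authentication first: no session, or a terminated one, sees nothing internal.
    if session is None or not session.active:
        return False, "authentication required"

    # Vertical check: deny unknown URLs and URLs above the caller's level.
    required = ROUTE_ROLES.get(path)
    if required is None:
        return False, "unknown URL denied by default"
    if ROLE_RANK.get(session.role, 0) < ROLE_RANK[required]:
        return False, f"{path} requires {required}"

    # Horizontal (object-level) check for the parameterised route.
    if path == "/account":
        try:
            account_id = int(params.get("id", ""))
        except ValueError:
            return False, "invalid account id"
        if ACCOUNTS.get(account_id) != session.user:
            # A logged-in user asking for someone else's account is tampering:
            # end the session, as the mitigation above recommends.
            session.active = False
            return False, "parameter manipulation detected; session terminated"

    return True, "ok"


if __name__ == "__main__":
    alice = Session("alice", "user")
    print(authorize(alice, "/account", {"id": "1001"}))   # own account: allowed
    print(authorize(alice, "/admin/users", {}))           # vertical escalation: denied
    print(authorize(alice, "/account", {"id": "1002"}))   # horizontal: denied, logged out
    print(authorize(alice, "/home", {}))                  # session is gone
```

The point to carry into real code is the ordering: authenticate, then check the route's required level, then check that the specific object belongs to the caller. Skipping the last step is exactly the parameter-manipulation weakness the article describes.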
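"Allow redirection only to a whitelist of URLs" is easy to state and easy to get wrong, because browsers and servers parse URLs differently. The following Python validator is an added example for this page, not code from the original article: it accepts a same-site path or an https URL whose host is on an allowlist, and rejects the usual bypasses (protocol-relative //host, a backslash that browsers treat as a slash, a trusted host smuggled into the userinfo part, non-https schemes, and embedded control characters). The allowlisted hostnames and the default landing page are assumptions.

```python
"""Allowlist validation for a user-controlled redirect target (open redirect
mitigation). Standard library only; hostnames below are placeholders."""
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"www.example.com", "accounts.example.com"}  # assumed allowlist
DEFAULT_TARGET = "/home"                                    # assumed safe landing page


def safe_redirect_target(target, allowed_hosts=ALLOWED_HOSTS, default=DEFAULT_TARGET):
    """Return `target` if it is a same-site path or an https URL to an
    allowlisted host; otherwise return `default`. The caller then redirects
    to the returned value and never to the raw parameter."""
    if not isinstance(target, str) or not target:
        return default
    target = target.strip()
    # Control characters inside the value can make the browser parse a
    # different URL than the server did, so reject them outright.
    if any(ord(c) < 0x21 for c in target):
        return default

    # Same-site path: exactly one leading '/'. Browsers read '//host' as a
    # scheme-relative URL and treat '\' like '/', so '/\host' is also remote.
    if target.startswith("/"):
        if target[1:2] in ("/", "\\"):
            return default
        return target

    # Absolute URL: must be https, have no userinfo or explicit port, and its
    # hostname must match the allowlist exactly (no suffix or prefix matching).
    try:
        parts = urlsplit(target)
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return default
    if parts.scheme.lower() != "https":
        return default
    if "@" in parts.netloc or port is not None:
        return default
    if (parts.hostname or "").lower() not in allowed_hosts:
        return default
    return target


if __name__ == "__main__":
    for candidate in ["/account", "//evil.example/", "/\\evil.example",
                      "https://accounts.example.com/login",
                      "https://www.example.com@evil.example/",
                      "https://www.example.com.evil.example/",
                      "javascript:alert(1)"]:
        print(f"{candidate!r:45} -> {safe_redirect_target(candidate)!r}")
```

Where the set of legitimate destinations is small, an even stricter design is to pass an opaque key (for example `next=account`) and look the URL up server-side, so no URL is ever read from the request at all.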