Web Application Attacks – Types, Impact & Mitigation – Part-4

https://gbhackers.com/web-application-attacks-part4/

With this post, we note a few of the common web application attacks, their impact, and possible mitigations. In Part 4 we cover the following attacks:

Web Application Attacks

Click-jacking
Strict transport security not implemented
Failure to restrict URL access
Parameter manipulation
URL redirection

Click-jacking

Clickjacking is an attack that tricks a user into clicking a web page element that is invisible or disguised as another element. The attacker loads the target site in a transparent frame laid over a decoy page, so a click the user believes is on the decoy actually lands on a link or button in the target, which carries out an action or routes the user to another page.

Variants of clickjacking include mirroring a login and password form on the attacker's page so that the credentials are captured. An attacker may also choose to redirect the clicks to download malware or to gain access to critical systems.

Impact

The application is susceptible to a phishing attack. An attacker can trick users into surrendering private information that is then used for identity theft, or into performing actions in the framed application with their own authenticated session.

Mitigation

The X-Frame-Options response header gives the site owner control over the use of iframes or objects, so that inclusion of a web page within a frame can be restricted with the deny directive:

X-Frame-Options: deny

Alternatively, framing can be restricted to the same origin as the site using the sameorigin directive:

X-Frame-Options: sameorigin

Content Security Policy (CSP) is a detection and prevention mechanism that also mitigates clickjacking: its frame-ancestors directive (for example Content-Security-Policy: frame-ancestors 'none', or frame-ancestors 'self') takes precedence over X-Frame-Options in browsers that support it and can additionally permit a specific list of framing origins. Whichever header is used, it must be sent on every response that renders HTML, not only on the login page.
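The following is an added example, not code from the article: it evaluates a response's anti-framing headers the way a browser does, so a tester can tell whether a given page is frameable by a given origin. It implements the precedence rule from the text (a frame-ancestors directive overrides X-Frame-Options) plus a minimal CSP host-source matcher; the header sets and the origins bank.example, partner.example and evil.example are constructed for the demonstration.

```javascript
// Added example (not from the article): decide whether a response can be framed by a
// given origin, applying the precedence browsers use: a CSP frame-ancestors directive
// overrides X-Frame-Options when both are present. Origins and headers below are constructed.

function getHeader(headers, name) {
  // Header names are case-insensitive; look the value up accordingly.
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? undefined : headers[key];
}

function parseFrameAncestors(csp) {
  // Returns the frame-ancestors source list, or null when the directive is absent.
  const directive = csp
    .split(';')
    .map((d) => d.trim())
    .find((d) => d.toLowerCase().startsWith('frame-ancestors'));
  if (directive === undefined) return null;
  return directive.split(/\s+/).slice(1).map((s) => s.toLowerCase());
}

function matchesSource(src, framerOrigin) {
  // Minimal CSP source matching: scheme-source (https:), host-source with optional
  // scheme and port, and a leading wildcard label (*.example.com). Ports compare literally.
  const framer = new URL(framerOrigin);
  if (/^[a-z][a-z0-9+.-]*:$/.test(src)) return framer.protocol === src;
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)(?::(\d+|\*))?$/.exec(src);
  if (m === null) return false;
  const [, scheme, host, port] = m;
  if (scheme !== undefined && framer.protocol !== `${scheme}:`) return false;
  if (port !== undefined && port !== '*' && framer.port !== port) return false;
  if (host.startsWith('*.')) return framer.hostname.endsWith(host.slice(1));
  return framer.hostname === host;
}

function mayFrame(headers, pageOrigin, framerOrigin) {
  const sameOrigin = new URL(pageOrigin).origin === new URL(framerOrigin).origin;
  const csp = getHeader(headers, 'Content-Security-Policy');
  if (csp !== undefined) {
    const sources = parseFrameAncestors(csp);
    if (sources !== null) {
      // An empty list or 'none' permits nothing; otherwise any matching source permits framing.
      if (sources.length === 0 || sources.includes("'none'")) return false;
      return sources.some((src) => (src === "'self'" ? sameOrigin : matchesSource(src, framerOrigin)));
    }
  }
  const xfo = getHeader(headers, 'X-Frame-Options');
  if (xfo === undefined) return true;               // no protection at all: any site may frame the page
  const value = xfo.trim().toLowerCase();
  if (value === 'deny') return false;
  if (value === 'sameorigin') return sameOrigin;
  return true;                                       // unknown value (e.g. obsolete ALLOW-FROM) is ignored by browsers
}

// Constructed sample responses.
const unprotected = {};
const denyAll = { 'X-Frame-Options': 'deny' };
const sameOriginOnly = { 'x-frame-options': 'SAMEORIGIN' };
const partnerAllowed = {
  'X-Frame-Options': 'deny', // ignored by CSP-aware browsers because frame-ancestors is present
  'Content-Security-Policy': "default-src 'self'; frame-ancestors 'self' https://partner.example",
};

const PAGE = 'https://bank.example';
for (const [label, headers] of Object.entries({ unprotected, denyAll, sameOriginOnly, partnerAllowed })) {
  console.log(label, {
    self: mayFrame(headers, PAGE, PAGE),
    partner: mayFrame(headers, PAGE, 'https://partner.example'),
    attacker: mayFrame(headers, PAGE, 'https://evil.example'),
  });
}
```

Run it against the headers captured from a real response (for example from the browser's network panel) and check that the attacker origin comes back false for every page that renders HTML. Note that the partnerAllowed case returns true for partner.example even though X-Frame-Options says deny: that is the precedence rule, and it is why a CSP allow-list must be reviewed as carefully as the X-Frame-Options value.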

Strict transport security not implemented

This weakness exists when the application fails to prevent users from connecting to it over unencrypted connections. HTTP Strict Transport Security (HSTS) is a security policy, declared by the web server through a response header, that instructs browsers to communicate with the site using only secure (HTTPS) connections.

Impact

To exploit this weakness, an attacker must be positioned to intercept and modify the victim's network traffic, for example on a shared wireless network. The attacker can then manipulate pages in the unsecured area of the application or change redirection targets so that the switch to the secured page is never performed, or is performed in a way that leaves the attacker between client and server (SSL stripping).

Mitigation

Enable HTTP Strict Transport Security (HSTS) by including a response header named Strict-Transport-Security with the value max-age=expireTime, where expireTime is the time in seconds that browsers must remember that the site is only to be accessed over HTTPS. The includeSubDomains directive extends the policy to all subdomains:

Strict-Transport-Security: max-age=31536000; includeSubDomains

Browsers only honour the header when it arrives over an HTTPS connection with a valid certificate and ignore it on plain HTTP responses, so the HTTP endpoint should redirect to HTTPS and the header should be set on the HTTPS responses. The very first visit, before the policy is cached, remains unprotected unless the site is submitted to the browser preload list.
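The following is an added example, not code from the article: it parses a Strict-Transport-Security value as a browser would (RFC 6797 syntax), reports the weaknesses a reviewer looks for (header missing, delivered over plain HTTP, max-age too short or zero, no includeSubDomains), and builds the recommended value from the text. The response objects are constructed samples; the assessHsts and hstsHeaderValue names are this example's own.

```javascript
// Added example (not from the article): parse and assess a Strict-Transport-Security
// header the way a browser would (RFC 6797), and build a recommended value.
// Sample responses below are constructed.

const ONE_YEAR = 31536000; // seconds, the max-age the article recommends

function parseHsts(value) {
  // Returns { maxAge, includeSubDomains, preload } or null if a browser would discard the header.
  const policy = { maxAge: null, includeSubDomains: false, preload: false };
  for (const raw of value.split(';')) {
    const directive = raw.trim();
    if (directive === '') continue;
    const eq = directive.indexOf('=');
    const name = (eq === -1 ? directive : directive.slice(0, eq)).trim().toLowerCase();
    const val = eq === -1 ? undefined : directive.slice(eq + 1).trim().replace(/^"|"$/g, '');
    if (name === 'max-age') {
      if (val === undefined || !/^\d+$/.test(val)) return null; // non-numeric delta-seconds: header ignored
      policy.maxAge = Number(val);
    } else if (name === 'includesubdomains') {
      policy.includeSubDomains = true;
    } else if (name === 'preload') {
      policy.preload = true;
    }
    // Unknown directives are ignored, as RFC 6797 requires.
  }
  return policy.maxAge === null ? null : policy; // max-age is mandatory
}

function assessHsts(response) {
  // response = { scheme: 'http' | 'https', headers: {...} }; returns a list of findings (empty means OK).
  const findings = [];
  const key = Object.keys(response.headers).find((k) => k.toLowerCase() === 'strict-transport-security');
  if (key === undefined) return ['Strict-Transport-Security header missing'];
  if (response.scheme !== 'https') {
    findings.push('header sent over plain HTTP is ignored by browsers; redirect to HTTPS and set it there');
  }
  const policy = parseHsts(response.headers[key]);
  if (policy === null) return [...findings, 'malformed header: max-age missing or not numeric'];
  if (policy.maxAge === 0) {
    findings.push('max-age=0 removes the policy instead of enforcing it');
  } else if (policy.maxAge < ONE_YEAR) {
    findings.push(`max-age ${policy.maxAge} is below the recommended one year (${ONE_YEAR})`);
  }
  if (!policy.includeSubDomains) {
    findings.push('includeSubDomains not set: subdomains can still be reached over plain HTTP');
  }
  return findings;
}

function hstsHeaderValue({ maxAgeSeconds = ONE_YEAR, includeSubDomains = true, preload = false } = {}) {
  // Builds the value to send; preload only matters when submitting the site to the browser preload list.
  const parts = [`max-age=${maxAgeSeconds}`];
  if (includeSubDomains) parts.push('includeSubDomains');
  if (preload) parts.push('preload');
  return parts.join('; ');
}

// Constructed sample responses.
const samples = {
  recommended: { scheme: 'https', headers: { 'Strict-Transport-Security': hstsHeaderValue() } },
  overHttp: { scheme: 'http', headers: { 'Strict-Transport-Security': hstsHeaderValue() } },
  tooShort: { scheme: 'https', headers: { 'strict-transport-security': 'max-age=300' } },
  missing: { scheme: 'https', headers: { 'Content-Type': 'text/html' } },
};
for (const [label, response] of Object.entries(samples)) {
  console.log(label, assessHsts(response));
}
```

The overHttp case is the one most often missed in reviews: the header is present, so a grep for it passes, but because it was observed on the plain-HTTP response the browser never stores the policy.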

Failure to restrict URL access

This weakness exists when internal pages of the application can be accessed without authentication by forceful browsing: the attacker guesses or enumerates the URLs of internal pages and requests them directly. All the internal pages might then be accessed without ever logging in.

Impact

An attacker can access and steal sensitive information without any authentication.

Mitigation

Do not serve internal pages without proper authentication and authorization checks, enforced on the server for every request rather than only on the links shown in the navigation. It is also advised to configure strong session management. See CWE-285, Improper Authorization: http://cwe.mitre.org/data/definitions/285.html

Parameter manipulation

Parameters within the application (query string values, form fields, hidden fields, cookies) can be changed by the client to fetch information that is not permitted or to perform operations that are not authorized, for example by changing the account identifier in a request from the user's own account to another user's.

Impact

An attacker can impersonate other users and access or perform unauthorized activities.

Mitigation

Implement a server-side mapping of each user to the resources and functions they are allowed to access; functions that belong to a given privilege level must be available strictly to users of that level, and no other user should be given access to them. It is also recommended to implement strong session management and to log the user out when an attempt at parameter manipulation is detected.
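The following is an added example, not code from the article, covering both the failure-to-restrict-URL-access and the parameter-manipulation sections above: the same two endpoints handled first without any server-side checks and then with the authentication, role-to-URL mapping, ownership check and session termination the text recommends. The users, accounts, sessions, paths and request shape are all constructed for the demonstration.

```javascript
// Added example (not from the article): the same two endpoints with and without server-side
// authentication and authorization. Users, accounts, sessions and paths are constructed.

const users = { alice: { role: 'user' }, bob: { role: 'user' }, carol: { role: 'admin' } };
const accounts = {
  1001: { owner: 'alice', balance: 250 },
  1002: { owner: 'bob', balance: 9000 },
};
// Live sessions: session id -> username (a cookie value in a real application).
const sessions = new Map([['s-alice', 'alice'], ['s-bob', 'bob'], ['s-carol', 'carol']]);

// Server-side mapping of URL path -> privilege levels allowed to reach it.
const routeRoles = {
  '/account': ['user', 'admin'],
  '/admin/users': ['admin'],
};

// VULNERABLE: relies on the user not knowing the URL, and on the id parameter being honest.
function handleVulnerable(req) {
  if (req.path === '/admin/users') return { status: 200, body: Object.keys(users) }; // forceful browsing works
  if (req.path === '/account') return { status: 200, body: accounts[req.query.id] }; // any id is returned
  return { status: 404 };
}

// HARDENED: authenticate the session, authorize the route by role, then the object by ownership.
function handleHardened(req) {
  const username = sessions.get(req.sessionId);
  if (username === undefined) return { status: 401 };       // not logged in: no internal page is served
  const role = users[username].role;
  const allowedRoles = routeRoles[req.path];
  if (allowedRoles === undefined) return { status: 404 };
  if (!allowedRoles.includes(role)) return { status: 403 };  // route exists, but not for this privilege level
  if (req.path === '/admin/users') return { status: 200, body: Object.keys(users) };
  const account = accounts[req.query.id];
  if (account === undefined) return { status: 404 };
  if (account.owner !== username && role !== 'admin') {
    sessions.delete(req.sessionId);                           // tampering detected: terminate the session
    return { status: 403 };
  }
  return { status: 200, body: account };
}

// Constructed requests: an anonymous visitor, and bob editing the id parameter to alice's account.
console.log('anonymous -> /admin/users (vulnerable):', handleVulnerable({ path: '/admin/users', query: {} }).status);
console.log('anonymous -> /admin/users (hardened):', handleHardened({ path: '/admin/users', query: {} }).status);
console.log('bob -> /account?id=1001 (vulnerable):', handleVulnerable({ path: '/account', query: { id: '1001' }, sessionId: 's-bob' }).body);
console.log('bob -> /account?id=1001 (hardened):', handleHardened({ path: '/account', query: { id: '1001' }, sessionId: 's-bob' }).status);
console.log('bob logged out after tampering:', !sessions.has('s-bob'));
```

The order of the checks matters: authentication first (401), then the route-level role check (403), then the object-level ownership check. Skipping the last step is the classic parameter-manipulation bug, since a logged-in user is entitled to reach /account but only for identifiers mapped to that user on the server.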

URL redirection

This weakness exists when an application stores a URL in a parameter while allowing the user to navigate between pages, for example a return-to address appended to a login link, and redirects to that value without checking it.

Impact

An attacker can craft a malicious link by replacing the URL stored in the parameter with that of a malicious site. Because the link begins with the trusted application's domain, the victim is more likely to follow it, which makes it an effective phishing vector.

Mitigation

The application should allow redirection only to a whitelist of URLs. Values taken from the parameter should be resolved against the application's own origin and checked on the server before use; anything that resolves to another host (including protocol-relative forms such as //evil.example) or to a non-HTTP scheme must be rejected in favour of a fixed default page.
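The following is an added example, not code from the article: a redirect-target validator that implements the whitelist approach above and handles the inputs that typically defeat naive string checks (protocol-relative //host, the backslash variant, javascript: URLs, userinfo tricks such as https://site@evil, look-alike hostnames, and HTTPS-to-HTTP downgrades). The origins site.example, partner.example and evil.example and the option names are constructed for the demonstration.

```javascript
// Added example (not from the article): validate a redirect target taken from a request
// parameter against the application's own origin and a whitelist of hosts. Origins are constructed.

function safeRedirectTarget(candidate, { siteOrigin, allowedHosts = [], fallback = '/' }) {
  if (typeof candidate !== 'string' || candidate.trim() === '') return fallback;
  let target;
  try {
    // Resolve against our own origin, so a plain path such as /dashboard becomes absolute.
    target = new URL(candidate, siteOrigin);
  } catch {
    return fallback; // unparsable input is never passed through
  }
  const site = new URL(siteOrigin);
  if (target.protocol !== site.protocol) return fallback;                  // javascript:, data:, http downgrade
  if (target.username !== '' || target.password !== '') return fallback;   // https://site.example@evil.example/
  const hostOk = target.hostname === site.hostname || allowedHosts.includes(target.hostname);
  // The URL parser resolves //evil.example and /\evil.example to another host, so this check covers both.
  if (!hostOk) return fallback;
  return target.href;
}

// Constructed inputs an attacker might place in a ?next= parameter.
const opts = { siteOrigin: 'https://site.example', allowedHosts: ['partner.example'] };
const probes = [
  '/dashboard',
  '//evil.example/',
  '/\\evil.example',
  'javascript:alert(1)',
  'https://site.example.evil.example/login',
  'https://site.example@evil.example/',
  'http://site.example/dashboard',
  'https://partner.example/return?x=1',
];
for (const p of probes) console.log(JSON.stringify(p), '->', safeRedirectTarget(p, opts));
```

Parsing with the platform URL parser and then comparing hostnames is deliberately preferred over prefix or regex checks on the raw string: the raw string "/\evil.example" starts with a slash and would pass a "relative path only" test, yet browsers navigate it to evil.example. Where the set of destinations is small, an even simpler design is to pass an index or key into a server-side table of URLs instead of the URL itself.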