Web Application Attacks – Types, Impact & Mitigation – Part-4

https://gbhackers.com/web-application-attacks-part4/

In this post we continue our survey of common web application attacks, their impact, and possible mitigations. Part 4 covers the following attacks:

Clickjacking
Strict Transport Security not implemented
Failure to restrict URL access
Parameter Manipulation
URL Redirection

Web Application Attacks

Clickjacking

Clickjacking is an attack that tricks a user into clicking a web page element that is invisible or disguised as another element. In practice the attacker loads the target site in a transparent frame on a page they control and positions it so that the user's click, which appears to land on a harmless button or link, is actually delivered to the framed page.

Impact

A typical variant overlays a copy of a login and password form so that credentials are captured. An attacker may also redirect the clicks to download malware, or to trigger actions inside the victim's authenticated session on the framed site.

Mitigation

The X-Frame-Options response header gives the site owner control over whether the page may be loaded in a frame or object. Framing by any site can be forbidden with the deny directive:

X-Frame-Options: deny

Framing can be limited to the same origin as the site with the sameorigin directive:

X-Frame-Options: sameorigin

Content Security Policy (CSP) is a detection and prevention mechanism that also mitigates clickjacking; its frame-ancestors directive supersedes X-Frame-Options in current browsers and accepts a list of permitted origins rather than only deny or sameorigin. Sending both headers covers old and new browsers, and the header must be present on every response, not only on the login page.

Strict Transport Security not implemented

This issue arises when the application fails to prevent users from connecting to it over unencrypted connections. HTTP Strict Transport Security (HSTS) is a security policy, announced by the web server in a response header, that instructs browsers to interact with the site only over secure (HTTPS) connections.

Impact

To exploit this weakness an attacker needs to be positioned to intercept and modify the victim's network traffic. The attacker can then manipulate pages in the unsecured part of the application, or change redirection targets so that the switch to the secured page is never performed, or is performed in a way that keeps the attacker between client and server.

Mitigation

Enable HSTS by including a response header named Strict-Transport-Security with the value max-age=expireTime, where expireTime is the time in seconds for which browsers must remember that the site is only to be accessed over HTTPS:

Strict-Transport-Security: max-age=31536000; includeSubDomains

Browsers only honour this header when it arrives over HTTPS, so it does not protect the very first plaintext request; the includeSubDomains directive extends the policy to all subdomains of the site.

Failure to restrict URL access

This issue arises when internal pages of the application can be reached without authentication by forceful browsing, that is, by requesting their URLs directly instead of navigating to them through the application.

Impact

An attacker can access and steal sensitive information without any authentication.

Mitigation

Do not serve internal pages without proper authentication and authorization checks performed on the server for every request; hiding a link from the user interface is not a control. Implement strong session management. See CWE-285, Improper Authorization: http://cwe.mitre.org/data/definitions/285.html

Parameter Manipulation

Parameters within the application (query strings, form fields, hidden fields, cookies) can be altered to retrieve information or reach functionality that the current user is not authorized for.

Impact

An attacker can impersonate other users and access their data or perform actions on their behalf.

Mitigation

Implement a server-side mapping of each user to the resources and features that user may access, and check it on every request. Features tied to a privilege level must be available strictly to users of that level, and no other user should be granted access to them. Implement strong session management, and log the user out when parameter tampering is detected.

URL Redirection

This issue arises when an application stores a URL in a parameter and redirects the user to it while they navigate between pages. An attacker can craft a malicious link by changing the URL stored in the parameter to that of a site they control.

Impact

The application becomes a vehicle for phishing: because the link starts on a trusted domain, an attacker can trick users into giving up personal information that is then used for identity theft.

Mitigation

The application should allow redirection only to a whitelist of URLs (or to relative paths on the same site) and fall back to a safe default when the parameter does not match.
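The clickjacking and HSTS mitigations above both come down to response headers, and both are easy to get subtly wrong. The following Python is an added example, not code from the original article: it builds the recommended headers and audits captured responses for the weaknesses described above (no framing protection, the unsupported ALLOW-FROM form, a short max-age, or an HSTS header sent over plain HTTP, which browsers ignore). The three sample responses are constructed for the demonstration.

```python
"""Build and audit anti-clickjacking and HSTS response headers.

Added example (not from the original article). The header names and directives
are the real ones (X-Frame-Options, Content-Security-Policy frame-ancestors,
Strict-Transport-Security); the sample responses below are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

ONE_YEAR = 31536000  # seconds; the max-age the article recommends


def protective_headers(frame_policy: str = "none", hsts_max_age: int = ONE_YEAR,
                       include_subdomains: bool = True) -> dict[str, str]:
    """Return the headers a server should add to every HTTPS response.

    frame_policy is "none" (deny all framing) or "self" (same-origin only).
    Both the legacy X-Frame-Options header and the CSP frame-ancestors
    directive are emitted so that old and new browsers are covered.
    """
    if frame_policy not in ("none", "self"):
        raise ValueError("frame_policy must be 'none' or 'self'")
    hsts = f"max-age={hsts_max_age}"
    if include_subdomains:
        hsts += "; includeSubDomains"
    return {
        "X-Frame-Options": "DENY" if frame_policy == "none" else "SAMEORIGIN",
        "Content-Security-Policy": f"frame-ancestors '{frame_policy}'",
        "Strict-Transport-Security": hsts,
    }


@dataclass
class Response:
    """Minimal stand-in for a captured HTTP response."""
    scheme: str                      # "http" or "https"
    headers: dict[str, str] = field(default_factory=dict)

    def get(self, name: str) -> str | None:
        # HTTP header names are case-insensitive
        for k, v in self.headers.items():
            if k.lower() == name.lower():
                return v
        return None


def audit(resp: Response) -> list[str]:
    """Return a list of findings; an empty list means both controls look right."""
    findings = []

    csp = resp.get("Content-Security-Policy") or ""
    fa = re.search(r"frame-ancestors\s+([^;]+)", csp)
    xfo = (resp.get("X-Frame-Options") or "").strip().upper()

    if fa is None and xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("clickjacking: no frame-ancestors directive and no usable X-Frame-Options")
    if xfo.startswith("ALLOW-FROM"):
        findings.append("clickjacking: X-Frame-Options ALLOW-FROM is not supported by current browsers")
    if fa is not None and ("*" in fa.group(1) or "http:" in fa.group(1)):
        findings.append("clickjacking: frame-ancestors permits arbitrary or plaintext origins")

    hsts = resp.get("Strict-Transport-Security")
    if resp.scheme != "https":
        if hsts is not None:
            findings.append("hsts: header sent over http is ignored by browsers")
        return findings  # HSTS only counts on HTTPS responses, nothing more to check
    if hsts is None:
        findings.append("hsts: Strict-Transport-Security header missing")
        return findings
    m = re.search(r"max-age=(\d+)", hsts)
    if m is None:
        findings.append("hsts: max-age directive missing")
    elif int(m.group(1)) < ONE_YEAR:
        findings.append(f"hsts: max-age {m.group(1)} is shorter than the recommended one year")
    if "includesubdomains" not in hsts.lower():
        findings.append("hsts: includeSubDomains not set; subdomains stay reachable over http")
    return findings


# Constructed sample responses for the audit.
WEAK = Response("https", {"X-Frame-Options": "ALLOW-FROM https://partner.example",
                          "Strict-Transport-Security": "max-age=300"})
PLAINTEXT = Response("http", {"Strict-Transport-Security": "max-age=31536000"})
HARDENED = Response("https", protective_headers())

if __name__ == "__main__":
    for name, r in (("weak", WEAK), ("plaintext", PLAINTEXT), ("hardened", HARDENED)):
        print(name, audit(r) or ["ok"])
```

The audit treats a missing frame-ancestors directive as acceptable only when a usable X-Frame-Options value is present, mirroring what browsers do; when both are sent, frame-ancestors wins in browsers that support CSP.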
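The remaining three issues (failure to restrict URL access, parameter manipulation, and URL redirection) are all failures to validate on the server what the client sends. The following Python is an added example, not code from the original article, showing the three mitigations in one small request handler: every internal page requires a session, account access is checked against a server-side mapping of users to the accounts they own (with the session dropped on tampering, as the article recommends), and the redirect parameter is checked against a whitelist that also rejects scheme-relative and backslash forms that browsers would treat as another host. The users, accounts, session tokens and URL layout are constructed for the demonstration.

```python
"""Server-side access control and redirect whitelisting.

Added example, not taken from the original article. The URL layout (/admin,
/account/<id>, /go?next=...), user records and session tokens are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed data: users and roles, the owner of each account, live sessions.
USERS = {"alice": {"role": "user"}, "bob": {"role": "user"}, "root": {"role": "admin"}}
ACCOUNTS = {"1001": "alice", "1002": "bob"}                    # account id -> owner
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob", "tok-root": "root"}

# The only external destinations the redirect parameter may name.
REDIRECT_HOSTS = {"www.example.com", "help.example.com"}


@dataclass
class Reply:
    status: int
    body: str = ""
    location: str | None = None


def current_user(cookie: str | None) -> str | None:
    """Resolve the session cookie to a username; None means not logged in."""
    return SESSIONS.get(cookie) if cookie else None


def safe_redirect(target: str) -> str:
    """Return target if it is a same-site path or a whitelisted HTTPS URL, else '/'."""
    parts = urlsplit(target)
    if not parts.scheme and not parts.netloc:
        # Same-site path: must be absolute, and not //evil.example or
        # /\evil.example, both of which browsers resolve to another host.
        if target.startswith("/") and target[1:2] not in ("/", "\\"):
            return target
        return "/"
    # Absolute URL: hostname (not the raw netloc, which may carry user@) must match.
    if parts.scheme == "https" and parts.hostname in REDIRECT_HOSTS:
        return target
    return "/"


def handle(path: str, query: dict[str, str], cookie: str | None = None) -> Reply:
    """Route a request, enforcing authentication and authorization on the server."""
    if path == "/go":
        # Redirect endpoint is reachable before login; only the target is checked.
        return Reply(302, location=safe_redirect(query.get("next", "/")))

    user = current_user(cookie)
    if user is None:
        # Every internal page below requires a session: no forceful browsing.
        return Reply(302, location="/login")

    if path == "/admin":
        if USERS[user]["role"] != "admin":
            return Reply(403, "admin role required")
        return Reply(200, "admin console")

    if path.startswith("/account/"):
        acct = path.rsplit("/", 1)[1]
        owner = ACCOUNTS.get(acct)
        if owner is None:
            return Reply(404, "no such account")
        if owner != user:
            # Parameter tampering: the id is not one this user owns. Refuse and
            # terminate the session, as the article recommends.
            SESSIONS.pop(cookie, None)
            return Reply(403, "not your account; session terminated")
        return Reply(200, f"account {acct} of {user}")

    return Reply(404, "not found")


if __name__ == "__main__":
    print(handle("/account/1001", {}))                         # 302 -> /login
    print(handle("/admin", {}, "tok-bob"))                     # 403
    print(handle("/go", {"next": "//evil.example/"}))          # 302 -> /
    print(handle("/account/1002", {}, "tok-alice"))            # 403, session dropped
```

The ownership check is the server-side mapping the article asks for: the account id in the URL is never trusted on its own, it is looked up and compared with the authenticated user. The redirect check deliberately compares `parts.hostname` rather than the raw string, so that a URL such as https://www.example.com@evil.example/ is rejected even though it begins with a whitelisted name.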