Web Application Attacks – Types, Impact & Mitigation – Part-4


With this article, we list a few of the common web application attacks, their impact, and possible mitigations. In Part-4 we cover the following attacks:

Clickjacking
Strict transport security not enforced
Failure to restrict URL access
Parameter manipulation
URL redirection

Web Application Attacks

Clickjacking

Clickjacking is an attack that tricks a user into clicking a web page element that is invisible or disguised as another element. The attacker tricks the user into clicking what looks like one link while the click actually lands on a different page loaded underneath.

Clickjacking can include mirroring a login and password form on a site. An attacker may also choose to redirect the clicks to download malware or to gain access to important systems.

The X-Frame-Options header gives the website owner control over the use of iframes or objects, so that inclusion of a web page within a frame can be prevented with the deny directive:

X-Frame-Options: deny

Alternatively, framing can be limited to the same origin as the site using the sameorigin directive:

X-Frame-Options: sameorigin

Content Security Policy (CSP) is a detection and prevention mechanism that also offers mitigation against clickjacking.

Strict transport security not enforced

This issue arises when the application fails to prevent users from connecting to it over unencrypted connections. HTTP Strict Transport Security (HSTS) is a security policy implemented on web servers that requires clients to connect to them using only secure (HTTPS) connections.

To exploit this vulnerability, an attacker needs to be suitably positioned to intercept and modify the victim's network traffic. The attacker can manipulate pages in the unsecured area of the application, or change redirection targets, so that the switch to the secured page is never performed, or is performed in a way that leaves the attacker between client and server.

Enable HTTP Strict Transport Security (HSTS) by adding a response header named Strict-Transport-Security with the value max-age=expireTime, where expireTime is the time in seconds that browsers should remember that the site must only be accessed using HTTPS:

Strict-Transport-Security: max-age=31536000; includeSubDomains

Failure to restrict URL access

This issue arises when internal pages of the application can be accessed without authentication by forced browsing: all the internal pages can be requested directly.

An attacker can access and steal sensitive information without any authentication.

It is advised not to serve internal pages without proper authentication and authorization checks. It is also advised to set up strong session management. See http://cwe.mitre.org/data/definitions/285.html.

Parameter manipulation

The parameters within the application can be modified to fetch information that is not permitted or is unauthorized.

An attacker can impersonate other users and access or perform unauthorized activities.

It is recommended to implement server-side mapping of each user to the resources they may access. Functions that apply to a given privilege level must be accessible strictly to users of that level, and no other user should be granted access to them. It is also suggested to implement strong session management, and the user should be logged out when parameter manipulation is attempted.

URL redirection

This issue arises when an application stores a URL in a parameter while allowing the user to navigate between pages. This may allow an attacker to craft a malicious URL by changing the URL stored in the parameter to that of a malicious website.

The application is then vulnerable to a phishing attack: an attacker can trick users into surrendering personal information that is later used for identity theft.

The application must allow redirection only to a white list of URLs.
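As an added example (not code from the original article), the following Python function implements the URL redirection mitigation described above: a redirect target is accepted only if it is a path inside the application or an absolute URL whose scheme and host are on an allow list. The host names and the default landing page are constructed values.

```python
from urllib.parse import urlsplit

# Allow list of hosts the application may redirect to (constructed values).
ALLOWED_HOSTS = {"app.example.com", "sso.example.com"}
ALLOWED_SCHEMES = {"https"}
DEFAULT_TARGET = "/home"  # safe fallback when the target is rejected


def safe_redirect_target(raw: str) -> str:
    """Return `raw` if it is an acceptable redirect target, else DEFAULT_TARGET.

    Relative paths inside the application are accepted. Absolute URLs are
    accepted only when both scheme and host are on the allow lists.
    """
    if not raw:
        return DEFAULT_TARGET
    # Browsers treat a backslash like a forward slash in http(s) URLs, so
    # "/\evil.example" becomes the scheme-relative "//evil.example". Normalise
    # first so the check sees what the browser will see.
    candidate = raw.replace("\\", "/")
    # Whitespace and control characters can hide a scheme from naive checks.
    if " " in candidate or not candidate.isprintable():
        return DEFAULT_TARGET
    parts = urlsplit(candidate)
    if parts.scheme == "" and parts.netloc == "":
        # Relative URL: require exactly one leading "/" so that a
        # scheme-relative "//host" is never treated as an application path.
        if candidate.startswith("/") and not candidate.startswith("//"):
            return candidate
        return DEFAULT_TARGET
    # Absolute (or scheme-relative) URL: scheme must be allowed, and the host
    # must match exactly. `hostname` is lower-cased and has userinfo and port
    # stripped, so "https://app.example.com@evil.example" resolves to
    # "evil.example" and is rejected.
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return DEFAULT_TARGET
    if parts.hostname is None or parts.hostname not in ALLOWED_HOSTS:
        return DEFAULT_TARGET
    try:
        port = parts.port  # raises ValueError for a non-numeric port
    except ValueError:
        return DEFAULT_TARGET
    if parts.username is not None or port not in (None, 443):
        return DEFAULT_TARGET
    return candidate
```

Call `safe_redirect_target()` on the value of the redirect parameter and issue the redirect to its return value, never to the raw parameter.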