Web Application Attacks – Types, Impact & Mitigation – Part-4


With this short article, we list some common web application attacks, their impact, and possible mitigations. In Part-4 we cover the following attacks.

Web Application Attacks

Clickjacking
Strict transport security not enforced
Failure to restrict URL access
Parameter manipulation
URL redirection
Clickjacking

Clickjacking is an attack that tricks a user into clicking a web page element that is invisible or disguised as another element. The attacker loads the target site in a transparent iframe layered over (or under) a decoy page, so a click the user believes goes to the decoy actually lands on a control in the framed site, for example a "confirm", "transfer" or "follow" button, and is executed with the victim's own authenticated session. Clickjacking can also involve overlaying a fake login and password form on a site, and an attacker might redirect the clicks to download malware or to gain access to sensitive systems.

Impact: the victim unknowingly performs actions on the target site under their own identity, or hands credentials to the attacker.

Mitigation: the X-Frame-Options response header gives the site owner control over the use of iframes or objects, so that inclusion of a web page within a frame can be refused with the deny directive:

X-Frame-Options: deny

Alternatively, framing can be restricted to the same origin as the website using the sameorigin directive:

X-Frame-Options: sameorigin

Content Security Policy (CSP) is a detection and prevention mechanism that also provides mitigation against clickjacking, through its frame-ancestors directive. Browsers that understand frame-ancestors give it precedence over X-Frame-Options, so send both: CSP for modern browsers, X-Frame-Options for older ones. Whichever header is used, it must be present on every response that renders a sensitive page, not only on the landing page.
Strict transport security not enforced

This issue arises when the application fails to prevent users from connecting to it over unencrypted connections. HTTP Strict Transport Security (HSTS) is a security policy mechanism implemented by web servers to declare that browsers must communicate with them using only secure (HTTPS) connections.

To exploit this weakness, an attacker needs to be suitably positioned to intercept and modify the victim's network traffic, for example on the same wireless network. The attacker can then manipulate pages in the unencrypted part of the application, or change redirection targets so that the switch to the protected (HTTPS) page is never carried out, or is carried out in a way that leaves the attacker between client and server (SSL stripping).

Impact: credentials, session cookies and other sensitive data can be read or modified in transit.

Mitigation: enable HTTP Strict Transport Security (HSTS) by adding a response header named Strict-Transport-Security with the value max-age=expireTime, where expireTime is the time in seconds that browsers should remember that the site is only to be accessed over HTTPS. A common value is one year, and the includeSubDomains directive extends the policy to all subdomains:

Strict-Transport-Security: max-age=31536000; includeSubDomains

Two caveats: browsers only honour the header when it arrives over HTTPS, so the plain-HTTP endpoint should still redirect to HTTPS rather than serve content, and a browser that has never seen the policy is unprotected on its very first request (the browser vendors' HSTS preload list exists to close that gap).
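The anti-framing and HSTS headers above are easy to get subtly wrong (a CSP frame-ancestors directive silently overrides X-Frame-Options, a max-age of a few minutes offers little protection, and HSTS sent over plain HTTP is ignored). The following is an added example, not code from the original article: a small Python audit that inspects a response's headers and reports what framing the page permits and how strong its HSTS policy is. The header sets at the bottom are constructed for illustration.

```python
"""Audit anti-clickjacking and HSTS response headers (added example, constructed data)."""
from typing import Dict, Optional

ONE_YEAR = 31536000  # seconds; a widely recommended minimum max-age


def parse_directives(value: str) -> Dict[str, Optional[str]]:
    """Split 'max-age=31536000; includeSubDomains' into lower-cased name -> value (or None)."""
    out: Dict[str, Optional[str]] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        out[name.strip().lower()] = val.strip().strip('"') or None
    return out


def framing_policy(headers: Dict[str, str]) -> str:
    """Return 'blocked', 'same-origin', 'restricted' or 'allowed'.

    CSP frame-ancestors, when present, takes precedence over X-Frame-Options,
    which mirrors what browsers that understand CSP Level 2 do.
    """
    h = {k.lower(): v for k, v in headers.items()}
    csp = h.get("content-security-policy")
    if csp:
        for directive in csp.split(";"):
            tokens = directive.strip().split()
            if tokens and tokens[0].lower() == "frame-ancestors":
                sources = [t.lower() for t in tokens[1:]]
                if sources == ["'none'"]:
                    return "blocked"
                if sources == ["'self'"]:
                    return "same-origin"
                if "*" in sources:  # a bare wildcard permits any origin
                    return "allowed"
                return "restricted"  # an explicit allow-list of framing origins
    xfo = h.get("x-frame-options", "").strip().lower()
    if xfo == "deny":
        return "blocked"
    if xfo == "sameorigin":
        return "same-origin"
    return "allowed"  # no usable header: any site may frame the page


def hsts_status(headers: Dict[str, str], served_over_https: bool = True) -> str:
    """Grade the Strict-Transport-Security header of a response."""
    h = {k.lower(): v for k, v in headers.items()}
    value = h.get("strict-transport-security")
    if value is None:
        return "missing"
    if not served_over_https:
        return "ignored"  # browsers discard HSTS received over plain HTTP
    d = parse_directives(value)
    max_age = d.get("max-age")
    if max_age is None or not max_age.isdigit():
        return "invalid"
    age = int(max_age)
    if age == 0:
        return "disabled"  # max-age=0 tells the browser to forget the policy
    if age < ONE_YEAR:
        return "weak"
    if "includesubdomains" not in d:
        return "ok-no-subdomains"
    return "ok"


# Constructed header sets: a weak configuration beside a hardened one.
WEAK_HEADERS = {"Strict-Transport-Security": "max-age=300"}
STRONG_HEADERS = {
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
}

if __name__ == "__main__":
    for name, hdrs in (("weak", WEAK_HEADERS), ("strong", STRONG_HEADERS)):
        print(name, "framing:", framing_policy(hdrs), "hsts:", hsts_status(hdrs))
```

Note that the "strong" set reports same-origin framing even though X-Frame-Options says DENY: the CSP directive wins, which is exactly the kind of mismatch a scanner should flag.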
Parameter manipulation

Parameter manipulation occurs when parameters within the application (query strings, form fields, hidden fields, cookies) can be changed to fetch data, or invoke functions, that the user is not permitted to access, for example by changing an account or record identifier in a request to that of another user.

Impact: an attacker can impersonate other users and access their data or perform unauthorised activities on their behalf.

Mitigation: perform server-side mapping of the authenticated user to the resources and functions they may access, and never rely on client-supplied identifiers alone. Data belonging to one user must not be granted to any other user, and functions that apply to different privilege levels must be available strictly to users of those levels. It is also advised to implement strong session management and to log the user out when parameter tampering is detected.

Failure to restrict URL access

This issue arises when internal pages of the application can be accessed without authentication by forceful browsing, that is, by guessing or directly requesting URLs that the normal user interface never links to. All such internal pages can then be accessed directly.

Impact: an attacker can access and steal sensitive information without any authentication.

Mitigation: do not serve internal pages without proper authentication and authorization checks on every request (hiding a link is not a control), and configure strong session management. See CWE-285, Improper Authorization: http://cwe.mitre.org/data/definitions/285.html
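Parameter manipulation and failure to restrict URL access are two faces of the same defect: the server trusts the request (an identifier, a URL) instead of checking what the authenticated user is actually allowed to do. The following is an added example, not code from the original article: a vulnerable request handler beside a hardened one that applies the mitigations described above (server-side mapping of user to resources, role checks on privileged pages, and session termination on detected tampering). The users, sessions, invoices and paths are constructed for illustration.

```python
"""Parameter manipulation and forceful browsing: vulnerable vs. hardened handler.
Added example with constructed data; not the original article's code."""
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed data: invoices with owners, user roles, and active sessions.
INVOICES = {
    101: {"owner": "alice", "amount": 120.0},
    102: {"owner": "bob", "amount": 75.5},
}
ROLES = {"alice": "user", "bob": "user", "carol": "admin"}
SESSIONS = {"s-alice": "alice", "s-bob": "bob", "s-carol": "carol"}


@dataclass
class Request:
    path: str
    params: Dict[str, str]
    session_id: Optional[str] = None


@dataclass
class Response:
    status: int
    body: object = None
    logout: bool = False  # True when the server should terminate the session


def vulnerable_handler(req: Request) -> Response:
    """Trusts the 'id' parameter and serves /admin to anyone who knows the URL."""
    if req.path == "/invoice":
        inv = INVOICES.get(int(req.params["id"]))       # no ownership check
        return Response(200, inv) if inv else Response(404)
    if req.path == "/admin":
        return Response(200, {"users": sorted(ROLES)})   # no authentication at all
    return Response(404)


def hardened_handler(req: Request) -> Response:
    """Authenticate from the session on every request, then authorize server-side."""
    user = SESSIONS.get(req.session_id or "")
    if user is None:
        return Response(401)  # internal pages are never served anonymously
    if req.path == "/invoice":
        try:
            inv_id = int(req.params.get("id", ""))
        except ValueError:
            return Response(400)
        inv = INVOICES.get(inv_id)
        if inv is None:
            return Response(404)
        if inv["owner"] != user:
            # Parameter tampering: deny and end the session, as the article advises.
            # (Some teams return 404 here instead, to avoid confirming the record exists.)
            return Response(403, logout=True)
        return Response(200, inv)
    if req.path == "/admin":
        if ROLES.get(user) != "admin":
            return Response(403)  # privileged function restricted to its level
        return Response(200, {"users": sorted(ROLES)})
    return Response(404)


if __name__ == "__main__":
    tamper = Request("/invoice", {"id": "102"}, "s-alice")   # alice asks for bob's invoice
    browse = Request("/admin", {})                            # anonymous forceful browsing
    for handler in (vulnerable_handler, hardened_handler):
        print(handler.__name__, handler(tamper), handler(browse))
```

The vulnerable handler returns bob's invoice to alice and the user list to an anonymous caller; the hardened one returns 403 with a logout for the tampered identifier and 401 for the unauthenticated admin request.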
URL redirection

This issue arises when an application stores a URL in a parameter (for example a "return URL" or "next page" parameter) while allowing the user to navigate between pages, and then redirects to that URL without validating it. This may allow an attacker to craft a malicious link by altering the URL stored in the parameter to that of a malicious site.

Impact: the application becomes a vehicle for phishing. Because the link the victim clicks begins with the trusted domain, an attacker can trick users into surrendering private details that are then used for identity theft.

Mitigation: the application should allow redirection only to a whitelist of URLs, or to relative paths within the application itself, and should fall back to a safe default rather than attempt to clean up anything that fails the check.
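Checking a redirect parameter against a whitelist is harder than comparing a prefix: protocol-relative URLs (`//evil.com`), backslashes that browsers treat as slashes, `user@host` tricks and non-HTTP schemes all slip past naive string matching. The following is an added example, not code from the original article: a Python validator, built on `urllib.parse`, that only permits relative paths within the site or HTTPS URLs to a whitelisted host and otherwise returns a safe default. The host names and sample parameter values are constructed for illustration.

```python
"""Allow-list validation of a redirect target (added example, constructed hosts)."""
from urllib.parse import urlsplit, urlunsplit

ALLOWED_HOSTS = {"www.example.com", "account.example.com"}  # assumed site hosts
DEFAULT_TARGET = "/"  # safe fallback when the parameter is missing or rejected


def safe_redirect_target(raw: str, allowed_hosts=ALLOWED_HOSTS, default=DEFAULT_TARGET) -> str:
    """Return raw if it is a relative path on this site or an https URL to an
    allow-listed host; otherwise return the safe default."""
    if not raw:
        return default
    # Browsers treat backslashes like slashes, so "/\evil.com" is really "//evil.com".
    candidate = raw.replace("\\", "/")
    parts = urlsplit(candidate)

    if not parts.scheme and not parts.netloc:
        # A path on our own site; reject protocol-relative "//host" and bare names.
        if candidate.startswith("/") and not candidate.startswith("//"):
            return candidate
        return default

    # Absolute URL: https only, no credentials or explicit port in the authority.
    if parts.scheme.lower() != "https":
        return default  # also rejects javascript:, data:, http:
    try:
        port = parts.port
    except ValueError:
        return default  # malformed port such as "host:abc"
    if parts.username is not None or parts.password is not None or port is not None:
        return default  # "https://www.example.com@evil.com/" lands here
    host = (parts.hostname or "").lower()
    if host not in allowed_hosts:
        return default
    # Rebuild from parsed parts so only the vetted components reach the Location header.
    return urlunsplit(("https", host, parts.path or "/", parts.query, ""))


if __name__ == "__main__":
    samples = [
        "/account/settings",
        "//evil.com/",
        "/\\evil.com",
        "https://www.example.com@evil.com/",
        "https://www.example.com/profile?tab=1",
        "javascript:alert(1)",
    ]
    for s in samples:
        print(repr(s), "->", safe_redirect_target(s))
```

Rebuilding the URL from its parsed components, rather than echoing the raw parameter, is what makes the check robust: whatever survives is guaranteed to be an https URL to a known host or a local path, with nothing else smuggled along.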
Read also:

Web Application Attacks – Types, Impact & Mitigation – Part-1
Web Application Attacks – Types, Impact & Mitigation – Part-2
Web Application Attacks – Types, Impact & Mitigation – Part-3