Web Application Attacks – Types, Impact & Mitigation – Part-4

https://gbhackers.com/web-application-attacks-part4/

With this post, we list some of the typical web application attacks, their impact, and possible mitigations. In part 4 we are covering the following attacks:

Web Application Attacks

Click-jacking
Strict transport security not implemented
Failure to restrict URL access
Parameter Manipulation
URL Redirection

Click-jacking

Clickjacking is an attack that tricks a user into clicking a website component that is invisible or disguised as another element. In a clickjacking attack, the attacker tricks the user into clicking one link that actually routes to another page.

Impact

Clickjacking includes mirroring a login and password form on a site. An attacker may also choose to reroute the clicks to download malware or to gain access to critical systems.

Mitigation

The X-Frame-Options header gives the site owner control over the use of iframes or objects, so that inclusion of a web page within a frame can be restricted with the deny directive:

X-Frame-Options: deny

Alternatively, framing can be restricted to the same origin as the site using the sameorigin directive:

X-Frame-Options: sameorigin

Content Security Policy (CSP) is a detection and prevention mechanism that also provides mitigation against clickjacking.

Strict transport security not implemented

This occurs when the application fails to prevent users from connecting to it over unencrypted connections. HTTP Strict Transport Security (HSTS) is a security policy, set by the web server, which instructs browsers to interact with the site using only secure (HTTPS) connections.

Impact

To exploit this vulnerability, an attacker must be suitably positioned to intercept and modify the victim's network traffic. An attacker can then manipulate pages in the unsecured area of the application, or change redirection targets so that the switch to the secured page is not performed, or is performed in a manner that leaves the attacker between client and server.

Mitigation

Enable HTTP Strict Transport Security (HSTS) by adding a response header with the name Strict-Transport-Security and the value max-age=expireTime, where expireTime is the time in seconds that browsers should remember that the site must only be accessed using HTTPS:

Strict-Transport-Security: max-age=31536000; includeSubDomains

Failure to restrict URL access

This occurs when internal pages of the application can be accessed without authentication by forceful browsing: all the internal pages can be reached directly by requesting their URLs.

Impact

An attacker can access and steal sensitive information without any authentication.

Mitigation

It is recommended not to serve internal pages without proper authentication and authorization checks. It is also recommended to configure strong session management. See http://cwe.mitre.org/data/definitions/285.html.

Parameter Manipulation

The parameters within the application can be modified to fetch data that is not allowed or is unauthorized.

Impact

An attacker can impersonate other users and access/perform unauthorized activities.

Mitigation

It is recommended to implement server-side mapping of each user to the resources they may access. Functions applicable to a given privilege level should be accessible strictly to users of that level; no other user should be granted access to them. It is also recommended to implement strong session management, and the user should be logged out when parameter manipulation is attempted.

URL Redirection

This occurs when an application stores a URL in a parameter while allowing the user to navigate between pages. This might allow an attacker to craft a malicious URL by altering the URL stored in the parameter to that of a malicious site.

Impact

The application will therefore be susceptible to a phishing attack. An attacker can trick users into surrendering private information that will then be used for identity theft.

Mitigation

The application should allow redirection only to a whitelist of URLs.
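The whitelist mitigation for URL redirection is easy to get wrong, so here is an added Python example (not from the original article) of a server-side redirect-target validator; the allowlisted hosts and the fallback path are assumed values. Beyond a plain host comparison, it handles the cases a naive check misses: scheme-relative "//host" targets, backslash variants that browsers treat as slashes, userinfo tricks such as "trusted@evil", and non-HTTPS schemes.

```python
from urllib.parse import urlsplit

# Hypothetical allowlist of hosts the application may redirect to (assumed values).
ALLOWED_HOSTS = {"www.example.com", "account.example.com"}
# Where to send the user when the requested target is rejected (assumed value).
FALLBACK = "/"


def is_safe_redirect(target: str) -> bool:
    """Return True only for a local path or an HTTPS URL on an allowlisted host."""
    if not target or any(c in target for c in "\r\n\t"):
        # CR/LF/TAB in a redirect target risks header injection; never pass it on.
        return False

    # Browsers treat a backslash like a forward slash in URLs, so "/\evil.example"
    # is really "//evil.example". Normalise before any prefix checks.
    candidate = target.replace("\\", "/")

    if candidate.startswith("/"):
        # A single leading slash is a same-site path; "//host/..." is
        # scheme-relative and would leave the site, so reject it.
        return not candidate.startswith("//")

    parts = urlsplit(candidate)
    if parts.scheme != "https":
        # Rejects javascript:, data:, http: and schemeless "evil.example/login"
        # (which urlsplit parses as a path with an empty scheme).
        return False

    # .hostname drops userinfo and port, so "https://www.example.com@evil.example"
    # yields "evil.example", and the comparison is made on the real host.
    host = parts.hostname
    if host is None:
        return False
    return host in ALLOWED_HOSTS  # exact match; subdomain look-alikes fail


def safe_redirect_target(target: str) -> str:
    """Return `target` if it passes validation, otherwise the fallback path."""
    return target if is_safe_redirect(target) else FALLBACK
```

Use safe_redirect_target() on the parameter value before emitting the Location header, so a rejected value can never reach the browser.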