Web Application Attacks – Types, Impact & Mitigation – Part-4

https://gbhackers.com/web-application-attacks-part4/

With this article we list a few of the common web application attacks, their effects, and possible mitigations. In Part 4 we cover the following attacks.

Web Application Attacks

Click-jacking
Strict transport security not enforced
Failure to limit URL access
Parameter Manipulation
URL Redirection

Click-jacking

Clickjacking is an attack that tricks a user into clicking a web page element that is invisible or disguised as another element. A common form involves mirroring a login and password form on a site. An attacker may likewise choose to redirect the clicks to download malware or to gain access to critical systems.

Impact

The attacker tricks the user into clicking one link that actually routes to another page.

Mitigation

The X-Frame-Options header gives the website owner control over the use of iframes or objects, so that embedding a web page within a frame can be forbidden with the deny directive:

X-Frame-Options: deny

Alternatively, framing can be restricted to the same origin as the site using the sameorigin directive:

X-Frame-Options: sameorigin

Content Security Policy (CSP) is a detection and prevention mechanism that also offers mitigation against clickjacking.

Strict transport security not enforced

This occurs when the application fails to prevent users from connecting to it over unencrypted connections. HTTP Strict Transport Security (HSTS) is a security policy implemented in web servers that instructs browsers to interact with the server using only secure (HTTPS) connections.

Impact

To exploit this vulnerability, an attacker must be suitably positioned to intercept and modify the victim's network traffic. The attacker can manipulate pages in the unsecured area of the application, or change redirection targets, in such a way that the switch to the secured page is never made or is performed in a way that leaves the attacker between client and server.

Mitigation

Enable HTTP Strict Transport Security (HSTS) by including a response header with the name Strict-Transport-Security and the value max-age=expireTime, where expireTime is the time in seconds that browsers should remember that the website must only be accessed using HTTPS. For example:

Strict-Transport-Security: max-age=31536000; includeSubDomains

Failure to limit URL access

This occurs when internal pages of the application can be accessed without authentication by forceful browsing. All the internal pages might be accessed directly.

Impact

An attacker can access and steal sensitive information without any authentication.

Mitigation

It is recommended not to serve internal pages without appropriate authentication and authorization checks. It is likewise recommended to implement strong session management. See http://cwe.mitre.org/data/definitions/285.html

Parameter Manipulation

The parameters within the application can be modified to fetch information that is not allowed or is unauthorized.

Impact

An attacker can impersonate other users and access/perform unauthorized activities.

Mitigation

It is suggested to implement server-side mapping of a user to access rights. Functions appropriate to a given privilege level should be available strictly to users of that level; no other user should be given access to them. It is also recommended to implement strong session management, and the user should be logged out when parameter manipulation is attempted.

URL Redirection

This occurs when an application stores a URL in a parameter while allowing the user to navigate between pages. This might enable an attacker to craft a harmful URL by altering the URL stored in the parameter to that of a malicious website.

Impact

Hence the application will be vulnerable to a phishing attack. An attacker can scam users into surrendering private details that will be used for identity theft.

Mitigation

The application should allow redirection only to a whitelist of URLs.
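The URL Redirection mitigation says to allow redirection only to a whitelist of URLs. The following is an added example of such a check, not code from the original article: a validator that accepts a stored "next" value only if it is a same-site path or an https URL whose host is on an allowlist, and falls back to a safe default otherwise. The allowlist (www.example.com, example.com), the https-only rule and the default target are assumptions made for the example.

```python
"""Allowlist-based validation of a redirect target stored in a request
parameter. Added example for this article, not the article's own code."""
from typing import Optional
from urllib.parse import urlsplit

# Assumed allowlist and fallback for the example; a real deployment
# would load these from configuration.
ALLOWED_HOSTS = {"www.example.com", "example.com"}
DEFAULT_TARGET = "/"


def safe_redirect_target(candidate: Optional[str]) -> str:
    """Return candidate if it is a relative path on this site or an https
    URL on an allowlisted host; otherwise return DEFAULT_TARGET."""
    if not candidate:
        return DEFAULT_TARGET
    candidate = candidate.strip()

    # Browsers treat a backslash like a slash and strip some control
    # characters before parsing, so '/\evil.example' or '/\t/evil.example'
    # can end up as '//evil.example'. Reject such input outright rather
    # than trying to normalise it.
    if any(c == "\\" or ord(c) < 0x20 or c == "\x7f" for c in candidate):
        return DEFAULT_TARGET

    try:
        parts = urlsplit(candidate)
    except ValueError:  # e.g. malformed IPv6 literal
        return DEFAULT_TARGET

    if parts.scheme == "" and parts.netloc == "":
        # A site-relative path must start with exactly one slash;
        # '//host/path' is protocol-relative and would leave the site.
        if candidate.startswith("/") and not candidate.startswith("//"):
            return candidate
        return DEFAULT_TARGET

    # Absolute URL: require https (assumed policy) and an allowlisted host.
    if parts.scheme != "https":
        return DEFAULT_TARGET
    # 'https://www.example.com@evil.example/' puts the trusted name in the
    # userinfo part; the real host is evil.example, so refuse any userinfo.
    if parts.username is not None or parts.password is not None:
        return DEFAULT_TARGET
    host = (parts.hostname or "").lower()
    if host not in ALLOWED_HOSTS:
        return DEFAULT_TARGET
    return candidate


if __name__ == "__main__":
    # Constructed inputs mixing legitimate and hostile redirect values
    for value in ["/dashboard", "https://www.example.com/account",
                  "//evil.example/x", "https://www.example.com@evil.example/",
                  "javascript:alert(1)", "/\\evil.example"]:
        print(f"{value!r:45} -> {safe_redirect_target(value)!r}")
```

The check is deliberately a whitelist: anything the parser cannot classify as clearly safe is replaced by the default target rather than passed through. The `urlsplit` call is used only to classify the input; the original string is returned unchanged so that no normalisation step can turn a rejected value into an accepted one.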
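The Click-jacking and HSTS mitigations both come down to response headers, and the practical question for a defender is whether a given application actually sends them with sound values. The following is an added example, not code from the article: a small audit over a captured raw HTTP response that checks for X-Frame-Options deny/sameorigin (or a CSP frame-ancestors directive) and for a Strict-Transport-Security header with a numeric max-age and includeSubDomains. The one-year minimum for max-age is an assumption chosen to match the article's sample header, and the two sample responses are constructed for the demonstration.

```python
"""Audit a raw HTTP response for anti-framing and HSTS headers.
Added example for this article; not code from the original post.
Thresholds are assumptions: one year of max-age is treated as the minimum."""
from typing import Dict, List

ONE_YEAR = 31536000  # assumed minimum HSTS max-age (the article's sample value)


def parse_headers(raw_response: str) -> Dict[str, List[str]]:
    """Parse the header block of a raw HTTP/1.x response into a map of
    lower-cased header name -> list of values (a header may be repeated)."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    headers: Dict[str, List[str]] = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def hsts_directives(value: str) -> Dict[str, str]:
    """Split 'max-age=31536000; includeSubDomains' into
    {'max-age': '31536000', 'includesubdomains': ''}; names are case-insensitive."""
    out: Dict[str, str] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        out[name.strip().lower()] = val.strip().strip('"')
    return out


def audit(raw_response: str, over_https: bool = True) -> List[str]:
    """Return a list of findings; an empty list means both controls look sound."""
    findings: List[str] = []
    h = parse_headers(raw_response)

    # Framing control: X-Frame-Options deny/sameorigin, or CSP frame-ancestors
    xfo = [v.lower() for v in h.get("x-frame-options", [])]
    csp = " ".join(h.get("content-security-policy", [])).lower()
    if not xfo and "frame-ancestors" not in csp:
        findings.append("no X-Frame-Options and no CSP frame-ancestors: page can be framed (clickjacking)")
    elif xfo and xfo[0] not in ("deny", "sameorigin"):
        findings.append(f"X-Frame-Options value {xfo[0]!r} is not deny or sameorigin")
    if len(xfo) > 1:
        findings.append("X-Frame-Options sent more than once; send a single value")

    # HSTS: header present, numeric max-age, long enough, covering subdomains
    sts = h.get("strict-transport-security", [])
    if not sts:
        findings.append("Strict-Transport-Security header missing")
    else:
        d = hsts_directives(sts[0])
        age = d.get("max-age", "")
        if not age.isdigit():
            findings.append("HSTS max-age missing or not numeric")
        else:
            if int(age) == 0:
                findings.append("HSTS max-age=0 tells browsers to drop the policy")
            elif int(age) < ONE_YEAR:
                findings.append(f"HSTS max-age={age} is below one year")
            if "includesubdomains" not in d:
                findings.append("HSTS lacks includeSubDomains")
        if not over_https:
            # Browsers only honour HSTS when the header arrives over HTTPS
            findings.append("HSTS header received over plain HTTP is ignored by browsers")
    return findings


# Constructed sample responses for the demonstration
GOOD_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "X-Frame-Options: DENY\r\n"
    "Content-Security-Policy: frame-ancestors 'none'\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "\r\n<html>ok</html>"
)
BAD_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=300\r\n"
    "\r\n<html>weak</html>"
)

if __name__ == "__main__":
    for label, resp in (("good", GOOD_RESPONSE), ("bad", BAD_RESPONSE)):
        print(label, audit(resp) or "no findings")
```

Point `audit` at a response captured from the application's own HTTPS endpoint; when auditing a plain-HTTP capture, pass `over_https=False` so the report notes that any HSTS header seen there is not acted on by browsers.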
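The Failure to limit URL access and Parameter Manipulation mitigations both ask for a server-side mapping from the authenticated user to what they may reach: internal routes must require a session, privileged routes must require the right role, and an object identifier taken from the request must be checked against the caller rather than trusted. The following is an added example illustrating all three checks with a toy dispatcher; it is not code from the article or from any web framework. The session store, the roles "user" and "admin", the routes and the account data are constructed for the demonstration, and the session termination on a manipulation attempt follows the article's recommendation.

```python
"""Server-side access control: route-level authentication and role checks
plus an object-level ownership check on a request parameter.
Added example for this article, not the article's own code."""
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import parse_qs, urlsplit


@dataclass
class User:
    user_id: int
    role: str  # constructed roles: "user" or "admin"


# Constructed session store and account data (stand-ins for a real backend)
SESSIONS: Dict[str, User] = {
    "sess-alice": User(101, "user"),
    "sess-bob": User(102, "user"),
    "sess-root": User(1, "admin"),
}
ACCOUNTS: Dict[int, str] = {101: "alice: balance 40", 102: "bob: balance 75"}
ROLE_RANK = {"user": 1, "admin": 2}

Response = Tuple[int, str]


def account_view(user: User, params: Dict[str, list], session_id: str) -> Response:
    """Object-level check: the 'id' parameter must belong to the caller,
    whatever value the client placed in the URL."""
    try:
        requested = int(params.get("id", [""])[0])
    except ValueError:
        return 400, "bad id"
    if requested != user.user_id:
        # Article's recommendation: log the user out on a manipulation attempt
        SESSIONS.pop(session_id, None)
        return 403, "forbidden; session terminated"
    return 200, ACCOUNTS.get(requested, "no such account")


def admin_view(user: Optional[User], params: Dict[str, list], session_id: str) -> Response:
    return 200, "admin panel"


def public_view(user: Optional[User], params: Dict[str, list], session_id: str) -> Response:
    return 200, "welcome"


# Route table: path -> (handler, minimum role; None means no login required)
ROUTES: Dict[str, Tuple[Callable[..., Response], Optional[str]]] = {
    "/": (public_view, None),
    "/account": (account_view, "user"),
    "/admin": (admin_view, "admin"),
}


def dispatch(url: str, session_id: Optional[str]) -> Response:
    """Resolve the route, enforce authentication and role, then call the handler."""
    parts = urlsplit(url)
    route = ROUTES.get(parts.path)
    if route is None:
        return 404, "not found"
    handler, required = route
    user = SESSIONS.get(session_id) if session_id else None
    if required is not None:
        if user is None:
            return 401, "login required"  # forceful browsing to an internal page
        if ROLE_RANK[user.role] < ROLE_RANK[required]:
            return 403, "forbidden"  # authenticated but not privileged enough
    return handler(user, parse_qs(parts.query), session_id or "")


if __name__ == "__main__":
    for url, sid in [("/account?id=101", None), ("/account?id=101", "sess-alice"),
                     ("/admin", "sess-bob"), ("/account?id=101", "sess-bob"),
                     ("/account?id=102", "sess-bob")]:
        print(f"{url:22} {str(sid):12} -> {dispatch(url, sid)}")
```

The ownership decision in `account_view` is made against the session's user record, never against anything the client sent, which is what "server-side mapping of a user to access rights" means in practice. Because the check also removes the session, a second request from the same session after a manipulation attempt is treated as unauthenticated.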