Web Application Attacks – Types, Impact & Mitigation – Part-4


With this post, we list some of the typical web application attacks, their impact, and possible mitigations. In Part-4 we are covering the following attacks:

Clickjacking
Strict transport security not implemented
Failure to restrict URL access
Parameter manipulation
URL redirection

Web Application Attacks

Clickjacking

Description: Clickjacking is an attack that tricks a user into clicking a web page element that is invisible or disguised as another element. The attacker tricks the user into clicking what looks like one link while the click actually goes to another page.

Impact: Clickjacking can be used to hijack a login and password form on a site. An attacker might also choose to redirect the clicks to download malware or to gain access to critical systems.

Mitigation: The X-Frame-Options response header gives the site owner control over the use of iframes or objects, so that inclusion of a web page within a frame can be prohibited with the deny directive:

X-Frame-Options: deny

Framing can instead be restricted to the same origin as the site using the sameorigin directive:

X-Frame-Options: sameorigin

Content Security Policy (CSP) is a detection and prevention mechanism that also offers mitigation against clickjacking.

Strict transport security not implemented

Description: This weakness exists when the application fails to prevent users from connecting to it over unencrypted connections. HTTP Strict Transport Security (HSTS) is a security policy implemented by web servers that instructs browsers to communicate with the site using only secure (HTTPS) connections.

Impact: To exploit this vulnerability, an attacker needs to be suitably positioned to intercept and modify the victim's network traffic. The attacker can then manipulate pages in the unsecured area of the application or change redirection targets, so that the switch to the secured page is not performed, or is performed in a way that leaves the attacker between client and server.

Mitigation: Enable HTTP Strict Transport Security (HSTS) by including a response header with the name Strict-Transport-Security and the value max-age=expireTime, where expireTime is the time in seconds for which browsers should remember that the site must only be accessed over HTTPS:

Strict-Transport-Security: max-age=31536000; includeSubDomains

Failure to restrict URL access

Description: This weakness exists when internal pages of the application can be accessed without authentication by forceful browsing, i.e. all the internal pages can be reached directly by URL.

Impact: An attacker can access and steal sensitive information without any authentication.

Mitigation: It is recommended not to serve internal pages without proper authentication and authorization checks. It is also recommended to implement strong session management. See http://cwe.mitre.org/data/definitions/285.html.

Parameter manipulation

Description: The parameters within the application can be modified to fetch information that is not permitted or that the user is not authorized to see.

Impact: An attacker can impersonate other users and access or perform unauthorized activities.

Mitigation: It is recommended to implement a server-side mapping of each user to the resources they may access. Features relevant to a given privilege level should be accessible strictly to users of that level; no other user should be granted access to them. It is also recommended to implement strong session management, and a user's session should be terminated when parameter tampering is detected.

URL redirection

Description: This weakness exists when an application stores a URL in a parameter while allowing the user to navigate between pages.

Impact: This may allow an attacker to craft a malicious URL by altering the URL stored in the parameter to that of a malicious website. The application is therefore vulnerable to a phishing attack: an attacker can trick users into giving up personal information that is then used for identity theft.

Mitigation: The application should allow redirection only to a whitelist of URLs.

Previous posts in this series: Web Application Attacks – Types, Impact & Mitigation – Part-1, Part-2 and Part-3.
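The two mitigations above that need application logic rather than a header, the redirect whitelist and the server-side mapping of users to the pages they may reach, as an added Python example (not code from the original post). The allowed hosts and the route-to-role map are constructed for the example; the redirect check also refuses the scheme-relative, userinfo and backslash forms that a naive hostname comparison lets through.

```python
import posixpath
from urllib.parse import urlsplit

# Constructed allow-list of external https hosts a redirect may go to.
ALLOWED_REDIRECT_HOSTS = {"app.example.com", "sso.example.com"}

# Constructed server-side map of path prefix -> roles that may reach it, so
# access never depends on a client-supplied parameter; "/" is the public area.
ROUTE_ROLES = {"/admin": {"admin"}, "/account": {"admin", "user"},
               "/": {"anonymous", "user", "admin"}}


def safe_redirect_target(candidate, fallback="/home"):
    """Return candidate only if it is a local path or an allowed https host.

    Other hosts, non-https schemes, scheme-relative "//host" forms, backslash
    or control-character tricks and unparsable input all yield fallback.
    """
    if not candidate or "\\" in candidate or any(ord(c) < 0x21 for c in candidate):
        return fallback
    try:
        parts = urlsplit(candidate)
    except ValueError:
        return fallback
    if parts.scheme == "" and parts.netloc == "":
        # Local path such as "/account". urlsplit already moved "//host" into
        # netloc, but "///host" stays in path and must be refused here.
        if candidate.startswith("/") and not candidate.startswith("//"):
            return candidate
        return fallback
    # urlsplit lower-cases scheme and hostname and strips "user@", so a
    # "https://app.example.com@evil.example/" target is checked as evil.example.
    if parts.scheme != "https" or parts.hostname not in ALLOWED_REDIRECT_HOSTS:
        return fallback
    return candidate


def is_authorized(path, user_roles):
    """Longest-prefix lookup in ROUTE_ROLES; anything unmapped is denied."""
    path = posixpath.normpath("/" + path.lstrip("/"))  # collapse ".." and "//"
    matches = [p for p in ROUTE_ROLES
               if path == p or path.startswith(p.rstrip("/") + "/")]
    if not matches:
        return False
    return bool(set(user_roles) & ROUTE_ROLES[max(matches, key=len)])
```

A request handler would call safe_redirect_target on the stored URL before issuing the redirect, and is_authorized with the roles taken from the server-side session, never from a request parameter.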