Web Application Attacks – Types, Impact & Mitigation – Part-4


With this post, we note some of the typical web application attacks, their impact, and possible mitigation. In Part 4 we are covering the following attacks:

Clickjacking
Strict transport security not enforced
Failure to restrict URL access
Parameter Manipulation
URL Redirection

Web Application Attacks

Clickjacking

Description: Clickjacking is an attack that tricks a user into clicking a web page element that is invisible or disguised as another element. The attacker tricks the user into clicking what appears to be one link while the click actually goes to a different page.

Impact: A typical clickjacking attack mirrors a login and password form on a website. An attacker may also choose to redirect the clicks to download malware or to gain access to important systems.

Mitigation: The X-Frame-Options response header gives the site owner control over the use of iframes or objects, so that inclusion of a web page within a frame can be prohibited with the deny directive:

X-Frame-Options: deny

Alternatively, framing can be restricted to the same origin as the site using the sameorigin directive:

X-Frame-Options: sameorigin

Content Security Policy (CSP) is a detection and prevention mechanism that also provides mitigation against clickjacking.

Strict transport security not enforced

Description: Strict transport security is not enforced when the application fails to prevent users from connecting to it over unencrypted connections. HTTP Strict Transport Security (HSTS) is a security policy, implemented on the web server, which instructs browsers to interact with it using only secure (HTTPS) connections.

Impact: To exploit this weakness, an attacker must be suitably positioned to intercept and modify the victim's network traffic. The attacker can then manipulate pages in the unsecured area of the application or change redirection targets so that the switch to the secured page is never performed, or is performed in a way that leaves the attacker between client and server.

Mitigation: Enable HTTP Strict Transport Security (HSTS) by adding a response header with the name Strict-Transport-Security and the value max-age=expireTime, where expireTime is the time in seconds for which browsers must remember that the site is only to be accessed using HTTPS:

Strict-Transport-Security: max-age=31536000; includeSubDomains
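The two header-based mitigations above (X-Frame-Options / CSP frame-ancestors against clickjacking, and Strict-Transport-Security for HSTS) are easy to misconfigure, so the check below audits a response's headers for both. This is an added example written for this post, not code from the original article; the header values it feeds in are constructed, and the one-year minimum for max-age is an assumption taken from the example header above.

```python
"""Audit HTTP response headers for anti-framing (clickjacking) protection
and for an adequate HSTS policy. Added example; inputs are constructed."""
from typing import Dict, List

# Recommended header set (assumption: the deny/CSP pair plus a one-year HSTS).
RECOMMENDED_HEADERS = {
    "X-Frame-Options": "deny",
    "Content-Security-Policy": "frame-ancestors 'none'",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
}


def _parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy value into {directive: [sources]}."""
    policy: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def framing_protection(headers: Dict[str, str]) -> str:
    """Return 'deny', 'sameorigin', 'restricted' or 'none' for a response.

    Browsers that understand CSP frame-ancestors give it precedence over
    X-Frame-Options, so the CSP directive is evaluated first.
    """
    h = {k.lower(): v for k, v in headers.items()}
    ancestors = _parse_csp(h.get("content-security-policy", "")).get("frame-ancestors")
    if ancestors is not None:
        sources = {s.strip("'").lower() for s in ancestors}
        if sources == {"none"}:
            return "deny"
        if sources == {"self"}:
            return "sameorigin"
        if "*" in sources:          # wildcard: any site may frame the page
            return "none"
        return "restricted"         # an explicit list of allowed framers
    xfo = h.get("x-frame-options", "").strip().lower()
    if xfo == "deny":
        return "deny"
    if xfo == "sameorigin":
        return "sameorigin"
    return "none"                   # header missing or unrecognised


def hsts_status(headers: Dict[str, str], min_age: int = 31536000) -> Dict[str, object]:
    """Parse Strict-Transport-Security and judge it against a minimum max-age."""
    h = {k.lower(): v for k, v in headers.items()}
    raw = h.get("strict-transport-security")
    result: Dict[str, object] = {"present": raw is not None, "max_age": None,
                                 "include_subdomains": False, "adequate": False}
    if raw is None:
        return result
    for directive in raw.split(";"):
        name, _, val = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age" and val.strip().isdigit():
            result["max_age"] = int(val)
        elif name == "includesubdomains":
            result["include_subdomains"] = True
    max_age = result["max_age"]
    result["adequate"] = max_age is not None and max_age >= min_age  # type: ignore[operator]
    return result


if __name__ == "__main__":
    print(framing_protection(RECOMMENDED_HEADERS), hsts_status(RECOMMENDED_HEADERS))
```

Run it against the headers an application actually returns (for instance, collected from a test client) and fail the build when framing_protection reports "none" or hsts_status reports an inadequate max-age.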

Failure to restrict URL access

Description: Failure to restrict URL access occurs when internal pages of the application can be reached without authentication by forceful browsing: all the internal pages can be accessed directly by requesting their URLs.

Impact: An attacker can access and steal sensitive information without any authentication.

Mitigation: It is advised not to serve internal pages without appropriate authentication and authorization checks. It is also suggested to configure strong session management. See CWE-285: http://cwe.mitre.org/data/definitions/285.html

Parameter Manipulation

Description: Parameters within the application can be modified to fetch information that is not permitted or is unauthorized.

Impact: An attacker can impersonate other users and access or perform unauthorized activities.

Mitigation: It is advised to implement server-side mapping of each user to the resources they may access. Features suited to a given privilege level should be accessible strictly to users at that level; no other user should be granted access to them. It is also suggested to implement strong session management and to log the user out when parameter manipulation is attempted.
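The two mitigations above come down to the same server-side rule: the request supplies identifiers, the server decides what the session may do with them. The example below is an added illustration written for this post (not the original article's code): a route-level authentication check for internal pages, an object-level ownership check so a manipulated parameter cannot reach another user's record, and session termination on a manipulation attempt. The route table, role names and invoice data are constructed.

```python
"""Server-side access control: route-level authentication plus object-level
ownership checks. Added example with constructed routes and data."""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Session:
    user_id: Optional[int]      # None means anonymous
    role: str = "user"


# Constructed route policy: None = public, otherwise the role required.
ROUTE_POLICY: Dict[str, Optional[str]] = {
    "/": None,
    "/login": None,
    "/account": "user",         # any authenticated user
    "/admin/users": "admin",    # admins only
}

# Constructed data store: invoice id -> owning user id. Ownership lives on
# the server, never in the request.
INVOICE_OWNER: Dict[int, int] = {101: 1, 102: 2}


class AccessDenied(Exception):
    pass


def authorize_route(session: Session, path: str) -> None:
    """Route-level check: unknown, unauthenticated or under-privileged -> deny."""
    if path not in ROUTE_POLICY:
        raise AccessDenied("unknown route")     # deny by default
    required = ROUTE_POLICY[path]
    if required is None:
        return
    if session.user_id is None:
        raise AccessDenied("login required")
    if required == "admin" and session.role != "admin":
        raise AccessDenied("insufficient privilege")


def load_invoice(session: Session, params: Dict[str, str]) -> int:
    """Object-level check: the id comes from the request, the owner from the server."""
    raw = params.get("id", "")
    if not raw.isdigit():
        raise AccessDenied("bad id")
    invoice_id = int(raw)
    owner = INVOICE_OWNER.get(invoice_id)
    if owner is None or owner != session.user_id:
        # Same response for "missing" and "not yours" so ids cannot be enumerated.
        raise AccessDenied("not found")
    return invoice_id


def handle_request(session: Session, path: str, params: Dict[str, str]) -> int:
    """Return the HTTP status the server would send for this request."""
    try:
        authorize_route(session, path)
    except AccessDenied:
        return 401 if session.user_id is None else 403
    if path == "/account":
        try:
            load_invoice(session, params)
        except AccessDenied:
            session.user_id = None          # log the user out, as the mitigation advises
            return 403
    return 200


if __name__ == "__main__":
    alice = Session(1)
    print(handle_request(alice, "/account", {"id": "101"}))   # own record
    print(handle_request(alice, "/account", {"id": "102"}))   # someone else's
```

The ownership lookup is the part that defeats parameter manipulation: changing id=101 to id=102 still routes through INVOICE_OWNER on the server, and the session is discarded on the attempt.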

URL Redirection

Description: URL redirection weaknesses arise when an application stores a URL in a parameter while allowing the user to navigate between pages.

Impact: This may enable an attacker to craft a malicious URL by altering the URL held in the parameter to that of a malicious site. The application is thus susceptible to phishing: an attacker can trick users into surrendering personal details that are then used for identity theft.

Mitigation: The application should allow redirection only to a white list of URLs.
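A white list of redirect targets is only as good as the parsing in front of it, so the example below (added for this post, not the original article's code) resolves the parameter against the site's own origin before comparing the host, which catches scheme-relative targets such as //other.example, backslash variants and non-HTTP schemes. The allowed hosts and default landing page are constructed.

```python
"""Validate a redirect parameter against a white list of hosts.
Added example; the hosts below are constructed."""
from urllib.parse import urljoin, urlsplit

ALLOWED_HOSTS = {"www.example.com", "accounts.example.com"}   # constructed
DEFAULT_TARGET = "https://www.example.com/"                   # constructed


def safe_redirect_target(target: str, current_origin: str = DEFAULT_TARGET) -> str:
    """Return target if it resolves to an allowed host, else the default page.

    Relative paths such as '/home' resolve onto the site's own origin and are
    accepted; anything that resolves elsewhere falls back to DEFAULT_TARGET.
    """
    if not target:
        return DEFAULT_TARGET
    # Browsers treat '\' like '/', so normalise before parsing.
    candidate = target.replace("\\", "/").strip()
    resolved = urljoin(current_origin, candidate)
    parts = urlsplit(resolved)
    if parts.scheme not in ("http", "https"):
        return DEFAULT_TARGET           # javascript:, data:, and similar
    host = (parts.hostname or "").lower()
    if host not in ALLOWED_HOSTS:
        return DEFAULT_TARGET           # includes look-alikes such as www.example.com.other.example
    if parts.username or parts.password:
        return DEFAULT_TARGET           # userinfo tricks like https://www.example.com@other.example
    return resolved


if __name__ == "__main__":
    for t in ["/dashboard", "//other.example/", "javascript:alert(1)"]:
        print(repr(t), "->", safe_redirect_target(t))
```

Use the returned value, never the raw parameter, in the Location header; the fallback to a fixed page keeps the application usable when a stored URL turns out to be unacceptable.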

Other parts of this series:

Web Application Attacks – Types, Impact & Mitigation – Part-1
Web Application Attacks – Types, Impact & Mitigation – Part-2
Web Application Attacks – Types, Impact & Mitigation – Part-3