According to the US Department of Justice, 65% of businesses have been the target of a cybercrime or security attack. Vulnerabilities in web applications are now the largest vector of enterprise security attacks. Last year, almost 55% of the vulnerabilities disclosed affected web applications. (Source: IBM ISS X-Force 2008 Trend & Risk Report)
Many of the exploits affecting sensitive data mention "cross-site scripting," "SQL injection," and "buffer overflow."
The purpose of this blog is to provide an overview of the types of web application vulnerabilities.
Traditional Web Application Vulnerabilities:
Authentication: attacks on the way a website verifies a user's identity
- Brute Force: trial and error to guess a person's login and password
- Insufficient Authentication: an attacker accesses sensitive data without proper authentication
- Weak Password Validation: an attacker illegally obtains a user's password
Authorization: illegal access to applications
- Credential/Session Prediction: a method of hijacking or impersonating a user by guessing or deducing their credentials or session identifier
- Insufficient Authorization: permits access to sensitive content or functionality that should require more access control restrictions
- Insufficient Session Expiration: permits an attacker to reuse old session credentials or session IDs for authorization
- Session Fixation: attackers force a user's session ID to an explicit value
Client-side Attacks: illegal execution of foreign code
- Content Spoofing: tricks a user into believing that the content they are viewing is legitimate and not coming from an outside source
- Cross-site Scripting (XSS): forces a website to echo attacker-supplied executable code, which loads into a user's browser
Command Execution: hijacks control of the web application
- Buffer Overflow: attacker alters the flow of an application by overwriting parts of memory
- Format String Attack: alters the flow of an application by using string formatting library features to access other memory space
- LDAP Injection: attackers exploit web sites by constructing LDAP statements from user-supplied input
- OS Commanding: executes OS commands on a website by manipulating application input
- SQL Injection: constructs illegal SQL statements on a website application from user-supplied input
- SSI Injection: sends code into a web application, which is later executed locally by the web server
- XPath Injection: constructs XPath queries from user-supplied input
Information Disclosure: shows sensitive data to attackers
- Directory Indexing: an automatic directory listing/indexing web server function that shows all files in a requested directory if the normal base file is not present
- Information Leakage: occurs when a website reveals sensitive data such as developer comments or error messages, which may aid an attacker in exploiting the system
- Path Traversal: forces access to files, directories and commands that potentially reside outside the web document root directory
- Predictable Resource Location: uncovers hidden website content and functionality that sits at guessable locations
Logical Attacks: interfere with application usage
- Abuse of Functionality: uses a website's own features and functionality to consume, defraud or circumvent access control mechanisms
- Denial of Service (DoS): prevents a website from serving normal user activity
- Insufficient Anti-Automation: a website permits an attacker to automate a process that should only be performed manually
- Insufficient Process Validation: permits an attacker to bypass or circumvent the intended flow of the application
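Three of the categories above (SQL Injection, Cross-site Scripting and Path Traversal) shown beside their defensive counterparts, as an added Python example that is not part of the original post; the user table, the probe inputs and the document root are constructed for the demonstration.

```python
# Added example (not from the original post): defensive counterparts to three
# of the categories listed above. Inputs and data are constructed.
import html
import os
import sqlite3


def build_demo_db():
    """Constructed in-memory user table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.invalid"),
                      ("bob", "bob@example.invalid")])
    return conn


def lookup_user_unsafe(conn, name):
    """SQL Injection: input is pasted into the statement text, so the database
    parses it as SQL rather than treating it as a value."""
    return conn.execute(f"SELECT name FROM users WHERE name = '{name}'").fetchall()


def lookup_user(conn, name):
    """Hardened form: a bound parameter is always handled as data."""
    return conn.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchall()


def render_comment(text):
    """XSS: HTML-encode user-influenced text before echoing it into a page,
    so the browser displays it instead of executing it."""
    return "<p>" + html.escape(text, quote=True) + "</p>"


def resolve_under_root(root, requested):
    """Path Traversal: canonicalise the path and refuse anything that resolves
    outside the web document root."""
    root = os.path.realpath(root)
    target = os.path.realpath(os.path.join(root, requested))
    if os.path.commonpath([root, target]) != root:
        raise PermissionError(f"{requested!r} escapes the document root")
    return target


if __name__ == "__main__":
    db = build_demo_db()
    probe = "x' OR '1'='1"  # constructed input that is SQL syntax, not a name
    print(lookup_user_unsafe(db, probe))  # every row: the WHERE clause was rewritten
    print(lookup_user(db, probe))         # []: the literal string matched no user
    print(render_comment("<script>alert(1)</script>"))
```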
The most important thing to remember is that the web application space is the most targeted by cyber-attackers. Though there is a tremendous paradigm shift from on-premises applications to web/cloud-based applications, not all web application providers are created equal. You must protect yourself and your organization by verifying that the web application provider holds independent third-party security certifications from accredited organizations.
Additional Resources:
www.owasp.org
www.webappsec.org
Data Sources: US Department of Justice, owasp.org, webappsec.org
Thanks for the article. Indeed, websites today are the window of companies, especially e-commerce sites, and the protection of information and reputation is an important issue.
We used the service of an online website vulnerability scan to scan our website monthly.
The www.gamasec.com service gives us first an updated knowledge of our security problems, especially on the application layer, but also the possibility to add the GamaSec security seal on our website in order to show our customers that we are taking security seriously.
So again thanks for the clarification and examples in your article, and from our side we recommend the use of a website vulnerability scan, as we had a good experience with the one from www.gamasec.com
Posted by: didier | September 16, 2009 at 04:35 AM
Blogs are so interactive; we get lots of information on any topic. Nice job, keep it up!!
Posted by: dissertation examples | July 07, 2009 at 03:28 AM