Web applications are the most widely used applications on the Internet for sharing, distributing and accessing information. The main threats to web applications are as follows:
Broken Access Control – Attackers bypass access control checks and read or modify information in an unauthorized manner.
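An added example (not from the original page) of the most common form of broken access control: a handler that authenticates the caller but never checks whether the caller is allowed to read the specific object requested. The user and document store, the two handler functions and the sample data are constructed for illustration.

```python
"""Broken access control: missing object-level authorization check.

Added example; not part of the original page. The user/document store
and the handler functions are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    role: str          # "user" or "admin"


@dataclass(frozen=True)
class Document:
    doc_id: int
    owner: str
    body: str


# Constructed sample data: two documents belonging to different users.
DOCUMENTS = {
    1: Document(1, "alice", "alice's private notes"),
    2: Document(2, "bob", "bob's private notes"),
}


def get_document_vulnerable(user: User, doc_id: int) -> Document:
    """The caller is authenticated (a User object exists), but nothing
    checks whether this caller may read this document, so any logged-in
    user can read any document simply by changing doc_id."""
    return DOCUMENTS[doc_id]


def get_document_hardened(user: User, doc_id: int) -> Document:
    """Object-level authorization: deny by default, allow only the owner
    or an admin. 'Not found' and 'not yours' produce the same error so the
    response does not reveal which ids exist."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None or not (doc.owner == user.name or user.role == "admin"):
        raise PermissionError("access denied")
    return doc


def can_read(user: User, doc_id: int) -> bool:
    """True if the hardened check allows the read, False otherwise."""
    try:
        get_document_hardened(user, doc_id)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    alice = User("alice", "user")
    print(get_document_vulnerable(alice, 2).body)   # bob's notes leak
    print(can_read(alice, 2))                        # False
```

The fix is not a single "is logged in" gate at the front door; every handler that takes an object identifier re-checks that the authenticated principal is entitled to that object.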
Cryptographic Failures – Cryptography is used to encrypt data. Flawed design and improper implementation of cryptography cause the encryption to fail, which allows attackers to access the information.
Injection – Because inputs are not properly validated, attackers can inject data that leads to unauthorized data access and data manipulation. The main types of injection threats are:
- SQL Injection – The attacker exploits a SQL vulnerability by injecting SQL commands to obtain unauthorized data.
- LDAP Injection – The attacker injects LDAP statements through the web application to the LDAP server to gain unauthorized access and information.
- Cross-Site Scripting (XSS) – The attacker finds a vulnerability in the web application and injects malicious code. When users access the application, the malicious code executes in their browsers, allowing the attacker to access or manipulate data and perform other malicious activities.
- Command Injection – The attacker exploits a vulnerability in the application to inject commands that are executed on the host operating system, in order to perform malicious activities.
Insecure Design – When the web application is designed insecurely, attackers can exploit the design to steal data or perform malicious activities in the application.
Security Misconfiguration – Improper security configuration of the web application allows attackers to exploit it.
Vulnerable and Outdated Components – A web application may use vulnerable or outdated software components whose vulnerabilities can be exploited by attackers.
Identification and Authentication Failures – Due to improper implementation of identification and authentication in the web application, an attacker can bypass them and gain unauthorized access to the application.
Software and Data Integrity Failures – A web application may use software or sub-modules whose integrity is not verified, which makes the application vulnerable to attack.
Security Logging and Monitoring Failures – Without proper monitoring of the web application and its security events, attackers and their malicious activities can go undetected and cannot be stopped.
SSRF (Server-Side Request Forgery) – The attacker exploits a vulnerability in the web application to make the application itself access an internal resource that the attacker cannot reach directly.
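The standard SSRF mitigation is to validate any user-supplied URL before the server fetches it, denying by default. The following added example (not from the original page) implements that check; the host allowlist, the permitted ports and the sample URLs are constructed for illustration.

```python
"""SSRF mitigation: validate a user-supplied URL before the server
fetches it. Added example, not from the original page; the allowlist
and the sample URLs are constructed for illustration.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist: the only hosts this service is meant to fetch from.
ALLOWED_HOSTS = {"images.example.com", "cdn.example.com"}
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}


def is_internal_address(host: str) -> bool:
    """True if host is an IP literal that a server-side fetch must never
    reach: loopback, private, link-local, unspecified, multicast, reserved."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # not an IP literal; the host allowlist decides
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_unspecified or ip.is_multicast or ip.is_reserved)


def validate_outbound_url(url: str) -> str:
    """Deny-by-default check. Returns the URL unchanged if every component
    is acceptable, otherwise raises ValueError with the reason."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    # .hostname strips userinfo and port, so 'allowed.host@10.0.0.5' cannot
    # masquerade as an allowed host.
    host = parts.hostname
    if not host:
        raise ValueError("missing host")
    if is_internal_address(host):
        raise ValueError(f"internal address rejected: {host}")
    if host.lower() not in ALLOWED_HOSTS:
        raise ValueError(f"host not in allowlist: {host}")
    port = parts.port or (443 if scheme == "https" else 80)
    if port not in ALLOWED_PORTS:
        raise ValueError(f"port not allowed: {port}")
    return url


def is_safe_url(url: str) -> bool:
    """Boolean wrapper around validate_outbound_url."""
    try:
        validate_outbound_url(url)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for candidate in ("https://images.example.com/logo.png",
                      "http://127.0.0.1/admin",
                      "https://images.example.com@10.0.0.5/"):
        print(candidate, "->", is_safe_url(candidate))
```

Two caveats apply to any check of this shape. The allowlist is evaluated on the hostname string, so the HTTP client must also refuse a connection if the name resolves to an internal address at connection time (DNS rebinding), and every redirect the fetched server returns must be re-validated with the same function rather than followed automatically.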
CSRF (Cross-Site Request Forgery) – Also known as a One-Click Attack or Session Riding. The attacker exploits the trust that the web application places in the client: the attacker tricks the user into clicking a link that, using the access privileges the user already has in the web application, performs malicious activities in the application on the attacker's behalf.
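Because the browser attaches the session cookie to any request, the application needs something the attacker's page cannot supply. The following added example (not from the original page) shows a synchronizer token bound to the session with an HMAC, verified in constant time, plus an Origin header check; the server secret, session ids and request structure are constructed for illustration.

```python
"""CSRF defence: session-bound synchronizer token plus an Origin check.
Added example, not from the original page; the secret, the session ids
and the request dictionaries are constructed for illustration.
"""
import hashlib
import hmac
import secrets

# Constructed server-side secret; a real deployment loads it from config.
SERVER_SECRET = secrets.token_bytes(32)
SITE_ORIGIN = "https://app.example.com"


def _mac(session_id: str, nonce: str) -> str:
    return hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(),
                    hashlib.sha256).hexdigest()


def issue_csrf_token(session_id: str) -> str:
    """Token = nonce.HMAC(secret, session_id:nonce). The server embeds it in
    the form as a hidden field. A cross-site page cannot read it (same-origin
    policy) and cannot compute it (no secret), so it cannot forge a request
    that carries a valid token for the victim's session."""
    nonce = secrets.token_hex(16)
    return f"{nonce}.{_mac(session_id, nonce)}"


def verify_csrf_token(session_id: str, token: str) -> bool:
    """Recomputes the MAC for this session and compares in constant time.
    A token issued for another session, or a tampered token, fails."""
    try:
        nonce, mac = token.split(".", 1)
    except (ValueError, AttributeError):
        return False
    return hmac.compare_digest(_mac(session_id, nonce), mac)


def is_request_allowed(session_id: str, headers: dict, form: dict) -> bool:
    """Gate for state-changing requests: when an Origin header is present it
    must be the site's own origin, and the form must carry a token that is
    valid for the caller's session."""
    origin = headers.get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return False
    return verify_csrf_token(session_id, form.get("csrf_token", ""))


if __name__ == "__main__":
    sid = "session-abc"
    tok = issue_csrf_token(sid)
    print(is_request_allowed(sid, {"Origin": SITE_ORIGIN}, {"csrf_token": tok}))
    print(is_request_allowed(sid, {"Origin": "https://other.example.net"},
                             {"csrf_token": tok}))
```

Marking the session cookie SameSite=Lax or Strict is a complementary browser-side control; the token check above is what protects clients that do not honour it.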