According to the Verizon 2023 Data Breach Investigations Report, Basic Web Application Attacks accounted for nearly one-fourth of the entire breach data set. Although not the most sophisticated threats in the bunch, common web attacks like credential stuffing and SQL injection attacks continue to wreak havoc on the cybersecurity landscape, just like phishing and emerging AI-based attacks, and for good reason.
The DBIR reports that weak passwords largely play into the success of these low-level attacks, and a study by Keeper indicates that three out of four people still don't use safe password practices. Whatever the reason, these 10 types of web attacks keep rearing their ugly heads and breaching our networks despite many of our sophisticated next-generation tools. While it's good to keep pace with emerging threats today, a well-rounded security posture demands both high and low-level security tools; after all, simple problems often require simple solutions.
The 10 Most Common Web Attacks
1. Cross-Site Scripting
Cross-site scripting (XSS) attacks trick a browser into delivering malicious client-side scripts to the victim's browser, which will automatically execute it once received. This malware can:
- Exfiltrate data
- Install malware
- Redirect the user to a spoofed site
Preventing XSS attacks is as easy as sanitizing your data inputs. Consider denying special characters or symbols to avoid the injection of code. Unchecked, cross-site scripting attacks can lead to session hijacking, form action hijacking, and server-side request forgery attacks.
2. SQL Injection Attacks
SQL injection attacks are one of the most common web attacks of the past ten years and allow attackers to compromise a server's cookies, web forms, or HTTP posts to manipulate data out of the database. They exploit input fields (like those you'd see in an online form) and inject malicious scripts designed to trick the server into providing unauthorized (and yet not protected) sensitive database information.
Preventing SQL injection attacks requires the same stringency for data input and a limited set of functions permissible through SQL commands.
3. Broken Authentication
The Verizon 2022 DBIR states that 67% of data breaches result from compromised credentials. Broken authentication – or any sort of illegitimate login–based access – can be executed in many ways:
- Brute force
- Credential stuffing
- Dictionary attacks
- And more
Preventing broken authentication attacks can be as easy as making a super-secure password or as reliable as switching to tokenized Multi-Factor Authentication (MFA).
4. Drive-By Download
Drive-by downloads occur when a user visits a website and a malicious agent downloads onto the victim's computer automatically. It can happen when the user is downloading something else or upon opening an email, clicking a pop-up window, or merely visiting a page.
Since drive-by attacks take advantage of latent security vulnerabilities in apps, browsers, and operating systems, it's important to keep your environment up to date. Limiting the number of web plug-ins and applications you install also reduces your attack surface.
5. Password-Based Attacks
While these can be part of a 'broken authentication' exploit, they really deserve their own real estate. The list of password-based attacks is varied and wide, including:
- Credential dumping (stealing your RAM to get to your secrets)
- Brute force (systematically guessing the correct password)
- Credential stuffing (using known credentials to log into a series of other accounts)
- Pass the Hash (PtH) techniques (stealing a hashed credential and using it to create a new authenticated session)
Implementing code signing, enforcing strong password requirements, setting up MFA, and operating on the principle of least privilege will reduce the chance of password-based attacks.
6. Fuzzing
Fuzz testing is a type of web attack that works by initially inputting a large amount of random data (fuzz) into an application to get it to crash. The next step is using a fuzzer software tool to identify the weak spots. If there are any loopholes in the target's security, the attacker can further exploit it.
The best way to combat a fuzzing attack is by keeping your security and other applications updated. This is especially true for any security patches that come out with an update that the perpetrators can exploit if you haven't made the update yet.
7. Using Components with Known Vulnerabilities
Today's software is often a composite of many separate parts and rests at the end of a long software supply chain. Hence, a vulnerability or exploit hidden in a downstream dependency or left over from an Open-Source code repository could lead to compromise in the final site.
Many companies are vetting their third-party suppliers for security compliance prior to partnering to avoid this scenario and leaning on code signing, quality control policies, and internal threat detection to prevent (or protect against) vulnerable dependencies that slip through.
8. DDoS (Distributed Denial-of-Service)
DDoS attacks aim to overwhelm the target's web server with requests, making the site unavailable for other visitors. A botnet usually creates a vast number of requests, which are distributed among previously infected computers. Also, these types of web attacks are often used together with other methods; the goal of the former is to distract the security systems while exploiting a vulnerability.
Protecting your site against a DDoS attack is generally multi-faceted:
- First, you need to mitigate the peaked traffic by using a Content Delivery Network (CDN), a load balancer, and scalable resources.
- Secondly, you also need to deploy a Web Application Firewall (WAF) in case the DDoS attack is concealing another cyberattack method, such as an injection or XSS.
9. MiTM (Man-in-the-Middle)
Man-in-the-middle attacks are common among sites that haven't encrypted their data as it travels from the user to the servers (sites using HTTP instead of HTTPS). The perpetrator intercepts the data as it's being transferred between two parties. If the data isn't encrypted, the attacker can easily read personal, login, or other sensitive details that travel between two locations on the Internet.
A straightforward way to mitigate the man-in-the-middle attack is to install a Secure Sockets Layer (SSL) certificate on your site. This certificate encrypts all the information between parties, so the attacker won't easily make sense of it. Typically, most modern hosting providers already feature an SSL certificate with their hosting package.
10. Directory Traversal
Directory (or Path) Traversal attacks target the web root folder to access unauthorized files or directories outside the targeted folder. The attacker tries to inject movement patterns within the server directory to move up in the hierarchy.
A successful path traversal can compromise:
- Access to the site
- Configuration files
- Databases
- Other websites and files on the same physical server.
Protecting your site against a path traversal attack comes down to your input sanitization. This means keeping the user's inputs safe and unrecoverable from your server. The most straightforward suggestion here is to build your codebase so that any information from a user isn't passing to the filesystem APIs.
How Fortra's Portfolio of Solutions Can Help?
Times are changing, and while web attack specifics might, the principles behind them never will. Threat actors are nefarious, yes, but 82% of cyberattacks could be prevented by reducing the gap of human error.
Alert Logic's WAF
Our Managed Web Application Firewall, an offering by Fortra's Alert Logic, provides the comprehensive features you need to protect your web applications and APIs, including:
- Allowlisting
- Blocklisting
- Signature-based blocking
- Learning engine that compares anomalies to a known-good baseline of traffic
- And more
Alert Logic's hassle-free, enterprise-level WAF gives you a fully managed, cloud-ready solution that allows you to distinguish between good and bad traffic in real-time, helping you make informed in-the-moment decisions when it matters most.
Digital Defense's WAS
Fortra's Digital Defense also offers a web application scanning tool to regularly test your web applications for vulnerabilities. Frontline Web Application Scanning (WAS) provides:
- Prioritized results
- Tracking and trending of vulnerabilities
- Remediation recommendations
Web applications are continually changing and difficult to ensure they remain secure against attacks. Get insight into the state of your organization's web application security with Digital Defense.
Tripwire's Security Configuration Management
Tripwire's Security Configuration Management Solution, which provides a powerful tool for identifying security misconfigurations and indicators of compromise, protects you from all types of web attacks. Tripwire Enterprise provides:
- Deep system visibility
- Automated compliance
- Real-time detection
Reducing the attack surface means hardening both on-premises and cloud environments, and Tripwire's out-of-the-box platforms and policies allow you to look ahead while still defending against today's most common attacks.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor and do not necessarily reflect those of Tripwire.
Meet Fortra™ Your Cybersecurity Ally™
Fortra is creating a simpler, stronger, and more straightforward future for cybersecurity by offering a portfolio of integrated and scalable solutions. Learn more about how Fortra’s portfolio of solutions can benefit your business.