Web application security is one of the most pressing issues in information security. Most websites available on the Internet have vulnerabilities of various kinds and are under constant attack. This article examines the main threats to the information security of web applications.
Threats to Information Security
The main types of threats to the information security of web applications are:
Threats to confidentiality - unauthorized access to data.
Threats to integrity - unauthorized corruption or destruction of data.
Threats to availability - restricting or blocking access to data.
The main source of threats to the information security of a web application is external intruders. An external intruder is, as a rule, a person motivated by commercial interest, who can reach the company's website, has no prior knowledge of the information system under study, is highly qualified in network security, and has extensive experience in carrying out network attacks against various types of information systems.
Put simply, the main threat to site security is a hacker attack. It may pursue a specific goal (a so-called targeted attack), or it may be unsystematic, following the principle of attacking everything in sight in the hope that something breaks.
In the first case, the attacker identifies as many attack vectors as possible in order to prepare and carry out potentially successful compromise scenarios; in the second case, targets are attacked in bulk, usually using a few surface-level vulnerabilities.
Types of threats
Security threats are associated with several factors. First, vulnerabilities in web applications or their components. Second, the identification and authentication mechanisms used. Third, attacks on the users themselves (client-side attacks). Fourth, leakage or disclosure of critical information. Fifth, logical attacks.
Web application vulnerabilities tend to lead to code execution on a remote server. Every server uses data transmitted by the user when processing requests, and often this data is used to compose the commands that generate dynamic content. If security requirements are not taken into account during development, an attacker gains the opportunity to modify the commands that are executed. Such vulnerabilities include, for example, SQL injection.
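As an added illustration of the point above (example code, not from the article), the lookup below splices user input into the SQL command text, so the input can change the query's logic; the second version binds the value as a parameter so the database engine treats it purely as data. The user table and the inputs are constructed for the example.

```python
import sqlite3


def make_db():
    """Constructed in-memory user table for the example (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pw_hash TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "hash-a"), ("bob", "hash-b")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, name):
    """User input becomes part of the command text: a quote character in
    `name` ends the string literal, and whatever follows is parsed as SQL."""
    sql = f"SELECT name FROM users WHERE name = '{name}'"
    return sorted(row[0] for row in conn.execute(sql))


def lookup_safe(conn, name):
    """Bound parameter: the command text is fixed at development time and the
    driver hands the value to the engine separately, so it cannot alter the
    query's structure no matter what characters it contains."""
    sql = "SELECT name FROM users WHERE name = ?"
    return sorted(row[0] for row in conn.execute(sql, (name,)))


def compare(name):
    """Return (vulnerable_result, safe_result) for one input.
    A syntax error in the spliced query is reported as the string 'error'."""
    conn = make_db()
    try:
        vuln = lookup_vulnerable(conn, name)
    except sqlite3.OperationalError:
        vuln = "error"
    return vuln, lookup_safe(conn, name)


if __name__ == "__main__":
    # A legitimate name, a name containing a quote, and a tautology input.
    for probe in ("alice", "O'Brien", "' OR '1'='1"):
        print(repr(probe), "->", compare(probe))
```

With the ordinary name both versions agree; with the quote-bearing name the spliced query fails outright (an availability and integrity problem, not just a confidentiality one), and with the tautology the spliced query returns every user while the parameterized query correctly returns none.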
The second group consists of attacks directed at the methods a web application uses to verify the identity of a user, service, or application, or at the methods the web server uses to determine whether that user, service, or application has the permissions required to complete an action. Such attacks include brute force, authorization bypass, insecure password recovery, and predictable session values or session fixation.
During a visit to the site, a trust relationship is established between the user and the server, in both technological and psychological terms. The user expects the site to provide legitimate content and does not expect to be attacked by it. By exploiting this trust, an attacker can use various methods to attack the server's clients. Such attacks appear both in complex attack scenarios (watering hole, drive-by) and in more familiar client-side attacks, for example XSS.
Disclosure of information covers information about the web application itself, its components and platform, as well as leakage of sensitive information from the site due to inadequate protection. This means disclosure of information to persons who are not permitted to access it, or disclosure as a result of misconfiguration of the web application or web server.
Logical attacks aim to exploit the functions of the application or the logic of its operation. Application logic is the expected sequence of steps the program performs for certain actions; examples include password recovery, account registration, auction bidding, and transactions in e-commerce systems. An application may require the user to correctly complete several sequential actions to finish a specific task, and an attacker can circumvent or abuse these mechanisms for their own purposes. Denial-of-service (DoS) attacks also belong to this type.