
Any type of problem which makes a business vulnerable to web application attacks is a serious issue and can have detrimental effects on the running of the business, not to mention its security being jeopardised.

What is a web application?

A web application is an application that is delivered over the HTTP or HTTPS protocol, usually served from a remote computer acting as a host/server. Web application attacks can jeopardise the running of your site, undermine its security and performance, and in worst-case scenarios, take the site down completely.

Surprisingly, most business websites out there are actually found to contain numerous vulnerabilities. Because web applications are delivered through the browser, a security loophole on either side can be used to exploit these vulnerabilities in the web application and cause damage to the business website.

You may think a web hacker needs a complex system of hacking tools, but this is not the case; it is so simple that it’s scary. A web hacker only needs an Internet connection, a browser and some expertise in the area. In most cases the best line of defence is a strong offence – secure coding. Carelessness and naivety when it comes to developing your web applications can have overwhelming consequences for your online business.

Here is a list of some of the most common types of web application attacks, and a few tips on what you can do to help keep your business secure from each of these threats.

4 of the most common web application threats include:

  • Cross site scripting (XSS)
  • SQL injection
  • DDoS attacks
  • Cookie poisoning

Cross-Site Scripting (XSS)

XSS (Cross-Site Scripting) is regarded as the most common type of computer security vulnerability, and a huge number of the web applications online today are vulnerable to it. XSS allows attackers to inject client-side script into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls, which could cause serious problems for your users.

TOP PREVENTION TIP: An intelligent Web Application Firewall (WAF) can shield these vulnerabilities, working in conjunction with the behavioural firewall, blocking sophisticated and dangerous attacks.
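The root cause of the XSS described above is untrusted input being written into a page without escaping. The following Python snippet is an added illustration, not code from the original article: it renders a constructed user comment first the vulnerable way (raw string concatenation) and then the hardened way (HTML-escaping with the standard library), so the injected script tag is displayed as text instead of executed. The comment text, function names and the `contains_raw_script` check are all assumptions made for this example.

```python
import html

# Constructed sample input: a comment submitted by a site visitor (not from the article).
USER_COMMENT = "Great post! <script>document.title = 'poisoned'</script>"


def render_comment_unsafe(comment: str) -> str:
    """Vulnerable rendering: the comment is pasted straight into the HTML.
    Any <script> tag inside it runs in every other visitor's browser."""
    return f"<div class='comment'>{comment}</div>"


def render_comment_safe(comment: str) -> str:
    """Hardened rendering: html.escape turns <, >, &, quotes into entities,
    so the browser shows the comment literally and executes nothing."""
    return f"<div class='comment'>{html.escape(comment, quote=True)}</div>"


def contains_raw_script(markup: str) -> bool:
    """Crude check used only for this demonstration: does a live <script>
    tag survive in the generated markup?"""
    return "<script" in markup.lower()


if __name__ == "__main__":
    print("unsafe:", render_comment_unsafe(USER_COMMENT))
    print("safe:  ", render_comment_safe(USER_COMMENT))
```

Escaping has to match the output context: `html.escape` is correct for text placed in the HTML body or inside a quoted attribute, but data inserted into a JavaScript block or a URL needs the encoding appropriate to that context, which is why templating engines that escape by default are preferable to hand-built strings.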

DDoS Attacks

DDoS stands for distributed denial-of-service, the distributed form of a denial-of-service (DoS) attack. This type of attack is an attempt to make a machine or network resource unavailable to its intended users. It can make your website run unbearably slowly, or in the worst-case scenario, take it offline completely. A number of large corporate and even government websites have been hit by DDoS attacks in the past.

TOP PREVENTION TIP: A reliable and well-reviewed DDoS protection tool is the best defence against DDoS attacks; there are plenty of tools to choose from, I use a tool called Fireblade and am very happy with the results. But, the protection you choose will ultimately depend on your particular requirements. Here’s a great comparison list from TopTenReviews which should help you pick the solution that’s right for you.

SQL Injection

SQL injections are one of the most serious types of attack on the internet. These attacks take advantage of web application vulnerabilities to gain control of databases and all of the information contained within them. Any web application which stores data will use one or more databases to hold that information and recall it when necessary. This could be things such as names, e-mail addresses, postal addresses, telephone numbers, credit card details, bank information, and much more – all sorts of information that you wouldn’t want the wrong person getting hold of.

TOP PREVENTION TIP: In order to keep your databases secure you should practise regular auditing and remediation of your application to ensure that any vulnerabilities are discovered and dealt with as quickly as possible. OWASP has prepared a SQL Injection Prevention Cheat Sheet which is worth a look.
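The single most effective remediation the OWASP guide recommends is parameterised queries. As an added example (not from the original article), the Python snippet below builds a constructed in-memory SQLite customer table and looks up a record two ways: splicing the input into the SQL text, which lets a crafted value change the query's logic, and binding it as a parameter, which keeps the value as data. The table, the rows and the function names are assumptions for this demonstration.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed demo data: a tiny customer table in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, card_last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (email, card_last4) VALUES (?, ?)",
        [("alice@example.com", "1234"), ("bob@example.com", "5678")],
    )
    return conn


def lookup_unsafe(conn: sqlite3.Connection, email: str) -> list:
    """Vulnerable: the user-supplied email becomes part of the SQL text, so a
    value containing quotes and operators rewrites the WHERE clause."""
    query = f"SELECT email, card_last4 FROM customers WHERE email = '{email}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn: sqlite3.Connection, email: str) -> list:
    """Hardened: the email is passed as a bound parameter. The database
    driver treats it purely as a string value, never as SQL."""
    return conn.execute(
        "SELECT email, card_last4 FROM customers WHERE email = ?", (email,)
    ).fetchall()


if __name__ == "__main__":
    db = build_db()
    # A well-formed lookup behaves identically either way.
    print(lookup_unsafe(db, "alice@example.com"))
    print(lookup_safe(db, "alice@example.com"))
    # The classic tautology input: the unsafe version returns every row,
    # the parameterised version correctly finds no customer with that address.
    print(lookup_unsafe(db, "x' OR '1'='1"))
    print(lookup_safe(db, "x' OR '1'='1"))
```

In an audit, grep for string formatting or concatenation feeding `execute()` (f-strings, `%`, `+`, `.format`) on the database connection; every hit is a candidate for the parameterised form, and the application account should additionally be granted only the privileges the query needs.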

Cookie poisoning/hijacking

Cookie poisoning can be tricky and deceptive. Many web applications use cookies to save user information such as logins, passwords, and account emails.

Cookie poisoning allows the attacker to modify a valid cookie, gain false authorisation to another user’s information, and go on to steal that information.

TOP PREVENTION TIP: Clearing stored cookies from your browser regularly will ensure that there is nothing for anybody to hijack. Always avoid signing up for sites and/or newsletters that you don’t trust or won’t use again. Regular virus and malware scanning is also advised to help you keep your browser free from any malicious scripts which could be hijacking your cookie – MalwareBytes is the software I use to keep my PC clean and free of malware, I use the free version and it’s always done a remarkable job.

SearchSecurity has several tips on preventing cookie poisoning, which you can read here.
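On the server side, the defence against a modified cookie is to make tampering detectable. The following Python snippet is an added example, not code from the original article or from any of the products it mentions: it signs a cookie value with an HMAC before issuing it and refuses any cookie whose tag no longer matches, so a visitor who edits `role=customer` to `role=admin` is treated as unauthenticated rather than trusted. The secret key, cookie layout and function names are assumptions for the demonstration.

```python
import hashlib
import hmac

# Constructed demo key. A real deployment keeps this out of source code and rotates it.
SECRET_KEY = b"constructed-demo-secret-do-not-reuse"


def sign_cookie(value: str, key: bytes = SECRET_KEY) -> str:
    """Issue a cookie as '<value>.<hex HMAC-SHA256 of value>'."""
    tag = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"{value}.{tag}"


def verify_cookie(cookie: str, key: bytes = SECRET_KEY):
    """Return the cookie's value if its tag is valid, otherwise None.
    rpartition splits on the last '.', so values containing dots (emails) still work."""
    value, sep, tag = cookie.rpartition(".")
    if not sep:
        return None  # no tag at all: never issued by us
    expected = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()
    # compare_digest runs in constant time, so timing does not leak tag bytes.
    if not hmac.compare_digest(expected, tag):
        return None  # tag mismatch: the value was altered or forged
    return value


if __name__ == "__main__":
    issued = sign_cookie("user=alice;role=customer")
    print("issued:  ", issued)
    print("verified:", verify_cookie(issued))
    tampered = issued.replace("role=customer", "role=admin")
    print("tampered:", verify_cookie(tampered))  # None: rejected
```

Signing stops silent modification but does not hide the contents, so credentials such as passwords should never be placed in a cookie at all; the more robust design keeps the user's state on the server and issues only an opaque, random session identifier, marked `Secure` and `HttpOnly` so scripts on the page cannot read it.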

As you can see from the above, today’s Internet can be a battleground, especially with web sites and applications growing as rapidly as they are. More businesses than ever are relying on the internet to take information from customers; even banks are starting to favour online banking over high-street banks. How often do you go into the bank to make a bank transfer? Most people do this type of banking online, through a web application, or on their mobile phone.

By taking the tips and suggestions outlined in this article on board and utilising them in your online business, you can seriously reduce the chances that your website and business will be compromised.
