It’s no secret that your website and business-critical applications are vulnerable to cyberattacks. When successful, the worst attacks can result in stolen customer data, illegal access to your servers and corporate data, malware and viruses that infect your customers’ devices, or a total server failure that prevents customers from accessing your website. Protecting your customers and your IT systems from malicious attacks is imperative for your business. But there are so many different attack vectors that it’s difficult to know where to start with online security.
The following highlights the most pervasive security threats to your web applications. Defending against these threats is the basis of a robust security strategy.
1. Layer 7 Denial of Service (DoS)/Distributed Denial of Service (DDoS)
A Denial of Service attack can be one of the most devastating types of attack. At layer 7 these are HTTP flood attacks: they use valid-looking requests, such as repeated URL retrievals, to exhaust the service so that legitimate users can no longer reach it. A DDoS attack uses multiple hosts simultaneously against the same service and is typically launched using botnets. Successful attacks take down entire systems, such as your web servers.
There are three types of DoS/DDoS attacks:
- Volumetric attacks, which flood the target with high volumes of traffic with the intention of saturating the site’s available bandwidth.
- Protocol attacks, which target the servers or network infrastructure by exploiting various protocols to consume resources on the servers or network devices.
- Application layer attacks, which target vulnerabilities within the operating system or the web server application itself.
2. SQL Injections
SQL injection is the most common way of attacking a web application. Attackers compromise the application and the underlying systems by entering SQL fragments into a web input field. By exploiting a bug on your website that passes that input into a database query unchecked, attackers run malicious SQL statements (a.k.a. the “malicious payload”) on your database server.
The purpose of this type of attack varies. The worst outcomes include:
- Your data is deleted.
- Your clients are attacked.
- Private information is leaked to hackers.
3. Cross-site Scripting (XSS)
This is another injection-type attack on web applications. In cross-site scripting (XSS), attackers inject client-side scripts (usually malicious code) into the web pages viewed by other users. A compromised website includes the malicious code in the dynamic content it generates for other users and delivers it to each user’s browser.
Attackers use XSS to steal session cookies, which allows them to impersonate users. XSS is also used to spread malware, vandalize websites or phish for user credentials. The attacks are insidious because they betray your customers’ trust in your website.
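The root cause of XSS is emitting untrusted text into HTML without encoding it for the context it lands in. The following added example (not the article's or Snapt's code) uses Python's standard html module to contrast a vulnerable render with an encoded one for both element-body and attribute contexts, and returns the response headers that limit the damage of any XSS that does slip through. The comment value and the header values are constructed for this example:

```python
import html

# Constructed sample of a stored comment submitted by a malicious user.
UNTRUSTED_COMMENT = "<script>alert(1)</script>"

def render_unsafe(comment):
    # Vulnerable: user-supplied text is inserted verbatim into the HTML body.
    return f'<div class="comment">{comment}</div>'

def render_safe(comment):
    # Hardened: HTML-encode on output so the browser treats the text as text, not markup.
    return f'<div class="comment">{html.escape(comment, quote=True)}</div>'

def render_attr_safe(value):
    # Attribute context: the attribute is quoted AND quotes inside the value are encoded,
    # so a value cannot close the attribute and start a new one (e.g. an onmouseover handler).
    return f'<input type="text" value="{html.escape(value, quote=True)}">'

def security_headers():
    # Defence in depth. CSP restricts where scripts may load from and blocks inline script;
    # HttpOnly keeps the session cookie out of reach of document.cookie if XSS still occurs.
    return {
        "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
        "Set-Cookie": "session=<opaque-id>; HttpOnly; Secure; SameSite=Lax",
    }

if __name__ == "__main__":
    print(render_unsafe(UNTRUSTED_COMMENT))
    print(render_safe(UNTRUSTED_COMMENT))
    print(render_attr_safe('" onmouseover="alert(1)'))
```

Encoding must match the output context: html.escape is correct for element bodies and quoted attributes, but text placed inside a script block, a URL, or a CSS value needs a different encoder, and a templating engine with auto-escaping is the practical way to get this right everywhere.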
4. Cookie Poisoning
As the name implies, cookie poisoning attacks happen when an unauthorized user modifies ordinary cookies to cause harm. Modifying cookies enables an attacker to find out information about other website users. This is one of the ways identity theft is perpetrated.
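Cookie poisoning works because the server trusts whatever comes back in the cookie. The standard defence is to authenticate the cookie value with an HMAC so any edit is detected, and to keep sensitive state server-side with only an opaque identifier in the cookie. This is an added example (not code from the article or from Snapt) using Python's hmac and hashlib modules; the secret key and payloads are constructed values, and tamper_with_cookie models the attacker's edit so the check can be demonstrated:

```python
import base64
import hashlib
import hmac
import json

# Constructed value for this example; in production load the key from a secret store.
SECRET_KEY = b"example-only-change-me"

def sign_cookie(payload, key=SECRET_KEY):
    """Serialize the payload and append an HMAC-SHA256 tag over the serialized bytes."""
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"

def verify_cookie(cookie, key=SECRET_KEY):
    """Return the payload if the tag is valid, otherwise None."""
    try:
        body, tag = cookie.rsplit(".", 1)
    except ValueError:          # no separator: malformed cookie
        return None
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so the tag cannot be guessed byte-by-byte via timing.
    if not hmac.compare_digest(expected, tag):
        return None
    try:
        return json.loads(base64.urlsafe_b64decode(body.encode()))
    except (ValueError, UnicodeDecodeError):
        return None

def tamper_with_cookie(cookie, new_payload):
    """Model the attacker's edit: swap the body but keep the original tag."""
    _, tag = cookie.rsplit(".", 1)
    body = base64.urlsafe_b64encode(json.dumps(new_payload, sort_keys=True).encode()).decode()
    return f"{body}.{tag}"

if __name__ == "__main__":
    cookie = sign_cookie({"user": "alice", "role": "user"})
    print("valid:", verify_cookie(cookie))
    forged = tamper_with_cookie(cookie, {"user": "alice", "role": "admin"})
    print("forged:", verify_cookie(forged))   # None: edit detected
```

Signing gives integrity, not confidentiality: the payload is only base64-encoded and anyone holding the cookie can read it, so personal data belongs in a server-side session keyed by a random identifier rather than in the cookie itself.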
5. Cross-Site Request Forgery (CSRF)
These attacks occur when a user is tricked into clicking a link or downloading a file that executes unwanted actions in that user’s authenticated session. Also known as session riding and one-click attacks, CSRF exploits the way web applications authorize requests: once a user is authenticated, their requests are accepted without the user having to authorize each action individually.
If your website authenticates a user with a cookie, your site trusts every request that carries that cookie. With CSRF, the user could unwittingly send a malicious request to your site, and it would be performed because your site trusts that user, resulting in an unwanted, damaging action.
Using CSRF, attackers can hijack a user’s session, gain access to and manipulate a user’s account, and steal client or server data.
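Because the browser attaches the session cookie automatically, the server needs a second proof that the request was intentionally made from its own pages. The following added example (not the article's or Snapt's code) implements the two usual checks for a state-changing POST: a per-session synchronizer token that must be echoed back in the form, and an Origin/Referer check against the site's own origin. The Session class, SITE_ORIGIN, the form fields and the header dictionaries are constructed stand-ins for a real framework's objects:

```python
import hmac
import secrets
from urllib.parse import urlparse

SITE_ORIGIN = "https://shop.example"   # constructed origin for this example

class Session:
    """Stand-in for a server-side session; holds a random per-session CSRF token."""
    def __init__(self):
        self.csrf_token = secrets.token_urlsafe(32)

def csrf_hidden_field(session):
    """Hidden input the server embeds in its own forms so legitimate POSTs carry the token."""
    return f'<input type="hidden" name="csrf_token" value="{session.csrf_token}">'

def is_same_origin(headers):
    # Browsers set Origin on cross-site POSTs and scripts cannot forge it; fall back to
    # Referer, and reject when neither is present rather than assuming the best.
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    p = urlparse(source)
    return f"{p.scheme}://{p.netloc}" == SITE_ORIGIN

def handle_transfer(session, headers, form):
    """Return (status, message) for a state-changing POST such as a funds transfer."""
    if not is_same_origin(headers):
        return 403, "cross-origin request rejected"
    submitted = form.get("csrf_token", "")
    # Constant-time compare; an attacker's page cannot read the token, so it cannot supply it.
    if not hmac.compare_digest(submitted, session.csrf_token):
        return 403, "missing or invalid CSRF token"
    return 200, f"transferred {form['amount']} to {form['to']}"

if __name__ == "__main__":
    s = Session()
    legit = {"csrf_token": s.csrf_token, "to": "bob", "amount": "10"}
    print(handle_transfer(s, {"Origin": SITE_ORIGIN}, legit))
    forged = {"to": "mallory", "amount": "10"}          # what a third-party page can submit
    print(handle_transfer(s, {"Origin": "https://evil.invalid"}, forged))
```

Note that the forged request is evaluated against the victim's own Session object, which is exactly the situation in a CSRF attack: the cookie is valid, and only the token and origin checks distinguish the forged request from a genuine one. Setting the session cookie with SameSite=Lax or Strict adds a browser-side layer on top of these server-side checks.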
Defend yourself with a Web Application Firewall
All these attacks can be prevented with a Web Application Firewall (WAF) that sits in front of your web servers. WAFs protect web applications by intelligently scanning all the HTTP and HTTPS traffic coming into and going out of your system and making real-time decisions about which traffic to block and which is safe to let through. A WAF constantly monitors traffic for threats in headers, bodies, cookies and URL parameters. If a request seems unusual, the WAF blocks it, and it likewise stops malicious data leaving your servers so that users are not exposed to it.
A WAF protects your business and customers in three main ways:
- IP filtering and geofencing, which blocks traffic from specific IP ranges or countries, or allows only specific ones to reach your sites. You can create blacklists, whitelists and shared blacklists, for example.
- DoS/DDoS protection, via limiting the requests per second and bandwidth used by bad hosts.
- Layer 7 application firewalling, which scans every request that comes in to make sure it’s safe to go on to your web servers.
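To make the three protections concrete, here is an added example of a toy request filter in Python (not Snapt's WAF or any code from the article) that applies them in the same order a WAF front end would: IP allow/block lists using the ipaddress module, a per-client sliding-window rate limit of the kind that also addresses the layer-7 flood attacks described in the DoS section, and a handful of illustrative layer-7 pattern rules run over the path, parameters, headers and body. The rule patterns, IP ranges and request dictionaries are constructed for this example; a production WAF carries far larger, maintained rule sets:

```python
import ipaddress
import re
import time
from collections import defaultdict, deque

class RequestFilter:
    """Toy WAF front end: IP lists, per-client rate limiting, simple layer-7 rules."""

    # Illustrative patterns only: inline script tags, a quoted SQL tautology, path traversal.
    L7_RULES = [
        re.compile(r"<\s*script", re.IGNORECASE),
        re.compile(r"(?:'|%27)\s*(?:or|and)\s+[^=]+=", re.IGNORECASE),
        re.compile(r"\.\./"),
    ]

    def __init__(self, max_requests, window_seconds, blocklist=(), allowlist=()):
        self.max_requests = max_requests
        self.window = window_seconds
        self.blocklist = [ipaddress.ip_network(n) for n in blocklist]
        self.allowlist = [ipaddress.ip_network(n) for n in allowlist]
        self.history = defaultdict(deque)   # client IP -> timestamps of recent requests

    @staticmethod
    def _in(ip, networks):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in networks)

    def _rate_exceeded(self, ip, now):
        # Sliding window: drop timestamps older than the window, then count what remains.
        q = self.history[ip]
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.max_requests:
            return True
        q.append(now)
        return False

    def inspect(self, request, now=None):
        """Return 'allow' or a 'block: <reason>' string for a request dictionary."""
        now = time.time() if now is None else now
        ip = request["ip"]
        if self.allowlist and not self._in(ip, self.allowlist):
            return "block: not on allowlist"
        if self._in(ip, self.blocklist):
            return "block: blocklisted range"
        if self._rate_exceeded(ip, now):
            return "block: rate limit"
        fields = (
            [request.get("path", "")]
            + list(request.get("params", {}).values())
            + list(request.get("headers", {}).values())
            + [request.get("body", "")]
        )
        for field in fields:
            for rule in self.L7_RULES:
                if rule.search(field):
                    return f"block: L7 rule {rule.pattern!r}"
        return "allow"

if __name__ == "__main__":
    waf = RequestFilter(max_requests=3, window_seconds=10, blocklist=["203.0.113.0/24"])
    # Constructed sample requests.
    print(waf.inspect({"ip": "198.51.100.7", "path": "/search", "params": {"q": "laptops"}}))
    print(waf.inspect({"ip": "203.0.113.5", "path": "/"}))
    print(waf.inspect({"ip": "198.51.100.7", "path": "/search", "params": {"q": "' OR '1'='1"}}))
```

Two practical caveats follow from the code. Pattern rules produce false positives (a search for a product named O'Reilly would not trip the tautology rule here, but looser rules do), so new rules are usually deployed in detect-only mode before they block. And a per-IP rate limit is only effective against a DDoS when combined with upstream volumetric protection, because a botnet spreads its requests across many addresses, each of which may stay under the limit.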
To see an easy-to-use WAF in action, try out the WAF from Snapt that is an integral part of our Application Delivery Controller (ADC). You can try it free today.