The main threats to site security

Web application security is one of the most pressing issues in the context of information security. As a rule, most of the websites available on the Internet have various kinds of vulnerabilities and are constantly under attack. The article will discuss the main threats to information security of web applications.

Information Security Threats

The main types of threats to information security web applications:

1. Threats of confidentiality - unauthorized access to data.
2. Integrity threats - unauthorized distortion or destruction of data.
3. Availability threats - restricting or blocking access to data.

The main source of information security threats to web applications are external intruders. An external intruder is a person who is motivated, as a rule, by a commercial interest, who has access to the company's website, does not have knowledge of the information system under investigation, is highly skilled in matters of network security and has extensive experience in implementing network attacks on various types of information systems.
')
In simple words - the main threat to the security of the site is a hacker attack. It may have an end goal, so-called. target attack, or the attack is unsystematic in nature, on the principle - I attack everything, something will break.

In the first case, the attacker can detect the maximum possible number of attack vectors to compose and implement potentially successful hacking scripts, while in the second, the objects are attacked en masse, usually using several surface vulnerabilities.

Types of threats

Security threats are associated with several factors: first of all, these are vulnerabilities of web applications or their components. The second is with the identification verification mechanisms used. Thirdly, security threats relate to attacks on users themselves, client-side attacks. The fourth type of threat is leakage or disclosure of critical information. The fifth type of threat is logical attacks.

Vulnerabilities of web applications, as a rule, lead to code execution on a remote server. All servers use the data transmitted by the user when processing requests. Often this data is used in compiling the commands used to generate dynamic content. If the development does not take into account the security requirements, the attacker gets the opportunity to modify the executable commands. Such vulnerabilities include, for example, SQL-injection.

Attacks that are used by a web application to verify the identity of a user, service, or application, or against methods that the web server uses to determine whether a user, service, or application has the permissions necessary to perform the action. Such attacks include - bruteforce, authorization bypass, unsafe password recovery, predictable session value or its fixation.

During the site visit, a trusting relationship is established between the user and the north, both in technological and psychological aspects. The user expects the site to provide him with legitimate content. In addition, the user does not expect attacks from the site. By exploiting this trust, an attacker can use various methods to attack server clients. Such attacks can be involved both in difficult attack scenarios (watering hole, drive by), and in more familiar ones - client side attacks, for example XSS.

Information disclosure includes both information directly about the web application, its components, platform and components, and leakage of sensitive information from the site, due to its inadequate protection. This implies disclosing information to persons who are denied access to them, or disclosing information as a result of incorrect configuration of a web application or a web server.

Logical attacks are aimed at exploiting the functions of the application or the logic of its operation. The application logic is the expected process of the program when performing certain actions. Examples include password recovery, registration of accounts, auction sales, transactions in e-commerce systems. An application may require the user to correctly perform several sequential actions to accomplish a specific task. An attacker can bypass or use these mechanisms for their own purposes. This type of attack also includes Denial of Service (DoS) attacks.

Types of attacks on web applications

Targeted attacks are attacks that are specifically aimed at one site or their group, united by one attribute (sites of one company, or sites belonging to a certain field of activity, or combined by a number of signs). The danger of such attacks lies precisely in the "custom" character. The attackers of such attacks are usually attackers with high qualifications in the field of web application security.



The purpose of such attacks is usually to obtain confidential information that can be used by unscrupulous competitors or criminals for profit.

Non-targeted attacks are attacks that are actually “good luck,” and casual websites, regardless of popularity, size of business, geography or industry, become its victims. A non-target attack on a site is an attempt to gain unauthorized access to a web resource, in which the attacker does not intend to hack a specific site, but attacks hundreds or thousands of resources selected by some criterion. For example, sites running on a specific version of the content management system. Such attacks hit the “squares”, trying to cover the maximum number of sites at the lowest cost.



If the attack is successful, the attacker tries to take advantage of it: to gain a foothold on the site by downloading a hacker script (backdoor, web shell), add another administrator, implement a malicious code, or obtain the necessary information from the database.

Targeted attacks - are carried out covertly, usually reach their goal. Non-targeted attacks are quite “noisy” and often do not reach their goals, but, nevertheless, can cause many problems to the owner of a web resource.

What does it threaten with?

First of all it is a threat to the performance of the site. In the second, but no less important, is the safety of user data. From these reasons, a logical consequence ensues - financial and reputational losses of the company.

Hackers use your site to attack other resources, as a reference bridgehead, to send spam or conduct DoS attacks. Your site is blocked by search engines and browsers, you lose users.

An attack on a website in a corporate environment may be so-called. entry point to the corporate network of the company.

Attacks on e-commerce systems can be used to commit fraud, kidnapping customer bases, etc.

Also, all of these attacks can be aimed at further “infecting” users of the site, for example, using so-called exploit packs - means of exploiting browser vulnerabilities and their components, including using socio-technical attack vectors.

Nature of attacks

The spread of attacks on web applications is associated with two main factors: negligence of site security and the low entry threshold of potential intruders.

In most cases, the sites do not use special means of detection, monitoring and protection, and there is no responsible personnel and awareness of site security threats. Little attention is paid to the quality of the code and the secure configuration of the web application (and the web server).

The proliferation of web application security utilities and scanners results in a low threshold for potential intruders to enter. And numerous community and "okolokhakerskie" forums contribute to the spread of attack techniques among all comers. It also contributes to a wide and fairly operational publicity about the discovery of new vulnerabilities or technical aspects of attacks.

Threat Prevention

You must not forget about the observance of basic security measures in the development and support of the site: update the CMS and its components; change passwords regularly; refuse to use outdated protocols; configure and use HTTPS / HSTS.



Use Nemesida WAF for timely detection and blocking of various web attacks. This will allow you to be calm about the security of web applications from hacker attacks and their consequences.