By: Shavi Bansal, Insights2Techinfo, India Email: shavi@insights2techinfo.com
Web attacks encompass malicious activities targeting web applications, web services, and web-based systems, with the aim of compromising their security and integrity. These attacks pose a significant threat to the confidentiality, availability, and integrity of data and can lead to severe consequences for both users and organizations [1]. Various types of web attacks exist, including cross-site scripting (XSS), SQL injection, XML-based attacks, denial-of-service (DoS), and distributed denial-of-service (DDoS) attacks [2] [3] [4]. These attacks exploit vulnerabilities in web applications and services, allowing attackers to gain unauthorized access, manipulate data, disrupt services, and compromise the overall security posture of the targeted systems [5] [6].
Web application firewalls (WAFs) play a crucial role in defending against web attacks by providing a protective barrier between the web application and the internet, thereby filtering and monitoring HTTP traffic to and from a web application [7]. Additionally, the use of state-based XML firewalls has been proposed as a defense mechanism against XML-based attacks, which are a common type of web service attacks [8]. Furthermore, the implementation of security measures such as authentication mechanisms and secure software development life cycle (SDLC) processes is essential for mitigating the risks associated with web attacks [9] [10].
Reports indicate a significant increase in attacks such as SQL injection and cross-site scripting [11]. These attacks not only target the web applications themselves but also exploit vulnerabilities in underlying technologies such as databases and web servers [12]. Moreover, the evolution of technology, including the advent of IoT and the deployment of open banking systems, has introduced new attack surfaces, thereby amplifying the concerns related to web security [13] [14].
In response to the escalating threat landscape, researchers have proposed innovative security strategies, including the use of web application honeypots, threat detection tools, and deception techniques, to proactively identify and mitigate web attacks [15] [16] [17]. Additionally, the adoption of security models such as the Open Web Application Security Project (OWASP) and the STRIDE threat model has been advocated to address the diverse security challenges posed by web attacks [18] [19].
Overview of Different Web Attacks
XSS Attack
XSS, or Cross-Site Scripting, is a prevalent web attack in which malicious actors inject harmful code, typically client-side scripts, into web applications from external sources. This type of attack exploits vulnerabilities in web applications, allowing attackers to execute scripts in the victim’s browser, potentially compromising user data, session tokens, or defacing websites. XSS is one of the most common injection vulnerabilities in web applications and is consistently ranked as one of the most preventable types of attacks on web applications. The impact of XSS attacks can be significant, leading to unauthorized access, data manipulation, and other security breaches. Mitigating XSS attacks is crucial for improving web server security, and various methods, including penetration testing and reinforcement learning, have been proposed to address and prevent XSS vulnerabilities. Additionally, formal methods for web security and the use of security mechanisms such as the HttpOnly and Secure cookie flags have been explored to enhance the robustness of web applications against XSS attacks.
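The two server-side controls named above, output encoding and the HttpOnly/Secure cookie flags, are shown below in an added Python example (this is illustrative code written for this page, not code from the original article). The vulnerable renderer is kept only for comparison; the comment text is a constructed sample, and `session_cookie_header` builds the `Set-Cookie` value with Python's standard `http.cookies` module.

```python
"""Added example: HTML output encoding and cookie flags against XSS."""
import html
from http.cookies import SimpleCookie

# Constructed sample input: user-supplied comment text containing markup.
UNTRUSTED_COMMENT = "<script>alert('xss')</script>"


def render_comment_unsafe(comment: str) -> str:
    """Vulnerable pattern (for comparison only): raw input is interpolated
    into the page, so markup in the input becomes markup in the page."""
    return f'<li class="comment">{comment}</li>'


def render_comment_safe(comment: str) -> str:
    """Hardened pattern: HTML-encode the input before placing it in element
    content. The browser then renders '<' as text instead of parsing a tag.
    quote=True also encodes quotes, which matters inside attribute values."""
    return f'<li class="comment">{html.escape(comment, quote=True)}</li>'


def session_cookie_header(session_id: str) -> str:
    """Build a Set-Cookie header value for the session cookie.

    HttpOnly keeps the cookie out of document.cookie, so a script that does
    get injected cannot read the session token; Secure restricts the cookie
    to HTTPS; SameSite=Strict stops the browser attaching it to cross-site
    requests. The cookie name 'session' is an assumption for this example.
    """
    cookie = SimpleCookie()
    cookie["session"] = session_id
    cookie["session"]["httponly"] = True
    cookie["session"]["secure"] = True
    cookie["session"]["samesite"] = "Strict"
    cookie["session"]["path"] = "/"
    return cookie["session"].OutputString()


if __name__ == "__main__":
    print("unsafe:", render_comment_unsafe(UNTRUSTED_COMMENT))
    print("safe:  ", render_comment_safe(UNTRUSTED_COMMENT))
    print("Set-Cookie:", session_cookie_header("abc123"))
```

Encoding is context-specific: `html.escape` is correct for element content and quoted attribute values, but data placed into a `<script>` block, a URL, or an inline style needs the encoding for that context instead.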
Cross-Site Request Forgery (CSRF)
Cross-Site Request Forgery (CSRF) is a type of web security vulnerability that allows an attacker to induce users to perform actions on a web application without their knowledge or consent. This attack occurs when a malicious website, email, or other means of communication tricks a user’s browser into making an unintended request to a different site where the user is authenticated. The attacker can exploit the user’s active session to perform unauthorized actions, such as changing the user’s email address, transferring funds, or modifying account settings. CSRF attacks are a significant concern in web security, and various defensive techniques have been proposed to mitigate this threat. These include the use of tokens in sessions, such as synchronizer tokens or double-submit cookies, to validate the origin of the request and ensure that it is legitimate. Additionally, the implementation of same-site cookies, which restrict the scope of cookies to the same site that set them, can help prevent CSRF attacks.
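The synchronizer-token defence described above, as an added Python example (not code from the original article): the server derives a per-session token with an HMAC so it needs no token store, and a state-changing handler refuses any request whose form body does not carry the token. The request is modelled as a plain dictionary with `cookies` (what the browser attaches automatically, even on a forged cross-site request) and `form` (the body, which a third-party page cannot fill with the token because it cannot read it); the handler name, field names and the 32-byte key are assumptions for this example.

```python
"""Added example: synchronizer-token CSRF check for a state-changing request."""
import hashlib
import hmac
import secrets

# Constructed per-process secret; a real deployment keeps this in config.
SECRET_KEY = secrets.token_bytes(32)


def issue_csrf_token(session_id: str, key: bytes = SECRET_KEY) -> str:
    """Derive the token for a session. Because it is an HMAC over the session
    id, the server can recompute it on every request instead of storing it.
    The page embeds this value in a hidden form field."""
    return hmac.new(key, session_id.encode(), hashlib.sha256).hexdigest()


def validate_csrf(session_id: str, submitted_token, key: bytes = SECRET_KEY) -> bool:
    """Constant-time comparison of the submitted token with the expected one."""
    expected = issue_csrf_token(session_id, key)
    return hmac.compare_digest(expected, submitted_token or "")


def handle_transfer(request: dict, key: bytes = SECRET_KEY) -> str:
    """Hypothetical handler for a funds transfer (the kind of action CSRF
    targets). `request` is a constructed dict: {'cookies': {...}, 'form': {...}}.
    Returns a status line instead of an HTTP response to keep the example small."""
    session_id = request["cookies"].get("session")
    if not session_id:
        return "401 not logged in"
    if not validate_csrf(session_id, request["form"].get("csrf_token"), key):
        # A forged request arrives with the victim's cookie but without the
        # token, because the attacker's page never saw the victim's form.
        return "403 CSRF token missing or invalid"
    return f"200 transferred {request['form']['amount']}"


if __name__ == "__main__":
    sid = "sess-abc"
    token = issue_csrf_token(sid)
    legitimate = {"cookies": {"session": sid}, "form": {"csrf_token": token, "amount": "100"}}
    forged = {"cookies": {"session": sid}, "form": {"amount": "100"}}
    print("legitimate:", handle_transfer(legitimate))
    print("forged:    ", handle_transfer(forged))
```

The token check complements, rather than replaces, the `SameSite` cookie attribute mentioned above: SameSite relies on browser support and on the cookie being set correctly, while the token check is enforced entirely on the server.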
Distributed Denial of Service (DDoS)
A Distributed Denial of Service (DDoS) attack is a coordinated effort between multiple machines to target one or more systems, overwhelming them with a flood of traffic and rendering them inaccessible to legitimate users. These attacks are a significant threat to the availability and performance of web services and network resources. DDoS attacks can be launched from various sources, including compromised devices, botnets, and other distributed means, making them challenging to mitigate. Researchers have extensively studied DDoS attacks and developed various detection and defense mechanisms to counter these threats. Detection methods often involve analyzing network traffic patterns, identifying anomalies, and leveraging machine learning and deep learning techniques for accurate and timely detection of DDoS attacks. Additionally, defense mechanisms include the use of cloud-based mitigation systems, blockchain-based solutions, and the development of low-cost DDoS attack architectures to alleviate the impact of these attacks. Furthermore, the vulnerability of industrial IoT systems to DDoS attacks has been analyzed, highlighting the potential risks to production lines and emphasizing the need for early detection mechanisms to safeguard critical infrastructure. Taxonomies of DDoS mitigation approaches for cloud computing have been proposed to categorize and evaluate the effectiveness of different defense strategies.
SQL Injection (SQLi) Attacks
Explanation of SQLi and How It Exploits Web Application Vulnerabilities
SQL Injection (SQLi) is a web security vulnerability that allows attackers to interfere with the queries that an application makes to its database. It occurs when an application uses unsanitized user input in SQL queries. Attackers exploit this by inserting or “injecting” a malicious SQL query via the input data from the client to the application. A successful SQLi exploit can read, modify, and delete data, and in some cases, execute administrative operations on the database, often leading to unauthorized access to the system.
Various Forms of SQLi Attacks
- Classic SQLi: The most straightforward form of SQLi, where the attacker directly injects a malicious SQL query into an input field that affects the SQL query constructed by the application.
- Blind SQLi: In this variant, the attacker cannot see the database response to the injected query. They deduce information by sending a series of true or false queries and observing the application’s behavior or response time.
- Error-Based SQLi: Here, the attacker relies on error messages from the database to gain information about the structure of the database.
- Union-Based SQLi: This involves using the UNION SQL operator to combine the results of the injected query with the original query, allowing the attacker to retrieve data from other tables.
Case Studies of Significant SQLi Breaches
- 2019: The Marriott International Breach: Attackers exploited SQLi vulnerabilities to access the reservation database, compromising the data of approximately 383 million guests.
- 2012: LinkedIn Breach: SQLi was used to extract nearly 6.5 million user passwords, later leading to a significant data breach impacting millions of users.
Other Common Web Attacks
Overview of Other Prevalent Web Attacks
- Cross-Site Request Forgery (CSRF): This attack tricks a victim into submitting a malicious request. It occurs when a web application trusts a user based on authentication credentials without verifying the intention of the user’s actions.
- Directory Traversal: Also known as path traversal, this attack aims to access files and directories that are stored outside the web root folder. If successful, attackers can access sensitive files on a web server.
- Remote File Inclusion (RFI): In RFI attacks, the attacker manipulates a web application to include a remote file, usually a malicious script. This can lead to data theft, code execution, and website defacement.
- Local File Inclusion (LFI): Similar to RFI, LFI involves the inclusion of files that are already locally present on the server. This attack can lead to information disclosure, remote code execution, and cross-site scripting.
Brief Description and Impact of Each Attack Type
- CSRF: Can result in unauthorized actions being performed on behalf of authenticated users, leading to account compromise or data theft.
- Directory Traversal: Enables attackers to access restricted files, potentially exposing sensitive information or system files.
- RFI: Often leads to the execution of malicious code on a server, compromising server security and functionality.
- LFI: Can allow attackers to read sensitive files, execute code on the server, and escalate their privileges within the system.
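Directory traversal, as listed above, succeeds when a server joins a user-supplied path onto its web root without checking where the result ends up. The added Python example below (not code from the original article) resolves the requested path, including `..` segments, URL-encoded forms and symlinks, and only then confirms it still lies inside the web root. The root path, file names and the `serve_file` helper are assumptions for this example.

```python
"""Added example: resolving a requested path and confining it to the web root."""
import os
import tempfile
from typing import Optional
from urllib.parse import unquote


def safe_resolve(web_root: str, requested: str) -> Optional[str]:
    """Return the absolute filesystem path for `requested` if, and only if,
    it stays inside `web_root`; otherwise return None.

    realpath() collapses '..' segments and follows symlinks, so the check is
    made on the path the OS would actually open, not on the raw string.
    """
    root = os.path.realpath(web_root)
    # Decode percent-encoding once, as a web server would before routing.
    decoded = unquote(requested)
    # Drop leading separators so os.path.join cannot discard the root.
    candidate = os.path.realpath(os.path.join(root, decoded.lstrip("/\\")))
    if candidate == root or candidate.startswith(root + os.sep):
        return candidate
    return None


def serve_file(web_root: str, requested: str) -> str:
    """Hypothetical handler: reads a file under the root or refuses.
    Returns a short status line rather than an HTTP response."""
    path = safe_resolve(web_root, requested)
    if path is None:
        return "403 path escapes web root"
    if not os.path.isfile(path):
        return "404 not found"
    with open(path, "rb") as fh:
        return f"200 {len(fh.read())} bytes"


if __name__ == "__main__":
    # Constructed web root in a temporary directory with one page in it.
    root = tempfile.mkdtemp(prefix="www-")
    with open(os.path.join(root, "index.html"), "w", encoding="utf-8") as fh:
        fh.write("<h1>hello</h1>")
    for req in ("index.html", "../../../etc/passwd", "%2e%2e/%2e%2e/etc/passwd", "missing.html"):
        print(f"{req!r:40} -> {serve_file(root, req)}")
```

The check is `startswith(root + os.sep)` rather than `startswith(root)` so that a sibling directory whose name merely begins with the root's name (`/srv/www-backup` next to `/srv/www`) is not accepted.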
Tools and techniques for detecting web attacks
Dau et al. [20] conducted a survey of typical tools and techniques for monitoring and detecting web attacks, providing insights into the practical application of these methods. Kapodistria et al. [21] introduced an advanced web attack detection and prevention tool that efficiently detects and prevents common web attacks based on input validation. Lazzez & Slimani [22] highlighted several tools used for the forensic investigation of web application security attacks, including Microsoft LogParser, EventLog Analyzer, Pyflag, and others. These tools are instrumental in identifying and analyzing security breaches in web applications. Dwivedi et al. [23] presented the SQL Attack Scanner (SQLAS), a tool designed to detect and prevent SQL injection attacks in web applications, addressing a vulnerability in database-driven web applications. Alasri & Sulaiman [24] demonstrated the effectiveness of a middleware tool in detecting and preventing XML-based Denial-of-Service (DoS) and HTTP flooding attacks in web services. The experiment results from the middleware tool showed efficient detection and prevention of attacks such as XDoS and HTTP flooding attacks. Ali et al. [25] developed a SQL-injection vulnerability scanning tool for the automatic creation of SQL injection attacks, providing a proactive approach to identifying and addressing SQL injection vulnerabilities. Susanto et al. [26] utilized Nessus, a widely used tool for identifying application vulnerabilities, to discover security holes in software or web pages, emphasizing the importance of vulnerability assessment in web security.
Furthermore, Manish & Megalingam [27] discussed the application of supervised learning classification techniques to detect attacks on web applications, highlighting the use of a proxy called SDriver to detect SQL injection based on signatures present in the proxy. Mabzool & Lighvan [28] employed web server access logs as input data for intrusion detection, utilizing scanners to identify and detect attacks. Pratama & Wiradarma [29] utilized penetration testing as a technique to identify vulnerabilities in web applications, emphasizing the importance of proactive security testing.
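Two of the detection approaches the page mentions, signature matching in a proxy or log scanner (this section) and flagging traffic-rate anomalies for DDoS (the DDoS section above), can be exercised on web server access logs. The following added Python example (written for this page; it is not the tool of any cited paper) parses constructed Apache-style access log lines, URL-decodes each request path, applies a few signature rules for XSS, SQLi and directory traversal, and keeps a per-source sliding window to flag a source that exceeds a request-rate threshold. The log lines, IP addresses, thresholds and rule patterns are all constructed for the example.

```python
"""Added example: signature and rate-based detection over access log lines."""
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Apache common/combined log prefix: ip ident user [time] "method path proto" status size
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Signature rules applied to the URL-decoded request path. Deliberately small;
# a production rule set would be far larger and tuned against false positives.
SIGNATURES = [
    ("xss", re.compile(r"<script|onerror\s*=|javascript:", re.I)),
    ("sqli", re.compile(r"union\s+select|'\s*(or|and)\s*'|--\s*$|;\s*drop\s", re.I)),
    ("traversal", re.compile(r"(^|/)\.\.(/|\\|$)")),
]


def parse_line(line: str) -> Optional[dict]:
    """Parse one access log line; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    # Decode once so that encoded payloads (%3C, %27, %2F ...) are visible.
    rec["decoded_path"] = unquote(rec["path"])
    return rec


def analyze(lines, window_seconds: int = 2, max_requests: int = 20) -> List[Tuple[str, str, str]]:
    """Return alerts as (source_ip, category, detail) tuples.

    Signature alerts are raised per matching request. A 'rate' alert is raised
    once per source the first time it sends more than `max_requests` requests
    within any `window_seconds` window (a crude flood indicator).
    """
    alerts = []
    recent = defaultdict(deque)  # ip -> timestamps inside the current window
    flooded = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for category, pattern in SIGNATURES:
            if pattern.search(rec["decoded_path"]):
                alerts.append((rec["ip"], category, rec["path"]))
        window = recent[rec["ip"]]
        window.append(rec["ts"])
        while window and (rec["ts"] - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) > max_requests and rec["ip"] not in flooded:
            flooded.add(rec["ip"])
            alerts.append((rec["ip"], "rate", f"{len(window)} requests in {window_seconds}s"))
    return alerts


# Constructed sample log: one benign request, three probes from one source,
# and a burst of thirty requests in two seconds from another source.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Mar/2023:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '10.0.0.9 - - [12/Mar/2023:10:00:02 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 88',
    '10.0.0.9 - - [12/Mar/2023:10:00:03 +0000] "GET /item?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 500 20',
    '10.0.0.9 - - [12/Mar/2023:10:00:04 +0000] "GET /static/..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 404 0',
] + [
    f'10.0.0.77 - - [12/Mar/2023:10:00:{5 + i // 15:02d} +0000] "GET /login HTTP/1.1" 200 310'
    for i in range(30)
]


if __name__ == "__main__":
    for ip, category, detail in analyze(SAMPLE_LOG):
        print(f"{ip:10} {category:10} {detail}")
```

Decoding the path before matching is what lets the encoded probes in the sample be caught; matching on the raw line would miss all three. The rate rule is intentionally simple and will flag busy legitimate clients behind a shared NAT address, which is why the DDoS section above points to traffic-pattern and learning-based detectors rather than a fixed threshold.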
In addition to specific tools, various techniques and methodologies have been proposed to enhance web application security. Xu et al. [30] developed a state-based XML firewall (S-Wl) to efficiently detect and defend against XML-based attacks, demonstrating the effectiveness of the approach in detecting and preventing XML-based attacks. Cho et al. [31] discussed methods to configure web application firewalls in existing networks, providing insights into optimizing the placement and configuration of web application firewalls for effective security.
Conclusion
In conclusion, web attacks represent a formidable challenge in the realm of cybersecurity, necessitating comprehensive defense mechanisms, proactive security strategies, and continuous research efforts to safeguard web applications and services from malicious exploitation.
References
- [1] M. Jensen, N. Gruschka, and R. Herkenhöner, “A survey of attacks on web services”, Computer Science – Research and Development, vol. 24, no. 4, pp. 185-197, 2009.
- [2] A. Alasri and R. Sulaiman, “Protection of XML-based denial-of-service and HTTP flooding attacks in web services using the middleware tool”, International Journal of Engineering & Technology, vol. 7, no. 4.7, p. 322, 2018.
- [3] A. Gupta and P. Thilagam, “Attacks on web services need to secure XML on web”, Computer Science & Engineering: An International Journal, vol. 3, no. 5, pp. 1-11, 2013.
- [4] S. Park, Y. Kim, H. Choi, Y. Kyung, and J. Park, “HTTP DDoS flooding attack mitigation in software-defined networking”, IEICE Transactions on Information and Systems, vol. E104.D, no. 9, pp. 1496-1499, 2021.
- [5] A. Gaurav, B. B. Gupta, and P. K. Panigrahi, “A comprehensive survey on machine learning approaches for malware detection in IoT-based enterprise information system”, Enterprise Information Systems, vol. 17, no. 3, p. 2023764, 2023.
- [6] S. Gupta and B. B. Gupta, “XSS-secure as a service for the platforms of online social network-based multimedia web applications in cloud”, Multimedia Tools and Applications, vol. 77, pp. 4829-4861, 2018.
- [7] M. Surekha, K. Kumar, M. V. S. Prasanth, and P. Sri, “Web application firewall using XSS”, International Journal of Engineering & Technology, vol. 7, no. 2.7, p. 941, 2018.
- [8] B. B. Gupta, S. Gupta, S. Gangwar, M. Kumar, and P. K. Meena, “Cross-site scripting (XSS) abuse and defense: exploitation on several testing bed environments and its defense”, Journal of Information Privacy and Security, vol. 11, no. 2, pp. 118-136, 2015.
- [9] P. Tiwari and A. Srivastava, “A survey on authentication mechanism against SQL injection in XML”, International Journal of Computer Applications, vol. 78, no. 7, pp. 22-25, 2013.
- [10] V. Poonia, M. K. Goyal, B. B. Gupta, A. K. Gupta, S. Jha, and J. Das, “Drought occurrence in different river basins of India and blockchain technology based framework for disaster management”, Journal of Cleaner Production, vol. 312, p. 127737, 2021.
- [11] S. Gupta and B. B. Gupta, “XSS-SAFE: a server-side approach to detect and mitigate cross-site scripting (XSS) attacks in JavaScript code”, Arabian Journal for Science and Engineering, vol. 41, pp. 897-920, 2016.
- [12] G. Kaur, “Study of cross-site scripting attacks and their countermeasures”, International Journal of Computer Applications Technology and Research, vol. 3, no. 10, pp. 604-609, 2014. https://doi.org/10.7753/ijcatr0310.1001
- [13] P. Malhotra, Y. Singh, P. Anand, D. Bangotra, P. Singh, and W. Hong, “Internet of Things: evolution, concerns and security challenges”, Sensors, vol. 21, no. 5, p. 1809, 2021. https://doi.org/10.3390/s21051809
- [14] M. T. Ahvanooey, M. X. Zhu, Q. Li, W. Mazurczyk, K. K. R. Choo, B. B. Gupta, and M. Conti, “Modern authentication schemes in smartphones and IoT devices: an empirical survey”, IEEE Internet of Things Journal, vol. 9, no. 10, pp. 7639-7663, 2021.
- [15] R. Gupta, V. Viswanatham, and K. Manikandan, “An innovative security strategy using reactive web application honeypot”, International Journal of Innovative Technology and Exploring Engineering, vol. 9, no. 5, pp. 2092-2097, 2020.
- [16] B. Mphago and S. Mpoeleng, “Deception in web application honeypots: case of Glastopf”, International Journal of Cyber-Security and Digital Forensics, vol. 6, no. 4, pp. 179-185, 2017.
- [17] J. Bai, W. Wang, M. Lu, H. Wang, and J. Wang, “TD-WS: a threat detection tool of WebSocket and Web Storage in HTML5 websites”, Security and Communication Networks, vol. 9, no. 18, pp. 5432-5443, 2016.
- [18] A. Sanchez, R. Arbieto, and C. Velásquez, “Security in web applications, definitions, risks and tools”, Research in Computing Science, vol. 78, no. 1, pp. 31-42, 2014.
- [19] D. al, “An approach for systematically analyzing and specifying security requirements for the converged web-mobile applications”, International Journal of Computing and Digital Systems, vol. 3, no. 3, pp. 207-217, 2014.
- [20] H. Dau, N. Trang, and N. Hung, “A survey of tools and techniques for web attack detection”, Journal of Science and Technology on Information Security, vol. 1, no. 15, pp. 109-118, 2022.
- [21] H. Kapodistria, S. Mitropoulos, and C. Douligeris, “An advanced web attack detection and prevention tool”, Information Management & Computer Security, vol. 19, no. 5, pp. 280-299, 2011.
- [22] A. Lazzez and T. Slimani, “Forensics investigation of web application security attacks”, International Journal of Computer Network and Information Security, vol. 7, no. 3, pp. 10-17, 2015.
- [23] V. Dwivedi, H. Yadav, and A. Jain, “SQLAS: tool to detect and prevent attacks in PHP web applications”, International Journal of Security Privacy and Trust Management, vol. 4, no. 1, pp. 21-30, 2015.
- [24] A. Alasri and R. Sulaiman, “Protection of XML-based denial-of-service and HTTP flooding attacks in web services using the middleware tool”, International Journal of Engineering & Technology, vol. 7, no. 4.7, p. 322, 2018.
- [25] A. Ali, A. Shakhatreh, M. Abdullah, and J. Alostad, “SQL-injection vulnerability scanning tool for automatic creation of SQL-injection attacks”, Procedia Computer Science, vol. 3, pp. 453-458, 2011.
- [26] C. Susanto, K. Rizko, and D. Purbohadi, “Security assessment using Nessus tool to determine security gaps on the repository web application in educational institutions”, Emerging Information Science and Technology, vol. 1, no. 2, 2020.
- [27] M. Manish and R. Megalingam, “Applying and evaluating supervised learning classification techniques to detect attacks on web applications”, International Journal of Innovative Technology and Exploring Engineering, vol. 8, no. 10, pp. 2222-2225, 2019.
- [28] M. Mabzool and M. Lighvan, “Intrusion detection system based on web usage mining”, International Journal of Computer Science Engineering and Applications, vol. 4, no. 1, pp. 1-8, 2014.
- [29] I. Pratama and A. Wiradarma, “Open source intelligence testing using the OWASP version 4 framework at the information gathering stage (case study: X company)”, International Journal of Computer Network and Information Security, vol. 11, no. 7, pp. 8-12, 2019.
- [30] H. Xu, A. Reddyreddy, and D. Fitch, “Defending against XML-based attacks using state-based XML firewall”, Journal of Computers, vol. 6, no. 11, 2011.
- [31] S. Cho, S. Choi, et al., “A study on comparison of network location efficiency of web application firewall”, International Journal of Engineering & Technology, vol. 7, no. 3.33, p. 183, 2018. https://doi.org/10.14419/ijet.v7i3.33.21009
Cite As:
Bansal S. (2023) The Anatomy of Web Attacks: Understanding XSS, SQLi, and Other Threats, Insights2Techinfo, pp.1