Top 10 Common Application Attacks to Avoid

Based on information from IBM, eWEEK examines, in descending order, which app attacks tend to occur with the most frequency and severity.

No. 10: Unvalidated Redirects and Forwards

In this vulnerability, attackers manipulate the URLs of trusted sites and use phishing techniques to redirect visitors to an unwanted and malicious website.
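The usual fix is to treat the redirect target as untrusted input and check it against an allow-list before issuing the redirect. The following is an added example, not code from eWEEK or IBM; the host app.example.com, the default landing page and the parameter name are assumptions made for the illustration.

```python
from typing import Optional
from urllib.parse import urlparse

# Hosts this hypothetical application is willing to send users to.
# Exact match on the netloc is intentional: a different port, or a
# "user@host" prefix, is treated as a different host.
ALLOWED_HOSTS = {"app.example.com"}
DEFAULT_LANDING = "/home"


def safe_redirect_target(next_param: Optional[str], allowed_hosts=frozenset(ALLOWED_HOSTS)) -> str:
    """Return a post-login redirect target that cannot leave the site.

    The value usually arrives as a query parameter such as ?next=...
    Anything that would take the browser elsewhere (absolute URL to another
    host, protocol-relative //host, a non-http scheme) is replaced by
    DEFAULT_LANDING instead of being passed to the redirect.
    """
    if not next_param:
        return DEFAULT_LANDING
    # Browsers treat backslashes like forward slashes in URLs, so normalise
    # them before parsing; otherwise "/\\host" would look like a relative path.
    candidate = next_param.strip().replace("\\", "/")
    parsed = urlparse(candidate)
    if parsed.scheme and parsed.scheme.lower() not in ("http", "https"):
        return DEFAULT_LANDING
    if parsed.netloc:
        # Absolute or protocol-relative URL: only allow-listed hosts pass.
        return candidate if parsed.netloc.lower() in allowed_hosts else DEFAULT_LANDING
    # No host part: accept only a plain site-relative path ("/account"),
    # never "//..." (protocol-relative) or "http:///..." oddities.
    if candidate.startswith("/") and not candidate.startswith("//"):
        return candidate
    return DEFAULT_LANDING
```

The function never echoes a rejected value back; it falls through to a fixed page, which keeps the login flow working while removing the redirect as a phishing vehicle.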

No. 9: Using Components With Known Vulnerabilities

Deploying this type of attack involves exploiting flaws in unpatched third-party components. Because these vulnerabilities are often publicized, with tools and proofs of concept readily available, attackers can easily take advantage of these weaknesses.

No. 8: Cross-Site Request Forgery

Used in tandem with a social engineering ploy, cross-site request forgery is an application vulnerability that makes it possible for attackers to force users into performing actions unknowingly. Common targets include cloud storage, social media and banking applications.
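The standard defence is a per-session token that the application embeds in its own forms and checks on every state-changing request; a page on another origin cannot read it, so a request it triggers arrives with the victim's cookie but without the token. The code below is an added example, not from the page or any vendor it cites; the in-memory session store and the transfer endpoint are constructed for the illustration.

```python
import hmac
import secrets

# Server-side session store, kept in memory for this constructed example.
SESSIONS = {}


def new_session(username: str) -> str:
    """Log a user in: create a session and a random CSRF token bound to it."""
    session_id = secrets.token_urlsafe(32)
    SESSIONS[session_id] = {"user": username, "csrf_token": secrets.token_urlsafe(32)}
    return session_id


def csrf_token_for(session_id: str) -> str:
    """The token the application embeds in each of its own forms as a hidden field."""
    return SESSIONS[session_id]["csrf_token"]


def transfer_unprotected(session_id: str, form: dict) -> str:
    """Vulnerable pattern: the only check is the session cookie, which the
    browser attaches automatically, so a request triggered from any other
    site is indistinguishable from a genuine one."""
    session = SESSIONS.get(session_id)
    if session is None:
        return "401 not logged in"
    return f"200 {session['user']} transferred {form['amount']} to {form['to']}"


def transfer(session_id: str, form: dict) -> str:
    """Hardened version: the request must also carry the session's CSRF token."""
    session = SESSIONS.get(session_id)
    if session is None:
        return "401 not logged in"
    submitted = form.get("csrf_token", "")
    expected = session["csrf_token"]
    # compare_digest avoids leaking the token through timing differences.
    if not hmac.compare_digest(submitted.encode(), expected.encode()):
        return "403 csrf token missing or invalid"
    return f"200 {session['user']} transferred {form['amount']} to {form['to']}"
```

Setting the session cookie with the SameSite attribute is a worthwhile second layer, but the token check is what holds up when a browser does not honour it.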

No. 7: Missing Function Level Access Control

When functioning normally, applications verify incoming requests to ensure they have the authentication level necessary to access the requested resource. This is done at the UI level as well as the backend function level. When not working properly, higher-privilege functionality is simply hidden from lower-privilege or unauthenticated users, rather than being enforced through access controls. As a result, attackers can ignore the UI and forge a request that accesses unauthorized functionality.
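The difference between hiding a function and enforcing access to it is easiest to see in code. The example below is added here and is not from the page; the role names, routes and request shape are assumptions. The navigation layer hides the admin link from ordinary users, but the decorator on the handler is what refuses a request that names the route directly.

```python
import functools


class Forbidden(Exception):
    """Raised when the caller lacks the role a function requires."""


def require_role(role: str):
    """Enforce authorisation at the function level, not in the UI."""
    def decorator(fn):
        @functools.wraps(fn)
        def wrapper(request: dict, *args, **kwargs):
            user = request.get("user")
            if user is None or role not in user.get("roles", ()):
                raise Forbidden(f"{fn.__name__} requires role {role!r}")
            return fn(request, *args, **kwargs)
        return wrapper
    return decorator


def view_profile(request: dict) -> str:
    user = request.get("user")
    if user is None:
        return "401 login required"
    return f"profile of {user['name']}"


@require_role("admin")
def delete_user(request: dict, user_id: int) -> str:
    return f"deleted user {user_id}"


ROUTES = {"/profile": view_profile, "/admin/users/delete": delete_user}


def render_nav(request: dict) -> list:
    """The UI layer: hides links the current user should not see.
    Hiding is a usability choice, not a security control."""
    links = ["/profile"]
    user = request.get("user") or {}
    if "admin" in user.get("roles", ()):
        links.append("/admin/users/delete")
    return links


def dispatch(path: str, request: dict, **params) -> str:
    """Server entry point. A forged request can name any route directly,
    so the check inside the handler is what actually stops it."""
    handler = ROUTES.get(path)
    if handler is None:
        return "404 not found"
    try:
        return handler(request, **params)
    except Forbidden:
        return "403 forbidden"
```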

No. 6: Sensitive Data Exposure

This type of vulnerability results from a lack of data encryption in transit and at rest. When not properly protected, users' sensitive data housed in the application, such as credit card numbers, can be easily stolen or modified to conduct credit card fraud, identity theft and other crimes.

No. 5: Security Misconfiguration

The fifth most common application attack is the simple misconfiguration of security within an application. Vulnerabilities in this category allow attackers to take advantage of various server application features intended for testing or debugging environments.

No. 4: Insecure Direct Object References

Insecure direct object references, including path traversal, enable attackers to manipulate file names to download data from the server.
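For the path traversal case, the defence is to canonicalise the requested name against the download directory and refuse anything that resolves outside it. This is an added example rather than code from the page; the directory /srv/app/files is a hypothetical download root and need not exist for the check to run.

```python
import os


def resolve_download(base_dir: str, requested: str) -> str:
    """Map a user-supplied file name onto a path inside base_dir.

    Both sides are canonicalised with realpath, which collapses "..", repeated
    separators and symlinks, so a link inside base_dir that points outside it
    is caught as well. The caller must have URL-decoded `requested` already.
    """
    base = os.path.realpath(base_dir)
    # join() discards base when `requested` is absolute; the containment
    # test below catches that case too.
    target = os.path.realpath(os.path.join(base, requested))
    # commonpath is the containment test; a plain string-prefix check would
    # wrongly accept "/srv/app/files-old" as being inside "/srv/app/files".
    if os.path.commonpath([base, target]) != base:
        raise ValueError(f"refusing path outside {base}: {requested!r}")
    return target


def is_safe_download(base_dir: str, requested: str) -> bool:
    """Boolean form of the same check, for callers that log and move on."""
    try:
        resolve_download(base_dir, requested)
        return True
    except ValueError:
        return False
```

Rejected requests are worth logging with the raw value: a burst of names containing ".." from one client is a reliable indicator of scanning.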

No. 3: Cross-Site Scripting

This vulnerability allows attackers to insert JavaScript into the pages of a trusted site, altering the site's contents. Through this type of attack, hackers can steal a visitor's user credentials and send them to an unauthorized server.
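The root cause is untrusted text written into markup without encoding for the context it lands in. The following added example (not from the page) shows a comment template with and without output encoding, plus the attribute and URL contexts that need their own encoders; the template markup and the response headers are assumptions for the illustration.

```python
import html
from urllib.parse import quote


def render_comment_vulnerable(author: str, body: str) -> str:
    """Untrusted text dropped straight into markup: any tags in it become part
    of the trusted page and run with that page's privileges."""
    return f'<p class="comment"><b>{author}</b>: {body}</p>'


def render_comment(author: str, body: str) -> str:
    """Same template with output encoding for the HTML text context."""
    return f'<p class="comment"><b>{html.escape(author)}</b>: {html.escape(body)}</p>'


def render_profile_link(display_name: str, handle: str) -> str:
    """Two more contexts: an attribute value (quoted, with quotes escaped) and
    a URL path segment (percent-encoded). Each context needs its own encoder."""
    return (
        f'<a href="/u/{quote(handle, safe="")}" '
        f'title="{html.escape(display_name, quote=True)}">'
        f'{html.escape(display_name)}</a>'
    )


def security_headers() -> dict:
    """Defence in depth for the response: a Content-Security-Policy that
    refuses inline script limits what an injection that slips through can do."""
    return {
        "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
        "X-Content-Type-Options": "nosniff",
    }
```

Real templating engines escape by default; the pattern to watch for in review is the "safe" or "raw" marker that switches that off for a value the user controls.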

No. 2: Broken Authentication and Session Management

One of the more common weaknesses found in insecure code, broken authentication and session management allows attackers to bypass an application's authentication and session-ID mechanisms, such as username-and-password login.
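Most of the mistakes in this category are concrete and avoidable: passwords stored with a fast or unsalted hash, session identifiers that can be guessed, sessions that never expire, and login responses that reveal which usernames exist. The code below is an added example, not from the page; the in-memory user and session stores, the iteration count and the one-hour lifetime are assumptions chosen for the illustration.

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Optional

PBKDF2_ITERATIONS = 600_000   # OWASP's current guidance for PBKDF2-HMAC-SHA256
SESSION_TTL = 3600            # seconds a session stays valid (assumed value)

USERS = {}     # username -> stored password hash (constructed in-memory store)
SESSIONS = {}  # opaque session id -> {"user": ..., "expires_at": ...}


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, deliberately slow hash; the stored string carries the
    parameters verify_password needs, so they can be raised later."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    _algo, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


# Verified against unknown usernames so a login attempt costs the same time
# whether or not the account exists (limits username enumeration via timing).
_DUMMY_HASH = hash_password(secrets.token_urlsafe(16))


def register(username: str, password: str) -> None:
    USERS[username] = hash_password(password)


def create_session(username: str, now: Optional[float] = None) -> str:
    """Session ids come from a CSPRNG, never from anything guessable such as
    a counter or the username, and carry an expiry."""
    now = time.time() if now is None else now
    session_id = secrets.token_urlsafe(32)
    SESSIONS[session_id] = {"user": username, "expires_at": now + SESSION_TTL}
    return session_id


def session_user(session_id: str, now: Optional[float] = None) -> Optional[str]:
    """Resolve a session id to a username, dropping expired sessions."""
    now = time.time() if now is None else now
    session = SESSIONS.get(session_id)
    if session is None:
        return None
    if now >= session["expires_at"]:
        SESSIONS.pop(session_id, None)
        return None
    return session["user"]


def login(username: str, password: str) -> Optional[str]:
    """Return a fresh session id on success, None otherwise. Issuing a new id
    on every login prevents a pre-set id from being fixated on the user."""
    stored = USERS.get(username, _DUMMY_HASH)
    ok = verify_password(password, stored) and username in USERS
    return create_session(username) if ok else None
```

In a real deployment the session id is sent in a cookie marked Secure and HttpOnly, and failed logins are rate-limited per account and per source; neither is shown here.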

No. 1: Injection

The most common application attack is injection, which allows hackers to use unsanitized user input to modify backend statements or commands that are then executed by an application. This vulnerability presents the most serious risks when exploited effectively, including data loss or corruption, denial of access, stolen data or a complete host system takeover.
