Top 10 Common Application Attacks to Avoid

Based on information from IBM, eWEEK examines, in descending order, which app attacks tend to occur with the most frequency and severity.

In this vulnerability, attackers manipulate the URLs of trusted sites and use phishing techniques to redirect visitors to an unwanted and malicious Website.

Deploying this type of attack involves exploiting flaws in unpatched third-party components. Because these vulnerabilities are often publicized, with tools and proofs of concept readily available, attackers can easily take advantage of these weaknesses.

Used in tandem with a social engineering ploy, cross-site request forgery is an application vulnerability that makes it possible for attackers to force users into performing actions unknowingly. Common targets include cloud storage, social media and banking applications.

When functioning normally, applications verify incoming requests to ensure they have the authentication level necessary to access the requested resource. This is done at the UI level as well as the backend function level. When not working properly, higher-privilege functionality is simply hidden from lower-privilege or unauthenticated users, rather than being enforced through access controls. As a result, attackers can ignore the UI and forge a request that accesses unauthorized functionality.

This type of vulnerability results from a lack of data encryption in transport and at rest. When not properly protected, users’ sensitive data housed in the application, such as credit cards, can be easily stolen or modified to conduct credit card fraud, identity theft and other crimes.

The fifth most common application attack is the simple misconfiguration of security within an application. Vulnerabilities in this category allow attackers to take advantage of various server application features intended for testing or debugging environments.

Insecure direct object references, including path traversal, enable attackers to manipulate file names to download data from the server.

This vulnerability allows attackers to insert JavaScript into the pages of a trusted site, altering the site’s contents. Through this type of attack, hackers can steal a visitor’s user credentials and share them with an unauthorized server.

One of the more common weaknesses found in insecure code, broken authentication and session management allow attackers to bypass an application’s authentication and session ID methods, such as use of a username and password.

The most common application attack is injection, which allows hackers to use unsanitized user input to modify backend statements or commands that are then executed by an application. This vulnerability presents the most serious risks when exploited effectively, including data loss or corruption, denial of access, stolen data or a complete host system takeover.