Top 10 Common Application Attacks to Avoid

Data security
Written By
Darryl K. Taft
Aug 24, 2015

Based on information from IBM, eWEEK examines, in descending order, which app attacks tend to occur with the most frequency and severity.


No. 10: Un-validated Redirects and Forwards

With this vulnerability, attackers manipulate the URLs of trusted sites and use phishing techniques to redirect visitors to an unwanted, malicious website.
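As an added illustration (not from the original article), the server-side check that closes this hole: a redirect parameter is parsed and compared against an allowlist instead of being trusted. The host names, default target and origin are constructed for the example.

```python
from urllib.parse import urljoin, urlsplit

# Constructed for this example: the only hosts this application may redirect to.
ALLOWED_HOSTS = {"app.example.com", "accounts.example.com"}
DEFAULT_TARGET = "/home"
CURRENT_ORIGIN = "https://app.example.com"

def safe_redirect_target(next_param: str) -> str:
    """Validate an attacker-controlled 'next' parameter before redirecting.

    Anything that is not an https URL on an allowlisted host, after resolving
    relative forms against our own origin, falls back to DEFAULT_TARGET.
    """
    if not next_param:
        return DEFAULT_TARGET
    # Browsers treat '/\evil.example' like '//evil.example', so normalise first.
    candidate = next_param.replace("\\", "/")
    # urljoin resolves '/path' against our origin and leaves absolute or
    # protocol-relative ('//evil.example') targets pointing where they point.
    parts = urlsplit(urljoin(CURRENT_ORIGIN, candidate))
    # .hostname ignores userinfo, so 'https://app.example.com@evil.example'
    # is correctly seen as evil.example.
    if parts.scheme != "https" or parts.hostname not in ALLOWED_HOSTS:
        return DEFAULT_TARGET
    return parts.geturl()
```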


No. 9: Using Components With Known Vulnerabilities

Attacks in this category exploit flaws in unpatched third-party components. Because these vulnerabilities are often publicized, with tools and proofs of concept readily available, attackers can easily take advantage of them.


No. 8: Cross-Site Request Forgery

Used in tandem with a social engineering ploy, cross-site request forgery is an application vulnerability that makes it possible for attackers to force users into unknowingly performing actions. Common targets include cloud storage, social media and banking applications.


No. 7: Missing Function Level Access Control

When functioning normally, applications verify incoming requests to ensure they have the authorization level necessary to access the requested resource. This is done at the UI level as well as at the backend function level. When not working properly, higher-privilege functionality is simply hidden from lower-privilege or unauthenticated users rather than being enforced through access controls. As a result, attackers can ignore the UI and forge a request that accesses the unauthorized functionality.
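An added example, not from the original article, contrasting the two patterns just described: a handler that only relies on its link being hidden from the menu, and the same handler with the role check enforced on the backend so that a forged request is refused. The route, roles and request shape are constructed for the example.

```python
from dataclasses import dataclass, field
from functools import wraps
from typing import Optional, Set

@dataclass
class Request:
    path: str
    user: Optional[str] = None                 # None means unauthenticated
    roles: Set[str] = field(default_factory=set)

def requires_role(role: str):
    """Enforce the check inside the handler itself, not only in the menu that links to it."""
    def decorator(handler):
        @wraps(handler)
        def guarded(req: Request) -> str:
            if req.user is None or role not in req.roles:
                return "403 Forbidden"
            return handler(req)
        return guarded
    return decorator

# Vulnerable pattern: the admin link is hidden from non-admins, but the
# handler itself trusts that only admins will ever reach it.
def delete_user_unprotected(req: Request) -> str:
    return f"deleted user requested via {req.path}"

# Hardened pattern: the same handler, with the role check enforced server-side.
@requires_role("admin")
def delete_user_protected(req: Request) -> str:
    return f"deleted user requested via {req.path}"

ROUTES = {"/admin/deleteUser": delete_user_protected}

def render_menu(req: Request) -> list:
    """UI-level hiding: fine for usability, never a security control by itself."""
    links = ["/profile"]
    if "admin" in req.roles:
        links.append("/admin/deleteUser")
    return links

def dispatch(req: Request) -> str:
    """A forged request skips the menu and hits the route directly; the guard still runs."""
    handler = ROUTES.get(req.path)
    return handler(req) if handler else "404 Not Found"
```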


No. 6: Sensitive Data Exposure

This type of vulnerability results from a lack of data encryption in transit and at rest. When not properly protected, users’ sensitive data housed in the application, such as credit card numbers, can be easily stolen or modified to conduct credit card fraud, identity theft and other crimes.


No. 5: Security Misconfiguration

The fifth most common application attack is the simple misconfiguration of security within an application. Vulnerabilities in this category allow attackers to take advantage of server and application features intended for testing or debugging environments.


No. 4: Insecure Direct Object References

Insecure direct object references, including path traversal, enable attackers to manipulate file names and download data from the server that they are not authorized to access.
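An added example (not part of the original article) of the containment check that defeats the path-traversal form of this weakness: the user-supplied name is resolved to a physical path and rejected unless it stays under the download root. The directory layout and file contents are constructed for the example.

```python
import os
import tempfile

def resolve_download(base_dir: str, requested_name: str) -> str:
    """Map a user-supplied file name onto a path that must stay inside base_dir.

    Raises ValueError for any name that escapes the root (.. segments, absolute
    paths, symlinks pointing outside).
    """
    base = os.path.realpath(base_dir)
    # realpath collapses '..' and follows symlinks, so the containment check is
    # made on the final physical path rather than on the raw string.
    target = os.path.realpath(os.path.join(base, requested_name))
    if os.path.commonpath([base, target]) != base:
        raise ValueError(f"refusing path outside download root: {requested_name!r}")
    return target

def fetch_download(base_dir: str, requested_name: str) -> bytes:
    with open(resolve_download(base_dir, requested_name), "rb") as fh:
        return fh.read()

def demo() -> dict:
    """Constructed sandbox: a download root with one legitimate file and a
    sibling secret file outside the root that must never be served."""
    root = tempfile.mkdtemp()
    downloads = os.path.join(root, "downloads")
    os.mkdir(downloads)
    with open(os.path.join(downloads, "report.pdf"), "wb") as fh:
        fh.write(b"%PDF-1.4 constructed sample")
    with open(os.path.join(root, "secret.txt"), "wb") as fh:
        fh.write(b"do not serve")
    results = {}
    for name in ["report.pdf", "../secret.txt", "/etc/hostname", "sub/../../secret.txt"]:
        try:
            results[name] = fetch_download(downloads, name)
        except (ValueError, FileNotFoundError) as exc:
            results[name] = type(exc).__name__
    return results
```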


No. 3: Cross-Site Scripting

This vulnerability allows attackers to insert JavaScript into the pages of a trusted site, altering the site’s contents. Through this type of attack, hackers can steal a visitor’s user credentials and send them to a server under the attacker’s control.


No. 2: Broken Authentication and Session Management

One of the more common weaknesses found in insecure code, broken authentication and session management allows attackers to bypass an application’s authentication and session-management mechanisms, such as username-and-password login and session IDs.


No. 1: Injection

The most common application attack is injection, which allows hackers to use unsanitized user input to modify backend statements or commands that the application then executes. When exploited effectively, this vulnerability presents the most serious risks, including data loss or corruption, denial of access, stolen data or a complete host system takeover.
