Before we talk about what attacks a web application, let’s look at what a web application or widget is. Over the past ten years or so, millions of businesses have turned to the web as a cheap way to connect with prospects, share information, and do business with customers.
In particular, the web gives marketers a way to find out more about the people who visit their sites and start talking to them. One way to do this is to ask website visitors to sign up for newsletters, fill out an application form when they want information about a product, or give information to make their next visit to a certain website more enjoyable.
The web is also a great way for many businesses, big and small, to sell their products. In 2006, US e-commerce spending was $102.1 billion, and there were more than 1 billion Internet users (sources: comScore Networks, 2007; Computer Industry Almanac).
All of this information must be collected, stored, processed, and sent so that it can be used right away or later. Web applications, which come in the form of submitting fields, inquiry and login forms, shopping carts, and content management systems, make this possible.
Because of this, they are essential for businesses to have if they want to make the most of their online presence and build long-lasting, profitable relationships with prospects and customers.
It’s no wonder that web applications have become so popular. But because web applications are so technical and complicated, most people know little about them and have a poor understanding of what they actually do.
Web Applications Defined
From a technical point of view, the web is a highly programmable environment that lets millions of people around the world use a large number of different applications right away. Web applications and flexible web browsers are two important parts of a modern website. Both are free and can be used by anyone.
Web browsers are pieces of software that let people get information from and interact with content on web pages on a website. Websites of the early and mid-1990s were mostly static displays of text and graphics.
Today’s websites, on the other hand, let users pull down personalized, dynamic content based on their preferences and settings. Also, web pages can run client-side scripts that turn the Internet browser into an interface for programs like webmail and interactive mapping software (e.g., Yahoo Mail and Google Maps).
Most importantly, modern websites can collect, process, store, and send sensitive customer data (like personal information, credit card numbers, social security numbers, etc.) so that it can be used right away and in the future.
And this is done with the help of web apps. Modern websites have things like webmail, login pages, support and product request forms, shopping carts, and content management systems that make it easy for businesses to talk to customers and prospects. All of these are examples of common web apps.
Web applications are therefore computer programs that let website visitors submit information to, and retrieve information from, a database over the Internet using their preferred web browser. The web application generates the response dynamically (in a particular format, such as HTML with CSS), delivers it through a web server, and the browser then displays it to the user.
For those who are more technically minded, web applications query the content server, which is a database of content, and create web documents on the fly that are sent to the client (people surfing the website).
The web browser is very important because it reads and runs all scripts and other code while showing the pages and content that were asked for. Wikipedia says that the web browser is the universal client for any web application, which is a very good way of putting it.
Another big benefit of building and keeping up web applications is that they work the same way no matter what operating system or browser is used on the client side. Web apps can be used anywhere quickly, for free, and (almost) without having to install anything on the user’s end.
As more and more businesses realize the benefits of doing business on the web, more and more web applications and other related technologies will be used.
Also, since intranets and extranets are being used more and more, web applications have become a big part of any organization’s communication infrastructure, which makes them more complex and technologically savvy. Web applications can be bought off the shelf or made by the company itself.
How Do Web Applications Work?
The three-layer web application model is shown in the figure below. The first layer is usually the web browser, which provides the user interface. The second layer is the dynamic content generation technology, such as Java servlets, JavaServer Pages (JSP), or Active Server Pages (ASP). The third layer is the database, which stores content (like news) and customer data (e.g., usernames and passwords, social security numbers, and credit card details).
In the picture below, you can see how the first request is sent from the user’s browser to the web application server over the Internet. The web application connects to the database servers to update and get information from the database to do what was asked. The information is then sent to the user’s browser by the web application.
Web Application Attack
Let’s look at the different ways that web apps can be attacked. Despite their benefits, web apps carry security issues that stem from poor coding. A web application attack is one in which criminals exploit serious flaws to gain direct, public access to the back-end databases and steal sensitive information.
Many of these databases have valuable information in them, like personal information and financial information. This makes them a common target for attacks.
Even though defacing corporate websites is still a common act of vandalism (often done by so-called “script kiddies”), attackers now prefer to get access to the sensitive data on the database server because they can make a lot of money by selling the results of data breaches.
In the model described above, it’s easy to see how a criminal could quickly reach the data in the database with a little creativity and, if they’re lucky, through carelessness or human error that leaves the web application vulnerable.
As already said, websites need databases to give visitors the information they need. If your web applications are not secure, which means that they can be hacked in at least one way, then a web application attack is a serious risk for your entire database of sensitive information.
SQL Injection attacks, which go straight for the databases, are still the most common and dangerous type of vulnerability. Other attackers could use what users type into vulnerable web applications to inject malicious code and trick users into going to phishing sites.
This kind of attack is called Cross-Site Scripting (XSS), and it can succeed even when the web server and database engine themselves have no flaws. It is often combined with other techniques, such as social engineering.
Other common attacks include directory traversal, local file inclusion, and many more. Recent studies show that 75% of cyber attacks happen at the level of the web application.
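The three-layer model described earlier and the two attack classes just named can be shown together in one small program. The following is an added example, not code from the original article: an in-memory SQLite table stands in for layer 3, a lookup function for layer 2, and a request handler for the browser's request in layer 1. The user lookup and the profile rendering each appear twice, once in the form that trusts visitor input (SQL injection on the way in, XSS on the way out) and once in the hardened form (bound parameters, HTML escaping). The table contents, the `handle_request` signature, and the `user` parameter are constructed for the demo.

```python
import html
import sqlite3

# Layer 3: the database. Constructed sample rows, held in memory for the demo.
def build_database() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT, card_last4 TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "alice@example.com", "1111"), ("bob", "bob@example.com", "2222")],
    )
    conn.commit()
    return conn

# Layer 2, vulnerable form: the visitor's input is pasted into the SQL text, so the
# database cannot tell the visitor's data apart from the query's own syntax.
def lookup_user_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    sql = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()

# Layer 2, hardened form: the query text is fixed and the input travels as a bound
# parameter, so whatever the visitor typed is compared as a literal string.
def lookup_user_safe(conn: sqlite3.Connection, username: str) -> list:
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()

# Output side, vulnerable form: database values are placed into HTML unescaped, so
# a value containing markup is interpreted by the browser instead of displayed.
def render_profile_vulnerable(username: str, email: str) -> str:
    return f"<p>User: {username} ({email})</p>"

# Output side, hardened form: every value is escaped before it is placed in HTML.
def render_profile_safe(username: str, email: str) -> str:
    return f"<p>User: {html.escape(username)} ({html.escape(email)})</p>"

# Layer 1 to layer 2: the browser's request arrives as a dict of query parameters
# (constructed signature). `safe` selects which pair of functions handles it.
def handle_request(conn: sqlite3.Connection, params: dict, safe: bool = True) -> str:
    username = params.get("user", "")
    lookup = lookup_user_safe if safe else lookup_user_vulnerable
    render = render_profile_safe if safe else render_profile_vulnerable
    rows = lookup(conn, username)
    if not rows:
        return "<p>No such user</p>"
    return "".join(render(u, e) for u, e in rows)

if __name__ == "__main__":
    conn = build_database()
    # Ordinary request: both forms behave the same.
    print(handle_request(conn, {"user": "alice"}))
    # Input carrying a quote: the hardened form finds no such user, the vulnerable
    # form lets the input alter the WHERE clause and returns every row.
    probe = "' OR '1'='1"
    print(len(lookup_user_safe(conn, probe)), "row(s) from the safe lookup")
    print(len(lookup_user_vulnerable(conn, probe)), "row(s) from the vulnerable lookup")
    # Output escaping: markup in a stored value is rendered as text, not executed.
    print(render_profile_safe("<b>name</b>", "x@example.com"))
```

The point of running both paths side by side is that the hardened functions are not longer or slower; the only difference is that data and code stay separated at each layer boundary, on the way into the database and on the way back out to the browser.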
- Websites and the web apps that go with them must be available 24 hours a day, 7 days a week, so that customers, employees, suppliers, and other stakeholders can get the service they need.
- Web application attacks can’t be stopped by firewalls or SSL because the website has to be open to everyone. All modern database systems, like Microsoft SQL Server, Oracle, and MySQL, can be accessed through certain ports, like port 80 and port 443, and anyone can try to connect directly to the databases, which is a way to get around the security features of the operating system. These ports stay open so that they can talk to legitimate traffic, which makes them a major security risk.
- Web apps often have direct access to back-end data like customer databases, which means they control valuable data and are much harder to protect. Those that don’t have direct access will at least have a script that captures and transmits data.
- If an attacker discovers that this script has flaws, they can easily reroute unwitting users’ traffic elsewhere and steal personal information.
- Most web applications are made-to-order, so they typically undergo less testing than off-the-shelf software. Because of this, custom applications are easier to hack.
- So, web applications are a way to get to databases, especially custom applications that aren’t built with security best practices and don’t get regular security checks. In general, you should be able to answer the questions “Which parts of a website that we thought were safe can be attacked through a web application?” and “What kind of data can we feed an app to make it do something it shouldn’t?”