Web application security branches out from Information Security and relates to the security concerns pertaining to web based applications. Its core values and fundamental principles remain the same as application security; however, it requires a different approach.

It is a rather general perception that web application security is about stealing credit cards, hacking a website, spreading viruses, and disrupting a service through distributed denial of service (DDoS) attacks. While it is true that these issues are concerned with web application security, it is not limited to just these issues. Other factors of equal if not higher impact include disgruntled employees looking to cause damage, hacking through shoulder surfing or an employee’s genuine mistake of stumbling across confidential information.

Vulnerabilities can be costly, both in terms of dollars and time spent on fixing them. According to a study by White Hat Security, the time to fix found vulnerabilities can average anywhere between 100 and 245 days.

5 vulnerabilities and how they are used for exploitation

1. Injection

Injection is a text-based attack where the attacker injects a piece of code to exploit the syntax of a targeted interpreter. Such attacks have the tendency to go unnoticed as they may not necessarily show up in testing but they can be discovered fairly easily while examining the code. Injection is highly dangerous as the attacker has the ability to take over the system.

2. Cross Site Scripting (XSS)

Cross-site scripting is another one of the most commonly-used attacking techniques. It is quite similar to injection, except it targets the browser’s interpreter. The hacker exploits flaws in a browser following which user supplied information would be sent to the hacker instead of reaching its original intended destination. XSS flaws in servers are comparatively easier to discover than in clients.

3. Cross-Site Request Forgery (CSRF)

Cross-Site Request Forgery is another commonly employed hacking techniques. Due to the nature of this form of attack, more non tech-savvy people become its victim. CSRF tricks users into submitting forms, updating details and/or changing login credentials.

The attacker replicates the form or email to make it appear as a legitimate request. The user is hacked the moment they submit forms or update details using the hacker supplied link. Many companies have subsequently taken an initiative to inform users to carefully read the sender’s complete email address and other details before submitting information.

4. Broken Authentication and Session Management

As the name suggests, the attacker targets the authentication and session management process to gain complete access to the victim’s account. The attacker may find flaws within different areas of authentication and session management, such as stored details, logout, session timeout, security questions and more.

Even more dangerous is the fact that such exploits are generic in kind, so the flaw would be common for a set or group of people who perhaps have the same privileges. The attacker would have all the rights and controls once the attack succeeds.

5. Security Misconfiguration

Easily the most common kind of attack prevalent today as misconfigurations are possible at any level. It could be a web server, application server, frameworks or the custom code level.

The attacker will try to find unpatched flaws and unprotected files in order to gain unauthorized access to the system. Once hacked, the attacker can modify the data. They can also steal data either at once or slowly over the time in order to escape the victim’s attention.


The vulnerabilities listed above are only the most common ones, although perhaps also the most dangerous ones. The important takeaway is that, ultimately, the user is responsible for taking precautionary measures and staying alert –  especially when dealing with sensitive information.


Feature Image Credit – DepositPhotos

Posted by admin

We are the information resource on all things Cloud, Disaster Recovery and Information Security.