Comprehensive Report on Cyber Security: Web Application Attacks

Added on 2023/05/29

AI Summary
This report provides an overview of web application attacks and vulnerabilities in the context of cyber security. It details the motives behind these attacks, including information theft, espionage, sabotage, and disruption. The report also differentiates between various types of web application vulnerabilities such as injection, cross-site scripting (XSS), insecure direct object reference, and cross-site request forgery (CSRF). Furthermore, it discusses ten key reasons for attacking web applications, including XSS, injection flaws, malicious file execution, insecure direct object references, CSRF, information leakage, broken authentication, insecure cryptographic storage, insecure communication, and failure in restricting URL access. The report references academic sources to support its analysis of the threats and vulnerabilities associated with web applications.
Running head: CYBER SECURITY
Cyber Security
Name of the Student
Name of the University
Author’s Note:
Table of Contents
Question 1
Question 2
References
Question 1
Summary and Demonstration of the Motives of Web Application Attacks and Differentiation between Various Types of Web Application Vulnerabilities
The web is a highly programmable environment that allows mass customization through the immediate deployment of a large and diverse range of applications to billions of users worldwide (Razzaq et al. 2014). Web applications are computer programs that let website visitors submit and retrieve confidential data from a database over the Internet using their preferred web browser (Zhou et al. 2014). The data are then presented to the users in their web browsers as the information is generated dynamically.
Web application attacks are targeted attacks, and the chosen target reveals what the attacker wishes to accomplish. Attackers have a small number of major, specific motives, and understanding them gives an idea of how the data should be protected. The most significant motives behind web application attacks are as follows:
i) Information Theft: The first and foremost motive of this type of web application attack is information theft, where the attacker aims to acquire valuable information owned by the target or stored within its network. This information takes the form of customer information, intellectual property and business-related information (Matsuda 2013). Such attackers have infiltrated the security of organizational networks via phishing mail carrying malware that exploited vulnerabilities.
ii) Espionage: Here the attacker's main objective is to monitor the target's various activities and then steal the relevant information that the target holds. This is therefore counted as one of the major motives for web application attacks against users.
iii) Sabotage: Another significant motive for these types of web application attacks is to sabotage the target (Razzaq et al. 2014). The goal of such attackers is to destroy, blackmail and defame the target. Attackers driven by these three distinct motivations are far more determined than those behind other attacks.
iv) Disruption: The fourth motive for web application attacks is disruption. It prevents everyone else from accessing the systems and hence allows any type of falsified information to be distributed.
The most significant types of web application vulnerabilities are injection, cross-site scripting, cross-site request forgery, insecure direct object reference and many more.
i) Injection: Injection lets attackers modify back-end statements or commands through un-sanitized user input (Salini and Shenbagam 2015). SQL injection is a typical example of these attacks, and they can end up bypassing the application's password checks.
ii) Cross-Site Scripting: Cross-site scripting is a kind of vulnerability that allows attackers to insert JavaScript into the pages of a trusted site. The users' credentials are then sent on to other servers.
iii) Insecure Direct Object Reference: An insecure direct object reference enables attackers to obtain data from the server by manipulating file names (Sajjadi and Pour 2013).
iv) Cross-Site Request Forgery: This attack is used together with social engineering. It enables attackers to trick users into performing various actions without their knowledge.
Question 2
Discussion of 10 Reasons for Attacking Web Applications and Web Application Vulnerabilities
Web application attacks and web application vulnerabilities are among the most common and significant reasons that users find themselves in such vulnerable situations (Pop and Altar 2014). The 10 major reasons for attacking web applications, and the vulnerabilities of web applications, are as follows:
i) Cross-Site Scripting: XSS, the most prevalent web application vulnerability, occurs when an application sends user-supplied data to web browsers without proper validation and encoding of the content. Hackers can then execute malicious scripts within the browser, deface websites, conduct malware and phishing attacks and insert hostile content. Many of these attacks are carried out with JavaScript, and hackers can manipulate aspects of the page.
ii) Injection Flaws: User-supplied data can be sent to an interpreter as part of a query or command (Burg et al. 2013). Injection flaws enable attackers to create, read, update and delete arbitrary data.
iii) Malicious File Execution: Attackers can achieve remote code execution and complete compromise of the system. All types of web applications are vulnerable when they accept files or filenames.
iv) Insecure Direct Object Reference: In this type of attack, hackers manipulate direct object references to gain unauthorized access to other objects. The problem arises when form parameters or URLs contain references to objects such as directories, keys, files and database records (Salini and Shenbagam 2015).
v) Cross-Site Request Forgery: This attack takes control of the browser as soon as it is logged into a website, and malicious requests are then sent to the application.
vi) Information Leakage and Improper Error Handling: The next reason for these attacks is information leakage together with the improper handling of errors. Privacy is also violated in attacks of this kind.
vii) Broken Authentication and Session Management: Administrative and user accounts can be hijacked when applications fail to protect session tokens and credentials from start to end (Matsuda 2013).
viii) Insecure Cryptographic Storage: The eighth significant reason for such web application attacks is insecure cryptographic storage. Most web developers fail to encrypt confidential data in storage, even though cryptography is considered a core part of web applications.
ix) Insecure Communication: The next important reason for such web application attacks or vulnerabilities is insecure communication, that is, failing to encrypt network traffic whenever it is required to protect sensitive communications (Sajjadi and Pour 2013). For this reason the PCI standards require credit card information transmitted over Internet connections to be encrypted.
x) Failure to Restrict URL Access: The final reason behind these attacks on web applications is failure to restrict URL access. Some web pages are supposed to be restricted to a small subset of privileged users such as administrators.
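Items iv) and x) above both describe missing authorization: an object reference taken from the URL is looked up without checking who asked, and an administrative page is hidden rather than restricted. The following added example (my own illustration, not the essay's) shows the unchecked lookup beside a checked one and a server-side URL restriction; the records, user roles and the /admin/ prefix are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class User:
    name: str
    role: str  # "user" or "admin"


# Constructed sample records keyed by the direct object reference (the numeric
# id that would appear in a URL such as /invoice?id=101). Not data from the essay.
RECORDS = {
    101: {"owner": "alice", "body": "invoice for alice"},
    102: {"owner": "bob", "body": "invoice for bob"},
}

# URL prefixes reserved for administrators (an assumption made for this demo).
ADMIN_PREFIXES = ("/admin/",)


def fetch_record_vulnerable(user: User, record_id: int) -> Optional[dict]:
    """Looks the record up by id alone, so any logged-in user who changes the id
    in the URL receives another user's record: an insecure direct object reference."""
    return RECORDS.get(record_id)


def fetch_record_checked(user: User, record_id: int) -> Optional[dict]:
    """Looks the record up, then verifies that the caller is allowed to see it."""
    record = RECORDS.get(record_id)
    if record is None:
        return None
    if user.role == "admin" or record["owner"] == user.name:
        return record
    # Deny with the same result as 'not found', so a rejected id reveals nothing
    # about whether a record with that id exists.
    return None


def url_allowed(user: User, path: str) -> bool:
    """Server-side check that an administrative URL is actually restricted to
    administrators, rather than merely left out of the navigation menu."""
    if path.startswith(ADMIN_PREFIXES):
        return user.role == "admin"
    return True
```
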
References
Burg, B., Bailey, R., Ko, A.J. and Ernst, M.D., 2013, October. Interactive record/replay for web application debugging. In Proceedings of the 26th Annual ACM Symposium on User Interface Software and Technology (pp. 473-484). ACM.
Matsuda, T., 2013, December. Feature extraction of web application attacks based on zeta distributions. In Internet Security (WorldCIS), 2013 World Congress on (pp. 119-122). IEEE.
Pop, D.P. and Altar, A., 2014. Designing an MVC model for rapid web application development. Procedia Engineering, 69, pp. 1172-1179.
Razzaq, A., Anwar, Z., Ahmad, H.F., Latif, K. and Munir, F., 2014. Ontology for attack detection: An intelligent approach to web application security. Computers & Security, 45, pp. 124-146.
Razzaq, A., Latif, K., Ahmad, H.F., Hur, A., Anwar, Z. and Bloodsworth, P.C., 2014. Semantic security against web application attacks. Information Sciences, 254, pp. 19-38.
Sajjadi, S.M.S. and Pour, B.T., 2013. Study of SQL injection attacks and countermeasures. International Journal of Computer and Communication Engineering, 2(5), p. 539.
Salini, P. and Shenbagam, J., 2015. Prediction and classification of web application attacks using vulnerability ontology. International Journal of Computer Applications, 116(21).
Zhou, W., Jia, W., Wen, S., Xiang, Y. and Zhou, W., 2014. Detection and defense of application-layer DDoS attacks in backbone web traffic. Future Generation Computer Systems, 38, pp. 36-46.