Web applications are common to practically every company that uses the internet. Even if a company uses the well-known Secure Sockets Layer (SSL) and sophisticated firewall protection, the very fact that it can’t control what users enter into its web forms introduces several avenues that a malicious person can use to attack the company’s data. Top web application researcher and practitioner Dafydd Stuttard and his colleagues have tested thousands of web applications in security assessments over the years. In the following list, I give the type of attack and, in parentheses, the percentage of companies that are vulnerable to that particular type of attack.
• Cross-site Scripting (91%): This type of web application vulnerability allows an attacker to impersonate another user and perform unauthorized actions on behalf of that innocent user.
• Information Leaks (81%): Information leaks occur when in response to a clever attacker’s probing, the web site offers up sensitive information – this is usually due to defective error handling by web sites.
• Broken Access Controls (78%): This refers to weak protection of sensitive data, enabling attackers to steal data and to carry out privileged actions they aren’t supposed to be able to perform.
• Broken Authentication (67%): This refers to defective login procedures, including weak password configuration.
• SQL Injection (36%): This type of attack uses specially crafted inputs, through URLs or web forms, to change the logic of web applications and steal data or launch commands on the database servers.
As this simple summary shows, most companies are vulnerable to one or more of these common modes of internet-based attack, and there are many other types of attacks out there as well. A sound web application security assessment and the implementation of secure web application coding practices are the keys to protecting yourself against these dangerous types of cyber attacks.