News

Web Application Firewall (WAF) - A review of the 7 most common web application attacks

Web Application Firewalls (WAF) are one of the first lines of defense when it comes to preventing web application attacks. A WAF protects web applications and websites by filtering, monitoring, and analyzing Hypertext Transfer Protocol (HTTP) and Hypertext Transfer Protocol Secure (HTTPS) traffic between the web applications and the internet.

The threat landscape targeting web applications is as diverse as it is sophisticated, so here are seven of the most common web application attacks based on data from Radware’s cloud security services and threat intelligence team.

1. Injection attack

Injection flaws, such as SQL, NoSQL, OS, and Lightweight Directory Access Protocol (LDAP) injection, have been a perennial favorite among attackers for many years. An injection flaw occurs when untrusted data is passed to an interpreter as part of a command or query. This hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.

The most common form of code injection is SQL injection, in which crafted SQL is passed through an application input to the database server. It is a simple and quick attack to attempt, and anyone with internet access can initiate it because ready-made SQL injection tools are freely available.
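To make the difference between concatenated and bound input concrete, here is an added example (not Radware's or VNCS's code) using Python's built-in sqlite3 with a constructed users table. The same input reaches the database once as query text and once as a bound parameter; the classic tautology string is used only to show that the parameterized version treats it as a literal name.

```python
import sqlite3

def make_db():
    # Constructed in-memory table for the demonstration; not data from the article.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, role TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return db

def lookup_unsafe(db, name):
    # Vulnerable pattern: the input is spliced into the SQL text, so quote
    # characters inside it become SQL syntax and change the WHERE clause.
    sql = "SELECT name FROM users WHERE name = '" + name + "' ORDER BY name"
    return [row[0] for row in db.execute(sql)]

def lookup_safe(db, name):
    # Parameterized query: the input is bound as a value by the driver and is
    # never parsed as SQL, whatever characters it contains.
    sql = "SELECT name FROM users WHERE name = ? ORDER BY name"
    return [row[0] for row in db.execute(sql, (name,))]

NORMAL = "bob"
TAUTOLOGY = "x' OR '1'='1"   # textbook probe; here only to contrast the two paths

if __name__ == "__main__":
    db = make_db()
    print("unsafe:", lookup_unsafe(db, NORMAL), lookup_unsafe(db, TAUTOLOGY))
    print("safe:  ", lookup_safe(db, NORMAL), lookup_safe(db, TAUTOLOGY))
```

The unsafe lookup returns every user for the tautology input; the bound version returns nothing, because no user is literally named `x' OR '1'='1`.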

2. Predictable Resource Location Attacks

Predictable resource location is an attack technique used to uncover hidden website content and functionality. By making educated guesses via brute forcing, an attacker guesses file and directory names not intended for public viewing. Brute forcing filenames is easy because files/paths often have common naming conventions and reside in standard locations. These can include temporary files, backup files, logs, administrative site sections, configuration files, demo applications, and sample files. These files may disclose sensitive information about the website, web application internals, database information, passwords, machine names, file paths to other sensitive areas, etc.

This will not only assist the attacker in identifying the site surface, leading to additional site vulnerabilities, but also may disclose valuable information about the environment or its users. Predictable resource location is also known as forced browsing, forceful browsing, file enumeration, and directory enumeration.

3. DDoS HTTP (Flood)

HTTP Flood is a type of distributed Denial-of-Service (DDoS) attack used by attackers against web servers and applications. HTTP Floods work by directing a large number of HTTP requests at a web page in order to overload the target server.

In an HTTP Flood, the HTTP clients, such as web browsers, interact with an application or server to send HTTP requests. The request can be either “GET” or “POST.” The aim of the attack is to compel the server to allocate as many resources as possible to serving the attack, thus denying legitimate users access to the server's resources. Such requests are often sent en masse by means of a botnet, thus increasing the attack's overall power.

These DDoS attacks are among the most advanced non-vulnerability threats faced by web servers today. It is very hard for network security devices to distinguish legitimate HTTP traffic from malicious HTTP traffic, and if this is not handled correctly it produces a high number of false-positive detections. Rate-based detection engines are also not reliable at detecting these attacks, because the traffic volume of an HTTP Flood may stay under the detection thresholds. Detection therefore has to combine several parameters, both rate-based and rate-invariant.
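The following added Python example (constructed, not Radware's detection engine) shows why the two kinds of parameter are complementary. Over a constructed request log, a per-IP sliding-window rate check catches one noisy client but misses a botnet whose members each send a single request, while a rate-invariant check on the request fingerprint catches the botnet and ignores the noisy client; the thresholds are assumptions for illustration.

```python
from collections import defaultdict

# Constructed sample log, not real traffic: (time_s, client_ip, method, path, user_agent).
# Flood: 30 distinct bot IPs each send ONE identical request within 30 s, so every
# bot stays far below any per-IP rate threshold.
LOG = [(t, f"198.51.100.{t + 1}", "GET", "/search?q=sale", "Mozilla/5.0 (bot-kit)")
       for t in range(30)]
# One noisy single client: 25 varied requests within 9 s (a per-IP rate outlier).
LOG += [(t // 3, "203.0.113.7", "GET", f"/item/{t}", "Mozilla/5.0 (X11; Linux)")
        for t in range(25)]
# Ordinary browsing from one legitimate client.
LOG += [(5, "192.0.2.5", "GET", "/", "Mozilla/5.0 (Windows)"),
        (9, "192.0.2.5", "GET", "/item/3", "Mozilla/5.0 (Windows)")]

def rate_based(log, window_s=10, max_reqs=20):
    """Flag client IPs that exceed max_reqs within any sliding window of window_s."""
    by_ip = defaultdict(list)
    for t, ip, *_ in log:
        by_ip[ip].append(t)
    flagged = set()
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] >= window_s:
                start += 1
            if end - start + 1 > max_reqs:
                flagged.add(ip)
                break
    return flagged

def rate_invariant(log, min_sources=10):
    """Flag request fingerprints (method, path, user agent) repeated verbatim by
    many distinct sources. Humans vary their requests; a flood tool does not, and
    this holds no matter how slowly each individual bot sends."""
    sources = defaultdict(set)
    for _, ip, method, path, ua in log:
        sources[(method, path, ua)].add(ip)
    return {fp: ips for fp, ips in sources.items() if len(ips) >= min_sources}

def flood_sources(log):
    """Union of IPs flagged by either engine: the layered view the article calls for."""
    ips = set(rate_based(log))
    for fp_ips in rate_invariant(log).values():
        ips |= fp_ips
    return ips
```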

The vast majority of internet traffic is now encrypted, so most HTTP Flood attacks are HTTPS Floods. Encrypted floods are more potent because of the large amount of server resources required to handle them. They also add a layer of complexity to mitigation, since DDoS defenses usually cannot inspect the contents of HTTPS requests without fully decrypting all traffic.

4. HTTP Request Smuggling

HTTP Request Smuggling, also known as an HTTP Desync attack, is a technique that interferes with the way a website processes sequences of HTTP requests received from one or more users. It allows the attacker to "smuggle" a request to a web server without the devices between the attacker and the web server being aware of it. HTTP request smuggling vulnerabilities are often critical in nature and allow an attacker to bypass security controls, interfere with other users' sessions, gain unauthorized access to sensitive data, and directly compromise other application users.
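Desync attacks depend on two devices in the chain disagreeing about where one request ends and the next begins, so the defensive rule for a gateway is to refuse any request whose body length is ambiguous rather than guess. The Python check below is an added example (not Radware's or VNCS's code) that applies the RFC 7230 framing rules to constructed request heads: conflicting Content-Length values, Content-Length alongside Transfer-Encoding, a Transfer-Encoding that does not end in chunked, and whitespace between a header name and its colon are all rejected.

```python
import re

def parse_head(raw: bytes):
    """Split a raw request head into (request_line, [(name, value), ...]).
    Returns None for header lines a strict gateway should not accept."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        # Reject: missing colon, obs-fold continuation lines, and whitespace
        # between the field name and the colon (RFC 7230 forbids all three).
        if not sep or line[:1] in (b" ", b"\t") or name != name.strip():
            return None
        headers.append((name.lower(), value.strip()))
    return lines[0], headers

def framing_verdict(raw: bytes) -> str:
    """Return 'ok' or the reason to reject the request before forwarding it.
    Any message whose body length is ambiguous is refused outright."""
    parsed = parse_head(raw)
    if parsed is None:
        return "reject: malformed header block"
    _, headers = parsed
    cl = [v for n, v in headers if n == b"content-length"]
    te = [v for n, v in headers if n == b"transfer-encoding"]
    if cl and te:
        return "reject: both Content-Length and Transfer-Encoding"
    if len(set(cl)) > 1:
        return "reject: conflicting Content-Length values"
    if any(not re.fullmatch(rb"\d+", v) for v in cl):
        return "reject: non-numeric Content-Length"
    if te:
        codings = [c.strip().lower() for c in b",".join(te).split(b",")]
        if codings[-1] != b"chunked":
            return "reject: Transfer-Encoding without final chunked coding"
    return "ok"

# Constructed request heads (not captured traffic), one per rule above.
SAMPLES = {
    "clean": b"POST /login HTTP/1.1\r\nHost: app.example\r\nContent-Length: 5\r\n\r\nhello",
    "cl_and_te": (b"POST /login HTTP/1.1\r\nHost: app.example\r\nContent-Length: 5\r\n"
                  b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\n"),
    "dup_cl": (b"POST /login HTTP/1.1\r\nHost: app.example\r\nContent-Length: 5\r\n"
               b"Content-Length: 11\r\n\r\n"),
    "space_before_colon": b"POST /login HTTP/1.1\r\nHost: app.example\r\nTransfer-Encoding : chunked\r\n\r\n",
}
```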

5. File Path Traversal / Directory Traversal

A file path traversal attack (also known as directory traversal) is a web security vulnerability that allows an attacker to access files and directories which are stored outside the web root folder. These files might include application code and data, credentials for backend systems and sensitive operating system files.

Attackers achieve file path traversal by tricking either the web server or the web application running on it into returning files that exist outside the web root folder.
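The server-side defence is to resolve the requested path against the web root and refuse anything that ends up outside it. Here is an added Python example (not from the article or Radware) of that check; the web root path is an assumed value, and the function is purely lexical, so an application serving from a real filesystem should also realpath() the result to catch symlinks.

```python
import posixpath
from urllib.parse import unquote

WEB_ROOT = "/var/www/app/public"   # assumed deployment path, not from the article

def resolve_under_root(requested: str, root: str = WEB_ROOT):
    """Map a URL path onto a filesystem path under root, or return None when the
    request would escape root (the file path traversal case). Purely lexical:
    callers serving from a real filesystem should additionally realpath() the
    result so a symlink inside root cannot point back out of it."""
    # Decode percent-encoding exactly once; decoding again would re-open the
    # gap between what was checked and what is eventually opened.
    path = unquote(requested)
    # NUL bytes and backslashes never belong in a URL path component.
    if "\x00" in path or "\\" in path:
        return None
    # Join first, normalise second: '..' segments are then resolved relative to
    # root, and anything that climbs above it no longer starts with root.
    full = posixpath.normpath(posixpath.join(root, path.lstrip("/")))
    if full != root and not full.startswith(root + "/"):
        return None
    return full
```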

6. Server-Side Request Forgery (SSRF)

Server-Side Request Forgery (SSRF) is an attack in which the attacker exploits a web security vulnerability to induce the server-side application to make HTTP requests to an arbitrary domain of the attacker's choosing. In such an attack, the threat actor abuses functionality on the server to read or update internal resources. The attacker can supply or modify a URL that the code running on the server will read from or submit data to, enabling the attacker to read server configuration such as AWS metadata, connect to internal services such as HTTP-enabled databases, or perform POST requests to internal services that are not intended to be exposed.

A successful SSRF attack can often result in unauthorized actions or access to data within the organization, either in the vulnerable application itself or on other back-end systems that the application can communicate with. In some situations, the SSRF vulnerability might allow an attacker to perform arbitrary command execution. In some cases, an SSRF exploitation that causes connections to external third-party systems might result in malicious onward attacks that would be perceived as originating from the organization hosting the vulnerable application.

7. Clickjacking

Clickjacking is a type of attack that happens on the client side; its purpose is to trick application users into clicking something different from what they perceive. Attackers execute this type of attack by hiding malware or malicious code in a legitimate-looking control on a website, mainly in JavaScript from third-party services that is often not monitored by the application's standard security tools, thus exploiting weaknesses in the application's supply chain.

It is a malicious technique used by an attacker to record the affected user's clicks on the internet. This can be used to direct traffic to a specific site or to make a user like or accept a Facebook application. More nefarious purposes include collecting sensitive information saved in the browser, such as passwords, or installing malicious content.
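Because clickjacking relies on loading the target page inside a frame the user cannot see, the standard server-side defence is to tell browsers not to frame the page at all. The following added Python helper (not from the article or Radware) audits a response's headers for that defence and applies the precedence rules that matter in practice: a Content-Security-Policy frame-ancestors directive overrides X-Frame-Options in browsers that support it, and the obsolete ALLOW-FROM form gives no protection in current browsers.

```python
def framing_protection(headers: dict) -> str:
    """Classify a response's clickjacking protection from its headers.
    Returns 'csp' (frame-ancestors in force), 'xfo' (X-Frame-Options DENY or
    SAMEORIGIN), 'weak' (a directive present but ineffective) or 'none'."""
    h = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
    csp = h.get("content-security-policy", "")
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            # Browsers that understand frame-ancestors ignore X-Frame-Options,
            # so the CSP directive decides even when both headers are present.
            sources = [p.strip("'").lower() for p in parts[1:]]
            return "csp" if sources and "*" not in sources else "weak"
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return "xfo"
    if xfo.startswith("ALLOW-FROM"):
        return "weak"   # obsolete form, ignored by current browsers
    return "none"

# Constructed header sets (not captured responses) covering each outcome.
RESPONSES = {
    "csp_none":   {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    "xfo_same":   {"X-Frame-Options": "sameorigin"},
    "allow_from": {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
    "csp_wins":   {"Content-Security-Policy": "frame-ancestors *", "X-Frame-Options": "DENY"},
    "bare":       {"Content-Type": "text/html"},
}
```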

>> How does WAF work to protect against these attacks?

WAFs leverage various capabilities and mechanisms to protect applications from this diverse array of attacks. These can include dynamic security policies with automatic false-positive correction, application-layer (Layer 7) DDoS protection, API discovery and protection, bot mitigation, and so on.

The majority of WAFs leverage a negative security model which defines what is disallowed while implicitly allowing everything else. Since attack signatures may generate false positives by detecting legitimate traffic as attack traffic, such rules tend to be simplistic, attempting to detect obvious attacks. The result is protection against the lowest common denominator.

A positive security model, which defines the set of allowed types and values, is required to provide comprehensive protection where signature-based protection cannot fill the gap. In the case of a SQL injection, a positive security model screens user input for known patterns of attacks and leverages logic to tell the difference between legitimate user input and injection flaws. A positive security model is also critical to successfully mitigating the risks associated with SSRF. 
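To show what the two models mean in practice, here is an added Python example (constructed, not Radware's engine): a deliberately simple signature block-list beside a per-endpoint allow-list schema, both run over a few constructed requests. The signatures, the schema and the endpoints are assumptions for illustration; the point is that the allow-list rejects a non-numeric id and an undeclared parameter that no signature matches.

```python
import re

# Negative model: a block-list of signatures (constructed and deliberately simple).
SIGNATURES = [re.compile(p, re.I) for p in
              (r"\bor\b\s+\d+\s*=\s*\d+", r"union\s+select", r"\.\./")]

# Positive model: per-endpoint schema of allowed parameters (constructed example).
# Each entry is name -> (allowed value pattern, required?).
SCHEMA = {
    ("POST", "/login"): {"user": (re.compile(r"[a-z0-9_]{3,32}"), True),
                         "pass": (re.compile(r".{8,128}"), True)},
    ("GET", "/item"):   {"id": (re.compile(r"\d{1,9}"), True)},
}

def negative_model(method, path, params):
    """Allow everything unless some value matches a known-bad signature."""
    for value in params.values():
        if any(sig.search(value) for sig in SIGNATURES):
            return "block"
    return "allow"

def positive_model(method, path, params):
    """Allow only declared endpoints, declared parameters and matching values."""
    schema = SCHEMA.get((method, path))
    if schema is None:
        return "block"                 # endpoint never declared or learned
    for name, (_, required) in schema.items():
        if required and name not in params:
            return "block"
    for name, value in params.items():
        if name not in schema or not schema[name][0].fullmatch(value):
            return "block"
    return "allow"

# Constructed requests (method, path, params); not traffic from the article.
REQUESTS = {
    "login_ok":    ("POST", "/login", {"user": "alice", "pass": "correct horse battery"}),
    "item_ok":     ("GET", "/item", {"id": "42"}),
    "item_sig":    ("GET", "/item", {"id": "42 OR 1=1"}),
    "item_notnum": ("GET", "/item", {"id": "42x"}),
    "login_extra": ("POST", "/login", {"user": "alice", "pass": "correct horse battery",
                                       "debug": "1"}),
}

def verdicts(name):
    """(negative-model verdict, positive-model verdict) for a named request."""
    return negative_model(*REQUESTS[name]), positive_model(*REQUESTS[name])
```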

Six features of WAF and WAAP solutions that help organizations and enterprises defend against web application attacks:

  • Complete API detection and protection provides visibility, enforcement, and mitigation of all forms of API modification and abuse for both on-premise and cloud environments.
  • Built-in DDoS HTTP protection to prevent application layer DDoS attacks.
  • Integrated bot management to detect and mitigate sophisticated 3rd and 4th generation bots that are capable of simulating human behavior.
  • Data leak prevention mechanism to automatically hide sensitive user information, such as Personally Identifiable Information (PII).
  • Combined negative and positive security models, using advanced behavioral analysis technologies to detect malicious threats.
  • Policy tuning tools can continuously optimize security policy and adapt to changes in applications, traffic, and threats.

VNCS - The official distributor of Radware security solutions. Contact us for expert advice on Web application firewalls and other security solutions!

Source: Radware

See more: 6 BUSINESS BENEFITS THAT CANNOT BE IGNORED WHEN USING RADWARE's DEFENSEPRO DDOS ATTACK PREVENTION SOLUTION AND ALTEON INTEGRATED WAF WEB APPLICATION FIREWALL