Vulnerability of web services
The first network attacks exploited vulnerabilities related to the implementation of TCP/IP protocol suites. With the gradual correction of these vulnerabilities, attacks have shifted to application layers and particularly the web, given that most companies open their firewall systems to web traffic.
As web servers become more and more secure, attacks are gradually shifting toward the exploitation of web application flaws.
As such, the security of web services should be taken into account when they are designed and developed.
Types of vulnerabilities
Web application vulnerabilities can be categorized as follows:
- Web server vulnerabilities. This type of case is becoming increasingly rare, since major web server developers have heightened their security over the years;
- Manipulation of URLs, which involves manually modifying URL parameters in order to modify the behavior expected from the web server;
- Exploitation of weaknesses in session identifiers and authentication systems;
- HTML Code Injection and Cross-Site Scripting;
- SQL Injection.
The necessary verification of input data
The HTTP protocol is by nature used to manage requests, that is, to receive input data and send return data. Data may be sent in a variety of ways:
- In the web page's URL
- In HTTP headers
- In the body of the request (POST request)
- Via a cookie
The basic rule to keep in mind throughout development is that you should never trust data sent by the client.
Almost all web service vulnerabilities are linked to negligence on the part of designers, who have not checked the format of data entered by users.
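The following is an added example, not part of the original page, of allow-list validation applied to the four input channels listed above (URL, headers, request body, cookie) using only the Python standard library. The field names and patterns in RULES, and the sample request, are hypothetical and constructed for illustration.

```python
import re
from http.cookies import SimpleCookie, CookieError
from urllib.parse import urlsplit, parse_qs

# Allow-list rules (hypothetical field names): channel -> field -> pattern.
RULES = {
    "query":  {"page": re.compile(r"[0-9]{1,4}")},
    "header": {"accept-language": re.compile(r"[A-Za-z]{2}(-[A-Za-z]{2})?")},
    "body":   {"username": re.compile(r"[A-Za-z0-9_]{3,20}")},
    "cookie": {"session": re.compile(r"[0-9a-f]{32}")},
}

def _single(parsed):
    """Flatten parse_qs output; a repeated parameter stays a list so it fails validation."""
    return {k: v[0] if len(v) == 1 else v for k, v in parsed.items()}

def collect_inputs(url, headers, body):
    """Gather client-controlled data from the four channels."""
    cookies = SimpleCookie()
    try:
        cookies.load(headers.get("Cookie", ""))
    except CookieError:
        cookies = SimpleCookie()  # malformed Cookie header: treat as absent
    return {
        "query": _single(parse_qs(urlsplit(url).query, keep_blank_values=True)),
        "header": {k.lower(): v for k, v in headers.items() if k.lower() != "cookie"},
        "body": _single(parse_qs(body, keep_blank_values=True)),
        "cookie": {k: m.value for k, m in cookies.items()},
    }

def validate_request(url, headers, body):
    """Return (clean, errors); a field reaches `clean` only if it fully matches its rule."""
    clean, errors = {}, []
    inputs = collect_inputs(url, headers, body)
    for channel, fields in RULES.items():
        for name, pattern in fields.items():
            value = inputs[channel].get(name)
            if isinstance(value, str) and pattern.fullmatch(value):
                clean[f"{channel}.{name}"] = value
            else:  # missing, repeated, or not matching the allow-list
                errors.append(f"{channel}.{name}")
    return clean, errors

# Constructed sample request (not from the original page).
if __name__ == "__main__":
    print(validate_request("http://example.test/list?page=2",
                           {"Accept-Language": "en-US", "Cookie": "session=" + "ab" * 16},
                           "username=alice"))
```

The application should read only from `clean` and reject the request when `errors` is non-empty, so that unvalidated client data never reaches a query, a template or a file path.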
Impact of web attacks
Attacks on web applications are always harmful since they give the company a bad image. A successful attack can have any of the following consequences:
- Website defacement;
- Stolen information;
- Modification of data, and particularly modification of users' personal data;
- Web server intrusion.