Web server attacks

October 2016

Vulnerability of web services

The first network attacks exploited vulnerabilities related to the implementation of TCP/IP protocol suites. With the gradual correction of these vulnerabilities, attacks have shifted to application layers and particularly the web, given that most companies open their firewall systems to web traffic.

The HTTP (or HTTPS) protocol is the standard that makes it possible to transfer web pages via a request and response system. Mainly used to transfer static web pages, the web has quickly become an interactive tool making it possible to provide on-line services. The term "web application" refers to any application whose interface can be accessed on the web from a simple browser. Now the basis for a certain number of technologies (SOAP, Javascript, XML-RPC, etc.), the HTTP protocol plays an undeniable strategic role in information system security.

In that web servers are becoming more and more secure, attacks are gradually shifting toward the exploitation of web application flaws.

As such, the security of web services should be taken into account when they are designed and developed.

Types of vulnerabilties

Web application vulnerabilities

Web application vulnerabilities can be categorized as follows:

  • Web server vulnerabilities. This type of case is becoming increasingly rare, since major web server developers have heightened their security over the years;
  • Manipulation of URLs, which involves manually modifying URL parameters in order to modify the behavior expected from the web server;
  • Exploitation of weaknesses in session identifiers and authentication systems;
  • HTML Code Injection and Cross-Site Scripting;
  • SQL Injection.

The necessary verification of input data

The HTTP protocol is by nature used to manage requests, that is, to receive input data and send return data. Data may be sent in a variety of ways:

  • The the web page's URL
  • In HTTP headers
  • In the body of the request (POST request)
  • Via a cookie

The basic idea to generally keep in mind during the development process is that you should never trust data sent by the client.

Almost all web service vulnerabilities are linked to negligence on the part of designers, who have not checked the format of data entered by users.

Impact of web attacks

Attacks on web applications are always harmful since they give the company a bad image. A successful attack can have any of the following consequences:

  • Website defacement;
  • Stolen information;
  • Modification of data, and particularly modification of users' personal data;
  • Web server intrusion.

Related :

Ataques al servidor Web
Ataques al servidor Web
Angriffe auf Web-Server
Angriffe auf Web-Server
Attaques de serveurs web
Attaques de serveurs web
Attacchi di server web
Attacchi di server web
Ataque de servidores web
Ataque de servidores web
This document entitled « Web server attacks » from CCM (ccm.net) is made available under the Creative Commons license. You can copy, modify copies of this page, under the conditions stipulated by the license, as this note appears clearly.