Web server attacks

Vulnerability of web services

The first network attacks exploited vulnerabilities related to the implementation of TCP/IP protocol suites. With the gradual correction of these vulnerabilities, attacks have shifted to application layers and particularly the web, given that most companies open their firewall systems to web traffic.

The HTTP (or HTTPS) protocol is the standard that makes it possible to transfer web pages via a request and response system. Mainly used to transfer static web pages, the web has quickly become an interactive tool making it possible to provide on-line services. The term "web application" refers to any application whose interface can be accessed on the web from a simple browser. Now the basis for a certain number of technologies (SOAP, Javascript, XML-RPC, etc.), the HTTP protocol plays an undeniable strategic role in information system security.

In that web servers are becoming more and more secure, attacks are gradually shifting toward the exploitation of web application flaws.

As such, the security of web services should be taken into account when they are designed and developed.

Types of vulnerabilties

Web application vulnerabilities

Web application vulnerabilities can be categorized as follows:

  • Web server vulnerabilities. This type of case is becoming increasingly rare, since major web server developers have heightened their security over the years;
  • Manipulation of URLs, which involves manually modifying URL parameters in order to modify the behavior expected from the web server;
  • Exploitation of weaknesses in session identifiers and authentication systems;
  • HTML Code Injection and Cross-Site Scripting;
  • SQL Injection.

The necessary verification of input data

The HTTP protocol is by nature used to manage requests, that is, to receive input data and send return data. Data may be sent in a variety of ways:

  • The the web page's URL
  • In HTTP headers
  • In the body of the request (POST request)
  • Via a cookie

The basic idea to generally keep in mind during the development process is that you should never trust data sent by the client.

Almost all web service vulnerabilities are linked to negligence on the part of designers, who have not checked the format of data entered by users.

Impact of web attacks

Attacks on web applications are always harmful since they give the company a bad image. A successful attack can have any of the following consequences:

  • Website defacement;
  • Stolen information;
  • Modification of data, and particularly modification of users' personal data;
  • Web server intrusion.
Ask a question
CCM is a leading international tech website. Our content is written in collaboration with IT experts, under the direction of Jean-François Pillou, founder of CCM.net. CCM reaches more than 50 million unique visitors per month and is available in 11 languages.
This document, titled « Web server attacks », is available under the Creative Commons license. Any copy, reuse, or modification of the content should be sufficiently credited to CCM (ccm.net).

Subscribe To Our Newsletter!

The Best of CCM in Your Inbox

Subscribe To Our Newsletter!