Assessing & Mitigating Vulnerabilities of Web Systems
Web servers are the programs that host websites. They may be deployed on dedicated web server hardware or installed as a program on a general-purpose host. One of the most important aspects of cyber security is the ability to secure web systems.
This section presents information about web server vulnerabilities, web server attack techniques and tools, and the methods used to mitigate them.
General Web System Threats
Web-based systems contain many components, for example:
- Application code
- Web server software
- Database management systems
- Operating systems
These components may, individually or collectively, have security design or implementation defects, including:
- Failure to block cross-site scripting attacks: As a result of this defect, attackers can craft requests that cause the site to deliver malicious content to the user.
- Failure to protect direct object references: Such web sites may be tricked into accessing data and sending it to a user who is not authorized to view or modify it.
- Defective authentication: Authentication is essential, but many sites fail to implement it correctly.
- Failure to block cross-site request forgery attacks: These sites and their users are highly vulnerable to forged-URL attacks. Some of these attack types were introduced in the previous pages.
- Defective session management: Web servers create logical “sessions” to keep track of individual users. Many web sites’ session management mechanisms are vulnerable.
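As an added illustration of the direct object reference defect in the list above (example code written for this page, not from the original), the vulnerable lookup is shown beside two hardened forms: an ownership check, and a per-session indirect reference map so the client never handles raw record ids. The document store, owner names and record ids are constructed sample data.

```python
import secrets
from typing import Dict, List, Optional

# Constructed sample data (not from the page): three records owned by two users.
DOCUMENTS: Dict[int, Dict[str, str]] = {
    101: {"owner": "alice", "body": "alice's tax return"},
    102: {"owner": "bob", "body": "bob's medical record"},
    103: {"owner": "alice", "body": "alice's contract"},
}


def fetch_document_insecure(session_user: str, doc_id: int) -> Optional[Dict[str, str]]:
    """Vulnerable: trusts the client-supplied id and never checks ownership,
    so any authenticated user can read any record by guessing its number."""
    return DOCUMENTS.get(doc_id)


def fetch_document_secure(session_user: str, doc_id: int) -> Optional[Dict[str, str]]:
    """Hardened: the record is returned only if the session user owns it.
    A missing record and a foreign record both yield None, so the endpoint
    does not reveal which ids exist."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None or doc["owner"] != session_user:
        return None
    return doc


class IndirectReferenceMap:
    """Per-session map from random opaque handles to real ids. The client only
    ever sees handles issued to it, so it cannot name another user's object."""

    def __init__(self, session_user: str) -> None:
        self.user = session_user
        self._handles: Dict[str, int] = {}
        for doc_id, doc in DOCUMENTS.items():
            if doc["owner"] == session_user:
                self._handles[secrets.token_urlsafe(8)] = doc_id

    def handles(self) -> List[str]:
        return list(self._handles)

    def resolve(self, handle: str) -> Optional[Dict[str, str]]:
        doc_id = self._handles.get(handle)
        if doc_id is None:
            return None
        # Ownership is re-checked server-side even though the map holds only own ids.
        return fetch_document_secure(self.user, doc_id)
```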
Web Application Threats
The main threats in this area are:
- Cross-Site Request Forgery
- Cookie Poisoning
- Information Leakage
- Insecure Storage
- Directory Traversal
- Parameter/Form Tampering
- Denial of Service (DoS) Attack
- Log tampering
- SQL Injection
- Network Access Attacks
- Cross-Site Scripting (XSS)
- Security Misconfiguration
- Buffer Overflow
- Broken Session Management
- DMZ attack
- Session Hijacking