Web Applications Have Much To Offer, But Carry Significant Risk
A web app can be thought of as the meeting ground between a website and a mobile app. A web app offers functionality that can be similar to (although usually slightly simpler than) that of a mobile app. However, the big selling point is that these apps may be run straight from a web browser. That means no downloads or files to be installed, a shared codebase regardless of whether the user is running iOS or Android, and the ability for developers to launch them rapidly, without having to wait on approval from their respective app stores.
All of these are compelling reasons to embrace web apps. Increasingly, companies like to offer web apps, often as an alternative to whatever mobile apps they might also have created.
But web apps can also be problematic. Cyber attackers frequently target web apps for a variety of reasons. These attacks are increasing at a rapid pace in 2021 as the use of web apps increases. Attacks against organizations’ applications frequently represent the majority of cyberattacks in the modern threat landscape. The results can be disastrous.
This is why application security is so important — and how, without it, web apps can prove a whole lot more trouble than they’re worth.
Different types of attack
There are multiple types of cyberattack that can be waged against web apps. One notable attack is called an SQL injection. This refers to feeding malicious SQL code into an application as a way to expose its backend database and gain access to unauthorized information. Such attacks are increasingly common — and increasingly nasty.
For example, at the end of 2020, secure file sharing company Accellion discovered multiple vulnerabilities in its File Transfer Appliance that could be exploited using an SQL injection vulnerability. The ensuing attacks affected companies and government agencies in the U.S., Singapore, Australia, and New Zealand. In some cases, attackers were able to steal information, and then threatened to release it unless the victims agreed to pay a ransom.
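To make the mechanism concrete, here is an added example (not code from the original article or from Accellion): a user lookup that splices input straight into its SQL, beside the parameterized form that prevents the injection, run against a constructed in-memory SQLite table. The table name, columns and rows are assumed.

```python
# Added example: string-built SQL query beside its parameterized replacement.
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build a throwaway database with a constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "s3cret"), (2, "bob", "hunter2")],
    )
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Defective: user input is concatenated into the SQL text, so quotes
    and keywords in the input become part of the query itself."""
    query = (
        "SELECT id, username FROM users WHERE username = '"
        + username + "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchall()


def find_user_parameterized(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Hardened: placeholders keep the query structure fixed; the driver
    passes the input as data, never as SQL."""
    query = "SELECT id, username FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchall()


def demo() -> tuple:
    """Return row counts for the defective and hardened lookups."""
    conn = make_db()
    # Constructed input: a quote that closes the string literal followed by
    # a tautology, which makes the WHERE clause true for every row.
    bad_input = "' OR '1'='1"
    return (
        len(find_user_vulnerable(conn, bad_input, bad_input)),   # every row leaks
        len(find_user_parameterized(conn, bad_input, bad_input)),  # no match
        len(find_user_parameterized(conn, "alice", "s3cret")),     # real login
    )


if __name__ == "__main__":
    print(demo())  # → (2, 0, 1)
```

The defective lookup returns both rows for input that matches no real credential, while the parameterized version treats the same string as an ordinary (non-matching) value.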
Another type of web app attack is referred to as a Cross-site Scripting (XSS) attack. In XSS attacks, attackers inject client-side scripts into targeted webpages. These attacks can be used for circumventing access controls to gain entry to accounts, modify the content on pages, activate Trojans, and more. Last year, a security researcher alerted PayPal to the existence of an XSS vulnerability in the currency converter feature found in user wallets. PayPal said that the vulnerability was the result of not properly sanitizing user input. It could have been exploited by attackers to run malicious code in the browser pages of targets without their knowledge.
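As an added illustration of the input-handling point (example code, not PayPal's or the article's own), the following renders a currency-converter style page twice: once with a user-supplied value written into the HTML as-is, and once with the value HTML-encoded and the currency checked against an allowlist. The page layout, field names and currency list are assumed.

```python
# Added example: unencoded output beside encoded output plus input validation.
import html
import re

# Assumed allowlist of accepted currency codes for the converter form.
ALLOWED_CURRENCIES = {"USD", "EUR", "GBP", "SGD", "AUD", "NZD"}


def render_unsafe(amount: str, currency: str) -> str:
    """Defective: untrusted values are concatenated into markup unchanged,
    so any tags in the input become part of the page and run in the browser."""
    return f"<p>Converting {amount} {currency}</p>"


def validate_currency(currency: str) -> str:
    """Reject anything that is not a known currency code (defence in depth:
    validation limits what reaches the template at all)."""
    code = currency.strip().upper()
    if code not in ALLOWED_CURRENCIES:
        raise ValueError("unknown currency code")
    return code


def render_safe(amount: str, currency: str) -> str:
    """Hardened: every untrusted value is HTML-encoded at the point it is
    written into the document, so the browser displays it as text."""
    safe_amount = html.escape(amount, quote=True)
    safe_currency = html.escape(currency, quote=True)
    return f"<p>Converting {safe_amount} {safe_currency}</p>"


def contains_script_tag(rendered: str) -> bool:
    """Demo check: does the rendered page still contain a live <script> tag?"""
    return re.search(r"<script\b", rendered, re.IGNORECASE) is not None


def demo() -> tuple:
    """Show the same constructed input through both renderers."""
    injected = "<script>x()</script>"  # constructed input placed in the currency field
    return (
        contains_script_tag(render_unsafe("100", injected)),  # True: tag survives
        contains_script_tag(render_safe("100", injected)),    # False: encoded to text
    )


if __name__ == "__main__":
    print(demo())  # → (True, False)
```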
Still another type of web app attack is known as Remote File Inclusion. These attacks allow attackers to inject files into web application servers, and may be used for data theft or manipulation via the execution of bad code or scripts.
One other web app attack is a Cross-site Request Forgery (CSRF). Such attacks often work by a cyberattacker planting a link to a suspicious website on a legitimate site where the user is authenticated. This link can then be used to make the user's browser perform unwanted actions, possibly including unrequested fund transfers, altered passwords, and more.
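The standard defence is to bind a secret token to the user's session and require it on every state-changing request, something a page on another site cannot supply even though the browser sends the session cookie. Below is an added example of that check (not the article's own code); the session store, request shape and site origin are assumed.

```python
# Added example: per-session anti-CSRF token plus an Origin header check.
import hmac
import secrets

SESSION_TOKENS = {}                      # constructed store: session_id -> token
TRUSTED_ORIGIN = "https://bank.example"  # assumed origin of our own site


def issue_token(session_id: str) -> str:
    """Generate a fresh token when the form is served and bind it to the session."""
    token = secrets.token_urlsafe(32)
    SESSION_TOKENS[session_id] = token
    return token


def is_request_allowed(session_id: str, headers: dict, form: dict) -> bool:
    """Allow a state-changing request only if the form carries the token bound
    to this session (compared in constant time) and the Origin header, when
    the browser sends one, names our own site."""
    expected = SESSION_TOKENS.get(session_id)
    supplied = form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected, supplied):
        return False
    origin = headers.get("Origin")
    if origin is not None and origin != TRUSTED_ORIGIN:
        return False
    return True


def demo() -> tuple:
    """A genuine transfer request beside a forged one from another site."""
    sid = "sess-123"  # constructed session id
    tok = issue_token(sid)
    transfer = {"to": "bob", "amount": "10"}
    genuine = is_request_allowed(sid, {"Origin": TRUSTED_ORIGIN}, {**transfer, "csrf_token": tok})
    # The forged request rides on the same session cookie but cannot read the
    # token, and the browser reports the attacker's page as the Origin.
    forged = is_request_allowed(sid, {"Origin": "https://evil.example"}, transfer)
    return genuine, forged


if __name__ == "__main__":
    print(demo())  # → (True, False)
```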
Targeting web apps
There are multiple reasons attackers might target web applications. For starters, the complexity of web app source code makes it more likely to contain vulnerabilities that attackers could exploit. Many organizations push code considered vulnerable into their applications as a result of time pressure. This, in turn, means that there is low-hanging fruit for attackers when it comes to potentially exploiting these systems to damaging effect.
Related to this is the potential ease of execution and the potentially high-value rewards. In short, attackers could potentially stage automated attacks against thousands of users in one go — including gathering sensitive personal data — with comparative ease.
The effects of web app attacks can be extremely damaging for both direct victims and their users or customers. Leaked data, for example, can draw penalties from regulators where it is deemed that systems were not adequately protected against breaches. Such breaches can also severely damage customer faith.
Protect against web app attacks
Fortunately, there are ways to protect against these web app attacks. For starters, companies should ensure that they have a full web application security checklist. This list includes steps like manually reviewing applications and identifying possible entry points, testing these applications for possible access control issues, securing data transmissions, and more.
In addition to a robust web app security checklist, there are also useful tools available. One that all companies and organizations should consider is a Web Application Firewall (WAF). A WAF can examine incoming traffic and block specific attack attempts. A big advantage of a WAF is that it can sit at the edge of the network and does not require making changes to applications, which may be difficult to secure entirely since they are in a constant state of flux.
Web apps have a lot to offer. But they also bring with them a fair amount of risk. Luckily, by utilizing the right tools, you can gain the advantages of web apps without opening yourself up to some of the potential risks. Doing so is only going to become more important over time. Customers increasingly expect good web apps. They also expect robust security. Make sure that you offer both.