Business Transformation

Web application attacks pose a major threat – it’s time organizations solved that problem

We live in the age of apps, referring to the software applications we use for everything from carrying out work to enjoying entertainment. But while the apps most people are familiar with are mobile apps, such as those downloaded from the iPhone’s iOS App Store, web applications are also increasingly commonplace. And getting more so all the time.

Web applications are computer programs that run in a web browser, rather than having to be downloaded and run as a program in isolation. Like mobile apps, web applications can be used for carrying out a variety of different tasks, although common types of web app include content management systems (CMSs), online forms, shopping carts, web-based word processors and spreadsheets, and more. Although they may be comparatively simple next to downloadable applications, web apps are becoming more popular with both users and developers due to the ease that they offer and functionality they can provide.

Unfortunately, cyber attackers are always on the lookout for new types of technology to exploit in order to harm users. For that reason, web application security is becoming a bigger issue all the time. For many, it’s still not a problem that has been adequately solved.

The threat of web application attacks

A recent illustration regarding the lack of proper web app security was found in the Web Application Security Report, a publication put together by the nonprofit Open Web Application Security Project (OWASP). The report noted that there has been an upswing in both third-party risk and malware attacks on web applications. Despite this, there continue to be some glaring weaknesses. Notably, a third of organizations which employ web applications for carrying out file uploads fail to scan all file uploads as a way of detecting potentially malicious files. Moreover, a majority fail to sanitize uploads of files as a means by which to safeguard against zero day and otherwise unknown malware attacks.

This is despite the fact that 99% of organizations which use web applications for file uploads expressed their concerns regarding secure file transfers, and 82% reported that their concerns had increased over the past year. That likely relates to the growing number of businesses which now utilize web applications for both sharing and transferring workplace documents between users as a result of COVID-induced remote working.

For attackers, the rationale behind targeting a web application is clear. Web apps do not have to be downloaded by users in the same way that other pieces of software do. Therefore, embedding malware or malicious payloads in a web app is a good way (your mileage for “good” may vary) of targeting large numbers of users.

Multiple types of web application attack

There are multiple methods used in web application attacks. One common attack is known as an SQL injection attack, in which a bad actor utilizes malicious SQL code as a way of extracting data from a backend database.

Another, known as a cross-site scripting (XSS) attack, is a form of injection attack in which malicious code is injected into an application so as to steal personal data or impersonate users.

Yet another form of attack is called Remote File Inclusion, in which attackers remotely inject a particular file into the server running a web application to trigger the execution of bad scripts or codes within the app in question.

One other is what is referred to as Cross-site Request Forgery (CSRF), a type of attack that makes a user’s web browser perform unwanted actions within a site the user is logged into. This can be utilized for anything from the theft of data to unrequested transfers of funds. While the methods may vary, however, the outcome is always the same: bad news for the target.

The tools to protect yourself

Fortunately, there are tools that can be used to safeguard against these attacks. One of the most important is what is called a Web Application Firewall (WAF). This powerful defence serves as an invaluable safeguard for web apps. WAFs work by checking out incoming traffic and blocking any attempted cyber attacks. Another form of defense is what’s known as Runtime Application Self-Protection (RASP), a tool that can help identify incoming threats and stop them from manifesting. In addition, organizations would do well to consider other security tools, such as DDoS protection tools and those for ensuring proper API security and access management.

As they become ever more functional and useful, web applications will become increasingly widespread. That means that they will become a bigger target for would-be attackers. For this reason, it is essential that organizations put in place the right tools for keeping themselves — and, just as importantly, their users — safe from attack. This should be a top priority for anyone who provides or relies on web applications. The consequences of failing to do so are too critical to consider doing otherwise.

Track Latest News Live on CEOWORLD magazine and get news updates from the United States and around the world. The views expressed are those of the author and are not necessarily those of the CEOWORLD magazine. Follow CEOWORLD magazine on Twitter and Facebook. For media queries, please contact: info@ceoworld.biz

Anna Papadopoulos
Vice President & Executive Editor. Anna Papadopoulos is the Vice President and Executive Editor of the CEOWORLD magazine. In that role she resumes responsibility for the CEOWORLD magazine newsroom, setting daily news priorities, and directing all of CEOWORLD magazine's news-gathering teams. Previously, Anna was the senior supervising editor of CEOWORLD magazine's International Desk. Follow her on Twitter, Facebook, Instagram, or connect on LinkedIn. Email her at AP@ceoworld.biz