Web Server Attacks

Topics: Denial-of-service attack, Attack, IP address Pages: 5 (1593 words) Published: April 21, 2013
Web Server Attacks
Aaron G. Flaugh
Strayer University
Dr. Patricia White
April 15, 2013

Web services are the most frequently attacked services of the modern network. There are three common attack types. They are all mitigated in different ways, this paper will discuss the means of protecting against them. The most effective attacks are call Denial of Services or DoS attacks. No organization is save from a denial of service attack even the federal government has been successfully attacked. How corporations can reduce the risk of these attacks will also be discussed. Web Application Vulnerabilities

Web services have become one of the most frequently used technologies in business today, therefore it is no surprise, which are among the most frequently targeted applications. There are five common types of attacks for web services: SQL injection, remote file inclusion, local file inclusion, directory traversal and cross site scripting. Those were just the technical type attacks there are also two other business layer attacks, they are email extraction and comment spamming. According to a survey group iMPERVA; cross-site scripting (XSS) accounts for twenty-nine percent of sampled attacks, directory transversal (DT) accounted for twenty-two percent, local file inclusion was fifteen percent of the attacks, SQL injections were fourteen percent of the malicious traffic, business logic attacks accounted for another fourteen percent and finally remote file inclusion only accounted for six percent of the traffic. The business logic attacks were split as follows email extraction was nine percent and comments spamming accounted for five percent of the section. Cross-Site Scripting

In this attack type the attacker attempts to hijack a user session then steal the information that they need to log on to the site. Sometimes they hijacker inserts hostile content or redirect the user to a malicious site to steal information. The final flaw that is used is not properly validating and escaping that content. Directory Traversal

Directory traversal is attacking parts of a web site that are not typically exposed to the public viewers. This an exploit of the security of the web server. It is also possible to use this attack by not properly removing user-supplied file names to the file API’s. SQL Injection

Attacks against the background database server is called SQL injection attacks. Using this type of attack the attacker is able to steal the data contained on the page or site. This attack is most viable when user input is either incorrectly filtered for escaped characters in the SQL statements or the user input is not typed appropriately. Combating Web Server Attacks

There are several things that users can do to protect themselves from web server attacks. First they can patch their operating systems up-to-date. Second, install a personal firewall, anti-virus and anti-malware tools. Use complex usernames and passwords, and change passwords regularly. Finally, turn off client-side scripting such as JavaScript or ActiveX.

On the web server side, there are some suggested fixes. First of all implement SSL connections however, it used to be that 128-bit encryptions was sufficient according to Saumil Shah from Net Square. Now it is not uncommon to utilize 1024-bit RSA encryption on SSL certificates. Second, run a best practices analyzer or threat analyzer and implement security fixes. Another, security method to protect internal resources through the use of reverse proxy servers. The final solution to these web attacks is the human element, verify code written by developers and correct any errors discovered. Denial of Service Attacks

The most feared attacks on a network is denial of service attack or a distributed denial of service attack. In both attacks the objective is very simple as the name implies it is to disrupt the flow of information into a network, generally the objective is not to steal data or release...

References: Geiger, William (2001). SANS Security Essentials GSEC Practical Assignment 1.2f Practively Guarding Against Unknown Web Server Attacks
Murphy, David (26 January, 2013)
O’Keefe, Ed (20 January, 2012). How was the Justice Department Website Attacked? Retrieved from: http://www.washingtonpost.com
Romm, Tony (19 January, 2013)
Shah, Saumil (2002). Top Ten Web Attacks Presentation at BlackHat Asia
Thatcher, Greg
Weiss, Aaron 02 July, 2012). How to Prevent DoS Attacks Retrieved from: http://www.esecurityplanet.com
Cisco Systems (2004)
Citrix Systems Protecting Web Applications from Attack and Misuse
Imperva (2012)
Government of Hong Kong (2008). Web Attacks and Countermeasures
Continue Reading

Please join StudyMode to read the full document

You May Also Find These Documents Helpful

  • Web Server and Intranet Website Essay
  • Essay about Web Application Security
  • Essay about Dos Attack & Mitigation
  • Essay about Client Server Script
  • World Wide Web and Composite Solution Essay
  • Web Site Navigation Paper
  • World Wide Web Essay
  • web based for NSTP Essay

Become a StudyMode Member

Sign Up - It's Free