Web Application Vulnerabilities -Bug Bounty Hunters (Beginners)Must Know
What Are Web Application Vulnerabilities?
Any system weakness that a hacker can use to compromise an online application is known as a web application vulnerability.
Because web programmes need to be able to connect and communicate with diverse users from various networks, web vulnerabilities are distinct from other widespread vulnerabilities like asset flaws or network vulnerabilities.
A web application is an easy target for hackers due to its accessibility. To find security flaws and safeguard your organization, continuous security testing is essential.
Common Types of Web App Vulnerabilities
- SQL Injection
2. Cross-Site Scripting (XSS)
3. Cross-Site Request Forgery (CSRF)
4. Session Fixation
6. Security Misconfigurations
7. XML External Entity (XXE) Processing
8. Directory Traversal
1. SQL Injection
Structured Query Language (SQL) is a widely used programming language for managing database communications. Attackers can enter malicious SQL commands to exfiltrate, edit, or delete data using SQL flaws. Some cyber criminals utilize SQL to take control of the target system.
2. Cross-Site Scripting (XSS)
XSS attacks include inserting malicious scripts into websites or web applications, just like SQL injection attacks do. The key distinction is that the malicious code only executes in the browser when a user accesses a hacked website or app. Attackers frequently use XSS assaults by injecting code into input fields so that when users view the target page, the attack runs (e.g., embedded JavaScript link). Refer Below Links for more info,
3. Cross-Site Request Forgery (CSRF)
When an attacker pushes the victim to use the web application in an unauthorised way, this is known as a CSRF assault. The victim first logs onto the web app, which has accepted the user and browser as trustworthy. As a result, the app will carry out harmful actions after the attacker dupes the user into sending a request to the web app. Simple practical jokes to facilitating illegal money transactions are some of the reasons why CSRF is used.
4. Session Fixation
An attack known as a session fixation includes changing a user’s session ID to a predetermined value. Attackers may employ a variety of methods to change session ID values depending on the functionality of the target web application. Cross-site scripting flaws and HTTP request reuse are two examples of session fixation methods.
5. Local File Inclusion (LFI)
An LFI attack takes use of a web application’s dynamic file insertion features. It might happen when a web application delivers user input to a file inclusion command, like a parameter value or URL. This method can be used by an attacker to deceive the app into including a remote file that contains malicious code.
6. Security Misconfigurations
Some of the most critical web application vulnerabilities are caused by security misconfigurations because they make it simple for adversaries to access the application. A wide variety of security configuration flaws could be used by attackers.
Examples :
Ad hoc or incomplete setups, data saved in the cloud, unencrypted error messages containing sensitive information, and incorrect HTTP header configurations are a few examples.
7. XML External Entity (XXE) Processing
An XXE attack happens when a hacker takes advantage of frequently used XML parser functionality to access local or remote files, usually leading to Denial of Service (DoS). SSRF attacks, which compel the web application to send out malicious requests to external servers, can also be carried out by attackers via XXE processing. Additionally, XXE gives attackers the ability to remotely scan ports and run malicious malware.
8. Directory Traversal
Directory traversal attacks, or backtracking, involve exploiting how the web application receives data from a web server. Web apps often use Access Control Lists (ACLs) to restrict user access to specific files within the root directory. A malicious actor can identify the URL format the target application uses for file requests.
Thank you for Reading This content.I hope you got some Knowledge from this post.Grow your Knowledge with medium.
