Web Security threats are any kind of hacking offensives that target computer systems and online networks. The aim is to get hold of sensitive information, destroy data, or steal money. According to studies conducted by Verizon, online-attacks are majorly financially motivated. Other popular reasons include espionage, rivalry, identity thefts, etc.

Cyber-attacks and data breaches have gone up by 67% since 2014, and 11% since 2018. The year 2020 has seen a significant rise in cyber attacks in the first quarter itself. Organizations across the world are now spending billions on attack prevention and damage control.

In this article, we’re going to talk about the most common types of web security threats businesses face these days, and give you tips on how to stay safe from them.

Table of Content:

1. 7 Most Prevalent Types of Web Security Threats
   • MitM Attacks
   • Phishing Attacks
   • SQL Injection
   • Brute Force Attacks
   • Cross-Site Scripting (XSS) Attacks
   • Malware attacks
   • DDoS attacks
2. Last Word

7 Most Prevalent Types of Web Security Threats

1. Man-in-the-middle (MitM) Attack

In a MitM attack, the attackers will place themselves between the user and an application during an interaction and impersonate one of the two. Here a few types of MitM attacks:

1.1 WiFi Eavesdropping

Hackers can set up a Wi-Fi connection similar to that of a business and make it appear legitimate. Once a user connects to the bogus Wi-Fi, the attacker will be able to oversee and monitor the user’s activity online. Login credentials, payment card information, etc can easily be stolen this way. This is why one should always refrain from using public Wi-Fis.

1.2 IP Spoofing

Every website and device on the internet has an IP address. Using IP spoofing, the hacker convinces you that you are communicating with a known and trusted source. Basically, the attacker will send and IP packet of a trusted entity, instead of their own IP packet to a target entity.

Apart from these, DNS spoofing, SSL hijacking, HTTP spoofing are also MitM attacks.

Prevention tips:

• Safeguard your communications online through strong encryption and digital certificates.
• Setup strong router login credentials and change them regularly
• Only use HTTPS for your website ie., procure an SSL certificate
• Public key-based authentication, like RSA, should be used to ensure that you are communicating with the right entity

2. Phishing Attacks

Through a phishing attack, hackers send fraudulent communication to victims, making it appear to come from a legitimate source. The attack usually occurs through email or text messages. The aim is to steal sensitive information like credit/debit card details and login credentials or install malware on the victim’s device.

For example, the hacker will pose as a trusted entity that the victim often interacts with (such as a bank or company), and send a message or an email asking him/her to click on a link or download attachments. The link will take the user to a phony website where he/she will be asked to enter login credentials, and the attachment will typically contain some sort of malware that will infect the victim’s device.

Phishing attacks can be of various types:

• Spear Phishing
• Deceptive phishing
• Pharming
• Whaling
• Evil Twin Phishing
• Clone Phishing

Prevention tip:

There is no technology that can stop phishing attempts from hitting your inbox, but you can take steps so as to not fall prey to these schemes:

• Hover over the link to see where it is taking you. If the link appears to be fishy, then don’t click on it.
• Don’t panic and impulsively click on links. If the message you’ve received is completely unexpected or contains alarming information, then call the source to confirm before taking any action.
• Analyze email headers. Check the email address, reply-to, and return-path carefully.

Read now: Types of Phishing Attacks and Important Prevention Tips

3. SQL Injection

SQL injection is a web security threat through which a hacker interferes with the SQL queries that an application sends to its database. SQL statements control the database server behind a web application. Hackers find vulnerabilities in these statements and skirt around the application’s security measures to gain access to its database.

For example, the hacker will enter SQL commands into the input fields on a submission page of the website. If the injection is successful, then the web application’s database will be compromised. Hackers will be able to retrieve your personal data, customer information, intellectual property, business secrets, etc. They can also delete or modify the data on your servers.

SQL injections are mostly successful on websites that use dynamic SQL, PHP, and ASP.

Prevention tip:

a sure shot way to prevent SQL injections is by validating all input, and sticking to parameterized queries. All input should be screened and disinfected. Malicious code inputs should be removed before the application code uses it. Deploying a Web Application Firewall is also helpful, as it is specifically devised to prevent injection attacks.

4. Brute Force Attacks

A brute force attack aims at cracking the victim’s username, password, or PIN for a website. Hackers use a hit and trial method, by trying out different password and username combinations until they get the right one, and can access the user’s account.

This may sound impractical at first, as passwords typically contain at least 8 characters, with a mix of upper & lower case alphabets, numbers, and symbols. If you do the math, you’ll see that there are a Million plus combinations one has to try in order to nab one password.

This is why hackers don’t do this manually, instead they run a script/code or a computer program/bot. These programs will keep trying combinations until they hit the right one. Only, a computer’s algorithm enables it to guess much faster than a human. On an average, hackers can come to the right login credentials within 6 hours of running the scripts.

Brute force attacks are also of various types:

• Dictionary Attack
• Hybrid Brute Force Attack
• Credential Stuffing
• Reverse Brute Force attack
• Simple Brute force Attack

Prevention tips:

• Set strong passwords that are unique and contain a complex mixture of alphabets, numbers, and symbols.
• Use two-step verification on your login pages, so that even if your login credentials are compromised, hackers will not be able to enter your account.
• Limit login attempts, so that your application automatically locks out a user after 4th or 5th attempt. It is highly unlikely that a hacker will be able to crack passwords within such a few attempts.
• Enable Captcha on the login page. Captcha’s challenges are designed for humans, so there is a high chance it will thwart any bot or computer program trying to infiltrate your website.

Read to know more: Brute Force Attack: All you Need to Know

5. Cross-Site Scripting (XSS) Attacks

XSS is another type of injection attack. Contrary to SQL injection, cross-site scripting is executed on the client-side.

The goal is to inject malicious code scripts in the victim’s web browser by infecting a legitimate website or web application with harmful code. When the user loads such a site, the XSS attack gets activated and the user’s browser is fed with malicious code.

In simple terms, the web application becomes the medium through which client-side browsers are compromised. The attacker will identify vulnerabilities in the application, and inject payloads in its database. When the user requests a webpage, the website will display the page with the attacker’s payload embedded in its HTML body.

XSS attacks are commonly executed in JavaScript, although they are also possible in VBScript, ActiveX, Flash, and CSS. Forums, message boards, web pages containing comment sections, are usually leveraged for XSS attacks.

Though cross-site scripting is less dangerous than a SQL injection, you still need to protect your application and its user’s from it. Through a JS injection, hackers can

• Gain access to your client’s session cookies and impersonate them. They’ll be able to perform actions on behalf of the user and also steal personal information.
• Modify the victim’s browser DOM and make modifications on the page where infected JavaScript is running
• Use XSS in conjunction with social engineering attacks like Phishing to perform more dangerous attacks like keylogging, trojan injection, identity thefts, site defacement, etc.

Prevention tips:

• Don’t trust any user input. Scan and clean all HTTP inputs made by the user.
• Use escaping/encoding techniques like HTML escape, JavaScript escape, CSS escape, URL escape, etc on user input.
• Use an HttpOnly flag for cookies, so that they are not accessible on the client-side JavaScripts.
• Add a Content Security Policy (CSP) that specifically detects and mitigates XSS attacks.

6. Malware attacks

A malware attack is any kind of attack where unwanted software gets installed on your system, without your consent. Vulnerabilities in your applications are leveraged for these attacks, and the aim is to attach malware to your system’s software and execute malicious activities through it.

Some common types of malwares are:

6.1.Ransomware

Ransomware gets hold of the victim’s data and blocks access to it. The victim is threatened with publishing or deletion of data, until a ransom is paid. Simple computer ransomware can easily be reversed by a person who has enough technical knowledge. However, more advanced malware use techniques like cryptoviral extortion, encrypting the user’s files in such a way that they can’t be recovered without the decryption key.

6.2. Trojans

Trojan or a Trojan horse is a malware that sits in a computer program and has a malicious function. A Trojan can open up back doors in the application which can be exploited by hackers. For example, Trojan can open a high numbered port that the hacker can listen to, and plan an attack.

6.3. Spyware

As the name suggests, sypware is installed to spy on the users and attain their personal information, browsing habits, computer information, etc. Spyware can follow everything you do on your application or device, and also download other malware or harmful programs from the internet.

6.4. Droppers

A dropper in itself is not a virus or a malware, which is why it often goes undetected by anti-virus software. It is a program that is used to install viruses on computers.

6.5. Macro Viruses

Macro viruses infect applications such as Microsoft Excel or Word. They attach to an application’s initializing sequence. Once the application starts running, the virus executes instructions before giving control to the application. It replicates itself and attaches to other code in the computer.

Prevention tips:

• Install a web application firewall.
• Install anti-virus and anti-malware software
• Run website scans and audits regularly

7. DDoS attacks

One of the most common website security threats in eCommerce, a Distributed Denial of Service attack aims to overwhelm an application’s server so that it can no longer process requests, and faces downtime.

A host of client machines are infected with malicious software and the hacker gains control. He/she then uses these machines to send a large amount of traffic to the website and burdening its resources and forcing the application into shutdown.

DDoS attacks are also of various types:

• TCP SYN flood attack
• Teardrop attack
• Smurf attack
• Ping of death attack
• Botnets

Prevention tips:

• Deploy firewalls, specifically a Web Application Firewall.
• Use RFC3704 filtering which will block traffic from spoofed IP addresses.
• Blackhole filtering, which drops unwanted traffic before it enters the application’s network
• CDN or Content Delivery Networks that can mitigate the impact of a DDoS attack

Last Word

Web security threats will only get more sophisticated with time, so it’s important to stay updated with the major threats business are facing at a particular time, and how these can be prevented.

If you want to secure your eCommerce store, but don’t know where to start, head over to this guide:-

Basics of eCommerce Security & Best Practices you should Follow

If you have any queries or feedback, do mention in the comments below.