Web Application Vulnerabilities

Learn how attackers target web applications.


What Are Web Application Vulnerabilities?

Web application vulnerabilities are flaws or weaknesses in a web-based application. They have existed for many years, largely because of unvalidated or unsanitized form input, misconfigured web servers, and application design flaws, and they can be exploited to compromise the application's security.

These vulnerabilities are not the same as other common types of vulnerabilities, such as network or asset vulnerabilities. They arise because web applications need to interact with multiple users across multiple networks, and that level of accessibility is easily taken advantage of by hackers.

There are web application security solutions designed specifically for applications, so it is important to look beyond traditional vulnerability scanners when identifying gaps in an organization's application security. To truly understand your risk, learn more about the common types of cybersecurity attacks and how web scanners can help increase the safety of your applications.

SQL Injection Attacks

Structured Query Language (SQL) is now so commonly used to manage and direct information in applications that hackers have come up with ways to slip their own SQL commands into the database.

These commands can change, steal or delete data, and they may also give the hacker access to the underlying system. SQL (formally pronounced ess-cue-el, but commonly pronounced "sequel") stands for structured query language; it is a programming language used to communicate with databases. Many of the servers that store critical data for websites and services use SQL to manage the data in their databases.

An SQL injection attack specifically targets this kind of server, using malicious code to get the server to divulge information it normally wouldn't. This is especially problematic if the server stores private customer information from the website or web application, such as credit card numbers, usernames and passwords (credentials), or other personally identifiable information, all of which are tempting and lucrative targets for an attacker.

Successful SQL injection attacks typically occur because a vulnerable application doesn't properly sanitize inputs provided by the user and doesn't strip out anything that looks like SQL code. For example, if the application is vulnerable to injection, it may be possible for an attacker to go to a website's search box and type in code that would instruct the site's SQL server to dump all of its stored usernames and passwords for the site.
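The paragraph above describes the root cause: user input is pasted into the query text. The following added example (not part of the original page) contrasts a search function that builds its SQL by string concatenation with one that uses parameter binding; the in-memory products table and the search terms are constructed for the demonstration.

```python
import sqlite3

# Constructed sample data: two public products and one that the search
# must never reveal.
SAMPLE_PRODUCTS = [
    ("widget", "public"),
    ("gadget", "public"),
    ("secret-plan", "internal"),
]


def make_db():
    """Create an in-memory SQLite database seeded with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT, visibility TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?)", SAMPLE_PRODUCTS)
    return conn


def search_vulnerable(conn, term):
    # The user's text becomes part of the SQL statement itself, so a quote
    # or keyword in it changes what the database executes.
    sql = ("SELECT name FROM products WHERE visibility = 'public' "
           "AND name = '" + term + "'")
    return sorted(row[0] for row in conn.execute(sql))


def search_safe(conn, term):
    # Parameter binding: the term travels to the database as a value, never
    # as SQL text, so quotes and keywords in it are matched literally.
    sql = "SELECT name FROM products WHERE visibility = 'public' AND name = ?"
    return sorted(row[0] for row in conn.execute(sql, (term,)))


def compare(term):
    """Run both variants on the same input; report a SQL error as 'error'."""
    conn = make_db()
    try:
        vulnerable = search_vulnerable(conn, term)
    except sqlite3.Error:
        vulnerable = "error"
    return {"vulnerable": vulnerable, "safe": search_safe(conn, term)}


if __name__ == "__main__":
    for term in ("widget", "O'Reilly", "x' OR '1'='1"):
        print(repr(term), "->", compare(term))
```

A stray apostrophe in a legitimate search term breaks the concatenated query outright, while the tautology input makes it return every row, including the internal one; the parameterized version returns only exact matches in both cases.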

Learn more about SQL injection attacks.

Cross-Site Scripting (XSS)

In an SQL injection attack, an attacker goes after a vulnerable website to target its stored data, such as user credentials or sensitive financial data. But if the attacker would rather directly target a website's users, they may choose a cross-site scripting attack. Similar to an SQL injection attack, this attack also involves injecting malicious code into a website or web-based app. However, in this case the malicious code the attacker has injected only runs in the user's browser when they visit the attacked website, and it goes after the visitor directly.

One of the most common ways an attacker can deploy a cross-site scripting attack is by injecting malicious code into an input field that is automatically run when other visitors view the infected page. For example, they could embed a link to a malicious JavaScript file in a comment on a blog.

Cross-site scripting attacks can significantly damage a web company's reputation by placing users' information at risk without any indication that anything malicious even occurred. Any sensitive information a user sends to the site or application, such as their credentials, credit card information, or other private data, can be hijacked via cross-site scripting without the owners realizing there was even a problem in the first place.

Learn more about cross-site scripting attacks.

Cross-Site Request Forgery (CSRF)

A 跨站请求伪造(CSRF) attack is when a victim is forced to perform an unintended action on a web application they are logged into. The web application will have already deemed the victim and their browser trustworthy, and so executes an action intended by the hacker when the victim is tricked into submitting a malicious request to the application. This has been used for everything from harmless pranks on users to illicit money transfers. 

One way website owners can help cut down on their chance of attack is to have advanced validation techniques in place for anyone who may visit pages on their site or app, especially when it comes to social media or community sites. This will enable them to identify the user’s browser and session to verify their authenticity.

While there are a variety of ways a hacker may infiltrate an application through web application vulnerabilities, there are also a variety of ways to defend against them. There are web application security testing tools specially designed to monitor even the most public of applications. Using these scanners reduces your chances of being the victim of a hack by showing you exactly where to make the changes needed for more secure applications.
