Web Application Vulnerabilities


2 Main Categories of Attacks

  • client-side attacks
  • server-side attacks

Client-side Attacks

Server-side Attacks

Vulnerabilities in server-side web transactions are typically caused by one or more of the following:

  • Lack of input validation
  • Improper or inadequate permissions
  • Extraneous files

Lack of Input Validation

When server-side code uses client-supplied input without validating it, the input can end up being interpreted as code or commands rather than as data. This is the root cause of injection attacks (for example SQL injection and OS command injection), and it also enables attacks such as path traversal when unvalidated input is used to build file names.
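The following is an added example, not code from the original notes, showing the two halves of the problem side by side: a login check that splices unvalidated input into a SQL string, and a hardened version that applies allow-list validation and a parameterized query. The database, table and user records are constructed inline for the demonstration; passwords are stored in plaintext only to keep the injection visible, which a real application must never do.

```python
import re
import sqlite3

# Constructed in-memory database for the example (not from the original page).
def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Unvalidated input is concatenated straight into the SQL text, so the
    # input can change the structure of the query instead of being treated
    # as a value. A password of  ' OR '1'='1  makes the WHERE clause true.
    query = (
        "SELECT id FROM users WHERE username = '" + username + "' "
        "AND password = '" + password + "'"
    )
    return conn.execute(query).fetchone() is not None


# Allow-list for usernames (assumed policy for this example): lowercase
# letters, digits and underscore, 1 to 32 characters.
USERNAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")


def login_hardened(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Validation: reject anything that does not match the expected shape.
    if not USERNAME_RE.fullmatch(username):
        return False
    # Parameterized query: the driver passes the values separately from the
    # SQL text, so the password is compared as data even if it contains
    # quotes or SQL keywords. Validation and parameterization complement
    # each other; parameterization alone is what stops the injection.
    row = conn.execute(
        "SELECT id FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    conn = build_db()
    payload = "' OR '1'='1"
    print("vulnerable login with injected password:", login_vulnerable(conn, "alice", payload))
    print("hardened login with injected password:  ", login_hardened(conn, "alice", payload))
```

Running the block shows the vulnerable function accepting the injected password and the hardened one rejecting it, while both still accept the legitimate credentials.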

Improper or Inadequate Permissions

Web applications rely on files and directories that are sensitive, and exposing them to general users (or letting the web server process write to them) creates security issues.

  • Exposure of configuration files
    • Many web apps that use a database keep a configuration file holding the credentials used to access the database; if that file sits inside the document root and the server will serve it, or its permissions let other local users read it, an attacker obtains the credentials directly
  • Securing directories
    • Attackers can change, add, or delete files within directories that aren't secured, for example directories that are writable by the web server process or by any local user, which lets them plant or replace served content

Extraneous Files

When a web server moves from development into production, developers often forget to clean up files not directly related to running the site or application, or files that are artifacts of the development or build process (backup copies such as .bak or .old files, editor swap files, version-control directories such as .git, database dumps, or test scripts).

  • These files can expose source code, credentials, or internal details that an attacker can use