Web application attacks are the result of serious weaknesses or vulnerabilities in the design or code of an application. These weaknesses allow attackers to gain direct access to information and data that they should not be able to reach. This can lead to information disclosure that causes a devastating loss for the organisation.
Below are a few common web application attacks:
Cross-site Scripting (XSS)
Cross-site scripting is a vulnerability in PHP web applications which attackers may exploit to steal users' information. You can configure Apache and write more secure PHP scripts (validating all user input and escaping it when it is echoed back into a page) to avoid XSS attacks.
SQL Injection
SQL injection is a vulnerability in the database layer of a PHP application. When user input is incorrectly filtered, arbitrary SQL statements can be executed by the application. You can configure Apache and write secure code (validating and escaping all user input) to avoid SQL injection attacks. A common practice in PHP is to escape parameters using the function mysql_real_escape_string() before sending the SQL query.
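The following is an added example, not code from the original article: the same user lookup written the vulnerable way (input spliced into the SQL text) and the hardened way (a prepared statement through PDO). It assumes the pdo_sqlite extension is available and builds its own in-memory table so it runs stand-alone.

```php
<?php
// Added example (not from the original article). Table, rows and the
// malicious input below are constructed for the demonstration.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)");
$db->exec("INSERT INTO users (name, email) VALUES "
        . "('alice', 'alice@example.com'), ('bob', 'bob@example.com')");

// Vulnerable: the user-supplied value becomes part of the SQL text, so the
// database parses it as statement syntax rather than treating it as data.
function findUserUnsafe(PDO $db, string $name): array {
    $sql = "SELECT name, email FROM users WHERE name = '" . $name . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: a prepared statement sends the value separately from the query
// text, so it can never be interpreted as SQL. Prefer this over escaping
// with mysql_real_escape_string(), which depends on the connection charset
// and was removed from PHP 7 together with the whole mysql_* extension.
function findUserSafe(PDO $db, string $name): array {
    $stmt = $db->prepare("SELECT name, email FROM users WHERE name = :name");
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed malicious input: closes the quoted literal and appends an
// always-true condition, so the unsafe query's WHERE clause matches every row.
$input = "' OR '1'='1";

// Unsafe: the injected OR clause matches every user in the table.
echo "unsafe: " . count(findUserUnsafe($db, $input)) . " row(s)\n";
// Safe: the whole string is compared as a name, and no user has that name.
echo "safe:   " . count(findUserSafe($db, $input)) . " row(s)\n";
```

The same pattern applies to MySQL: use PDO or mysqli with bound parameters instead of building the query string from request data.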
Cross-site Request Forgery (CSRF)
Cross-site request forgery is an attack that forces an end user to execute unwanted actions on a web application in which that user is currently authenticated. A successful CSRF exploit can compromise end user data. If the targeted end user holds the administrator account, this can compromise the entire web application.
Remote File Include
Remote file include is a vulnerability in which an attacker can make the application open files from a remote server and execute any PHP code they contain. This allows them to upload files, delete files and install backdoors. You can configure PHP to disable the inclusion of remote files (the allow_url_include setting).
File Uploads
File uploads allow your visitors to place files (upload files) on your server. This can result in various security problems, such as deleting your files, deleting the database, obtaining user details and much more. You can disable file uploads in PHP or write secure code (validating user input and only allowing image file types such as PNG or GIF).
eval()
eval() evaluates a string as PHP code. It is often used by an attacker to hide their code and tools on the server itself. You can configure PHP to disable eval().