Web Security: top 5 attacks targeting web applications

Web Security is a hot topic for everyone in these days. A Positive Technologies report of 2017 showed how all of the websites and web applications have at least one well-known vulnerability.

The same report shows how the 70% of websites and web applications have at least one high severity vulnerability as well.


As a matter of fact, we are talking about well-known vulnerabilities with the related exploits available online. Nowadays with the enforcement of the GDPRWeb Security management has a significant role for every company. The risk of data breaches is higher than ever and consequently companies face the risk of fines as well.

Web Application Security and Web Security: top 5 cyberattacks 

Like everything else, web applications have their problems. First of all, a web app can be targeted by Cyber Criminals with different attacks.

Here you can find the top 5:

  1. Bots and web scraping
  2. DDoS
  3. Cross Site Scripting (XSS)
  4. SQL Injection
  5. Malware

Web Security: Bots and Web Scraping

What is a bot? It is a kind of software which atomates iterative actions in order to prevent the user from doing the same actions over and over again. Just to be clear, bots record Google researches in order to show better results. They award deserving websites in terms of visibility. However, we have both “good” bots and “bad” bots. Bad bots generate traffic as well but this traffic is infected as well as the bot.

Basically, this is why a bad bot can be used for web scraping. This action consists in extrapolating data from a website or a web application. As a matter of fact, this is a plague of the internet: following recent stats, the 20% of the whole traffic is bad-bots-traffic. What does this mean? It means that potentially every website you browse, even though it’s marked as safe, could expose you to a data theft.

Data theft does not always imply the theft of payment-related data. It can be a simple memorization of your e-mail address which could be used later by attackers to spam you and run a phishing attack.

Bad bots can pave the way to DDoS attacks as well.

Web Security: DDOS Distribuited Denial of Service

DDoS stands for Distributed Denial of Service. This specific attack, in order to be carried out, needs many IP addresses, this is why its origins are often hard to trace. A DDoS attack bombs a system with requests and finally crashes it.

We have three main types of DDoS attacks:

  • IP Spoofing: this is the most common DDoS attack mainly because it is successful for hackers who need to have a non authorized access to the system. Through the spoofing, packages of IP addresses are created and these packages are useful to mask the identity of the attacker. Basically, this means that the cybercriminal uses fake IPs that prevent the system from identifying the origin. The most common techniques of IP spoofing are: UDP flood and ICMP flood. The first one is about the stress of the system through a lot of requests containing UDP (communication security protocol) datagrams. The second one, with the same methodology, uses the ICMP (Internet Control Message Protocol) protocol.
  • Protocol attacks. The DDoS attack can affect the security protocol of the web application through techniques such as the Ping of Death or the Smurf.
  • GET/POST flood. The attacker exploits an apparently not infected HTTP (security protocol for web pages) or a POST (Power-On-Self-Test, the auto-analysis phase of a system) to start DDoS attacks. This is an effortless techniques for the hackers but it requires a deeper knowledge. This is why only expert hackers can carry out such attacks.

Web Security: Cross Site Scripting

Cross Site Scripting or XSS is one of the most dangerous attacks as far as web applications are concerned. Basically, it implies the input of snippets, infected pieces of JavaScript that the user is going to run. While the users clicks on the infected URL, he allows the hacker to have the access and obtain the personal data. Cross Site Scripting is also used to edit the content of a page in order to redirect the user to another infected web application.

Web Security: SQL Injection

SQL is the standard language as far as databases are concerned. An SQL Injection attack consists of injecting infected elements that the database might consider as legit. In this case, the database is open to data theft that could affect both users and admins. Hackers could create administrative accounts to control the web application. An SQL Injection attack can lead to very dangerous consequences: what if an attacker steals information such as addresses and telephone numbers in addition to payment data?

Web Security: Malware

We have different kinds of malwares basing on the purpose they have (ransomware, trojan, spyware, …). Once a malware enters a system, a cybercriminal can get the full control of it. This is why protecting your web applications from malwares is crucial: the number of cyber attacks led using malwares is very high and even if it seems that hackers are moving to cryptocurrencies mining, the threat remains.

Web Application Security e Web Security

Data show the lack of web security principles.

As fare as CyberSecurity and Web Security are concerned, prevention is key.

Vulnerability Assessment and Network Scan ensure preventive security for your websites and web applications.

These activities require a periodic check on an annual basis to see if systems are vulnerable.

These activities are crucial to assess your risk level and comply with the new Data Privacy European law – GDPR.

You can check the status of your systems, websites, web applications,… with Swascan CyberSecurity Services.

Start your Free Trial


GDPR Assessment: How can I assess my Compliance?
SamSam Ransomware Has Raised $6 Million

Cyber Incident Swascan Emergency

Contact us for immediate support

The undersigned, as data subject, DECLARES that I have read and understood the content of the privacy policy pursuant to Article 13, GDPR. AGREE to the processing of data in relation to the sending by the Data Controller of commercial and / or promotional communications relating to (i) own products / services, or (ii) products / services offered by third parties.
The consent given may be revoked at any time by contacting the Data Controller at the addresses provided in the aforementioned privacy policy.