Top 10 most common web attacks

IT security has always been a cat and mouse game. And the defensive side is always playing catch-up with the offensive side. That’s because as our defenses become more robust against specific attacks, attackers find ways to circumvent the new defenses and even cook up new types of attacks. So it’s a bit like a never-ending game of Whack-A-Mole.

In this post, we take a look at the top 10 most common online attacks and provide tips on defending against them.

What are the most common online attacks?

Below is a list of 10 of the most common online attacks you could have to deal with. We will explore each of them in more detail, and provide advice on how best to avoid them.

Here are the most common online attacks:

  1. Denial of service (DoS) and distributed denial of service (DDoS) attacks
  2. Man-in-the-middle / man-in-the-browser attacks
  3. Drive-by download attacks
  4. Phishing and spear-phishing attacks
  5. Password-based attacks
  6. SQL injection attacks
  7. Cross-site scripting attacks
  8. Trojans
  9. Macro viruses
  10. Ransomware

1. Denial of service (DoS) and distributed denial of service (DDoS) attacks

A denial of service (DoS) attack is an attack in which requests flood a server to the point that it can no longer cope with the load and crashes. A distributed denial of service (DDoS) attack is essentially the same attack, except that it’s launched from a botnet: several other host machines that have also been compromised and are under the attacker’s control.

Unlike most online attacks, which are designed to enable the attacker to access system resources, denial-of-service attacks in themselves don’t allow the attackers access to any resources. However, once the server has been taken offline, it may be vulnerable to other types of attacks that directly benefit the attacker, like session hijacking.

The most common denial of service attack is a TCP SYN flood attack. In this attack, the attacker floods the server with TCP session initialization requests but never responds when the server replies to those requests. Each unanswered request leaves a half-open connection in the server’s connection queue until the server times out waiting for a response. Once that queue is full, the server becomes unresponsive or crashes outright.

Mitigations

  • Ensure your server is behind a firewall and configured to block all traffic that isn’t necessary to the server’s functionality.
  • Increase the size of your server’s connection queue as much as possible.
  • Decrease your server’s configured timeout for open connections.
  • DDoS mitigation services (reverse proxies), like Cloudflare, might be worth looking into.
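
To make the connection-queue advice concrete, here is an added example (not part of the original article) that counts half-open connections per listening port and compares them with the queue size. The input is a constructed sample in the column layout of `ss -tan`; the queue size of 8 and the 75% alert ratio are assumptions chosen for illustration.

```python
from collections import Counter

# Constructed sample, laid out like the output of `ss -tan`.
SAMPLE = """\
State     Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN    0      8      0.0.0.0:443         0.0.0.0:*
ESTAB     0      0      192.0.2.10:443      198.51.100.20:50112
SYN-RECV  0      0      192.0.2.10:443      203.0.113.5:40001
SYN-RECV  0      0      192.0.2.10:443      203.0.113.6:40002
SYN-RECV  0      0      192.0.2.10:443      203.0.113.7:40003
SYN-RECV  0      0      192.0.2.10:443      203.0.113.5:40004
SYN-RECV  0      0      192.0.2.10:443      203.0.113.8:40005
SYN-RECV  0      0      192.0.2.10:443      203.0.113.9:40006
SYN-RECV  0      0      192.0.2.10:22       203.0.113.9:40007
"""

def half_open_report(table, queue_size, alert_ratio=0.75):
    """Summarise half-open (SYN-RECV) connections per local port."""
    per_port = Counter()
    sources = {}
    for line in table.splitlines():
        fields = line.split()
        # Skip the header and every connection that completed the handshake.
        if len(fields) != 5 or fields[0] != "SYN-RECV":
            continue
        port = int(fields[3].rsplit(":", 1)[1])
        peer_ip = fields[4].rsplit(":", 1)[0]
        per_port[port] += 1
        sources.setdefault(port, set()).add(peer_ip)
    report = {}
    for port, count in per_port.items():
        fill = count / queue_size
        report[port] = {
            "half_open": count,
            # Many distinct peers suggests a flood, not one broken client.
            "distinct_sources": len(sources[port]),
            "queue_fill": fill,
            "alert": fill >= alert_ratio,
        }
    return report

if __name__ == "__main__":
    for port, info in sorted(half_open_report(SAMPLE, queue_size=8).items()):
        print(port, info)
```

A larger queue lowers `queue_fill` for the same number of pending requests, and a shorter timeout removes half-open entries sooner, which is why both settings appear in the list above.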

2. Man-in-the-middle / man-in-the-browser

If a third party manages to insert themselves between your device and the web site/application you’re connected to, you’ve just fallen victim to a “man in the middle” attack. There are actually two types of man-in-the-middle attacks: proper man-in-the-middle attacks, which are system-wide, and man-in-the-browser attacks, which are limited to your web browser’s traffic. Both versions of the attack work the same way; the only difference is their span (browser vs. full system).

In both versions of the attack, the man-in-the-middle has the ability to observe and modify traffic as it passes between your browser/system and the web servers you connect to. They can do this because the man-in-the-middle is essentially acting as a proxy server between your device and the web server. Because they sit in “the middle” of that connection, the man-in-the-middle can intercept and modify the contents of what’s being transmitted and received.

Because the attacker in a man-in-the-middle attack can manipulate the traffic coming and going from your browser, they can alter the messages you receive, redirect your traffic, manipulate DNS responses, etc. If you fall victim to a man-in-the-middle attack, you just cannot trust what’s displayed in your browser.

While the use of TLS/HTTPS can help to mitigate this attack, it isn’t fool-proof. Attackers typically have a hard time spoofing certificates used by the server to authenticate itself to the browser. But many internet users have been conditioned to ignore browser warnings and click through them when they appear. So attackers will frequently use an invalid/self-signed certificate, and in many cases – if not most – users will ignore their browser’s warning, and the attack will still succeed.

Mitigations

  • I can’t state this mitigation measure enough: don’t ignore your browser’s warnings – just don’t. If your browser displays a warning that you might be accessing a malicious site or that there’s a TLS/HTTPS certificate mismatch, don’t ignore it. Pay close attention and follow your browser’s advice (unless you absolutely know that it’s a false positive). And even then, should you have any reason to doubt, try a different machine or a different internet connection.
  • Don’t use public wi-fi without a VPN. Unsecured hotspots are a gold mine to malicious actors. A VPN’s encryption will make man-in-the-middle attacks much harder, if not impossible, to pull off.
  • Website administrators should make sure their sites use TLS/HTTPS.

3. Drive-by download attacks

A drive-by download is a download that unknowingly occurs when a user visits a website. The drive-by download may occur as the user is downloading something else, but this isn’t required. Most of these downloads occur without any intervention from the user. Drive-by download attacks are one of the most common ways malware spreads.

Malicious actors typically scan for insecure websites to plant malicious scripts into their HTML or PHP code. These scripts could directly install malware onto the unsuspecting visitor’s machine or redirect the visitor to another site controlled by the hackers. As stated above, drive-by downloads typically don’t require any user intervention to pull off the attack. They can occur when a user visits a website, opens an email, or clicks a pop-up window.

Mitigations

  • Drive-by downloads will typically attempt to exploit security vulnerabilities found in web browsers, applications, and operating systems. So keeping these updated is crucial so that your device has all of the latest security patches.
  • Limit the number of applications installed on your device to what is actually necessary. That reduces your attack surface.
  • Limit the number of web browser plugins you use. Browser plugins are a common vector for the vulnerabilities that enable drive-by download attacks.

4. Phishing and spear-phishing attacks

Phishing attacks are a form of social engineering that attempt to fool an unsuspecting user into providing sensitive information (credit card numbers, passwords, etc.). Attackers will send their victims a legitimate-looking email or text message (or phone call, for that matter) that appears to be from a trusted source (your bank, a service provider with whom you have a relationship, a friend, or a family member). This could be an email with an attachment that downloads malware onto your computer when clicked. Or it could be a link to a legitimate-looking website under the attacker’s control that attempts to trick you into downloading malware or handing over your personal information.

Spear-phishing is a type of phishing attack that follows along the same lines as above, except that it’s targeted at a specific user. In a spear-phishing attack, the attackers research their target and craft messages that are personal and relevant to that target. So the modus operandi of both attacks is essentially the same (fake emails, text messages, websites), but the latter is more finely tuned to a specific target. Because of this, spear phishing can be more difficult to identify and defend against.

Mitigations

  • Only buy well-reviewed and genuine antivirus software from legitimate vendors and set it up to run frequent scans at regular intervals.
  • Never click on pop-ups. Just. Don’t. Do. That. You never know where they’ll take you.
  • If your browser displays a warning about a website you are trying to access, pay attention and get the information you need elsewhere.
  • Don’t open attachments in emails unless you can confirm who sent the email and know what the attachment is.
  • Don’t click links (URLs) in emails unless you know exactly who sent the URL and where it links to. But with URLs, you can take things a bit further by carefully inspecting the link. Is it an HTTP or an HTTPS link? The overwhelming majority of legitimate sites use HTTPS. Does the link contain spelling errors (faceboook instead of facebook)? If you can get to the destination without using the link (via bookmarks or a search engine, for example), do that instead.
  • Don’t reply to emails or text messages that ask you for personal information. That is a classic sign of a phishing scam. Legitimate organizations will never ask you for personal information via email or text message when they contact you.
  • Limit the amount of personal information you post on the internet. The risk of you falling victim to a spear-phishing attack is proportional to the amount of personal information that’s publicly available about you. The more information attackers can obtain on you, the more convincing their spear-phishing ploy may be. The internet is a hostile place. Before posting something revealing, ask yourself whether it’s really necessary or not.
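
The two link checks described above (HTTP versus HTTPS, and misspelled names such as faceboook) can be automated. The following is an added example, not part of the original article; the list of known domains, the edit-distance threshold of 2, and the function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the sites this user actually deals with (constructed list).
KNOWN_DOMAINS = ["facebook.com", "google.com"]

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]

def site_name(host):
    """Last two labels of the host name (simplification: no public-suffix list)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def inspect_link(url, known=KNOWN_DOMAINS, max_distance=2):
    """Return a list of reasons not to click; empty means nothing was flagged."""
    parts = urlsplit(url)
    findings = []
    if parts.scheme != "https":
        findings.append("not-https")
    domain = site_name(parts.hostname or "")
    if domain not in known:
        for good in known:
            # Close to a known name but not equal to it: likely a misspelling.
            if edit_distance(domain, good) <= max_distance:
                findings.append("lookalike-of:" + good)
    return findings

if __name__ == "__main__":
    for link in ("http://www.faceboook.com/login", "https://gooogle.com/",
                 "https://www.google.com/"):
        print(link, inspect_link(link))
```

An empty result only means these two checks found nothing; it does not prove the link is safe.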

5. Password-based attacks

The best way into a house is through the front door. That’s also true of your online accounts. If a malicious actor can get their hands on your credentials, they can access your information, modify your account, change your password, and lock you out of your own account.

There are many different password-based attacks. Some are sophisticated, while others are rather simplistic. But they all share the fact that your passwords are leaked.

Notable password-based attacks include:

  • Brute force/Dictionary attacks – An attacker uses specialized software to attempt to “guess” the victim’s password. The software is able to try thousands of passwords per minute.
  • Credential stuffing attacks – Malicious actors use lists of compromised credentials to attempt to log into a wide range of online accounts.
  • Credential dumping attacks – Malicious actors hack into your device and steal your credentials, typically from the device’s random access memory (RAM).
  • Pass the hash (PtH) attacks – Malicious actors steal a hashed user credential – not the actual password itself – and use the hash to trick the authentication mechanism into creating a new authenticated session within the same network. Their goal is to use the initial set of credentials to move laterally between devices and accounts in the hopes of escalating their user permissions to access critical systems, like the network administrator account.
  • Masquerade attacks – An attacker masquerades as a legitimate user to access a device. That can happen through stolen credentials (typically via a phishing scheme), exploiting software bugs, or side-stepping the authorization process itself.

Mitigations

  • You should limit user permissions as much as possible. Implementing the principle of least privilege is highly recommended, providing each user in your organization with the least amount of permissions required to do their job and nothing more. That will limit the damage if any of your user accounts are compromised by a password attack.
  • Implement digital code-signing. Digital signing prevents unauthorized software from being executed unless it is signed by a trusted entity. Like limited permissions, this can limit what an attacker can do if they get their hands on your credentials.
  • Set up two-factor authentication (2FA) on all accounts that support it. 2FA makes it more difficult for an attacker to abuse your credentials, and it may appear to be more trouble than it’s worth to many of them.
  • Enforce strong password requirements in your organization. While this one may seem obvious, you’d be surprised by the number of organizations that allow their users to create weak passwords. Strong passwords are your first line of defense. Users should not be allowed to use weak passwords. Make sure they’re as strong as can be in your organization.
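
Brute force and credential stuffing leave different traces in an authentication log: the first is many guesses at one account, the second is one or two tries at many accounts. The added example below (not part of the original article) tells them apart per source address. The log format, the 300-second window, and the threshold of 10 failures are assumptions, and the log lines are constructed.

```python
from collections import defaultdict

# Constructed log lines: "<epoch-seconds> <source-ip> <username> <OK|FAIL>"
SAMPLE_LOG = (
    [f"{1700000000 + i} 198.51.100.7 alice FAIL" for i in range(12)]
    + [f"{1700000100 + i} 203.0.113.9 user{i:02d} FAIL" for i in range(10)]
    + ["1700000200 203.0.113.9 user03 OK",
       "1700000300 192.0.2.44 bob FAIL",
       "1700000310 192.0.2.44 bob OK"]
)

def classify_sources(lines, window=300, min_failures=10):
    """Map each source IP to (verdict, accounts it also logged in to)."""
    fails, wins = defaultdict(list), defaultdict(set)
    for line in lines:
        ts, src, user, result = line.split()
        if result == "FAIL":
            fails[src].append((int(ts), user))
        else:
            wins[src].add(user)
    report = {}
    for src, events in fails.items():
        events.sort()
        verdict, start = "normal", 0
        for end in range(len(events)):
            # Slide the window so it never spans more than `window` seconds.
            while events[end][0] - events[start][0] > window:
                start += 1
            burst = events[start:end + 1]
            if len(burst) >= min_failures:
                users = {u for _, u in burst}
                if len(users) == 1:
                    verdict = "brute-force"
                elif len(users) >= len(burst) / 2:
                    verdict = "credential-stuffing"
                else:
                    verdict = "mixed"
                break
        # Accounts a flagged source logged in to should be reset first.
        hits = sorted(wins[src]) if verdict != "normal" else []
        report[src] = (verdict, hits)
    return report

if __name__ == "__main__":
    for src, result in classify_sources(SAMPLE_LOG).items():
        print(src, result)
```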

6. SQL injection attacks

SQL injection is one of the most prevalent and successful online attacks of the past decade. In an SQL injection attack, malicious actors push SQL commands to a web server to access, modify, or steal data stored on the server – the classic payload.

Attackers can compromise a server’s web forms, cookies, or HTTP posts and “trick” them into injecting their malicious code into the victim’s browser. And the browser will automatically execute the code because it considers it as coming from a trusted source. Once attackers can access the user’s browser, they will go about their business of harvesting their sensitive information.

Mitigations

  • Never trust user input. Always make sure your web server sanitizes and filters user input.
  • Limit the functions that can be executed through SQL commands.
  • Deploy web application firewalls to protect your organization from SQL injection attacks.
  • Enable the Content Security Policy (CSP) header, which will provide your server with an additional layer of security by hard-coding the resources that are allowed to load on a given web page.
  • Enable the HttpOnly flag to lower the odds that client-side scripts will be able to access protected cookies.
  • Encode the output of your server’s HTTP responses to make sure web browsers don’t interpret them as active content and execute the code they contain.
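
The first two mitigations can be shown side by side. This added example (not part of the original article) uses Python's built-in `sqlite3` module with a constructed two-row table: one lookup pastes user input into the SQL text, the other passes it as a bound parameter, and an authorizer callback then limits the connection to read operations. Table, function names, and the sample input are assumptions made for illustration.

```python
import sqlite3

def make_db():
    """Constructed in-memory database with two sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.com"),
                      ("bob", "bob@example.com")])
    conn.commit()
    return conn

def lookup_vulnerable(conn, name):
    # Input is pasted into the statement, so a quote in `name` changes the SQL.
    query = "SELECT email FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(query)]

def lookup_safe(conn, name):
    # Bound parameter: the driver passes `name` as data, never as SQL text.
    query = "SELECT email FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(query, (name,))]

def restrict_to_reads(conn):
    """Limit what SQL on this connection may do: SELECT and column reads only."""
    allowed = {sqlite3.SQLITE_SELECT, sqlite3.SQLITE_READ}
    conn.set_authorizer(
        lambda action, *_: sqlite3.SQLITE_OK if action in allowed
        else sqlite3.SQLITE_DENY)

def write_is_blocked(conn):
    """True if a DELETE is refused on this connection."""
    try:
        conn.execute("DELETE FROM users")
    except sqlite3.DatabaseError:
        return True
    return False

# Constructed input containing a quote character.
CONSTRUCTED_INPUT = "nobody' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("concatenated:", lookup_vulnerable(db, CONSTRUCTED_INPUT))
    print("parameterized:", lookup_safe(db, CONSTRUCTED_INPUT))
    restrict_to_reads(db)
    print("write blocked:", write_is_blocked(db))
```

With the concatenated query the constructed input returns every row; with the bound parameter it is compared as a literal name and matches nothing.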

7. Cross-site scripting

Cross-site scripting (XSS) attacks manipulate a web server into delivering malicious client-side scripts to the victim’s browser, which will execute them without any user intervention. Once executed, the malicious script will typically exfiltrate sensitive information from the server, download and install malware, or redirect the victim’s browser to a malicious website controlled by the attacker.

As is the case with SQL injection attacks, cross-site scripting hinges on a web server’s failure to sanitize user input properly. Because of that failure, malicious code can be pushed to the server, which will unwittingly serve it back to its legitimate users. This vulnerability can also enable CSRF attacks, form action hijacking, session hijacking, and SSRF attacks.

Mitigations

  • Again, don’t trust any user input and always sanitize it. That is the most important mitigation measure.
  • And as with the above SQL injection mitigation measures, enable the Content Security Policy (CSP) header and the HttpOnly flag, and encode the output of your server’s HTTP responses so that web browsers don’t execute the embedded code.
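
The three response-side measures named above (CSP header, HttpOnly cookie flag, output encoding) can be checked mechanically. This added example, which is not part of the original article, builds a weak and a hardened response for the same constructed comment and audits both. The function names, the CSP value, and the session id are assumptions made for illustration.

```python
import html
from http.cookies import SimpleCookie

# Constructed user-supplied comment containing markup.
UNTRUSTED_COMMENT = "<script>alert(1)</script>"

def build_response(comment, session_id, hardened):
    """Return (headers, body) for a page that echoes a user comment."""
    cookie = SimpleCookie()
    cookie["session"] = session_id
    headers = []
    if hardened:
        cookie["session"]["httponly"] = True   # hide cookie from page scripts
        headers.append(("Content-Security-Policy",
                        "default-src 'self'; object-src 'none'"))
        comment = html.escape(comment, quote=True)  # markup becomes text
    headers.append(("Set-Cookie", cookie["session"].OutputString()))
    return headers, "<p>" + comment + "</p>"

def audit(headers, body, untrusted):
    """List which of the three mitigations a response is missing."""
    findings = []
    by_name = {name.lower(): value for name, value in headers}
    if "content-security-policy" not in by_name:
        findings.append("no Content-Security-Policy header")
    if "httponly" not in by_name.get("set-cookie", "").lower():
        findings.append("session cookie lacks HttpOnly")
    # Only meaningful when the input contains characters that need encoding.
    if untrusted != html.escape(untrusted) and untrusted in body:
        findings.append("untrusted input reflected without encoding")
    return findings

def audit_both(comment=UNTRUSTED_COMMENT, session_id="abc123"):
    weak = build_response(comment, session_id, hardened=False)
    strong = build_response(comment, session_id, hardened=True)
    return audit(*weak, comment), audit(*strong, comment)

if __name__ == "__main__":
    weak_findings, strong_findings = audit_both()
    print("weak:", weak_findings)
    print("hardened:", strong_findings)
```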

Malware

The next three web attacks are forms of malware (trojans, macro viruses, and ransomware) and they’re as serious as they are common – hence they’re in our Top 10. However, their mitigations are essentially the same, so for convenience, we listed them after the 10th point as they apply to all three. You’ll also notice some overlap with the phishing/spear-phishing mitigations, but that’s the nature of the beast. We can tolerate a bit of redundancy in the name of clarity.

8. Trojans

A Trojan is not a virus, though it is part of the “malware” family. Unlike a computer virus, a Trojan Horse doesn’t replicate itself by infecting other files or computers. A trojan is a decoy that may well end up downloading viruses onto your machine, but it is not itself a virus. A Trojan is basically a small piece of malicious software hidden inside a useful program. Once installed, a Trojan can:

  • Establish a backdoor that attackers can exploit.
  • Steal your sensitive information and transmit it to a malicious server.
  • Download more malware and viruses.
  • Take control of your device.
  • And more.

9. Macro viruses

Macro viruses infect applications like Microsoft Word or Excel. They’re called macro viruses because they’re written in the macro language used by the apps they infect. A macro language is a simple programming language that enables users to write and execute automated tasks in sequence. That “shortcut” is called a macro. If macros are enabled in the app, legitimate macros and macro viruses will run during an application’s initialization sequence. Thankfully, Microsoft has now disabled them by default, but many users enable them to work more productively. Hence, despite Microsoft’s mitigation, macro viruses remain a serious infection vector.

Once it has infected an application, a macro virus can do anything that the macro language it’s written in supports. That means:

  • Creating new files
  • Moving text
  • Transmitting files
  • Inserting pictures or videos in documents
  • Corrupting document templates so that all new documents created from that template are infected
  • Macro viruses could even format your hard drive

10. Ransomware

Ransomware is a type of malware that encrypts the victim’s data. The attacker then demands a ransom from the victim in exchange for the decryption key.

Other forms of ransomware exist that don’t necessarily encrypt the victim’s data. But they render it inaccessible to the user and demand a ransom be paid to recover access, under threat of publishing the data or destroying it. In either case, it’s a serious attack that can destroy people’s reputations and livelihoods.

Mitigations

  • Use a firewall – Every major operating system provides a built-in incoming firewall, and all off-the-shelf commercial routers have a built-in NAT firewall. Ensure you enable them.
  • Use an antivirus program – And only buy genuine and well-reviewed antivirus software from legitimate vendors. Once installed, configure it to run frequent scans at regular intervals.
  • Keep your operating system and applications updated – The latest OS and application updates contain the latest security patches. Make sure to install the updates/patches as soon as they become available.
  • Never click on pop-up windows – Never.
  • Don’t ignore your browser if it displays a warning about the website you’re attempting to access. Pay attention and find the information you need elsewhere.
  • Never download pirated software – We all like free things. But those who upload pirated software are typically looking to make money, either by compromising your system or selling your information to other malicious actors.
  • Don’t open email attachments unless you can identify and trust the sender. Viruses do come in the mail, and you should always scan your incoming mail with an antivirus program.
  • Make regular backups of your devices – Regular backups will allow you to recover your files if your device is ever infected.
  • Don’t click links (URLs) in emails unless you know exactly who sent them and where they link. You should also scrutinize the link carefully. Is it an HTTP or an HTTPS link? Most legitimate sites use HTTPS today. Does the link contain any spelling errors (gooogle instead of google)? If you can get to the destination without using the link (i.e., via a bookmark or by using a search engine), you should do that instead.

Wrap up

So those are the Top 10 web attacks. And regardless of their spot on the list, you want to steer clear of all of them. While these “Top 10” type posts only provide a bird’s eye view for each type of attack, I feel they’re valuable insofar as they enable less tech-savvy internet users to know what to look out for. Hopefully, the tips provided as mitigations will help techies and non-techies alike have a safer online experience.

As always, stay safe.