
Web server attacks

Vulnerability of web services

The first network attacks exploited vulnerabilities related to the implementation of TCP/IP protocol suites. With the gradual correction of these vulnerabilities, attacks have shifted to application layers and particularly the web, given that most companies open their firewall systems to web traffic.

The HTTP (or HTTPS) protocol is the standard that makes it possible to transfer web pages via a request and response system. Originally used mainly to transfer static web pages, the web has quickly become an interactive tool making it possible to provide on-line services. The term "web application" refers to any application whose interface can be accessed on the web from a simple browser. Now the basis for a number of technologies (SOAP, JavaScript, XML-RPC, etc.), the HTTP protocol plays an undeniable strategic role in information system security.

As web servers themselves become more and more secure, attacks are gradually shifting toward the exploitation of flaws in the web applications running on them.

As such, the security of web services should be taken into account from the moment they are designed and developed, not added afterwards.

Types of vulnerabilities

Web application vulnerabilities

Web application vulnerabilities can be categorized as follows:

  • Web server vulnerabilities. This type of case is becoming increasingly rare, since major web server developers have heightened their security over the years;
  • Manipulation of URLs, which involves manually modifying URL parameters in order to modify the behaviour expected from the web server;
  • Exploitation of weaknesses in session identifiers and authentication systems;
  • HTML Code Injection and Cross-Site Scripting;
  • SQL Injection.

The necessary verification of input data

The HTTP protocol is by nature request-driven: the server receives input data from the client and sends data back in response. Data may be sent by the client in a variety of ways:

  • In the web page's URL (path and query string parameters)
  • In HTTP headers
  • In the body of the request (POST request)
  • Via a cookie

The basic idea to keep in mind throughout the development process is that you should never trust data sent by the client: every value, whichever channel it arrives through, must be checked on the server side before it is used.

Almost all web service vulnerabilities are linked to negligence on the part of designers, who have not checked the format of the data entered by users against what the application actually expects.
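The following is an added example, not code from the original article: it takes a constructed HTTP request, pulls the client-controlled data out of the four channels listed above (URL, headers, body, cookie), validates each value against an allow-list pattern, and then shows on an in-memory SQLite table why an unchecked URL parameter becomes an SQL injection when it is concatenated into a query, and why a bound parameter does not. The request, the field names, the patterns and the table are all assumptions made for the illustration.

```python
import re
import sqlite3
from urllib.parse import urlsplit, parse_qs

# Constructed sample request (not captured traffic). The URL parameter and the
# X-Forwarded-For header carry deliberately hostile values.
RAW_REQUEST = (
    "POST /account?user=alice%27%20OR%20%271%27%3D%271 HTTP/1.1\r\n"
    "Host: shop.example\r\n"
    "X-Forwarded-For: 10.0.0.5, <script>alert(1)</script>\r\n"
    "Cookie: session=abc123; lang=en\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "amount=100&note=hello"
)


def parse_request(raw):
    """Split a raw HTTP/1.1 request into the four client-controlled channels."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    # parse_qs decodes percent-encoding, so the value seen by the application
    # is exactly what an attacker typed, not the encoded form in the URL.
    query = {k: v[0] for k, v in parse_qs(urlsplit(target).query).items()}
    cookies = {}
    for part in headers.get("cookie", "").split(";"):
        if "=" in part:
            k, _, v = part.strip().partition("=")
            cookies[k] = v
    form = {k: v[0] for k, v in parse_qs(body).items()}
    return {"method": method, "query": query, "headers": headers,
            "cookies": cookies, "form": form}


# Allow-list patterns (hypothetical): each field gets exactly the format the
# application expects, rather than a deny-list of "dangerous" characters.
RULES = {
    "user": re.compile(r"^[a-z][a-z0-9_]{2,31}$"),
    "amount": re.compile(r"^[0-9]{1,7}$"),
    "note": re.compile(r"^[A-Za-z0-9 .,!?-]{0,140}$"),
    "session": re.compile(r"^[A-Za-z0-9]{6,64}$"),
    "lang": re.compile(r"^[a-z]{2}$"),
    "x-forwarded-for": re.compile(r"^[0-9a-fA-F.:, ]{1,100}$"),
}


def validate(fields):
    """Return the names of fields that fail their pattern; unknown fields fail too."""
    bad = []
    for name, value in fields.items():
        rule = RULES.get(name)
        if rule is None or not rule.fullmatch(value):
            bad.append(name)
    return bad


def check_request(req):
    """Validate every channel; for headers, only the ones the application reads."""
    consumed = {k: req["headers"][k] for k in ("x-forwarded-for",) if k in req["headers"]}
    return {"query": validate(req["query"]), "form": validate(req["form"]),
            "cookies": validate(req["cookies"]), "headers": validate(consumed)}


def make_db():
    """In-memory table standing in for the application's user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@shop.example"), ("bob", "bob@shop.example")])
    return conn


def lookup_vulnerable(conn, user):
    # String concatenation: the client's value becomes part of the SQL grammar,
    # so  alice' OR '1'='1  turns the WHERE clause into a tautology.
    sql = "SELECT name FROM users WHERE name = '" + user + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, user):
    # Bound parameter: the value is data only and cannot alter the statement.
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (user,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    req = parse_request(RAW_REQUEST)
    print("rejected fields:", check_request(req))
    conn = make_db()
    print("concatenated query returns:", lookup_vulnerable(conn, req["query"]["user"]))
    print("parameterised query returns:", lookup_safe(conn, req["query"]["user"]))
```

Run as is, the validator rejects `user` (from the URL) and `x-forwarded-for` (from the headers) while accepting the body and cookie fields; the concatenated query returns every user for the injected value, and the parameterised one returns none. Validation and parameter binding are complementary: the first stops malformed data at the door, the second guarantees that whatever gets through can never be interpreted as SQL.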

Impact of web attacks

Attacks on web applications are always harmful, if only because they damage the company's image. A successful attack can have any of the following consequences:

  • Website defacement;
  • Stolen information;
  • Modification of data, and particularly modification of users' personal data;
  • Web server intrusion.


Last update on Thursday October 16, 2008 02:43:15 PM.
This document entitled « Web server attacks » from Kioskea (en.kioskea.net) is made available under the Creative Commons license. You can copy, modify copies of this page, under the conditions stipulated by the licence, as this note appears clearly.
