Web Security
Last week, I focused much of my effort on Web Security. Whether we like it or not, the internet is deeply ingrained in our everyday lives: we use it for work, shopping, entertainment, and so much more. Ensuring that the websites we interact with are secure is an integral part of cybersecurity. Working in web security is something I could easily see myself pursuing in the future.
The Components of Web Services
Web services are typically composed of three main components:
Application – This is the actual code of the website that dictates how everything looks and functions.
Web Server – This hosts the application, actively listening to requests and returning responses to users.
Host Machine – The underlying operating system that runs both the application and server, often Windows or Linux-based.
Types of Web Attacks
There are two primary types of web attacks: client-side and server-side.
Client-Side Attacks
These occur on the user’s device. Common examples include:
Cross-Site Scripting (XSS) – When malicious scripts are injected through a trusted website and executed in the user’s browser. This often happens when input fields (like comment boxes) lack proper sanitization.
Cross-Site Request Forgery (CSRF) – When an attacker tricks an authenticated user’s browser into performing an unwanted action on a web application.
Server-Side Attacks
These exploit vulnerabilities in the web server itself. Common examples include:
Brute-Force Attacks – Attackers repeatedly try different username and password combinations to gain unauthorized access.
SQL Injection (SQLi) – Attackers manipulate SQL queries to access, modify, or delete hidden data.
Denial-of-Service (DoS) Attacks
A significant part of my studies involved Denial-of-Service (DoS) attacks. For anyone who’s played Rainbow Six Siege, these are all too familiar. A DoS attack floods a website or service with excessive requests, overwhelming it and rendering it inaccessible.
In a hands-on Splunk challenge, I analyzed different aspects of a DoS attack.
Which Clientip made the most requests to the target uri?
By using the search filter “index=main AND uri_path=/search”, I was able to click on the clientip field and find the top IP address.
Which useragent was most commonly used by the attacking traffic?
We can stay on the same filter and check the useragent field’s top value.
Which legitimate (non-attacking) clientip received the first 503 response status post-attack?
First, we have to identify what a 503 response code is: it is the status returned when a service is unavailable. We are filtering for two things here: the 503 status, and a client IP on the 10.10.0.0/24 network. The search would be “index=main AND status=503 AND clientip=10*”. Now we can go to the first block of data and find the first IP address listed.
Like always, these are just a few of the questions asked on the challenge to highlight the thought process and understanding of the tools at hand, in this case Splunk.
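The three Splunk questions above, reproduced as an added Python example over a constructed log (not data or code from the challenge) with the same fields (clientip, uri_path, status, useragent); the CIDR check in the last function is an assumption that tightens the “clientip=10*” prefix match.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass
# Constructed sample events with the Splunk fields used above; not challenge data.
RAW_LOG = """\
2024-01-01T10:00:00 10.10.0.5 /search 200 Mozilla/5.0
2024-01-01T10:00:01 203.0.113.7 /search 200 curl/7.88
2024-01-01T10:00:02 203.0.113.7 /search 200 curl/7.88
2024-01-01T10:00:03 203.0.113.9 /search 200 curl/7.88
2024-01-01T10:00:04 203.0.113.7 /search 503 curl/7.88
2024-01-01T10:00:05 10.10.0.22 /search 503 Mozilla/5.0
2024-01-01T10:00:06 10.10.0.5 /search 503 Mozilla/5.0
2024-01-01T10:00:07 203.0.113.7 /index 503 curl/7.88
"""

@dataclass
class Event:
    ts: str
    clientip: str
    uri_path: str
    status: int
    useragent: str

def parse_log(raw: str) -> list:
    """Parse the space-separated constructed log into Event records."""
    events = []
    for line in raw.splitlines():
        ts, ip, path, status, ua = line.split(maxsplit=4)
        events.append(Event(ts, ip, path, int(status), ua))
    return events

def top_clientip(events, uri_path="/search"):
    """Q1: the clientip with the most requests to the target uri_path."""
    counts = Counter(e.clientip for e in events if e.uri_path == uri_path)
    return counts.most_common(1)[0][0]

def top_useragent(events, uri_path="/search"):
    """Q2: the most common useragent on the same filtered traffic."""
    counts = Counter(e.useragent for e in events if e.uri_path == uri_path)
    return counts.most_common(1)[0][0]

def first_503_internal(events, internal="10.10.0.0/24"):
    """Q3: first internal (legitimate) clientip to receive a 503, in time order.
    Uses CIDR membership rather than the looser 'clientip=10*' prefix match."""
    net = ipaddress.ip_network(internal)
    for e in sorted(events, key=lambda e: e.ts):
        if e.status == 503 and ipaddress.ip_address(e.clientip) in net:
            return e.clientip
    return None
```

Sorting by timestamp before taking the first match matters: Splunk shows newest events first by default, so “first block of data” means the latest unless the search is sorted the other way.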
Web Attack Defense
Protecting web applications is essential, especially when dealing with personally identifiable information (PII). Common defensive measures include:
CAPTCHA – Requires a human user to verify their identity before proceeding, slowing automated attacks and alerting SOC teams to potential threats.
Web Application Firewall (WAF) – Inspects incoming web traffic and allows, challenges, or blocks requests based on predefined security rules and threat intelligence.
Thank you for tuning in for this week’s read! Each week, I’m feeling more confident in my abilities as a cybersecurity practitioner. I also hit Gold Rank on TryHackMe this week, another milestone in my journey! See you next week!