Protect your network from the most common enterprise security attack – Web application exploits
Vulnerabilities in web applications are now the largest vector of enterprise security attacks. Stories about exploits that compromise sensitive data frequently mention culprits such as "cross-site scripting," "SQL injection," and "web site misconfigurations." Vulnerabilities like these often fall outside the traditional scope and expertise of network security managers. Because web application vulnerabilities are relatively obscure to those teams, they make useful targets for attackers and are, as a result, exploited more frequently.
Due to maturing security defenses, today's attacks are more heavily focused on web applications – one of the weakest links in overall corporate security. As many organizations have discovered, these attacks can evade traditional enterprise network defenses unless new precautions are put into action.
That's why web application security is now a critical component of any security infrastructure. To minimize these new risks, organizations need a solution that can automate the detection of the most prevalent vulnerabilities found in custom web applications.
Types of Web Application Vulnerabilities
Authentication – Stealing User Account Identities
- Brute Force, Insufficient Authentication, Weak Password Recovery Validation
Authorization – Illegal Access to Applications
- Credential / Session Prediction, Insufficient Authorization, Insufficient Session Expiration, Session Fixation
Client-side Attacks – Illegal Execution of Foreign Code
- Content Spoofing, Cross-site Scripting (XSS)
Command Execution – Hijacks Control of Web Application
- Buffer Overflow, Format String Attack, LDAP Injection, OS Commanding, SQL Injection, SSI Injection, XPath Injection
Information Disclosure – Shows Sensitive Data to Attackers
- Directory Indexing, Information Leakage, Path Traversal, Predictable Resource Location
Logical Attacks – Interfere with Application Usage
- Abuse of Functionality, Denial of Service (DoS), Insufficient Anti-automation, Insufficient Process Validation
For more detail on web application vulnerabilities, download our Web Application Security Guide.
Solution: QualysGuard Web Application Scanning
The QualysGuard Web Application Scanning (WAS) solution is an on-demand service integrated into the QualysGuard security and compliance Security-as-a-Service (SaaS) suite. Using QualysGuard WAS presumes no specialized knowledge of web security. The service allows a network security or IT administrator to execute comprehensive, accurate vulnerability scans on custom web applications such as shopping carts, forms, login pages, and other types of dynamic content. Its broad scope of coverage focuses the tests on web application security.
