In our old advertisements, you could often read that 70 percent of websites are hackable. The sad truth is, however, that every website and web application can be hacked, given enough time and resources.

What makes a website or web application fall within the 70 percent mentioned above is not just vulnerabilities. Your website security also greatly depends on the attacker’s capabilities and motivation.

Attacker and target categories

To understand the security risks, you must first know web security basics – what types of attackers you may encounter and how they choose their targets. Attackers may be classified into three primary categories depending on their technical knowledge, motives, and methods of operation:

  • Script kiddies: This term refers to amateur attackers, whose primary motivation is to either spread chaos (for example, via distributed denial-of-service attacks – DDoS) or gain reputation and community validation – less frequently to acquire financial gains. Their cybersecurity knowledge is limited and they primarily use existing tools and seek easy wins. They have no ambition to access sensitive data unless it has direct financial value, for example, credit card numbers.
  • Black-hat hackers: This term refers to professional attackers, whose primary motivation is financial and whose methods of operation are illegal and unethical. Their technical knowledge may be vast and they may employ very complex and efficient methods of operation and use advanced attack algorithms. Unfortunately, more and more black-hat hackers are now involved in organized crime, which makes them even more dangerous.
  • White-hat hackers: This term refers to professional attackers, whose motivation is financial, but their methods of operation are legal and ethical. They help you eliminate your vulnerabilities and employ security measures by finding security threats and informing you about them. White-hat hackers cause no harm, quite the opposite. You should respect them and invite them to test your protection by offering bug bounties.

Attacks may also be divided into two primary categories based on how the target is selected:

  • Opportunistic attacks: This term applies when targets are selected randomly on the basis of exploitation potential. The attacker scans a range of targets and finds those that are vulnerable to a particular attack technique. For example, the attacker may look for all WordPress 1.5 installations that are vulnerable to SQL injection (CVE-2005-1687). Such attacks are widespread among script kiddies.
  • Targeted attacks: This term applies when targets are selected specifically on the basis of a particular value to the attacker. The attacker attempts to find security issues to attain their goal. For example, the attacker may try to get unauthorized access to sensitive data such as the detailed list of customers of an enterprise and their motivation may be industrial espionage. This type of attack is the domain of black-hat hackers.

Even if you think that your business poses little value to professional attackers, you may still be a potential target for an opportunistic attack. And if the value of your sensitive information is high enough, even strong access control and leading-edge protection mechanisms may turn out to be insufficient to deter a professional malicious hacker. The more you do to protect yourself, the less chance there is that the attacker will succeed. And the biggest mistake that you can make is thinking that this does not apply to you.

The importance of web application security

While web attacks are not the only type of attacks that may lead to a security compromise, they are one of the most common types, along with all forms of social engineering (including phishing) and malware. These attack types are often also used in combination. However, despite the importance of web application security, a lot of businesses still struggle with maintaining it. Here are our recommendations on how to achieve the best security levels:

  • Use heuristic detection. If you only use signature-based detection systems, you are protecting your assets only against script kiddies. Professional black-hat hackers rely on finding web application vulnerabilities that can only be discovered using a heuristic web vulnerability scanner, such as Acunetix, or manual penetration testing.
  • Prioritize web security over network security. If you focus on network security more than on web security, you should realize that there have been very few major breaches in the past years that were due to network security issues, such as those associated with secure sockets layer (SSL/TLS) errors. On the other hand, there were quite a few major breaches caused by web security issues from the OWASP Top-10 list, such as SQL injection attacks, cross-site scripting (XSS), cross-site request forgery (CSRF), web server and container misconfiguration, etc.
  • Eliminate the source of the problem. If you feel that a web application firewall is enough to protect your assets, you should realize that WAF rules can often be circumvented using malicious code and well-crafted user input. By using a WAF with no other measures, you are not eliminating the source of the problem but only applying a temporary band-aid.
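To illustrate the band-aid versus root-cause point above, here is an added example (not code from the original article or from Acunetix) in Python with the standard sqlite3 module. A WAF-style blocklist rule sits in front of a query built by string concatenation; the fix at the source is a parameterized query that treats any input as data. The table contents and the rule pattern are constructed for the example.

```python
import re
import sqlite3

# Constructed sample data: a tiny customer table kept in memory.
CUSTOMERS = [("O'Brien", "obrien@example.test"), ("Smith", "smith@example.test")]

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)", CUSTOMERS)
    return conn

# The band-aid: a WAF-style rule that rejects requests containing a few
# well-known SQL tokens. A blocklist only knows the patterns it was written
# for, and it also rejects perfectly legitimate input (see the name O'Brien).
WAF_RULE = re.compile(r"('|--|;|\bor\b|\bunion\b)", re.IGNORECASE)

def waf_allows(user_input):
    return WAF_RULE.search(user_input) is None

# The source of the problem: user input concatenated into the SQL text, so
# the database parser sees the input as part of the query structure.
def find_customer_vulnerable(conn, name):
    sql = "SELECT email FROM customers WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]

def concatenation_alters_query(conn, name):
    """True when the raw value changed the SQL that the parser received."""
    try:
        find_customer_vulnerable(conn, name)
        return False
    except sqlite3.OperationalError:
        # Even a harmless apostrophe breaks the query: proof the input is
        # being interpreted as SQL rather than as a value.
        return True

# The fix at the source: a parameterized query. The driver binds the value
# separately from the SQL text, so no input can change the query's structure
# and no front-end filter is needed for correctness.
def find_customer_fixed(conn, name):
    sql = "SELECT email FROM customers WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]

if __name__ == "__main__":
    db = make_db()
    for name in ("Smith", "O'Brien"):
        print(name, "WAF allows:", waf_allows(name),
              "concat breaks:", concatenation_alters_query(db, name),
              "parameterized result:", find_customer_fixed(db, name))
```

The blocklist rejects a real customer name while the concatenated query breaks on it; the parameterized query returns the right row for both names with no filter in front.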

Web application security is not only about discovering security vulnerabilities and eliminating them, but it’s also about prevention. It’s about changing your ways when it comes to web development and operations:

  • Educate: The most efficient way to reduce the attack surface is to educate your entire team. Your developers, administrators, testers, as well as even non-technical personnel should be aware of potential web security issues and should know how to avoid introducing such issues.
  • Shift left: You should aim to eliminate web security issues as soon as possible by shifting left and including web security in your software development lifecycle. If you discover an issue on your production web server and not before, it might be a sign that your processes are not optimized.
  • Be comprehensive: Remember that web security applies not only to server-side and client-side content accessible directly via web browsers but also to web services, APIs, mobile services, IoT devices, and more.

Tomasz Andrzej Nidecki
Principal Cybersecurity Writer
Tomasz Andrzej Nidecki (also known as tonid) is a Primary Cybersecurity Writer at Invicti, focusing on Acunetix. A journalist, translator, and technical writer with 25 years of IT experience, Tomasz has been the Managing Editor of the hakin9 IT Security magazine in its early years and used to run a major technical blog dedicated to email security.