Web server-based attacks
Web server-based attacks and vulnerabilities include:
Platform vulnerabilities – Vulnerabilities in the operating system, server software, or application modules running on the web server can be exploited by an attacker. Vulnerabilities can sometimes be uncovered by monitoring the communication between a mobile device and the web server to find weaknesses in the protocol or access controls.
Server misconfiguration – A poorly configured web server may allow unauthorized access to resources that normally would be protected.
Cross-site scripting (XSS) – Cross-site scripting is an attack that involves injecting malicious JavaScript code into a website. Pages that are vulnerable to this type of attack return user input to the browser without properly sanitizing it. This attack is often used to run code automatically when a user visits a page, taking control of a user’s browser. After control of the browser has been established, the attacker can leverage that control into a variety of attacks, such as content injection or malware propagation.
Cross-site request forgery (CSRF) – Cross-site request forgery involves an attacker crafting HTTP (Web) requests based on knowledge of how a particular web application functions, and tricking a user or browser into submitting these requests. If a Web app is vulnerable, the attack can execute transactions or submissions that appear to come from the user. CSRF is normally used after an attacker has already gained control of a user’s session, either through XSS, social engineering, or other methods.
Weak input validation – Many Web services overly trust the input coming from mobile applications, relying on the application to validate data provided by the end user. However, attackers can forge their own communication to the web server or bypass the application’s logic checks entirely, allowing them to take advantage of missing validation logic on the server to perform unauthorized actions.
Brute-force attacks – A brute-force attack simply tries to guess the valid inputs to a field, often using a high rate of attempts and dictionaries of possible values. The most common usage of a brute-force attack is on authentication, but it can also be used to discover other valid values in a Web app.
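The XSS and weak-input-validation items above describe the same root cause from two sides: the server reflects client-supplied text into a page unchanged, and it trusts the client to have validated that text. The following Python example, added here and not part of the original text, shows a reflected page in its vulnerable and output-encoded forms, plus server-side validation that runs regardless of what the mobile app checked. The request bodies, field names and the name rule are constructed for the illustration.

```python
import html
import re
from urllib.parse import parse_qs

# Constructed sample form bodies (not from the original text): a benign submission,
# one whose name field carries a script tag (the input the XSS item describes),
# and one with a non-numeric age.
BENIGN = "name=alice&age=30"
SCRIPT_TAG = "name=%3Cscript%3Ealert%28%27xss%27%29%3C%2Fscript%3E&age=30"
BAD_AGE = "name=bob&age=abc"

# Hypothetical field rule: a letter followed by up to 63 letters, digits, spaces,
# apostrophes or hyphens. An allow-list like this is the validation step the
# server must perform itself rather than delegate to the client application.
NAME_RE = re.compile(r"[A-Za-z][A-Za-z0-9 '\-]{0,63}")


def parse_form(query_string):
    """Decode an application/x-www-form-urlencoded body into single-valued fields."""
    return {k: v[0] for k, v in parse_qs(query_string).items()}


def reflect_unsafe(query_string):
    """Echoes the submitted name into HTML as-is: the vulnerable page the XSS item describes."""
    fields = parse_form(query_string)
    return "<p>Hello, " + fields.get("name", "") + "</p>"


def reflect_safe(query_string):
    """Same page with output encoding: markup characters become entities, so the
    browser renders the text instead of executing it as script."""
    fields = parse_form(query_string)
    return "<p>Hello, " + html.escape(fields.get("name", ""), quote=True) + "</p>"


def validate_profile(fields):
    """Server-side validation of the structured fields (the weak-input-validation item).
    Returns (ok, errors) so the caller can refuse the request before rendering."""
    errors = []
    if not NAME_RE.fullmatch(fields.get("name", "")):
        errors.append("name: must match the allowed character set and length")
    age = fields.get("age", "")
    if not age.isdigit() or not 0 < int(age) < 150:
        errors.append("age: must be an integer between 1 and 149")
    return (not errors, errors)


def handle_profile(query_string):
    """Reject invalid input with a 400 before any rendering; encode on output otherwise.
    Returns (status_code, body)."""
    fields = parse_form(query_string)
    ok, errors = validate_profile(fields)
    if not ok:
        return (400, "; ".join(errors))
    return (200, reflect_safe(query_string))


def contains_script_tag(rendered_html):
    """Check used when testing the renderers: is a raw <script> tag still present in the output?"""
    return "<script" in rendered_html.lower()


if __name__ == "__main__":
    for body in (BENIGN, SCRIPT_TAG, BAD_AGE):
        print(body, "->", handle_profile(body))
```

Validation and output encoding are separate controls: the allow-list rejects the script tag here because a name never legitimately contains markup, but free-text fields that must accept such characters still need `html.escape` (or the equivalent for the output context) at render time.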
Database attacks
Database attacks and vulnerabilities include:
SQL injection – Interfaces that don’t properly validate user input can result in SQL being injected into an otherwise innocuous application query, causing the database to expose or otherwise manipulate data that should normally be restricted from the user or application.
OS command execution – Similar to SQL injection, certain database systems provide a means of executing OS-level commands. An attacker can inject such commands into a query, causing the database to execute them on the server and providing the attacker with additional privileges, up to and including root-level system access.
Privilege escalation – This occurs when an attacker uses an exploit to gain access beyond the privileges originally granted. On databases this can lead to theft of sensitive data.
Data dumping – An attacker causes the database to dump some or all data within a database, exposing sensitive records.
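The SQL-injection and data-dumping items describe one mechanism: user input is concatenated into query text, so a value that closes the string literal changes what the query returns. The following Python example, added here and not part of the original text, builds a small in-memory SQLite table with constructed rows and places the injectable lookup beside its parameterised form, so the difference in returned rows can be checked directly. The table, rows and input string are constructed for the illustration.

```python
import sqlite3

# Constructed input (not from the original text) that closes the string literal and
# appends an always-true condition: the shape that turns a single-row lookup into a dump.
DUMP_ALL = "x' OR '1'='1"


def build_db():
    """In-memory SQLite database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn


def lookup_unsafe(conn, username):
    """The injectable query the SQL-injection item describes: the value is pasted into
    the SQL text, so quote characters in it are parsed as SQL."""
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Parameterised query: the driver binds the value separately from the statement,
    so it is compared as data and never parsed as SQL."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


def row_count_delta(conn, username):
    """Rows returned by the unsafe lookup minus rows returned by the safe one for the
    same input. Anything above zero means the input changed the query's meaning."""
    return len(lookup_unsafe(conn, username)) - len(lookup_safe(conn, username))


if __name__ == "__main__":
    db = build_db()
    print("unsafe:", lookup_unsafe(db, DUMP_ALL))   # every row in the table
    print("safe:  ", lookup_safe(db, DUMP_ALL))     # no user has that literal name
    print("delta: ", row_count_delta(db, DUMP_ALL))
```

Parameter binding is the primary control; running the application's database account with the minimum privileges it needs (no access to OS-command features, no rights on tables it does not use) limits what an injection can reach if one slips through, which is the mitigation for the OS-command-execution and privilege-escalation items above.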