Why you need a Web App Firewall (and more): A Review of Web Application Attacks & Countermeasures
A Review of Web Application Attacks and Countermeasures

There are so many types of Web-based attacks and security risks to watch out for, where do you start? While the details of these attacks vary greatly, the key threat concepts -- and the main defensive countermeasures -- are well understood and can be boiled down to a manageable list. Let's take a look at the major attack types that your Microsoft IIS Web servers, database-enabled Web sites and Web-based applications need to be ready for. We will also point you to the Port80 Software solutions that provide effective countermeasures to these types of attacks.
Network and System Reconnaissance

Camouflage should be "standard issue" for Web servers. The first task of a Web attacker (a cyber criminal, internal or external) is to determine your operating system, Web server, application server and database platforms.

The most successful attacks are often targeted attacks, so removing or obfuscating the signatures of your technology platforms -- both obvious ones like the server name header or file extensions in HTTP, or the TCP/IP window size, as well as more subtle signatures, like cookie names, ETag formats, HTTP header order, or services running on IP/port combinations -- is an important type of countermeasure in itself.

This can either dissuade intruders from attacking your Web site or Web application altogether or force them to make incorrect assumptions that lead them to try the wrong types of attacks (for instance, a Linux/UNIX hack on a Windows system). In turn, this makes it easier for firewalls and IDS systems to identify and block those attacks directly.

Port80 Solutions: ServerMask
Image and File Leeching

Do not serve Web content for others unknowingly. A lower-priority attack that costs many sites precious bandwidth and responsiveness is a leeching attack, where a hacker identifies file resources that are not access controlled or protected by authentication on your Web site, like images and video.

The countermeasures to stop this type of leeching attack range from the simple to the more robust, from referer checking through time-limited or "sessionized" URLs. You can also weed out the more amateurish types of leeching bots and scripts by checking the cookie, browser, and HTTP header details for each request.

Port80 Solutions: LinkDeny
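The two countermeasures named above, as an added Python example that is not part of the deck or of LinkDeny: a time-limited "sessionized" URL signed with HMAC, plus the weaker Referer check. The secret key and the allowed hostnames are constructed for the example.

```python
import hashlib
import hmac
import time
from typing import Dict, Optional
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed secret for the example; a real deployment keeps it out of source.
SECRET_KEY = b"example-secret-key-change-me"
# Assumed hostnames of the site whose pages may embed the media.
ALLOWED_REFERER_HOSTS = {"www.example.com", "example.com"}


def sign_path(path: str, expires: int) -> str:
    """HMAC-SHA256 over the resource path and its expiry timestamp."""
    msg = f"{path}|{expires}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def make_sessionized_url(path: str, ttl_seconds: int, now: Optional[int] = None) -> str:
    """Issue a URL for a media file that stops working after ttl_seconds.
    The page that embeds the image or video calls this when it is rendered."""
    now = int(time.time()) if now is None else now
    expires = now + ttl_seconds
    query = urlencode({"expires": expires, "sig": sign_path(path, expires)})
    return f"{path}?{query}"


def check_sessionized_url(url: str, now: Optional[int] = None) -> bool:
    """Serve the file only if the signature matches and the URL has not expired.
    Editing the path or the expiry invalidates the signature."""
    now = int(time.time()) if now is None else now
    parts = urlsplit(url)
    params = parse_qs(parts.query)
    try:
        expires = int(params["expires"][0])
        sig = params["sig"][0]
    except (KeyError, ValueError):
        return False
    if now > expires:
        return False
    # Constant-time comparison so response timing does not leak the expected value.
    return hmac.compare_digest(sig, sign_path(parts.path, expires))


def referer_is_onsite(headers: Dict[str, str]) -> bool:
    """Cheaper, weaker check: the Referer header names one of our own hosts.
    The header is client-supplied and easily omitted or forged, so this only
    filters the amateurish leechers the deck mentions; it is not a boundary."""
    referer = headers.get("Referer")
    if not referer:
        return False
    return urlsplit(referer).hostname in ALLOWED_REFERER_HOSTS
```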
Restricting Access

Block IPs that are no good (up to no good or not good for you). You can also protect against undesired use of your Web content by using IP access control to that content. This is often overlooked in sites that use authentication and authorization, but what if you need to host content for anonymous users as well -- or exclusively?

Controlling access to Web content is by no means the same as locking down your Web server, site and application against determined exploits, but it can be a prudent deterrent to further abuse.

Port80 Solutions: LinkDeny
SQL Injection Attacks

You can code to avoid this type of attack in your Web application, but many Web developers do not have the time or the expertise to cover the types of input sanitization required to make sure that:
1. characters passed in URL strings do not allow for unintended database access and control, and
2. the type of data being passed in the URL is what was intended (for example, checking that user-supplied input expected in a numeric field to be used in a SQL statement is indeed numeric).

You can also work to make the database more secure with such measures as stored procedures and least-access security privileges for the accounts accessing the database. Still, you need to sanitize the inputs allowed to reach the database to avoid parser evasion attacks that sneak various characters into a string, allowing an attacker to append commands to a normal variable value to delete or alter database content (or escalate their privileges on your application or server itself).

Port80 Solutions: ServerDefender AI, ServerDefender VP
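The numeric-field check from point 2 above, shown as an added Python example (not the deck's or Port80's code) against a constructed in-memory SQLite table: the vulnerable lookup pastes the URL parameter into the SQL text, while the hardened one rejects anything that is not a short decimal number and then binds the value as a query parameter.

```python
import re
import sqlite3
from typing import List


def build_db() -> sqlite3.Connection:
    """Constructed product table; the 'internal' row must never reach the public."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, internal INTEGER)"
    )
    conn.executemany(
        "INSERT INTO products VALUES (?, ?, ?)",
        [(1, "widget", 0), (2, "gadget", 0), (3, "unreleased-item", 1)],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, product_id: str) -> List[str]:
    """Vulnerable form: the raw URL parameter becomes part of the statement,
    so whatever the client appends to the value is parsed as SQL."""
    sql = (
        "SELECT name FROM products WHERE internal = 0 AND id = "
        + product_id
        + " ORDER BY id"
    )
    return [row[0] for row in conn.execute(sql)]


# A product id is a short run of ASCII digits and nothing else.
NUMERIC_ID = re.compile(r"[0-9]{1,9}")


def lookup_hardened(conn: sqlite3.Connection, product_id: str) -> List[str]:
    """Hardened form: (1) reject input that is not a decimal integer, which is
    the numeric-field check the deck describes; (2) bind the value as a
    parameter so the database driver never treats it as SQL text."""
    if NUMERIC_ID.fullmatch(product_id) is None:
        raise ValueError("product id must be a decimal integer")
    sql = "SELECT name FROM products WHERE internal = 0 AND id = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (int(product_id),))]
```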
Buffer Overflow Attacks

Put some limits on data requested from unknown Web users. Attackers love to throw huge amounts of malicious data at systems to see what limits have been set and to see if too much data crammed into a particular form field or URL string will crash the system -- or lead to remote control of your servers.

They will pack high-bit shellcode (a transferable piece of code used as the payload in the exploitation of a software bug) into a Web request, hoping that the developer has not placed any buffer limits on the request and is not sanitizing input into the Web application. Placing a limit on buffer characters easily helps to avoid this type of attack.

Port80 Solutions: ServerDefender AI, ServerDefender VP
Cross-Site Scripting (XSS) Attacks

Don't become a vector for attacks on other sites or your Web visitors themselves. Often used in conjunction with phishing, social engineering, and other browser exploits, XSS attacks inject malicious HTML or client-side scripts into Web pages viewed by other users, thereby bypassing the access controls that browsers use to make sure requests are from the same domain (same origin policy).

By these means, an attacker can gain elevated access privileges to sensitive page content, session cookies, and a variety of other client-side objects through an XSS attack. Some XSS attacks can be tracked to DOM-based or local cross-site script vulnerabilities within a page's client-side script itself, often called non-persistent or reflected XSS vulnerabilities. When data provided by a Web user is used immediately by server-side scripts to generate a page of results for that user, and unvalidated user-supplied data is included in the resulting page without HTML encoding, client-side code can be injected into the dynamic page.

If an attacker can convince a user to follow a malicious URL which injects code into the results page, the attacker gets full access to that page's content, where many other traps can be laid for the user.

Port80 Solutions: ServerDefender AI, ServerDefender VP
Cross-Site Request Forgery Attacks

Seriously, don't become a vector for indirect attacks on other sites or your visitors. Cross-site request forgery (CSRF or XSRF), also known as a one-click attack or session riding, is an exploit very similar to an XSS attack. Rather than an attacker injecting unauthorized code into a Web site, a cross-site request forgery attack only transmits unauthorized commands from a user that the Web site or application considers to be authenticated.

These types of attacks are very common on Internet forums, where users are allowed to post images but not JavaScript. To combat this, URLs can be sessionized by implementing a transient authentication mechanism (such as a constantly changing, hidden form field value) in place of persistent, cookie-based, or HTTP authentication. A simpler approach, requiring far less code rewriting, is to check that the referer in the request is from an authorized, on-site page. This can be spoofed, however, and so should not be relied upon exclusively.

For Ajax scenarios in particular, a modestly costly method for combating CSRF attacks is to require the double submission of any cookies that are used for authentication -- essentially by reading the authentication token from the cookie on the client side using JavaScript, submitting it separately with the GET or POST, and then validating it along with the cookie itself. Cookie encryption or signing also helps to defeat these attacks.

Port80 Solutions: ServerDefender AI, ServerDefender VP, LinkDeny (weak protection)
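The server side of the double-submit check described above, as an added Python example that is not the deck's or Port80's code: a CSRF token is issued with the session, the page's own JavaScript copies it from the cookie into an X-CSRF-Token header (or a hidden form field), and the server accepts a state-changing request only when both copies agree with its own record. The in-memory session store is constructed for the example, and cookie signing, which the deck also recommends, is left out.

```python
import hmac
import secrets
from typing import Dict

# Constructed in-memory session store: session id -> CSRF token.
# A real application keeps this in its session backend.
SESSIONS: Dict[str, str] = {}


def start_session() -> Dict[str, str]:
    """Login step: mint a session id and a CSRF token and hand both to the
    client as cookies. The CSRF cookie must stay readable by script (no HttpOnly)
    so the page's JavaScript can copy it into a header; the session cookie need not."""
    session_id = secrets.token_urlsafe(32)
    csrf_token = secrets.token_urlsafe(32)
    SESSIONS[session_id] = csrf_token
    return {"session": session_id, "csrf": csrf_token}


def parse_cookie_header(value: str) -> Dict[str, str]:
    """Split a raw Cookie header into name -> value."""
    cookies: Dict[str, str] = {}
    for part in value.split(";"):
        if "=" in part:
            name, val = part.strip().split("=", 1)
            cookies[name] = val
    return cookies


def csrf_request_allowed(method: str, headers: Dict[str, str], form: Dict[str, str]) -> bool:
    """Double-submit check for requests that change state.

    A cross-site page can make the browser attach our cookies, but the same
    origin policy stops it reading them, so it cannot supply the second copy.
    """
    if method.upper() in ("GET", "HEAD", "OPTIONS"):
        return True  # safe methods must not change state, so they are not checked
    cookies = parse_cookie_header(headers.get("Cookie", ""))
    session_id = cookies.get("session")
    cookie_token = cookies.get("csrf")
    if not session_id or not cookie_token:
        return False
    # Second copy: header for Ajax calls, hidden field for plain HTML forms.
    submitted = headers.get("X-CSRF-Token") or form.get("csrf_token")
    if not submitted:
        return False
    expected = SESSIONS.get(session_id)
    if expected is None:
        return False  # unknown or expired session
    # Both copies must match each other and the server-side record.
    return hmac.compare_digest(submitted.encode(), cookie_token.encode()) and hmac.compare_digest(
        cookie_token.encode(), expected.encode()
    )
```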
Directory Traversal Attacks

/admin, /scripts, /noaccess, /etc. If you can get to a file via a URL, an attacker can get to it as well, even if the link is not publicly displayed on your Web site. Also known as ../ (dot dot slash), directory climbing, backtracking, and sometimes a canonicalization attack, a directory traversal attack exploits insufficient security validation and sanitization of user-supplied URL paths in Web site and application requests.

This type of attack does not imply a coding deficiency, but rather a lack of security and authentication for all Web resources on a site or application. Microsoft Windows or DOS directory traversal uses the ..\ characters, although many Windows programs or APIs also accept UNIX-like directory traversal characters (../), but at least most directory vulnerabilities on Windows are limited to a single partition (C:\, etc.).

Though IIS can handle simple cases of directory traversal attacks, this is just a start. You need to stop requests to seemingly non-existent Web resources, sanitize inputs from all odd or non-standard character encodings, ensure document roots are known and string lengths are consistent, and also confirm that no files outside the document root of the site can be served. Of course, the best response to a directory traversal request (the only one that does not give any clues to the attacker) is a good old 404 HTTP response.

Port80 Solutions: ServerDefender AI, ServerDefender VP
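The checks listed above (length limit, odd encodings, a known document root, nothing served from outside it, and a plain 404 otherwise), as an added Python example that is not the deck's or Port80's code. The document root /var/www/site is assumed and need not exist; realpath canonicalises the request lexically, and both ../ and the Windows ..\ form are handled.

```python
import os
from typing import Optional
from urllib.parse import unquote

# Assumed document root for the example; it need not exist for the checks to run.
DOC_ROOT = os.path.realpath("/var/www/site")
MAX_PATH_LEN = 255


def resolve_request_path(url_path: str, doc_root: str = DOC_ROOT) -> Optional[str]:
    """Map a request path to a file under doc_root.

    Returns the canonical filesystem path to serve, or None when the request
    should get a 404: too long, still changing after repeated percent-decoding,
    containing control characters, or resolving outside the document root.
    """
    if len(url_path) > MAX_PATH_LEN:
        return None
    # The query string and fragment are not part of the file path.
    path = url_path.split("?", 1)[0].split("#", 1)[0]
    # Decode until stable so %2e%2e and double-encoded %252e%252e both become "..".
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    else:
        return None  # still decoding after three rounds: treat as hostile
    if any(ord(ch) < 0x20 for ch in path):  # NUL and other control characters
        return None
    # Windows APIs accept "\" as a separator, so normalise it before checking.
    path = path.replace("\\", "/")
    candidate = os.path.realpath(os.path.join(doc_root, path.lstrip("/")))
    # After canonicalisation the target must be the root itself or something below it.
    if candidate != doc_root and not candidate.startswith(doc_root + os.sep):
        return None
    return candidate


def response_status(url_path: str) -> int:
    """A rejected request gets the same 404 as a missing file: no clue either way."""
    return 200 if resolve_request_path(url_path) is not None else 404
```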
Zero Day Attacks

Protect against attacks before the patch and after the patch. A zero-day (or zero-hour) attack is not so much a specific type of attack as it is a special case of all other types. A zero-day attack is one that exploits heretofore undisclosed or unpatched computer application vulnerabilities.

As new attacks are introduced against IIS and application server code, often falling into the category of one of the other attacks discussed here, it is vital to have a general-purpose Web application firewall covering the bases to protect the site or app from that attack vector before the platform patches can be applied.

Port80 Solutions: ServerDefender AI, ServerDefender VP
Brute Force Attacks

A, B, C, D, Admin Access... A brute force attack, sometimes called a dictionary attack, is a method of defeating a cryptographic authentication/authorization scheme by trying a large number of possible answers. The best example is exhaustively working through all possible keys in order to discover a password combination.

Like a zero day attack, brute force attacks are often used to find open, unprotected directories or to break authentication and authorization layers. Effective request throttling -- tracking and limiting the frequency of Web requests per second to a particular login file or directory -- often defeats this form of automated attack.

Port80 Solutions: ServerDefender AI
Denial-of-Service Attacks

The attack forces the targeted Web server to reset or consume its resources such that it can no longer serve legitimate requests. Like a brute force attack, being able to identify and block IP addresses with a high frequency of requests can stop these attacks before site resources are used up, keeping legitimate Web users in service.
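The per-IP request throttling recommended in both the brute force and denial-of-service sections, as an added Python example that is not the deck's or Port80's code: a sliding-window counter keyed by client IP and requested path (so a login page gets its own limit), which blocks an IP that exceeds the limit for a fixed period. The access-log lines in the test and the thresholds are constructed.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple


class RequestThrottle:
    """Sliding-window request limiter keyed by (client IP, path).

    Constructed example: at most max_requests per window_seconds to one path;
    an IP that exceeds it is blocked for block_seconds and its later requests
    are refused before they reach the application or the login handler.
    """

    def __init__(self, max_requests: int, window_seconds: float, block_seconds: float):
        self.max_requests = max_requests
        self.window = window_seconds
        self.block = block_seconds
        self._hits: Dict[Tuple[str, str], Deque[float]] = defaultdict(deque)
        self._blocked_until: Dict[str, float] = {}

    def is_blocked(self, ip: str, now: float) -> bool:
        return self._blocked_until.get(ip, 0.0) > now

    def allow(self, ip: str, path: str, now: float) -> bool:
        """Return True if the request may proceed, False if it should be dropped.
        The clock is passed in so the logic is deterministic and testable."""
        if self.is_blocked(ip, now):
            return False
        hits = self._hits[(ip, path)]
        # Forget timestamps that have aged out of the window.
        while hits and hits[0] <= now - self.window:
            hits.popleft()
        hits.append(now)
        if len(hits) > self.max_requests:
            self._blocked_until[ip] = now + self.block
            hits.clear()
            return False
        return True


def replay_log(throttle: RequestThrottle, lines: List[str]) -> List[Tuple[str, str, bool]]:
    """Feed constructed access-log lines of the form 'timestamp ip path' through
    the throttle and return each (ip, path, allowed) decision in order."""
    decisions = []
    for line in lines:
        ts, ip, path = line.split()
        decisions.append((ip, path, throttle.allow(ip, path, float(ts))))
    return decisions
```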
Privilege Escalation Attacks

Control is the ultimate goal of all attackers. At the end of the day, almost every Web attack is an attempt to escalate privileges and gain remote control over your Web sites, apps, data and user communities. Privilege escalation is the act of exploiting a bug in an application to gain access to resources which would normally have been protected from an application or user with lower privileges.

Port80 Solutions: ServerDefender AI, ServerDefender VP
Defense-in-Depth Works

How do you avoid being fully hacked? In general, it goes without saying that you should protect your ports and network with a standard hardware firewall, keep patching your OS, Web, app, and DB layers, authenticate secure sections of the site, and learn as much as possible about the security options in your code development on ASP, ASP.NET, ColdFusion, PHP, JSP, or other types of Web-based application.

By additionally layering in Port80 Software's security solutions, you will augment these systems to directly protect your Microsoft IIS Web server, Web apps, and data from the bad guys out there on the Internet.
About Port80 Software

More Related Content

What's hot

Web Application Security and Awareness
Web Application Security and AwarenessWeb Application Security and Awareness
Web Application Security and Awareness
Abdul Rahman Sherzad
 
OWASP Serbia - A3 broken authentication and session management
OWASP Serbia - A3 broken authentication and session managementOWASP Serbia - A3 broken authentication and session management
OWASP Serbia - A3 broken authentication and session management
Nikola Milosevic
 

What's hot (20)

Owasp top 10 security threats
Owasp top 10 security threatsOwasp top 10 security threats
Owasp top 10 security threats
 
Owasp first5 presentation
Owasp first5 presentationOwasp first5 presentation
Owasp first5 presentation
 
OWASP Top 10 - 2017
OWASP Top 10 - 2017OWASP Top 10 - 2017
OWASP Top 10 - 2017
 
Owasp 2017 oveview
Owasp 2017   oveviewOwasp 2017   oveview
Owasp 2017 oveview
 
Testing Web Application Security
Testing Web Application SecurityTesting Web Application Security
Testing Web Application Security
 
Web application security
Web application securityWeb application security
Web application security
 
OWASP Top 10 - 2017 Top 10 web application security risks
OWASP Top 10 - 2017 Top 10 web application security risksOWASP Top 10 - 2017 Top 10 web application security risks
OWASP Top 10 - 2017 Top 10 web application security risks
 
Owasp top 10 vulnerabilities
Owasp top 10 vulnerabilitiesOwasp top 10 vulnerabilities
Owasp top 10 vulnerabilities
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration Testing
 
Web Application Security and Awareness
Web Application Security and AwarenessWeb Application Security and Awareness
Web Application Security and Awareness
 
OWASP Top 10 Vulnerabilities 2017- AppTrana
OWASP Top 10 Vulnerabilities 2017- AppTranaOWASP Top 10 Vulnerabilities 2017- AppTrana
OWASP Top 10 Vulnerabilities 2017- AppTrana
 
Microservices Security
Microservices SecurityMicroservices Security
Microservices Security
 
OWASP Serbia - A3 broken authentication and session management
OWASP Serbia - A3 broken authentication and session managementOWASP Serbia - A3 broken authentication and session management
OWASP Serbia - A3 broken authentication and session management
 
Owasp top 10
Owasp top 10Owasp top 10
Owasp top 10
 
The Complete Web Application Security Testing Checklist
The Complete Web Application Security Testing ChecklistThe Complete Web Application Security Testing Checklist
The Complete Web Application Security Testing Checklist
 
Web Application Vulnerabilities
Web Application VulnerabilitiesWeb Application Vulnerabilities
Web Application Vulnerabilities
 
Realities of Security in the Cloud - CSS ATX 2017
Realities of Security in the Cloud - CSS ATX 2017Realities of Security in the Cloud - CSS ATX 2017
Realities of Security in the Cloud - CSS ATX 2017
 
Security-testing presentation
Security-testing presentationSecurity-testing presentation
Security-testing presentation
 
OWASP Top 10 2017 - New Vulnerabilities
OWASP Top 10 2017 - New VulnerabilitiesOWASP Top 10 2017 - New Vulnerabilities
OWASP Top 10 2017 - New Vulnerabilities
 
OWASP Top 10 2017
OWASP Top 10 2017OWASP Top 10 2017
OWASP Top 10 2017
 

Viewers also liked

Methods to Bypass a Web Application Firewall Eng
Methods to Bypass a Web Application Firewall EngMethods to Bypass a Web Application Firewall Eng
Methods to Bypass a Web Application Firewall Eng
Dmitry Evteev
 
Known XML Vulnerabilities Are Still a Threat to Popular Parsers ! & Open Sour...
Known XML Vulnerabilities Are Still a Threat to Popular Parsers ! & Open Sour...Known XML Vulnerabilities Are Still a Threat to Popular Parsers ! & Open Sour...
Known XML Vulnerabilities Are Still a Threat to Popular Parsers ! & Open Sour...
Lionel Briand
 

Viewers also liked (19)

Web Application Firewalls Detection, Bypassing And Exploitation
Web Application Firewalls  Detection, Bypassing And ExploitationWeb Application Firewalls  Detection, Bypassing And Exploitation
Web Application Firewalls Detection, Bypassing And Exploitation
 
Valtion yhteinen tietoliikenneratkaisu - VY-verkko yhdistää turvalli-sesti kä...
Valtion yhteinen tietoliikenneratkaisu - VY-verkko yhdistää turvalli-sesti kä...Valtion yhteinen tietoliikenneratkaisu - VY-verkko yhdistää turvalli-sesti kä...
Valtion yhteinen tietoliikenneratkaisu - VY-verkko yhdistää turvalli-sesti kä...
 
2009: Securing Applications With Web Application Firewalls and Vulnerability ...
2009: Securing Applications With Web Application Firewalls and Vulnerability ...2009: Securing Applications With Web Application Firewalls and Vulnerability ...
2009: Securing Applications With Web Application Firewalls and Vulnerability ...
 
External XML Entities
External XML EntitiesExternal XML Entities
External XML Entities
 
Methods to Bypass a Web Application Firewall Eng
Methods to Bypass a Web Application Firewall EngMethods to Bypass a Web Application Firewall Eng
Methods to Bypass a Web Application Firewall Eng
 
SSRF vs. Business-critical applications. XXE tunneling in SAP
SSRF vs. Business-critical applications. XXE tunneling in SAPSSRF vs. Business-critical applications. XXE tunneling in SAP
SSRF vs. Business-critical applications. XXE tunneling in SAP
 
Known XML Vulnerabilities Are Still a Threat to Popular Parsers ! & Open Sour...
Known XML Vulnerabilities Are Still a Threat to Popular Parsers ! & Open Sour...Known XML Vulnerabilities Are Still a Threat to Popular Parsers ! & Open Sour...
Known XML Vulnerabilities Are Still a Threat to Popular Parsers ! & Open Sour...
 
Waf bypassing Techniques
Waf bypassing TechniquesWaf bypassing Techniques
Waf bypassing Techniques
 
SSRF workshop
SSRF workshop SSRF workshop
SSRF workshop
 
XML Attack Surface - Pierre Ernst (OWASP Ottawa)
XML Attack Surface - Pierre Ernst (OWASP Ottawa)XML Attack Surface - Pierre Ernst (OWASP Ottawa)
XML Attack Surface - Pierre Ernst (OWASP Ottawa)
 
CloudFlare vs Incapsula: Round 2
CloudFlare vs Incapsula: Round 2CloudFlare vs Incapsula: Round 2
CloudFlare vs Incapsula: Round 2
 
Advanced SQL Injection
Advanced SQL InjectionAdvanced SQL Injection
Advanced SQL Injection
 
Sql injection with sqlmap
Sql injection with sqlmapSql injection with sqlmap
Sql injection with sqlmap
 
Web application attack Presentation
Web application attack PresentationWeb application attack Presentation
Web application attack Presentation
 
Bypass file upload restrictions
Bypass file upload restrictionsBypass file upload restrictions
Bypass file upload restrictions
 
CloudFlare vs Incapsula vs ModSecurity
CloudFlare vs Incapsula vs ModSecurityCloudFlare vs Incapsula vs ModSecurity
CloudFlare vs Incapsula vs ModSecurity
 
Spot the Web Vulnerability
Spot the Web VulnerabilitySpot the Web Vulnerability
Spot the Web Vulnerability
 
Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016
 
Web Application Firewall
Web Application FirewallWeb Application Firewall
Web Application Firewall
 

Similar to Why You Need A Web Application Firewall

Web Server Web Site Security
Web Server Web Site SecurityWeb Server Web Site Security
Web Server Web Site Security
Steven Cahill
 
Hackers versus Developers and Secure Web Programming
Hackers versus Developers and Secure Web ProgrammingHackers versus Developers and Secure Web Programming
Hackers versus Developers and Secure Web Programming
Akash Mahajan
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application Security
Abdul Wahid
 

Similar to Why You Need A Web Application Firewall (20)

Web Application Security
Web Application SecurityWeb Application Security
Web Application Security
 
Web Server Web Site Security
Web Server Web Site SecurityWeb Server Web Site Security
Web Server Web Site Security
 
React security vulnerabilities
React security vulnerabilitiesReact security vulnerabilities
React security vulnerabilities
 
Website hacking and prevention (All Tools,Topics & Technique )
Website hacking and prevention (All Tools,Topics & Technique )Website hacking and prevention (All Tools,Topics & Technique )
Website hacking and prevention (All Tools,Topics & Technique )
 
Hackers versus Developers and Secure Web Programming
Hackers versus Developers and Secure Web ProgrammingHackers versus Developers and Secure Web Programming
Hackers versus Developers and Secure Web Programming
 
Web Application Security Tips
Web Application Security TipsWeb Application Security Tips
Web Application Security Tips
 
A security note for web developers
A security note for web developersA security note for web developers
A security note for web developers
 
Ceh v5 module 12 web application vulnerabilities
Ceh v5 module 12 web application vulnerabilitiesCeh v5 module 12 web application vulnerabilities
Ceh v5 module 12 web application vulnerabilities
 
Are you fighting_new_threats_with_old_weapons
Are you fighting_new_threats_with_old_weaponsAre you fighting_new_threats_with_old_weapons
Are you fighting_new_threats_with_old_weapons
 
SeanRobertsThesis
SeanRobertsThesisSeanRobertsThesis
SeanRobertsThesis
 
Cross Site Scripting Defense Presentation
Cross Site Scripting Defense Presentation Cross Site Scripting Defense Presentation
Cross Site Scripting Defense Presentation
 
Techniques for securing rest
Techniques for securing restTechniques for securing rest
Techniques for securing rest
 
Intro to Web Application Security
Intro to Web Application SecurityIntro to Web Application Security
Intro to Web Application Security
 
Module 11 (hacking web servers)
Module 11 (hacking web servers)Module 11 (hacking web servers)
Module 11 (hacking web servers)
 
T04505103106
T04505103106T04505103106
T04505103106
 
Cyber security
Cyber securityCyber security
Cyber security
 
How Can I Reduce The Risk Of A Cyber-Attack?
How Can I Reduce The Risk Of A Cyber-Attack?How Can I Reduce The Risk Of A Cyber-Attack?
How Can I Reduce The Risk Of A Cyber-Attack?
 
Web application sec_3
Web application sec_3Web application sec_3
Web application sec_3
 
Module 12 (web application vulnerabilities)
Module 12 (web application vulnerabilities)Module 12 (web application vulnerabilities)
Module 12 (web application vulnerabilities)
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application Security
 

Recently uploaded

IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
Enterprise Knowledge
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
Earley Information Science
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
giselly40
 

Recently uploaded (20)

How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men

Why You Need A Web Application Firewall

  • 1. Why you need a Web App Firewall and more A Review of Web Application Attacks & Countermeasures
  • 2. A Review of Web Application Attacks and Countermeasures. There are so many types of Web-based attacks and security risks to watch out for, where do you start? While the details of these attacks vary greatly, the key threat concepts and the main defensive countermeasures are well understood and can be boiled down to a manageable list. Let's take a look at the major attack types that your Microsoft IIS Web servers, database-enabled Web sites and Web-based applications need to be ready for. We will also point you to the Port80 Software solutions that provide effective countermeasures to these types of attacks.
  • 3. Network and System Reconnaissance. Camouflage should be "standard issue" for Web servers. The first task of a Web attacker (a cyber criminal, internal or external) is to determine your operating system, Web server, application server and database platforms.
  • 4. Network and System Reconnaissance, cont. The most successful attacks are often targeted attacks, so removing or obfuscating the signatures of your technology platforms is an important countermeasure in itself. That means both the obvious signatures, like the Server header, file extensions in URLs, and the TCP/IP window size, and the more subtle ones, like cookie names, ETag formats, HTTP header order, and the services running on particular IP/port combinations.
  • 5. Network and System Reconnaissance, cont. This can either dissuade intruders from attacking your Web site or Web application altogether or force them to make incorrect assumptions that lead them to try the wrong types of attacks (for instance, a Linux/UNIX exploit against a Windows system). In turn, this makes it easier for firewalls and IDS systems to identify and block those attacks directly. Port80 Solutions: ServerMask
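The header-masking countermeasure of slides 3 to 5, as an added Python example (this is not ServerMask's code or any other Port80 code): a WSGI middleware that removes the response headers used to fingerprint the platform and emits the rest in a fixed order, so neither the header values nor their sequence identify the server. The header names and the sample response are constructed for the demo.

```python
# Added example (not Port80's ServerMask): a WSGI middleware that strips the
# response headers attackers use to fingerprint the platform and emits the
# remaining headers in a fixed order, so header order is not a signature either.
from wsgiref.util import setup_testing_defaults

# Headers that reveal the OS, Web server or framework version.  Constructed
# list for the example; extend it for the platforms you actually run.
FINGERPRINT_HEADERS = frozenset(
    name.lower()
    for name in ("Server", "X-Powered-By", "X-AspNet-Version", "X-AspNetMvc-Version")
)


def scrub_headers(headers, server_value="WebServer"):
    """Return a new header list with fingerprinting headers removed.

    A generic Server value is substituted rather than dropping the header,
    because a missing Server header is itself a recognisable signature.
    """
    kept = [(k, v) for k, v in headers if k.lower() not in FINGERPRINT_HEADERS]
    kept.append(("Server", server_value))
    # Fixed, alphabetical order so the header sequence cannot be used to
    # tell one server platform from another.
    return sorted(kept, key=lambda kv: kv[0].lower())


class MaskMiddleware:
    """Wrap any WSGI app and rewrite its response headers on the way out."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        def masked_start_response(status, headers, exc_info=None):
            return start_response(status, scrub_headers(headers), exc_info)

        return self.app(environ, masked_start_response)


def demo_app(environ, start_response):
    # Constructed response that leaks platform details, as an unmasked
    # server might.
    start_response("200 OK", [
        ("Server", "Microsoft-IIS/10.0"),
        ("X-Powered-By", "ASP.NET"),
        ("X-AspNet-Version", "4.0.30319"),
        ("Content-Type", "text/html"),
    ])
    return [b"<html>hello</html>"]


def run_demo():
    """Run one request through the masked app; return (headers, body)."""
    environ = {}
    setup_testing_defaults(environ)
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = headers

    body = b"".join(MaskMiddleware(demo_app)(environ, start_response))
    return captured["headers"], body


if __name__ == "__main__":
    for name, value in run_demo()[0]:
        print(f"{name}: {value}")
```

Response headers are only one of the signatures the slides list; TCP/IP window size, ETag formats and cookie names have to be handled at the network stack and the application respectively, and this middleware does not touch them.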
  • 6. Image and File Leeching. Do not serve Web content for others unknowingly. A lower-priority attack that costs many sites precious bandwidth and responsiveness is a leeching attack, where an attacker identifies file resources on your Web site that are not access controlled or protected by authentication, like images and video, so that your server ends up delivering them on someone else's behalf.
  • 8. Image and File Leeching, cont. The countermeasures to stop this type of leeching attack range from the simple to the more robust, from referer checking through time-limited or "sessionized" URLs. You can also weed out the more amateurish leeching bots and scripts by checking the cookie, browser, and HTTP header details of each request. Port80 Solutions: LinkDeny
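The two ends of the range on slide 8, referer checking and time-limited signed URLs, as an added Python example (not LinkDeny's code or any other Port80 code). The signing key, host names and paths are constructed for the demo; the signature covers both the path and the expiry, so neither can be altered without invalidating the link.

```python
# Added example (not Port80's LinkDeny): two anti-leeching checks, a referer
# check and HMAC-signed, time-limited URLs.  The key below is constructed;
# load a real one from protected configuration.
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlsplit

SIGNING_KEY = b"example-key-change-me"


def referer_allowed(referer, allowed_hosts, allow_missing=True):
    """Cheap first line of defence: accept only on-site referers.

    Many browsers and proxies strip Referer, so a missing header is allowed
    by default; set allow_missing=False to be stricter at the cost of
    blocking some legitimate visitors.
    """
    if not referer:
        return allow_missing
    host = urlsplit(referer).hostname
    return host is not None and host.lower() in allowed_hosts


def sign_url(path, ttl_seconds, now=None, key=SIGNING_KEY):
    """Return path?exp=...&sig=... valid for ttl_seconds from now."""
    exp = int(time.time() if now is None else now) + ttl_seconds
    mac = hmac.new(key, f"{path}?exp={exp}".encode(), hashlib.sha256).hexdigest()
    return f"{path}?{urlencode({'exp': exp, 'sig': mac})}"


def verify_url(url, now=None, key=SIGNING_KEY):
    """True only if the signature covers this exact path and expiry and the
    link has not yet expired.  Any tampering with path or exp fails the MAC."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    try:
        exp = int(query["exp"][0])
        sig = query["sig"][0]
    except (KeyError, ValueError):
        return False
    expected = hmac.new(key, f"{parts.path}?exp={exp}".encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return False
    return (time.time() if now is None else now) <= exp


if __name__ == "__main__":
    link = sign_url("/video/demo.mp4", ttl_seconds=60)
    print(link, verify_url(link))
```

The referer check alone is what the slide calls simple: it is defeated by any client that omits or forges the header. The signed URL is the robust end, because a leecher who copies the link gets a resource that stops working when `exp` passes and cannot mint new links without the key.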
  • 9. Restricting Access. Block IPs that are no good (up to no good, or not good for you). You can also protect against undesired use of your Web content by applying IP access control to that content. This is often overlooked on sites that use authentication and authorization, but what if you need to host content for anonymous users as well, or exclusively?
  • 11. Restricting Access, cont. Controlling access to Web content is by no means the same as locking down your Web server, site and application against determined exploits, but it can be a prudent deterrent to further abuse. Port80 Solutions: LinkDeny
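IP access control as described on slides 9 and 11, as an added Python example (not LinkDeny's code or any other Port80 code). It evaluates ordered allow/deny rules with first-match semantics and includes the one detail that most often undermines IP-based rules in practice: the client address must come from the TCP peer unless that peer is one of your own proxies, because `X-Forwarded-For` is otherwise attacker-controlled. The addresses and rules are constructed for the demo.

```python
# Added example (not Port80's LinkDeny): ordered allow/deny IP rules with
# first-match semantics, plus safe handling of X-Forwarded-For.
import ipaddress


class IPAccessList:
    """Rules are (action, cidr) pairs evaluated top to bottom; the first
    network containing the client address decides.  Nothing matching falls
    through to `default`."""

    def __init__(self, rules, default="deny"):
        self.rules = [(action, ipaddress.ip_network(cidr, strict=False))
                      for action, cidr in rules]
        self.default = default

    def decide(self, client_ip):
        ip = ipaddress.ip_address(client_ip)
        for action, net in self.rules:
            # An IPv4 rule never matches an IPv6 client, and vice versa.
            if ip.version == net.version and ip in net:
                return action
        return self.default


def effective_client_ip(remote_addr, forwarded_for=None, trusted_proxies=frozenset()):
    """Only honour X-Forwarded-For when the TCP peer is one of our own
    proxies; otherwise the header is attacker-controlled and the peer
    address is the only trustworthy value.  Walk the header from the right
    and return the first hop that is not a trusted proxy."""
    if forwarded_for and remote_addr in trusted_proxies:
        for hop in reversed([h.strip() for h in forwarded_for.split(",")]):
            if hop and hop not in trusted_proxies:
                return hop
    return remote_addr


def is_allowed(acl, remote_addr, forwarded_for=None, trusted_proxies=frozenset()):
    """Combine the two: resolve the real client address, then consult the ACL."""
    ip = effective_client_ip(remote_addr, forwarded_for, trusted_proxies)
    return acl.decide(ip) == "allow"


if __name__ == "__main__":
    # Constructed policy: block one documentation-range network, allow the rest.
    acl = IPAccessList([("deny", "203.0.113.0/24"), ("allow", "0.0.0.0/0")])
    print(is_allowed(acl, "203.0.113.7"), is_allowed(acl, "198.51.100.1"))
```

Note that the catch-all `allow 0.0.0.0/0` covers only IPv4; an IPv6 client falls through to the default, which is why the default is `deny` and why a dual-stack site needs an explicit `::/0` rule as well.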
  • 13. SQL Injection Attacks, cont. You can code to avoid this type of attack in your Web application, but many Web developers do not have the time or the expertise to cover the types of input sanitization required to make sure that: 1. characters passed in URL strings do not allow for unintended database access and control, and 2. the type of data being passed in the URL is what was intended (for example, checking that user-supplied input destined for a numeric field in a SQL statement is indeed numeric).
  • 14. SQL Injection Attacks, cont. You can also make the database itself more secure with measures such as stored procedures and least-privilege accounts for accessing the database. Still, you need to sanitize the inputs that reach the database to avoid parser evasion attacks that sneak various characters into a string, allowing an attacker to append commands to a normal variable value in order to delete or alter database content (or escalate their privileges on your application or the server itself). Port80 Solutions: ServerDefender AI, ServerDefender VP
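The two input controls of slide 13, a type check for numeric fields and keeping user data out of the SQL parser, as an added Python example (not ServerDefender's code or any other Port80 code). The string-spliced lookup is the "before" form and is kept vulnerable on purpose so the difference is visible; the table and its rows are constructed in memory with SQLite for the demo.

```python
# Added example (not Port80's ServerDefender): numeric type check and
# parameterised queries beside the string-spliced 'before' form, run
# against a constructed in-memory SQLite table.
import re
import sqlite3

NUMERIC_ID = re.compile(r"[0-9]{1,10}")


def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, public INTEGER)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", [
        (1, "widget", 1),
        (2, "gadget", 1),
        (3, "unreleased-item", 0),   # should never be listed to the public
    ])
    conn.commit()
    return conn


def lookup_vulnerable(conn, product_id):
    """'Before' form: the URL value is spliced into the SQL text, so anything
    the user appends becomes part of the statement."""
    sql = f"SELECT name FROM products WHERE public = 1 AND id = {product_id}"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, product_id):
    """1) reject anything that is not a plain integer before it reaches the
    SQL parser; 2) bind the value as a parameter so it is data, never SQL."""
    if not NUMERIC_ID.fullmatch(str(product_id)):
        raise ValueError("product id must be numeric")
    sql = "SELECT name FROM products WHERE public = 1 AND id = ?"
    return [row[0] for row in conn.execute(sql, (int(product_id),))]


def search_safe(conn, name_fragment):
    """Same rule for free-text fields: parameters, not concatenation.  The
    LIKE wildcards are escaped so user input cannot widen the match."""
    escaped = (name_fragment.replace("\\", "\\\\")
               .replace("%", "\\%")
               .replace("_", "\\_"))
    sql = "SELECT name FROM products WHERE public = 1 AND name LIKE ? ESCAPE '\\'"
    return [row[0] for row in conn.execute(sql, (f"%{escaped}%",))]


if __name__ == "__main__":
    db = setup_db()
    print(lookup_vulnerable(db, "1"), lookup_safe(db, "1"), search_safe(db, "gad"))
```

The type check is what slide 13's second point asks for; the parameter binding is what makes the first point hold even when the field is free text. A least-privilege database account, as slide 14 recommends, limits what a query that slips through can do, but does not stop the query from running.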
  • 15. Buffer Overflow Attacks. Put some limits on data requested from unknown Web users. Attackers love to throw huge amounts of malicious data at systems to see what limits have been set and whether too much data crammed into a particular form field or URL string will crash the system, or lead to remote control of your servers.
  • 16. Buffer Overflow Attacks, cont. They will pack high-bit shellcode (a transferable piece of code used as the payload in the exploitation of a software bug) into a Web request, hoping that the developer has not placed any buffer limits on the request and is not sanitizing input into the Web application. Placing a limit on the number of characters accepted in each request field goes a long way toward avoiding this type of attack. Port80 Solutions: ServerDefender AI, ServerDefender VP
  • 17. Cross-Site Scripting (XSS) Attacks. Don't become a vector for attacks on other sites or your Web visitors themselves. Often used in conjunction with phishing, social engineering, and other browser exploits, XSS attacks inject malicious HTML or client-side scripts into Web pages viewed by other users, thereby bypassing the access controls that browsers use to make sure requests come from the same domain (the same-origin policy).
  • 18. Cross-Site Scripting (XSS) Attacks, cont. By these means, an attacker can gain elevated access to sensitive page content, session cookies, and a variety of other client-side objects through XSS attacks.
  • 21. Cross-Site Scripting (XSS) Attacks, cont. Some XSS attacks can be traced to DOM-based or local cross-site scripting vulnerabilities within a page's client-side script itself, often called non-persistent or reflected XSS vulnerabilities. When data provided by a Web user is used immediately by server-side scripts to generate a page of results for that user, and unvalidated user-supplied data is included in the resulting page without HTML encoding, client-side code can be injected into the dynamic page.
  • 23. Cross-Site Request Forgery Attacks. Seriously, don't become a vector for indirect attacks on other sites or your visitors. Cross-site request forgery (CSRF or XSRF), also known as a one-click attack or session riding, is an exploit very similar to an XSS attack. Rather than injecting unauthorized code into a Web site, a cross-site request forgery attack transmits unauthorized commands from a user that the Web site or application considers to be authenticated.
  • 25. Cross-Site Request Forgery Attacks, cont. These types of attacks are very common on Internet forums, where users are allowed to post images but not JavaScript. To combat this, URLs can be sessionized by implementing a transient authentication mechanism (such as a constantly changing, hidden form field value) in place of persistent, cookie-based, or HTTP authentication. A simpler approach, requiring far less code rewriting, is to check that the referer in the request is from an authorized, on-site page. The referer can be spoofed, however, and so should not be relied upon exclusively.
  • 26. Cross-Site Request Forgery Attacks, cont. For Ajax scenarios in particular, a modestly costly method of combating CSRF attacks is to require the double submission of any cookies used for authentication: read the authentication token from the cookie on the client side using JavaScript, submit it separately with the GET or POST, and then validate it on the server along with the cookie itself. Cookie encryption or signing also helps to defeat these attacks. Port80 Solutions: ServerDefender AI, ServerDefender VP, LinkDeny (weak protection)
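The server side of slide 26's double-submit check, combined with the cookie signing it mentions and the secondary referer check from slide 25, as an added Python example (not ServerDefender's code or any other Port80 code). The token is bound to the session by an HMAC, so a token copied from the attacker's own session does not validate for the victim's. The key, session ids and host names are constructed for the demo.

```python
# Added example (not Port80 code): double-submit CSRF token, signed and bound
# to the session, with an optional on-site referer check.
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

SIGNING_KEY = b"example-csrf-key-change-me"   # constructed; keep the real one server-side


def issue_token(session_id, key=SIGNING_KEY):
    """Issued at login: set as a cookie that the page's JavaScript may read
    and also embedded in forms.  Format nonce.mac, where the MAC covers the
    session id and the nonce."""
    nonce = secrets.token_hex(8)
    mac = hmac.new(key, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def token_valid(session_id, token, key=SIGNING_KEY):
    """Recompute the MAC for this session and compare in constant time."""
    nonce, sep, mac = token.partition(".")
    if not sep:
        return False
    expected = hmac.new(key, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected.encode(), mac.encode())


def csrf_check(session_id, cookie_token, submitted_token,
               referer=None, allowed_hosts=frozenset()):
    """Accept a state-changing request only if:
      1. both copies of the token are present (a cross-site form or XHR
         cannot read our cookie, so it cannot supply the second copy),
      2. the two copies are identical,
      3. the token's MAC is valid for this session, and
      4. when a Referer is present, it names one of our own hosts
         (secondary check only; slide 25 notes it can be spoofed)."""
    if not cookie_token or not submitted_token:
        return False
    if not hmac.compare_digest(cookie_token.encode(), submitted_token.encode()):
        return False
    if not token_valid(session_id, cookie_token):
        return False
    if referer is not None:
        host = urlsplit(referer).hostname
        if host is None or host.lower() not in allowed_hosts:
            return False
    return True


if __name__ == "__main__":
    tok = issue_token("session-A")
    print(tok, csrf_check("session-A", tok, tok))
```

The second copy travels in a request header or form field that the browser only adds when the page's own script or form put it there, which is what makes the scheme work for Ajax calls as slide 26 says. The session binding is the cookie-signing idea from the same slide: without it, an attacker could set a cookie of their own choosing and submit the matching copy.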
  • 27. Directory Traversal Attacks. /admin, /scripts, /noaccess, /etc. If you can get to a file via a URL, an attacker can get to it as well, even if the link is not publicly displayed on your Web site. Also known as a ../ (dot dot slash), directory climbing, backtracking, or sometimes canonicalization attack, a directory traversal attack exploits insufficient security validation and sanitization of user-supplied URL paths in Web site and application requests.
  • 28. Directory Traversal Attacks, cont. This type of attack does not indicate a coding deficiency, but rather a lack of security and authentication for all Web resources on a site or application. Microsoft Windows or DOS directory traversal uses the ..\ characters, although many Windows programs and APIs also accept UNIX-like directory traversal characters (../); at least most directory traversal vulnerabilities on Windows are limited to a single partition (C:\, etc.).
  • 29. Directory Traversal Attacks, cont. Though IIS can handle simple cases of directory traversal attacks, this is just a start. You need to stop requests to seemingly non-existent Web resources, sanitize inputs in all odd or non-standard character encodings, ensure document roots are known and string lengths are consistent, and confirm that no files outside the document root of the site can be served. Of course, the best response to a directory traversal request (the only one that gives no clues to the attacker) is a good old 404 HTTP response. Port80 Solutions: ServerDefender AI, ServerDefender VP
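Request-side checks for the buffer limits of slides 15 and 16 and the traversal handling of slides 27 to 29, as one added Python example (not ServerDefender's code or any other Port80 code): it caps the size of what is accepted, decodes the path until it is stable (so double-encoded sequences are seen for what they are), rejects NUL bytes and Windows separators, normalises `../`, refuses anything that would leave the document root, and answers that case with the 404 the slide recommends. The document root, limits and paths are constructed for the demo.

```python
# Added example (not Port80 code): size limits plus decode/normalise/contain
# checks for request paths, with 404 as the traversal response.
import posixpath
from urllib.parse import unquote

DOC_ROOT = "/var/www/site"   # constructed
MAX_URL_LEN = 2048           # whole request-URI
MAX_FIELD_LEN = 256          # any single form field or query parameter


def oversize_status(url, fields, max_url=MAX_URL_LEN, max_field=MAX_FIELD_LEN):
    """Return an HTTP status that rejects oversized input, or None if within limits."""
    if len(url) > max_url:
        return 414      # URI Too Long
    if any(len(v) > max_field for v in fields.values()):
        return 413      # Payload Too Large
    return None


def resolve_under_root(url_path, doc_root=DOC_ROOT):
    """Map a request path to a file under doc_root, or None if it tries to
    leave it.  Handles percent-encoding (including double encoding), NUL
    bytes, Windows separators and ../ sequences."""
    decoded = url_path
    for _ in range(3):                       # decode until stable
        once = unquote(decoded)
        if once == decoded:
            break
        decoded = once
    else:
        return None                          # still changing after 3 rounds: reject
    if "\x00" in decoded:
        return None                          # NUL would truncate the path in C APIs
    decoded = decoded.replace("\\", "/")     # Windows-style ..\ is traversal too
    rel = posixpath.normpath(decoded.lstrip("/"))   # collapses a/../b inside the root
    if rel == ".." or rel.startswith("../"):
        return None                          # anything still climbing out is rejected
    return posixpath.join(doc_root, "" if rel == "." else rel)


def status_for(url_path, fields=None):
    """404 for traversal, the only answer that tells the attacker nothing;
    413/414 for oversized input; 200 otherwise (file existence not checked here)."""
    fields = fields or {}
    code = oversize_status(url_path, fields)
    if code:
        return code
    return 404 if resolve_under_root(url_path) is None else 200


if __name__ == "__main__":
    for p in ("/images/logo.png", "/images/../../etc/passwd", "/%252e%252e/secret"):
        print(p, resolve_under_root(p), status_for(p))
```

On a real file system the resolved path should additionally be passed through `os.path.realpath` and re-checked against the root, so that a symbolic link inside the document root cannot point outside it; that step is omitted here because the demo root does not exist.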
  • 30. Zero Day Attacks. Protect against attacks before the patch and after the patch. A zero-day (or zero-hour) attack is not so much a specific type of attack as a special case of all the other types: a zero-day attack is one that exploits heretofore undisclosed or unpatched application vulnerabilities.
  • 32. Zero Day Attacks, cont. As new attacks against IIS and application server code are introduced, often falling into one of the other categories discussed here, it is vital to have a general-purpose Web application firewall covering the bases to protect the site or app from that attack vector before the platform patches can be applied. Port80 Solutions: ServerDefender AI, ServerDefender VP
  • 33. Brute Force Attacks. A, B, C, D, Admin Access... A brute force attack, sometimes called a dictionary attack, is a method of defeating a cryptographic authentication/authorization scheme by trying a large number of possible answers. The best example is exhaustively working through all possible keys in order to discover a password combination.
  • 34. Brute Force Attacks, cont. Like zero-day attacks, brute force attacks are often used to find open, unprotected directories or to break authentication and authorization layers. Effective request throttling, that is, tracking and limiting the number of Web requests per second to a particular login file or directory, often defeats this form of automated attack. Port80 Solutions: ServerDefender AI
  • 36. Denial-of-Service Attacks, cont. This, in turn, forces the targeted Web server to reset or consume its resources such that it can no longer serve legitimate requests. As with a brute force attack, being able to identify and block IP addresses with a high frequency of requests can stop these attacks before site resources are used up, keeping legitimate Web users in service.
  • 37. Privilege Escalation Attacks. Control is the ultimate goal of all attackers. At the end of the day, almost every Web attack is an attempt to escalate privileges and gain remote control over your Web sites, apps, data and user communities. Privilege escalation is the act of exploiting a bug in an application to gain access to resources that would normally be protected from an application or user with lower privileges.
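The request throttling that slides 34 and 36 describe for brute force and denial-of-service traffic, as an added Python example (not ServerDefender's code or any other Port80 code): a sliding-window counter keyed by client address and path, replayed over a few constructed access-log lines so the refused requests can be seen. The limit, window and log lines are constructed for the demo.

```python
# Added example (not Port80 code): per-client, per-resource request throttling
# replayed over constructed access-log lines.
from collections import defaultdict, deque


class RequestThrottle:
    """Sliding window: a client may make at most `limit` requests to a given
    path within any `window` seconds; further requests are refused until
    old ones age out."""

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        self.hits = defaultdict(deque)       # (ip, path) -> timestamps, oldest first

    def allow(self, ip, path, now):
        q = self.hits[(ip, path)]
        while q and now - q[0] >= self.window:
            q.popleft()                      # drop hits outside the window
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


# Constructed log: "<epoch seconds> <client ip> <method> <path> <status>"
# One client hammers the login page; another client and another path are
# unaffected; the same client is allowed again once the window has passed.
SAMPLE_LOG = """\
1000.0 203.0.113.7 POST /login.aspx 401
1000.4 203.0.113.7 POST /login.aspx 401
1000.8 203.0.113.7 POST /login.aspx 401
1001.2 198.51.100.9 POST /login.aspx 200
1001.3 203.0.113.7 POST /login.aspx 401
1001.7 203.0.113.7 POST /login.aspx 401
1002.1 203.0.113.7 POST /login.aspx 401
1002.5 203.0.113.7 GET /index.html 200
1002.9 203.0.113.7 POST /login.aspx 401
1020.0 203.0.113.7 POST /login.aspx 200
"""


def replay(log_text, limit=5, window=10.0):
    """Feed each log line through the throttle; return the requests that
    would have been refused as (ip, path, timestamp)."""
    throttle = RequestThrottle(limit, window)
    refused = []
    for line in log_text.splitlines():
        ts, ip, _method, path, _status = line.split()
        if not throttle.allow(ip, path, float(ts)):
            refused.append((ip, path, float(ts)))
    return refused


if __name__ == "__main__":
    for entry in replay(SAMPLE_LOG):
        print("refused:", entry)
```

Keying on the path as well as the address is what lets the login page carry a tight limit while the rest of the site stays responsive, and the client address used as the key must be the trustworthy one (the TCP peer, or a proxy-supplied header only from your own proxies), or the attacker can spread the count across made-up addresses.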
  • 39. Defense-in-Depth Works. How do you avoid being fully hacked? In general, it goes without saying that you should protect your ports and network with a standard hardware firewall, keep patching your OS, Web, app, and DB layers, require authentication for secure sections of the site, and learn as much as possible about the security options available in your development platform, whether ASP, ASP.NET, ColdFusion, PHP, JSP, or another type of Web application.
  • 40. Defense-in-Depth Works, cont. By additionally layering in Port80 Software's security solutions, you augment these systems to directly protect your Microsoft IIS Web server, Web apps, and data from the bad guys out there on the Internet.