Prestazioni e affidabilità
CDN DNS Argo Smart Routing Bilanciamento del carico URL reale AMP Ottimizzazioni Web Reti cinesi
Streaming e consegna video
Cloudflare Stream Diffusione di contenuti in streaming
Sicurezza avanzata
Transizione magica Protezione dagli attacchi DDoS WAF Gestione dei bot Rate Limiting SSL/TLS DNSSEC Cloudflare Access Cloudflare Spectrum Argo Tunnel
Approfondimenti
Analytics Log di Cloudflare
Cloudflare per sviluppatori
Cloudflare Workers Cloudflare Workers KV Mobile SDK
Registrazione del dominio
Cloudflare Registrar
Marketplace di Cloudflare
App Cloudflare
Cloudflare per tutti
1.1.1.1
Prestazioni
Accelerare le applicazioni Internet Accelerare le esperienze su dispositivi mobili Assicura la disponibilità delle applicazioni
Sicurezza
Mitigazione degli attacchi DDoS Previeni la violazione dei dati dei clienti Blocca l'abuso di bot dannosi
Settori
Gaming SaaS eCommerce Media e intrattenimento Settore pubblico Gruppi di interesse pubblico Governo locale e statale
Partnership
Programma per partner
Partner di Soluzioni
Programma di servizi
Partner tecnologici
Portale di Peering Bandwidth Alliance Partner di analytics
Integrazioni
IBM Cloud WordPress Google Cloud Magento Acquia Rackspace Microsoft Azure Kubernetes Motore WP
Sviluppo
Guida API Centro sviluppatori Fondo per sviluppatori Documentazione
Esplora
Case study Analisti Cloudflare in Cina Mappa di rete Webinar Qual’è la novità? White paper GDPR
Informazioni
Area risorse DDoS Area risorse CDN Area risorse DNS Area risorse sicurezza Area risorse prestazioni Centro di apprendimento senza server Area risorse SSL Area risorse Bots Area risorse Cloud
Connettere
Blog Contatta il reparto Vendite Community Supporto
Contatti
+1 650 319 8930
Configurazione Cloudflare avanzata
Esplora l’API Cloudflare v4 Esporre un tunnel locale sicuro Configurare con Terraform Documentazione
Personalizzare le dimensioni
Personalizzare l’uso di workers Modificare le intestazioni Instradamento condizionale della richiesta Test A/B Sfogliare tutti i frammenti di codice
Creazione di app serverless
Distribuire utilizzando Workers.dev Primi passi con le Esercitazioni Esempi di cloni su GitHub

What Is Web Application Security?

Web application security is important to any business. Learn about common web application vulnerabilities and how they can be mitigated.

Share facebook icon linkedin icon twitter icon email icon
What is Web Application Security?
Common Threats
VPN Resources
Glossary
Why Use HTTPS?
Global DNS Hijacking

Web Application Security

Obiettivi di apprendimento

Dopo aver letto questo articolo sarai in grado di:

  • Learn the core concepts of web application security
  • Explore common web app vulnerabilities/exploits
  • Understand common methods of threat mitigation

Argomenti correlati

What is a Data Breach?

Man-In-The-Middle Attack

Buffer Overflow

SQL Injection

Why Use HTTPS?

What is Web Application Security?

Web Application Security

Web application security is a central component of any web-based business. The global nature of the Internet exposes web properties to attack from different locations and various levels of scale and complexity. Web application security deals specifically with the security surrounding websites, web applications and web services such as APIs.

What are common web app security vulnerabilities?

Attacks against web apps range from targeted database manipulation to large-scale network disruption. Let’s explore some of the common methods of attack or “vectors” commonly exploited.

  • Cross site scripting (XSS) - XSS is a vulnerability that allows an attacker to inject client-side scripts into a webpage in order to access important information directly, impersonate the user, or trick the user into revealing important information.
  • SQL injection (SQi) - SQi is a method by which an attacker exploits vulnerabilities in the way a database executes search queries. Attackers use SQi to gain access to unauthorized information, modify or create new user permissions, or otherwise manipulate or destroy sensitive data.
  • Denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks - Through a variety of vectors, attackers are able to overload a targeted server or its surrounding infrastructure with different types of attack traffic. When a server is no longer able to effectively process incoming requests, it begins to behave sluggishly and eventually deny service to incoming requests from legitimate users.
  • Memory corruption - Memory corruption occurs when a location in memory is unintentionally modified, resulting in the potential for unexpected behavior in the software. Bad actors will attempt to sniff out and exploit memory corruption through exploits such as code injections or buffer overflow attacks.
  • Buffer overflow - Buffer overflow is an anomaly that occurs when software writing data to a defined space in memory known as a buffer. Overflowing the buffer’s capacity results in adjacent memory locations being overwritten with data. This behavior can be exploited to inject malicious code into memory, potentially creating a vulnerability in the targeted machine.
  • Cross-site request forgery (CSRF) - Cross site request forgery involves tricking a victim into making a request that utilizes their authentication or authorization. By leveraging the account privileges of a user, an attacker is able to send a request masquerading as the user. Once a user’s account has been compromised, the attacker can exfiltrate, destroy or modify important information. Highly privileged accounts such as administrators or executives are commonly targeted.
  • Data breach - Different than specific attack vectors, a data breach is a general term referring to the release of sensitive or confidential information, and can occur through malicious actions or by mistake. The scope of what is considered a data breach is fairly wide, and may consist of a few highly valuable records all the way up to millions of exposed user accounts.

What are the best practices to mitigate vulnerabilities?

Important steps in protecting web apps from exploitation include using up-to-date encryption, requiring proper authentication, continuously patching discovered vulnerabilities, and having good software development hygiene. The reality is that clever attackers may be able to find vulnerabilities even in a fairly robust security environment, and a holistic security strategy is recommended.

Web application security can be improved by protecting against DDoS, Application Layer and DNS attacks:

WAF - Protected against Application Layer attacks

A web application firewall or WAF helps protect a web application against malicious HTTP traffic. By placing a filtration barrier between the targeted server and the attacker, the WAF is able to protect against attacks like cross site forgery, cross site scripting and SQL injection. Learn more about Cloudflare’s WAF.

DDOS How A WAF Works

DDoS mitigation

A Commonly used method for disrupting a web application is the use of distributed denial-of-service or DDoS attacks. Cloudflare mitigates DDoS attacks through a variety of strategies including dropping volumetric attack traffic at our edge, and using our Anycast network to properly route legitimate requests without a loss of service. Learn how Cloudflare can help you can protect a web property from DDoS attack.

DNS Amplification DDoS attack animation

DNS Security - DNSSEC protection

The domain name system or DNS is the phonebook of the Internet and represents the way in which an Internet tool such as a web browser looks up the correct server. Bad actors will attempt to hijack this DNS request process through DNS cache poisoning, man-in-the-middle attacks and other methods of interfering with the DNS lookup lifecycle. If DNS is the phonebook of the Internet, then DNSSEC is unspoofable caller ID. Explore how you can protect a DNS lookup using Cloudflare.

To provide you with the best possible experience on our website, we may use cookies, as described here.
By clicking accept, closing this banner, or continuing to browse our websites, you consent to the use of such cookies.