Here are the common website security vulnerabilities and threats:
* SQL Injections
SQL injection attacks are done by injecting malicious code in a vulnerable SQL query. They rely on an attacker adding a specially crafted request within the message sent by the website to the database.
A successful attack will alter the database query in such a way that it will return the information desired by the attacker, instead of the information the website expected. SQL injections can even modify or add malicious information to the database.
* Cross-site Scripting (XSS)
Cross-site scripting attacks consist of injecting malicious client-side scripts into a website and using the website as a propagation method.
The danger behind XSS is that it allows an attacker to inject content into a website and modify how it is displayed, forcing a victim’s browser to execute the code provided by the attacker when loading the page. If a logged in site administrator loads the code, the script will be executed with their level of privilege, which could potentially lead to site takeover.
* Credential Brute Force Attacks
Gaining access to a website’s admin area, control panel or even to the SFTP server is one of the most common vectors used to compromise websites. The process is very simple; the attackers basically program a script to try multiple combinations of usernames and passwords until it finds one that works.
Once access is granted, attackers can launch a variety of malicious activities, from spam campaigns to coin-miners and credit card stealers.
* Website Malware Infections & Attacks
Using some of the previous security issues as a means to gain unauthorized access to a website, attackers can then:
Inject SEO spam on the page
Drop a backdoor to maintain access
Collect visitor information or credit card data
Run exploits on the server to escalate access level
Use visitors’ computers to mine cryptocurrencies
Store botnets command & control scripts
Show unwanted ads, redirect visitors to scam sites
Host malicious downloads
Launch attacks against other sites
* DoS/DDoS Attacks
A Distributed Denial of Service (DDoS) attack is a non-intrusive internet attack. It is made to take down the targeted website or slow it down by flooding the network, server or application with fake traffic.
DDoS attacks are threats that website owners must familiarize themselves with as they are a critical piece of the security landscape. When a DDoS attack targets a vulnerable resource-intensive endpoint, even a tiny amount of traffic is enough for the attack to be successful.
The attacker causes the victim user to carry out an action unintentionally. For example, this might be to change the email address on their account, to change their password, or to make a funds transfer. Depending on the nature of the action, the attacker might be able to gain full control over the user's account. If the compromised user has a privileged role within the application, then the attacker might be able to take full control of all the application's data and functionality.