Web attack types

Web attacks can be divided into two basic categories

  • Those related to technical flaws (control weaknesses, lack of rigor in the developments, cryptographic weaknesses…)
  • Those related to logical flaws (weaknesses in the business logic of the web application)

There are many types of flaws and different attacks to exploit them. Attacks can also be combined.
The direct consequences of an attack generally fall into the following broad categories:

  • Illegal access to certain data (theft)
  • Loss or modification of data
  • Ilegal access to some functions of the web application
  • Execution of some actions on the website on behalf of other users
  • Malware installation
  • Web Server takeover (and more)

With some more efforts, attackers can perform some pivots and in the end gain control over the company’s internal servers, even if the website is not hosted on the internal network of the company.
The vast majority of these attacks can either be invisible or be quickly spotted, stay active or be stealthy.

The impact for the company

A web application attack can impact both the company and the website users (clients, consumers, employees).

The exact impact will depend on the context and on the activity of the company, but here are a few broad categories in which these consequences can be divided:

– Brand damage (bad publicity by public announcement of the attack, of degradation of the corporate website)
– Loss of confidence of users/clients
– Theft of customers (due to a data theft of consumers redirection)
– Direct financial loss (e.g. due to a logic bypass, access to financial data or service interruption)
– Legal sanctions
– Web ranking loss

As it relates to users themselves, risks are also numerous:

  • Identity theft (both on the Internet and in the “real world”)
  • Personal data theft, including banking data and email
  • Financial loss
  • Web browser takeover
  • Unintentional execution of some actions on the website
  • Connection to a zombie network (botnet)
  • Malware

Legal consequences of a web attack, for the company

Some legal experts will certainly be in a best position to explain what the risks and liability limitations are. In addition, responsibilities and implications vary country by country.

Let’s take the example of France, and let’s have a look at what the CNIL (National Commission on Informatics and Liberty) says in terms of personal data on its website:
The first article related to data security refers to Article 226-17 of the Penal Code, which itself refers to the article 34. This article tells us that the person in charge of the treatment, given the nature of the data and risks presented by the processing, must take all necessary precautions to preserve data security and to prevent them from being altered, damaged or that unauthorized parties access it.
Missing these obligations is punishable by five years imprisonment and a fine of € 300,000.

At a European level, Directive 2013-40/EU of 14 August 2013 (link here) explains the liability of the legal person in charge of a hacked website: “Appropriate levels of protection should be provided against reasonably identifiable threats and vulnerabilities”

Each case being different, the legal consequences will of course depend on the exact incident, and on complaints.
When you know that 80% of websites suffers from at least one major security breach, it sends shivers up your spine!

To end on a positive note, let’s says that it’s possible to improve the situation!

  • By teaching security to web developers, so that security becomes integrated into applications, from the beginning, and not just be a layer that is added afterwards.
  • By making regular penetration tests, code reviews, workflow reviews, and by installing appropriate updates on servers/applications/libraries.